On 10/7/22 7:43 AM, Daniel P. Berrangé wrote: > Despite efforts to make the virt-qemu-sev-validate tool friendly, it is > a certainty that almost everyone who tries it will hit false negative > results, getting a failure despite the VM being trustworthy. > > Diagnosing these problems is no easy matter, especially for those not > familiar with SEV/SEV-ES in general. This extra docs text attempts to > set out a checklist of items to look at to identify what went wrong. > > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> > --- > docs/manpages/virt-qemu-sev-validate.rst | 112 +++++++++++++++++++++++ > 1 file changed, 112 insertions(+) > > diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst > index 7542bea9aa..e0c18f2d20 100644 > --- a/docs/manpages/virt-qemu-sev-validate.rst > +++ b/docs/manpages/virt-qemu-sev-validate.rst > @@ -437,6 +437,118 @@ inject a disk password on success: > --domain fedora34x86_64 \ > --disk-password passwd.txt > > +COMMON MISTAKES CHECKLIST > +========================= > + > +The complexity of configuring a guest and validating its boot measurement > +means it is very likely to see the failure:: > + > + ERROR: Measurement does not match, VM is not trustworthy > + > +This error message assumes the worst, but in most cases will failure will be > +a result of either mis-configuring the guest, or passing the wrong information > +when trying to validate it. The following information is a guide for what > +items to check in order to stand the best chance of diagnosing the problem > + > +* Check the VM configuration for the DH certificate and session > + blob in the libvirt guest XML. > + > + The content for these fields should be in base64 format, which is > + what ``sevctl session`` generates. Other tools may generate the files > + in binary format, so ensure it has been correctly converted to base64. > + > +* Check the VM configuration policy value matches the session blob > + > + The ``<policy>`` value in libvirt guest XML has to match the value > + passed to the ``sevctl session`` command. > + FWIW In this case, qemu will explicitly error. From 7.0.0-6.fc36: -accel kvm: sev_launch_start: LAUNCH_START ret=1 fw_error=11 'Bad measurement' I think it's worth putting some subset of that qemu error string at the top of this section too. If users hit it, going through the checklist here may solve their issue. For example, If you're flailing around with sevctl like I have, some of the sub commands will invalidate all your previous generated session/dhCert blobs, and subsequent VM boots will fail as above. `sevctl reset` and/or `sevctl rotate`. That's probably obscure enough to not need documenting, but if the first item here leads to re-running sevctl session then you'll fix your problem :) Thanks, Cole