Re: [libvirt PATCH 12/12] docs/manpages: add checklist of problems for SEV attestation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Oct 16, 2022 at 03:27:39PM -0400, Cole Robinson wrote:
> On 10/7/22 7:43 AM, Daniel P. Berrangé wrote:
> > Despite efforts to make the virt-qemu-sev-validate tool friendly, it is
> > a certainty that almost everyone who tries it will hit false negative
> > results, getting a failure despite the VM being trustworthy.
> > 
> > Diagnosing these problems is no easy matter, especially for those not
> > familiar with SEV/SEV-ES in general. This extra docs text attempts to
> > set out a checklist of items to look at to identify what went wrong.
> > 
> > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> > ---
> >  docs/manpages/virt-qemu-sev-validate.rst | 112 +++++++++++++++++++++++
> >  1 file changed, 112 insertions(+)
> > 
> > diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst
> > index 7542bea9aa..e0c18f2d20 100644
> > --- a/docs/manpages/virt-qemu-sev-validate.rst
> > +++ b/docs/manpages/virt-qemu-sev-validate.rst
> > @@ -437,6 +437,118 @@ inject a disk password on success:
> >         --domain fedora34x86_64 \
> >         --disk-password passwd.txt
> >  
> > +COMMON MISTAKES CHECKLIST
> > +=========================
> > +
> > +The complexity of configuring a guest and validating its boot measurement
> > +means it is very likely to see the failure::
> > +
> > +   ERROR: Measurement does not match, VM is not trustworthy
> > +
> > +This error message assumes the worst, but in most cases will failure will be
> > +a result of either mis-configuring the guest, or passing the wrong information
> > +when trying to validate it. The following information is a guide for what
> > +items to check in order to stand the best chance of diagnosing the problem
> > +
> > +* Check the VM configuration for the DH certificate and session
> > +  blob in the libvirt guest XML.
> > +
> > +  The content for these fields should be in base64 format, which is
> > +  what ``sevctl session`` generates. Other tools may generate the files
> > +  in binary format, so ensure it has been correctly converted to base64.
> > +
> > +* Check the VM configuration policy value matches the session blob
> > +
> > +  The ``<policy>`` value in libvirt guest XML has to match the value
> > +  passed to the ``sevctl session`` command.
> > +
> 
> FWIW In this case, qemu will explicitly error. From 7.0.0-6.fc36:
> 
> -accel kvm: sev_launch_start: LAUNCH_START ret=1 fw_error=11 'Bad
> measurement'

Oh, I had forgotten that

> 
> I think it's worth putting some subset of that qemu error string at the
> top of this section too. If users hit it, going through the checklist
> here may solve their issue.
> 
> For example, If you're flailing around with sevctl like I have, some of
> the sub commands will invalidate all your previous generated
> session/dhCert blobs, and subsequent VM boots will fail as above.
> `sevctl reset` and/or `sevctl rotate`. That's probably obscure enough to
> not need documenting, but if the first item here leads to re-running
> sevctl session then you'll fix your problem :)

Hmm, yes, I'd stayed away from reset/rotate to avoid trouble :-)


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux