On Sun, Oct 16, 2022 at 03:27:39PM -0400, Cole Robinson wrote: > On 10/7/22 7:43 AM, Daniel P. Berrangé wrote: > > Despite efforts to make the virt-qemu-sev-validate tool friendly, it is > > a certainty that almost everyone who tries it will hit false negative > > results, getting a failure despite the VM being trustworthy. > > > > Diagnosing these problems is no easy matter, especially for those not > > familiar with SEV/SEV-ES in general. This extra docs text attempts to > > set out a checklist of items to look at to identify what went wrong. > > > > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> > > --- > > docs/manpages/virt-qemu-sev-validate.rst | 112 +++++++++++++++++++++++ > > 1 file changed, 112 insertions(+) > > > > diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst > > index 7542bea9aa..e0c18f2d20 100644 > > --- a/docs/manpages/virt-qemu-sev-validate.rst > > +++ b/docs/manpages/virt-qemu-sev-validate.rst 
> > @@ -437,6 +437,118 @@ inject a disk password on success: > > --domain fedora34x86_64 \ > > --disk-password passwd.txt > > > > +COMMON MISTAKES CHECKLIST > > +========================= > > + > > +The complexity of configuring a guest and validating its boot measurement > > +means it is very likely to see the failure:: > > + > > + ERROR: Measurement does not match, VM is not trustworthy > > + > > +This error message assumes the worst, but in most cases will failure will be > > +a result of either mis-configuring the guest, or passing the wrong information > > +when trying to validate it. The following information is a guide for what > > +items to check in order to stand the best chance of diagnosing the problem > > + > > +* Check the VM configuration for the DH certificate and session > > + blob in the libvirt guest XML. > > + > > + The content for these fields should be in base64 format, which is > > + what ``sevctl session`` generates. Other tools may generate the files > > + in binary format, so ensure it has been correctly converted to base64. > > + > > +* Check the VM configuration policy value matches the session blob > > + > > + The ``<policy>`` value in libvirt guest XML has to match the value > > + passed to the ``sevctl session`` command. > > + > > FWIW In this case, qemu will explicitly error. From 7.0.0-6.fc36: > > -accel kvm: sev_launch_start: LAUNCH_START ret=1 fw_error=11 'Bad > measurement' Oh, I had forgotten that > > I think it's worth putting some subset of that qemu error string at the > top of this section too. If users hit it, going through the checklist > here may solve their issue. > > For example, If you're flailing around with sevctl like I have, some of > the sub commands will invalidate all your previous generated > session/dhCert blobs, and subsequent VM boots will fail as above. > `sevctl reset` and/or `sevctl rotate`. 
> That's probably obscure enough to
> not need documenting, but if the first item here leads to re-running
> sevctl session then you'll fix your problem :)

Hmm, yes, I'd stayed away from reset/rotate to avoid trouble :-)

With regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
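Review bot: the introductory paragraph of the new COMMON MISTAKES CHECKLIST section has a doubled word and a missing full stop: "in most cases will failure will be" should read "in most cases the failure will be", and the sentence ending "the best chance of diagnosing the problem" needs a terminating period. The lead sentence "means it is very likely to see the failure::" would also read more naturally as "means it is very likely that the following failure will be seen::". On the second checklist item ("Check the VM configuration policy value matches the session blob", which unlike the first item lacks a trailing period), the reply in this thread points out that a policy/session mismatch is reported by QEMU itself at launch (the quoted "sev_launch_start: LAUNCH_START ret=1 fw_error=11 'Bad measurement'" output) rather than surfacing only as the validate tool's "Measurement does not match" error; it would help readers to state that distinction in the item text and, as suggested in the reply, to quote that QEMU error string near the top of the section so people who hit it at boot time know this checklist applies to them.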