On Wed, 2022-10-26 at 10:59 +0100, Daniel P. Berrangé wrote: > On Tue, Oct 25, 2022 at 07:38:43PM -0400, Cole Robinson wrote: > > On 10/19/22 6:17 AM, Daniel P. Berrangé wrote: > > > It is possible to build OVMF for SEV with an embedded Grub that > > > can fetch LUKS disk secrets. This adds support for injecting > > > secrets in the required format. > > > > > > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> > > > --- > > > diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev- > > > validate > > > index 5ce5763d5b..2d15edb933 100755 > > > --- a/tools/virt-qemu-sev-validate > > > +++ b/tools/virt-qemu-sev-validate > > > @@ -36,16 +36,19 @@ > > > > > > import abc > > > import argparse > > > -from base64 import b64decode > > > +from base64 import b64decode, b64encode > > > from hashlib import sha256 > > > import hmac > > > import logging > > > +import os > > > import re > > > import socket > > > from struct import pack > > > import sys > > > import traceback > > > from uuid import UUID > > > +from cryptography.hazmat.primitives.ciphers import Cipher, > > > algorithms, modes > > > + > > > > > > from lxml import etree > > > import libvirt > > > @@ -573,7 +576,26 @@ class KernelTable(GUIDTable): > > > return entries > > > > > > > > > -class ConfidentialVM(object): > > > +class SecretsTable(GUIDTable): > > > + > > > + TABLE_GUID = UUID('{1e74f542-71dd-4d66-963e- > > > ef4287ff173b}').bytes_le > > > + DISK_PW_GUID = UUID('{736869e5-84f0-4973-92ec- > > > 06879ce3da0b}').bytes_le > > > + > > > + def __init__(self): > > > + super().__init__(guid=self.TABLE_GUID, > > > + lenlen=4) > > > + self.disk_password = None > > > + > > > + def load_disk_password(self, path): > > > + with open(path, 'rb') as fh: > > > + self.disk_password = fh.read() > > > + > > > + def entries(self): > > > + return self.build_entry(self.DISK_PW_GUID, > > > + self.disk_password + bytes([0]), > > > 4) > > > + > > > > This bytes([0]) NUL byte ends up in the efi_secret /sys path. > > Dropping > > it doesn't seem to impact injecting the secret at all > > The specs/sev-guest-firmware.rst files does not specify anything in > particular about the injected secret format. The rules for the format > will vary according to the GUID used for the entry. In this case what > I've called the DISK_PW_GUID is the same as the GUID used in James > Bottomley's grub patch: > > https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00260.html That's way too old; the latest version is here: https://lists.gnu.org/archive/html/grub-devel/2022-02/msg00064.html The specific change was to update to use the new disk protector API. > > In particular note > > + /* > + * the passphrase must be a zero terminated string because > the > + * password routines call grub_strlen () to find its size > + */ > > As written, the code just passes around a pointer to the data in the > secret table, so it can't simply add a NUL terminator itself. > > See also James' python demo script for injection which adds a NUL: > > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg03691.html Which makes all of this unnecessary. The disk protector API takes a pointer and a length, so no longer needs to call grub_strlen on the data. Thus if we don't need backwards compatibility (or older versions of grub have the disk protector API backported), the trailing NULL can be removed. The patch here: https://lists.gnu.org/archive/html/grub-devel/2022-02/msg00065.html Still has the grub_strlen, but it's now in the patch series not grub itself so it could be eliminated by expanding the get API to retrieve the length as well as the secret. James