On Wed, Oct 26, 2022 at 03:47:12PM +0300, Dov Murik wrote:
>
>
> On 19/10/2022 13:17, berrange at redhat.com (Daniel P. Berrangé) wrote:
> > It is possible to build OVMF for SEV with an embedded Grub that can
> > fetch LUKS disk secrets. This adds support for injecting secrets in
> > the required format.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> > ---
> >  docs/manpages/virt-qemu-sev-validate.rst |  66 ++++++++++
> >  tools/virt-qemu-sev-validate             | 156 +++++++++++++++++++++--
> >  2 files changed, 213 insertions(+), 9 deletions(-)
> >
> > diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst
> > index fcc13d68c8..7542bea9aa 100644
> > --- a/docs/manpages/virt-qemu-sev-validate.rst
> > +++ b/docs/manpages/virt-qemu-sev-validate.rst
> > @@ -187,6 +187,29 @@ understand any configuration mistakes that have been made. If the
> >  will be skipped. The result is that the validation will likely be reported as
> >  failed.
> >
> > +Secret injection options
> > +------------------------
> > +
> > +These options provide a way to inject a secret if validation of the
> > +launch measurement passes.
> > +
> > +``--disk-password PATH``
> > +
> > +Path to a file containing the password to use to unlock the LUKS container
> > +for the guest disk.
>
> Maybe add an option to add custom secret entries:
>
>   --add-secret-entry GUID:PATH
>
> ?

Yeah, I was just thinking the same. I'll respin with --disk-password
removed, and instead allow

  --inject GUID:PATH
  --inject NAME:PATH

where 'NAME' can refer to any well known GUIDs, so most of the time in
the common case people can do:

  --inject luks-key:/some/path

instead of

  --inject IMPOSSIBLE-TO-RMEMBER-UUID:/some/path

and of course allow --inject multiple times too.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|
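Review bot: the new ``--disk-password PATH`` text in the @@ -187,6 +187,29 @@ hunk says what the file holds but not how the tool consumes it: whether the file content is injected verbatim (trailing newline included) and which secret-table entry it becomes. The commit message also makes clear this only works with an OVMF built with the embedded Grub that fetches LUKS secrets, so the option text should state that prerequisite rather than leaving the reader to infer it from the hunk's "if validation of the launch measurement passes" sentence.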
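The `--inject GUID:PATH` / `--inject NAME:PATH` interface sketched in the reply, as an added example that is not part of the original thread or of virt-qemu-sev-validate itself: it resolves well-known names, rejects anything that is neither a known name nor a syntactically valid GUID (so a mistyped GUID cannot silently become a new secret entry), and refuses duplicate GUIDs across repeated `--inject` uses. The GUID mapped to `luks-key` is a placeholder, not the real well-known value.

```python
import argparse
import uuid
from pathlib import Path

# Placeholder GUID for the well-known "luks-key" name. This is NOT the real
# value; the actual table would come from the secret format the tool implements.
WELL_KNOWN_GUIDS = {
    "luks-key": "11111111-2222-3333-4444-555555555555",
}


def parse_inject_spec(spec, known=WELL_KNOWN_GUIDS):
    """Turn one --inject value (GUID:PATH or NAME:PATH) into (guid, path).

    A well-known name is resolved through the table; anything else must parse
    as a GUID, and is normalised to lowercase hyphenated form for comparison.
    """
    key, sep, path = spec.partition(":")
    if not sep or not key or not path:
        raise ValueError(f"--inject expects GUID:PATH or NAME:PATH, got {spec!r}")
    if key.lower() in known:
        return known[key.lower()], path
    try:
        return str(uuid.UUID(key)), path
    except ValueError:
        raise ValueError(f"{key!r} is neither a well-known name nor a GUID") from None


def collect_secrets(specs, read_file=lambda p: Path(p).read_bytes()):
    """Resolve every --inject occurrence into {guid: secret bytes}.

    The same GUID given twice (directly or via its alias) is an error rather
    than a silent overwrite, since the guest would otherwise receive whichever
    file happened to be listed last.
    """
    secrets = {}
    for spec in specs:
        guid, path = parse_inject_spec(spec)
        if guid in secrets:
            raise ValueError(f"GUID {guid} given more than once")
        secrets[guid] = read_file(path)
    return secrets


def build_parser():
    # action="append" is what lets --inject be repeated on the command line.
    parser = argparse.ArgumentParser()
    parser.add_argument("--inject", action="append", default=[],
                        metavar="GUID:PATH|NAME:PATH")
    return parser
```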