Re: Qeustion about how to use domsetlaunchsecstate command correctly.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Fri, Oct 14, 2022 at 11:11:08AM +0800, 贺培轩 wrote:
> Hello,
>       I'm new to libvirt. I have tried to launch a sev vm with secret
> injection recently, and I found the command domsetlaunchsecstate is what I
> need. But I had some problem to make it work. Here is what I did to use
> this command.
> 1. run command: virsh create sev-guest.xml
> 2. create secret header file and secret file.
> 3. run command: virsh domsetlaunchsecstate sev-guest-1
> --secrethdr <hdr-filename> --secret <secret-filename> .
> But it will report this error: SEV: not in correct state.
> I think it is because the vm is not in a paused state. So how can I launch
> a sev vm which is in a paused state? How should I revise my xml file?

Just pass the --paused flag, eg

  $ virsh create --paused sev-guest.xml

Note, that before injecting sectrets to the guest, you would want to
perform an attestation to validate the boot measurement is what is

The next release of libvirt is likley to include a script which
handles the attestation and can inject a secret when it succeeds:

See docs showing usage here:

This script is hardcoded to inject a LUKS disk secret, as defined
by the OVMF amdsev build flavour. I'm curious what kind of secret
you are wanting to inject, and whether our tool needs extending
to cope with other secrets besides the disk.

> The sev-guest.xml I use is as follows:
>  <domain type="kvm">
> <name>sev-guest-1</name>
> <uuid>d50a4205-40e0-4482-b0dc-f26bb4a1a9ff</uuid>
> <metadata>
> <libosinfo:libosinfo xmlns:libosinfo="
> <libosinfo:os id=""/>
> </libosinfo:libosinfo>
> </metadata>
> <memory>4194304</memory>
> <currentMemory>4194304</currentMemory>
> <memtune>
> <hard_limit>4563402</hard_limit>
> </memtune>
> <vcpu>32</vcpu>
> <cpu mode='custom' match='exact' check='partial'>
> <model fallback='forbid'>EPYC</model>
> </cpu>
> <os>
> <type arch="x86_64" machine="q35">hvm</type>
> <loader readonly="yes" type="pflash">/data01/OVMF.fd</loader>
> <nvram
> template="/data01/OVMF.fd">/var/lib/libvirt/qemu/nvram/sev-guest-1_VARS.fd</nvram>

For use with SEV, if you want to perform attestation prior
to injecting a disk secret, then use of a  stateless
firmware (ie no NVRAM) is strongly recommended, otherwise
the NVRAM can be used to undermine the integrity of the
guest from a malicious host.

With regards,
|:      -o- :|
|:         -o-   :|
|:    -o- :|

[Index of Archives]     [Virt Tools]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux