On Fri, Oct 14, 2022 at 11:11:08AM +0800, 贺培轩 wrote: > Hello, > I'm new to libvirt. I have tried to launch a sev vm with secret > injection recently, and I found the command domsetlaunchsecstate is what I > need. But I had some problem to make it work. Here is what I did to use > this command. > 1. run command: virsh create sev-guest.xml > 2. create secret header file and secret file. > 3. run command: virsh domsetlaunchsecstate sev-guest-1 > --secrethdr <hdr-filename> --secret <secret-filename> . > But it will report this error: SEV: not in correct state. > I think it is because the vm is not in a paused state. So how can I launch > a sev vm which is in a paused state? How should I revise my xml file? Just pass the --paused flag, eg $ virsh create --paused sev-guest.xml Note, that before injecting sectrets to the guest, you would want to perform an attestation to validate the boot measurement is what is expected. https://listman.redhat.com/archives/libvir-list/2022-October/234729.html The next release of libvirt is likley to include a script which handles the attestation and can inject a secret when it succeeds: https://gitlab.com/berrange/libvirt/-/blob/lgtm-vm/tools/virt-qemu-sev-validate See docs showing usage here: https://gitlab.com/berrange/libvirt/-/blob/lgtm-vm/docs/manpages/virt-qemu-sev-validate.rst#examples This script is hardcoded to inject a LUKS disk secret, as defined by the OVMF amdsev build flavour. I'm curious what kind of secret you are wanting to inject, and whether our tool needs extending to cope with other secrets besides the disk. > The sev-guest.xml I use is as follows: > <domain type="kvm"> > <name>sev-guest-1</name> > <uuid>d50a4205-40e0-4482-b0dc-f26bb4a1a9ff</uuid> > <metadata> > <libosinfo:libosinfo xmlns:libosinfo=" > http://libosinfo.org/xmlns/libvirt/domain/1.0";> > <libosinfo:os id="http://ubuntu.com/ubuntu/16.04"/> > </libosinfo:libosinfo> > </metadata> > <memory>4194304</memory> > <currentMemory>4194304</currentMemory> > <memtune> > <hard_limit>4563402</hard_limit> > </memtune> > <vcpu>32</vcpu> > <cpu mode='custom' match='exact' check='partial'> > <model fallback='forbid'>EPYC</model> > </cpu> > <os> > <type arch="x86_64" machine="q35">hvm</type> > <loader readonly="yes" type="pflash">/data01/OVMF.fd</loader> > <nvram > template="/data01/OVMF.fd">/var/lib/libvirt/qemu/nvram/sev-guest-1_VARS.fd</nvram> For use with SEV, if you want to perform attestation prior to injecting a disk secret, then use of a stateless firmware (ie no NVRAM) is strongly recommended, otherwise the NVRAM can be used to undermine the integrity of the guest from a malicious host. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
