On 4/29/21 12:07 PM, Brijesh Singh wrote: > The SEV FW >= 0.23 added a new command that can be used to query the > attestation report containing the SHA-256 digest of the guest memory > and VMSA encrypted with the LAUNCH_UPDATE and sign it with the PEK. > > Note, we already have a command (LAUNCH_MEASURE) that can be used to > query the SHA-256 digest of the guest memory encrypted through the > LAUNCH_UPDATE. The main difference between previous and this command > is that the report is signed with the PEK and unlike the LAUNCH_MEASURE > command the ATTESATION_REPORT command can be called while the guest typo: 'ATTESATION_REPORT' > is running. > > Add a QMP interface "query-sev-attestation-report" that can be used > to get the report encoded in base64. > > Cc: James Bottomley <jejb@xxxxxxxxxxxxx> > Cc: Tom Lendacky <Thomas.Lendacky@xxxxxxx> > Cc: Eric Blake <eblake@xxxxxxxxxx> > Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx> > Cc: kvm@xxxxxxxxxxxxxxx > Reviewed-by: James Bottomley <jejb@xxxxxxxxxxxxx> > Tested-by: James Bottomley <jejb@xxxxxxxxxxxxx> > Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx> Looks good to me! Reviewed-by: Connor Kuehl <ckuehl@xxxxxxxxxx>
