On Wed, Mar 20, 2024 at 03:39:28AM -0500, Michael Roth wrote:
> For SEV-SNP guests, launch measurement is queried from within the guest
> during attestation, so don't attempt to return it as part of
> query-sev-launch-measure.
>
> Signed-off-by: Michael Roth <michael.roth@xxxxxxx>
> ---
> target/i386/sev.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/target/i386/sev.c b/target/i386/sev.c
> index b03d70a3d1..0c8e4bdb4c 100644
> --- a/target/i386/sev.c
> +++ b/target/i386/sev.c
> @@ -803,7 +803,9 @@ sev_launch_get_measure(Notifier *notifier, void *unused)
>
> static char *sev_get_launch_measurement(void)
> {
> - SevGuestState *sev_guest = SEV_GUEST(MACHINE(qdev_get_machine())->cgs);
> + ConfidentialGuestSupport *cgs = MACHINE(qdev_get_machine())->cgs;
> + SevGuestState *sev_guest =
> + (SevGuestState *)object_dynamic_cast(OBJECT(cgs), TYPE_SEV_GUEST);
>
> if (sev_guest &&
> SEV_COMMON(sev_guest)->state >= SEV_STATE_LAUNCH_SECRET) {
The QAPI docs for query-sev-launch-measurement should be updated
to reflect that this command is only valid to call for SEV/SEV-ES,
not SNP.
The error reoprting in qmp_query_sev_launch_measure leaves a little
to be desired just giving a generic message
"SEV launch measurement is not available"
I think that this sev_get_launch_measurement method should report
a more fine grained error, to distinguish
* Unavailable because we're not a SEV/SEV-ES guest
* Unavailable because the guest hasn't reached launch state
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
