Re: [PATCH v4 1/1] KVM: Introduce KVM_EXIT_SNP_REQ_CERTS for SNP certificate-fetching

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On 20/01/2025 21:58, Melody Wang wrote:
From: Michael Roth <michael.roth@xxxxxxx>

For SEV-SNP, the host can optionally provide a certificate table to the
guest when it issues an attestation request to firmware (see GHCB 2.0
specification regarding "SNP Extended Guest Requests"). This certificate
table can then be used to verify the endorsement key used by firmware to
sign the attestation report.

While it is possible for guests to obtain the certificates through other
means, handling it via the host provides more flexibility in being able
to keep the certificate data in sync with the endorsement key throughout
host-side operations that might resulting in the endorsement key

In the case of KVM, userspace will be responsible for fetching the
certificate table and keeping it in sync with any modifications to the
endorsement key by other userspace management tools. Define a new
KVM_EXIT_SNP_REQ_CERTS event where userspace is provided with the GPA of
the buffer the guest has provided as part of the attestation request so
that userspace can write the certificate data into it while relying on
filesystem-based locking to keep the certificates up-to-date relative to
the endorsement keys installed/utilized by firmware at the time the
certificates are fetched.

Also introduce a KVM_CAP_EXIT_SNP_REQ_CERTS capability to enable/disable
the exit for cases where userspace does not support
certificate-fetching, in which case KVM will fall back to returning an
empty certificate table if the guest provides a buffer for it.

   [Melody: Update the documentation scheme about how file locking is
   expected to happen.]

Signed-off-by: Michael Roth <michael.roth@xxxxxxx>
Signed-off-by: Melody Wang <>

Reviewed-by: Liam Merwick <liam.merwick@xxxxxxxxxx>

  Documentation/virt/kvm/api.rst  | 106 ++++++++++++++++++++++++++++++++
  arch/x86/include/asm/kvm_host.h |   1 +
  arch/x86/kvm/svm/sev.c          |  43 +++++++++++--
  arch/x86/kvm/x86.c              |  11 ++++
  include/uapi/linux/kvm.h        |  10 +++
  include/uapi/linux/sev-guest.h  |   8 +++
  6 files changed, 173 insertions(+), 6 deletions(-)

[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux