On 01/09/2021 0:11, Brijesh Singh wrote:
>
>
> On 8/31/21 3:22 PM, Dov Murik wrote:
>> Hi Brijesh,
>>
>> On 20/08/2021 18:19, Brijesh Singh wrote:
>>> Version 2 of GHCB specification defines NAE to get the extended guest
>>> request. It is similar to the SNP_GET_REPORT ioctl. The main difference
>>> is related to the additional data that can be returned. The additional
>>> data returned is a certificate blob that can be used by the SNP guest
>>> user.
>>
>> It seems like the SNP_GET_EXT_REPORT ioctl does everything that the
>> SNP_GET_REPORT ioctl does, and more. Why expose SNP_GET_REPORT to
>> userspace at all?
>>
>>
>
> Since both of these options are provided by the GHCB protocol, I
> exposed them. It's possible that some applications may not care about the
> extended certificate blob. And in those cases, if the hypervisor is
> programmed with the extended certificate blob and the caller does not supply
> enough pages to copy the blob, then the command should fail.
> This will enforce a new requirement on that guest application to
> allocate extra memory. e.g.:
>
> 1. Hypervisor is programmed with a system wide certificate blob using
> the SNP_SET_EXT_CONFIG ioctl().
>
> 2. Guest wants to get the report but does not care about the certificate
> blob.
>
> 3. Guest issues an extended guest report with npages = 0. The command
> will fail with invalid length and the number of pages will be returned in
> the response.
>
> 4. Guest will not need to allocate memory to hold the certificate and
> reissue the command.
>
> The #4 is unnecessary for a guest which does not want to get. In this
> case, a guest can simply call the attestation report without asking for
> the certificate blob. Please see the GHCB spec for more details.
>

OK. Originally I thought that by passing certs_address=NULL and
certs_len=0 the user program can say "I don't want this extra data"; but
now I understand that this will return an error (invalid length) with
the number of pages needed.

-Dov
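The probe-then-reissue flow Brijesh lays out in steps 1 to 4, as an added C illustration that is not code from the patch series or the sev-guest driver: the hypervisor side is a constructed mock, and `ext_req`, `ERR_INVALID_LEN`, `mock_ext_guest_request` and `get_ext_report_with_retry` are hypothetical names rather than the driver's uapi.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096
/* Constructed stand-in for the "invalid length" failure the thread describes;
 * the real error code comes from the GHCB spec / driver uapi. */
#define ERR_INVALID_LEN (-1)

/* Hypothetical model of the extended guest request's arguments. */
struct ext_req {
    uint8_t *certs;      /* certificate buffer; NULL when npages == 0 */
    size_t   npages;     /* in: pages supplied; out: pages needed on failure */
    uint8_t  report[64]; /* stand-in for the attestation report */
};

/* Constructed hypervisor side (not a real ioctl): the host has been programmed
 * with a 2-page certificate blob, so a request supplying fewer pages fails
 * with "invalid length" and reports how many pages are needed. */
static const size_t host_cert_pages = 2;

static int mock_ext_guest_request(struct ext_req *req)
{
    if (req->npages < host_cert_pages) {
        req->npages = host_cert_pages;
        return ERR_INVALID_LEN;
    }
    memset(req->certs, 0xAB, host_cert_pages * PAGE_SIZE); /* fake certs */
    memset(req->report, 0x11, sizeof req->report);         /* fake report */
    return 0;
}

/* Two-step flow from the thread: probe with npages = 0, read back the page
 * count, allocate that many pages and reissue. Returns the number of requests
 * issued (1 or 2) or a negative value on failure; caller frees req->certs. */
int get_ext_report_with_retry(struct ext_req *req)
{
    int calls = 1;
    req->certs = NULL;
    req->npages = 0;
    int rc = mock_ext_guest_request(req);
    if (rc == ERR_INVALID_LEN) {          /* step 3: told how many pages */
        req->certs = calloc(req->npages, PAGE_SIZE);
        if (!req->certs) return -2;
        calls++;                          /* step 4: allocate and reissue */
        rc = mock_ext_guest_request(req);
    }
    if (rc) { free(req->certs); req->certs = NULL; return -1; }
    return calls;
}
```

A guest that does not want the blob would skip this entirely and issue the plain report request, which is the point Brijesh makes about keeping SNP_GET_REPORT.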