On 9/1/21 4:02 PM, Connor Kuehl wrote: > On 8/20/21 10:58 AM, Brijesh Singh wrote: >> +2.4 SNP_SET_EXT_CONFIG >> +---------------------- >> +:Technology: sev-snp >> +:Type: hypervisor ioctl cmd >> +:Parameters (in): struct sev_data_snp_ext_config >> +:Returns (out): 0 on success, -negative on error >> + >> +The SNP_SET_EXT_CONFIG is used to set the system-wide configuration such as >> +reported TCB version in the attestation report. The command is similar to >> +SNP_CONFIG command defined in the SEV-SNP spec. The main difference is the >> +command also accepts an additional certificate blob defined in the GHCB >> +specification. >> + >> +If the certs_address is zero, then previous certificate blob will deleted. >> +For more information on the certificate blob layout, see the GHCB spec >> +(extended guest request message). > Hi Brijesh, > > Just to be clear, is the documentation you're referring to regarding the > layout of the certificate blob specified on page 47 of the GHCB spec? > More specifically, is it the `struct cert_table` on that page? Yes that is correct. > > https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.amd.com%2Fwp-content%2Fresources%2F56421.pdf&data=04%7C01%7Cbrijesh.singh%40amd.com%7C62df2fe1cb384de88ed708d96d8bda20%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637661270135555480%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=V4S8atM%2BTlZ%2BiIlddRjpTNIx4yecGEoETuFVjeNWWNQ%3D&reserved=0 > > If so, where is the VCEK certificate layout documented? You can get the VCEK from the KDS using the chip id. The certificate is standard X.509. thanks > > Connor > >> +/** >> + * struct sev_data_snp_ext_config - system wide configuration value for SNP. >> + * >> + * @config_address: address of the struct sev_user_data_snp_config or 0 when >> + * reported_tcb does not need to be updated. 
>> + * @certs_address: address of extended guest request certificate chain or >> + * 0 when previous certificate should be removed on SNP_SET_EXT_CONFIG. >> + * @certs_len: length of the certs >> + */ >> +struct sev_user_data_ext_snp_config { >> + __u64 config_address; /* In */ >> + __u64 certs_address; /* In */ >> + __u32 certs_len; /* In */ >> +};
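Review bot: The SNP_SET_EXT_CONFIG documentation text covers only one of the two zero cases. It says what a zero certs_address does ("previous certificate blob will deleted", which should read "will be deleted"), but the fact that a zero config_address leaves reported_tcb unchanged is stated only in the header comment. Please add that sentence here, and say what certs_len is expected to be when certs_address is zero. The ":Parameters (in):" line also names struct sev_data_snp_ext_config, while the header declares struct sev_user_data_ext_snp_config; the two should agree.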
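Review bot: In the header hunk, the kernel-doc title reads "struct sev_data_snp_ext_config" but the declaration that follows is "struct sev_user_data_ext_snp_config", so the comment describes a name that does not exist in this patch; use one name in both places. The layout is two __u64 fields followed by a single __u32, with no explicit padding field or packing attribute in the lines shown, which leaves the trailing bytes and the total size to the compiler for a structure shared with userspace; an explicit reserved field or a packed attribute would pin the layout. The "@certs_len: length of the certs" line should state the unit and any upper bound the driver enforces on the blob.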