* Tyler Fanelli (tfane...@redhat.com) wrote:
> Hi,
>
> We recently discussed a way for remote SEV guest attestation through QEMU.
> My initial approach was to get data needed for attestation through different
> QMP commands (all of which are already available, so no changes required
> there), deriving hashes and certificate data; and collecting all of this
> into a new QMP struct (SevLaunchStart, which would include the VM's policy,
> secret, and GPA) which would need to be upstreamed into QEMU. Once this is
> provided, QEMU would then need to have support for attestation before a VM
> is started. Upon speaking to Dave about this proposal, he mentioned that
> this may not be the best approach, as some situations would render the
> attestation unavailable, such as the instance where a VM is running in a
> cloud, and a guest owner would like to perform attestation via QMP (a likely
> scenario), yet a cloud provider cannot simply let anyone pass arbitrary QMP
> commands, as this could be an issue.
>
> So I ask, does anyone involved in QEMU's SEV implementation have any input
> on a quality way to perform guest attestation? If so, I'd be interested.
> Thanks.
QMP is the right way to talk to QEMU; the question is whether something sits
between qemu and the attestation program - e.g. libvirt or possibly
subsequently something even higher level.

Can we start by you putting down what your interfaces look like at the moment?

Dave

>
> Tyler.
>
> --
> Tyler Fanelli (tfanelli)
>

--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK