mirror of
https://github.com/libvirt/libvirt.git
synced 2025-02-25 18:55:26 -06:00
tools: load guest config from libvirt
Accept information about a connection to libvirt and a guest on the command line. Talk to libvirt to obtain the running guest state and automatically detect as much configuration as possible. It will refuse to use a libvirt connection that is thought to be local to the current machine, as running this tool on the hypervisor itself is not considered secure. This can be overridden using the --insecure flag. When querying the guest, it will also analyse the XML configuration in an attempt to detect any options that are liable to be mistakes. For example the NVRAM being measured should not have a persistent varstore. Reviewed-by: Cole Robinson <crobinso@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé
@@ -37,6 +37,12 @@ another virtual machine protected by AMD SEV that has already had its launch
|
||||
measurement validated. Running this program on the virtualization host will not
|
||||
produce an answer that can be trusted.
|
||||
|
||||
If told to connect to libvirt, it will refuse to use a libvirt connection that
|
||||
is local to the machine, since that cannot be trusted. For the sake of testing
|
||||
or demonstration purposes, however, it can be forced to run in this scenario
|
||||
using the ``--insecure`` flag. The result will, of course, still not be
|
||||
trustworthy.
|
||||
|
||||
OPTIONS
|
||||
=======
|
||||
|
||||
@@ -115,6 +121,43 @@ size, with the first 16 bytes containing the TEK and the last 16 bytes
|
||||
containing the TIK. This is mutually exclusive with the ``--tik`` and ``--tek``
|
||||
arguments.
|
||||
|
||||
Libvirt options
|
||||
---------------
|
||||
|
||||
These options are used when connecting to libvirt to automatically obtain
|
||||
state and configuration information about the domain to be attested.
|
||||
|
||||
``-c``, ``--connect URI``
|
||||
|
||||
Libvirt connection URI. For the validation to be trustworthy this must be a URI
|
||||
resolving to a remote virtualization host. This requirement can be overridden
|
||||
using the ``--insecure`` argument.
|
||||
|
||||
``-o``, ``--domain ID|NAME|UUID``
|
||||
|
||||
Domain ID, or domain name or domain UUID. Used to identify which libvirt domain
|
||||
is to have its launch measured. The domain must be running, and would usually
|
||||
have been started in a paused state, to allow validation to be performed before
|
||||
guest CPUs begin execution.
|
||||
|
||||
``-i``, ``--insecure``
|
||||
|
||||
Proceed even if usage scenario is known to be insecure. This allows the program
|
||||
to connect to a local libvirt hypervisor and rely on file content from the
|
||||
virtualization host. It also allows the validation to proceed even if the
|
||||
virtual machine CPUs are not in the initial paused state. The result of the
|
||||
validation must not be trusted.
|
||||
|
||||
``-g``, ``--ignore-config``
|
||||
|
||||
Do not attempt to sanity check the domain config. The default behaviour is to
|
||||
print out errors if identifying configuration elements in the guest XML that
|
||||
would invalidate the launch measurement. This can help the guest owner to
|
||||
understand any configuration mistakes that have been made. If the
|
||||
``--ignore-config`` argument is given, this sanity checking of configuration
|
||||
will be skipped. The result is that the validation will likely be reported as
|
||||
failed.
|
||||
|
||||
EXAMPLES
|
||||
========
|
||||
|
||||
@@ -139,6 +182,46 @@ Validate the measurement of a SEV guest booting from disk:
|
||||
--build-id 13 \
|
||||
--policy 3
|
||||
|
||||
Fetch from remote libvirt
|
||||
-------------------------
|
||||
|
||||
This scenario allows fetching certain data from a remote hypervisor via a
|
||||
connection to libvirt. It will aid in debugging by analysing the guest
|
||||
configuration and reporting anything that could invalidate the measurement
|
||||
of the guest. This usage model is considered secure, because the limited
|
||||
information obtained from the untrusted hypervisor cannot be used to change
|
||||
the result.
|
||||
|
||||
Validate the measurement of a SEV guest booting from disk:
|
||||
|
||||
::
|
||||
|
||||
# virt-qemu-sev-validate \
|
||||
--connect qemu+ssh://root@some.remote.host/system \
|
||||
--firmware OVMF.sev.fd \
|
||||
--tk this-guest-tk.bin \
|
||||
--domain fedora34x86_64
|
||||
|
||||
Fetch from local libvirt
|
||||
------------------------
|
||||
|
||||
This scenario allows fetching all data from the local hypervisor via a
|
||||
connection to libvirt. It is only to be used for the purpose of testing,
|
||||
debugging, or demonstrations, because running on the local hypervisor is not
|
||||
a secure scenario. To enable this usage, the ``--insecure`` flag must be
|
||||
specified. Given a pointer to the libvirt guest to validate, all information
|
||||
needed to perform a validation, except the TIK/TEK pair can be acquired
|
||||
automatically.
|
||||
|
||||
Validate the measurement of a SEV guest booting from disk:
|
||||
|
||||
::
|
||||
|
||||
# virt-qemu-sev-validate \
|
||||
--insecure \
|
||||
--tk this-guest-tk.bin \
|
||||
--domain fedora34x86_64
|
||||
|
||||
EXIT STATUS
|
||||
===========
|
||||
|
||||
@@ -158,7 +241,33 @@ be set:
|
||||
The way in which this program has been invoked prevent it from being able to
|
||||
validate the launch measurement.
|
||||
|
||||
* **3** - *unexpected error occurred in the code*
|
||||
* **3** - *Usage scenario is not secure*
|
||||
|
||||
The way in which this program has been invoked means that the result of any
|
||||
launch measurement validation will not be secure.
|
||||
|
||||
The program can be reinvoked with ``--insecure`` argument to force a
|
||||
validation, however, the results of this should not be trusted. This should
|
||||
only be used for testing, debugging or demonstration purposes, never in a
|
||||
production deployment.
|
||||
|
||||
* **4** - *Domain has incorrect configuration to be measured*
|
||||
|
||||
The way in which the guest has been configured prevent this program from being
|
||||
able to validate the launch measurement. Note that in general the guest
|
||||
configuration reported by the hypervisor is not trustworthy, so it is
|
||||
possible this error could be a false positive designed to cause a denial of
|
||||
service.
|
||||
|
||||
This program can be reinvoked with the ``--ignore-config`` argument to skip
|
||||
the sanity checks on the domain XML. This will likely result in it failing
|
||||
with an exit code of **1** indicating the measurement is invalid
|
||||
|
||||
* **5** - *Domain is in incorrect state to be measured*
|
||||
|
||||
The domain has to be running in order to validate a launch measurement.
|
||||
|
||||
* **6** - *unexpected error occurred in the code*
|
||||
|
||||
A logic flaw in this program means it is unable to complete the validation of
|
||||
the measurement. This is a bug which should be reported to the maintainers.
|
||||
|
||||
Reference in New Issue
Block a user