2030435 – Libvirt does not report SEV metadata needed to calculate guest measurement

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2030435 - Libvirt does not report SEV metadata needed to calculate guest measurement

Summary: Libvirt does not report SEV metadata needed to calculate guest measurement

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Deadline:	2022-01-31
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	8.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Berrangé
QA Contact:	Luyao Huang
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-12-08 18:50 UTC by Daniel Berrangé
Modified:	2022-05-10 13:37 UTC (History)
CC List:	5 users (show)
Fixed In Version:	libvirt-8.0.0-1.module+el8.6.0+13888+55157bfb
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-05-10 13:24:21 UTC
Type:	Bug
Target Upstream Version:	8.0.0
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-105185	0	None	None	None	2021-12-08 18:53:58 UTC
Red Hat Product Errata	RHSA-2022:1759	0	None	None	None	2022-05-10 13:25:03 UTC

Description Daniel Berrangé 2021-12-08 18:50:41 UTC

Description of problem:
The virDomainGetLaunchSecurityInfo API currently reports a 'sev-measurement' string which is a measurement of the initial guest state.

A user of libvirt wishing to validate the state of the guest needs to calculate an expected measurement, and compare it to this actual measurement.

Per the AMD SEV API docs, section 6.5, the measurement is calculate with

    measurement = HMAC(0x04 || API_MAJOR || API_MINOR || BUILD ||
                     GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK)

The API_MAJOR, API_MINOR and BUILD values are exposed by QEMU in 'query-sev' but are not made available from libvirt.

These need to be exposed by virDomainGetLaunchSecurityInfo alongside the measurement to enable the user to calculate an expected measurement. 

Addressed by these patches

https://listman.redhat.com/archives/libvir-list/2021-December/msg00232.html
https://listman.redhat.com/archives/libvir-list/2021-December/msg00234.html
https://listman.redhat.com/archives/libvir-list/2021-December/msg00235.html

Version-Release number of selected component (if applicable):
7.10.0

Comment 1 Peter Krempa 2022-01-19 12:10:58 UTC

The aforementioned patches were pushed upstream as of: 

commit 719bb0bf23709bcbd007a65a9304dadd7e6bbeba
Author: Daniel P. Berrangé <berrange>
Date:   Wed Dec 8 08:28:48 2021 -0500

    tools: add 'nodesevinfo' virsh command
    
    While some SEV info is reported in the domain capabilities,
    for reasons of size, this excludes the certificates. The
    nodesevinfo command provides the full set of information.
    
    Reviewed-by: Peter Krempa <pkrempa>
    Signed-off-by: Daniel P. Berrangé <berrange>

commit ac79e9ff5cb362cd7e801647ac17ef80f8055b2c
Author: Daniel P. Berrangé <berrange>
Date:   Wed Dec 8 07:53:00 2021 -0500

    tools: add 'domlaunchsecinfo' virsh command
    
    This command reports the launch security parameters for
    a guest, allowing an external tool to perform a launch
    attestation.
    
    Reviewed-by: Peter Krempa <pkrempa>
    Signed-off-by: Daniel P. Berrangé <berrange>

commit 8c071180cfcdff690bff40c15aca5386598c45ad
Author: Daniel P. Berrangé <berrange>
Date:   Wed Dec 8 07:52:33 2021 -0500

    qemu: report new launch security parameters
    
    Report extra info about the SEV setup, returning those fields
    that are required to calculate the expected launch measurement
    
     HMAC(0x04 || API_MAJOR || API_MINOR || BUILD ||
          GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK)
    
    specified in section 6.5.1 of AMD Secure Encrypted
    Virtualization API.
    
    Reviewed-by: Peter Krempa <pkrempa>
    Signed-off-by: Daniel P. Berrangé <berrange>

commit cc9679ef1452596e2509c0923d5d398fb25c176c
Author: Daniel P. Berrangé <berrange>
Date:   Wed Dec 8 07:05:44 2021 -0500

    qemu: add monitor APIs for query-sev
    
    We're only returning the set of fields needed to perform an
    attestation, per the SEV API docs.
    
    Reviewed-by: Peter Krempa <pkrempa>
    Signed-off-by: Daniel P. Berrangé <berrange>

commit 5842163910e8b8d320a896d9485b321d553bad3f
Author: Daniel P. Berrangé <berrange>
Date:   Wed Dec 8 07:51:43 2021 -0500

    qemu: report error querying launch params for inactive guest
    
    Querying launch params on a inactive guest currently triggers
    a warning about the monitor being NULL.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=2030437
    
    Reviewed-by: Peter Krempa <pkrempa>
    Signed-off-by: Daniel P. Berrangé <berrange>

commit 36fa504dd75ba2e3c675e7c9257ca99a6b28d998
Author: Daniel P. Berrangé <berrange>
Date:   Wed Dec 8 07:50:24 2021 -0500

    include: add new launch security parameters
    
    Three more parameters are required in order that clients can
    perform a launch attestation on the SEV guest.
    
    Reviewed-by: Peter Krempa <pkrempa>
    Signed-off-by: Daniel P. Berrangé <berrange>

v7.10.0-303-g719bb0bf23

Comment 4 Luyao Huang 2022-01-24 09:00:39 UTC

Verify this bug with libvirt-daemon-8.0.0-1.module+el8.6.0+13888+55157bfb.x86_64:

S1: test nodesevinfo command

1. check help document

# virsh nodesevinfo --help
  NAME
    nodesevinfo - node SEV information

  SYNOPSIS
    nodesevinfo

  DESCRIPTION
    Returns basic SEV information about the node.

2. check virsh man:

   nodesevinfo
       Syntax:

          nodesevinfo

       Reports information about the AMD SEV launch security features for the node, if any. Some of this information is also reported in the domain  capa‐
       bilities XML document.

3. test readonly mode:

# virsh -r nodesevinfo
error: Unable to get host SEV information
error: operation forbidden: read only access prevents virNodeGetSEVInfo

4. install sev-tool and create pdh.cert and cert_chain.cert

5. verify the output data of nodesevinfo

# virsh nodesevinfo
pdh               : AQAA....AAA=
cert-chain        : AQAAA...AAAA
cbitpos           : 51
reduced-phys-bits : 1
max-guests        : 508
max-es-guests     : 1

# base64 sev_certs/pdh.cert
AQAA....AAA=   <=== match pdh in nodesevinfo

# base64 sev_certs/cert_chain.cert
AQAAA...AAAA   <=== match cert-chain in ndoesevinfo

# dmesg |grep SEV
[ 1896.000535] SEV supported: 508 ASIDs    <=== match max-guests
[ 1896.004122] SEV-ES supported: 1 ASIDs   <=== match max-es-guests


S2: test domlaunchsecinfo command

1. check help document
# virsh domlaunchsecinfo --help
  NAME
    domlaunchsecinfo - Get domain launch security info

  SYNOPSIS
    domlaunchsecinfo <domain>

  DESCRIPTION
    Get the launch security parameters for a guest domain

  OPTIONS
    [--domain] <string>  domain name, id or uuid

2. check virsh man:

   domlaunchsecinfo
       Syntax:

          domlaunchsecinfo domain

       Returns information about the launch security parameters associated with a running domain.

       The set of parameters reported will vary depending on which type of launch security protection is active. If none is active, no parameters will  be
       reported.

3. test readonly mode:


# virsh -r domlaunchsecinfo vm1
error: Unable to get launch security parameters
error: operation forbidden: read only access prevents virDomainGetLaunchSecurityInfo

4. install sev-tool

5. verify the output data of domlaunchsecinfo

# virsh domlaunchsecinfo vm1
sev-measurement: fTeI90mv0mxkTO0pmlW2aRJ06r+76SvMDz7ljFWg4bkzvWcPuS4aGehuDFGO9F/m
sev-api-major  : 1
sev-api-minor  : 42
sev-build-id   : 42
sev-policy     : 7

# virsh qemu-monitor-command vm1 '{"execute": "query-sev-launch-measure"}' --pretty
{
  "return": {
    "data": "fTeI90mv0mxkTO0pmlW2aRJ06r+76SvMDz7ljFWg4bkzvWcPuS4aGehuDFGO9F/m"  <== match sev-measurement in domlaunchsecinfo
  },
  "id": "libvirt-410"
}

# ./src/sevtool --platform_status
api_major:	1    <== match sev-api-major in domlaunchsecinfo
api_minor:	42   <== match sev-api-minor in domlaunchsecinfo
platform_state:	2
owner:		0
config:		1
build:		42   <== match sev-build-id in domlaunchsecinfo
guest_count:	1

# virsh dumpxml vm1

  <launchSecurity type='sev'>
    <cbitpos>51</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
    <policy>0x0007</policy>   <== match sev-policy in domlaunchsecinfo
  </launchSecurity>


S3: use domlaunchsecinfo get an inactive guest sev info

# virsh  domlaunchsecinfo vm1
error: Unable to get launch security parameters
error: Requested operation is not valid: domain is not running

Comment 6 errata-xmlrpc 2022-05-10 13:24:21 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1759

Note You need to log in before you can comment on or make changes to this bug.