1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
|
======================
virt-qemu-sev-validate
======================
--------------------------------------------
validate a domain AMD SEV launch measurement
--------------------------------------------
:Manual section: 1
:Manual group: Virtualization Support
.. contents::
SYNOPSIS
========
``virt-qemu-sev-validate`` [*OPTIONS*]
DESCRIPTION
===========
This program validates the reported measurement for a domain launched with AMD
SEV. If the program exits with a status of zero, the guest owner can be
confident that their guest OS is running under the protection offered by the
SEV / SEV-ES platform.
Note that the level of protection varies depending on the AMD SEV platform
generation and describing the differences is outside the scope of this
document.
For the results of this program to be considered trustworthy, it is required to
be run on a machine that is already trusted by the guest owner. This could be a
machine that the guest owner has direct physical control over, or it could be
another virtual machine protected by AMD SEV that has already had its launch
measurement validated. Running this program on the virtualization host will not
produce an answer that can be trusted.
If told to connect to libvirt, it will refuse to use a libvirt connection that
is local to the machine, since that cannot be trusted. For the sake of testing
or demonstration purposes, however, it can be forced to run in this scenario
using the ``--insecure`` flag. The result will, of course, still not be
trustworthy.
OPTIONS
=======
Common options
--------------
``-h``, ``--help``
Display command line help usage then exit.
``-d``, ``--debug``
Show debug information while running
``-q``, ``--quiet``
Don't print information about the attestation result.
Guest state options
-------------------
These options provide information about the state of the guest that needs its
boot attested.
``--measurement BASE64-STRING``
The launch measurement reported by the hypervisor of the domain to be validated.
The measurement must be 48 bytes of binary data encoded as a base64 string.
``--api-major VERSION``
The SEV API major version of the hypervisor the domain is running on.
``--api-minor VERSION``
The SEV API major version of the hypervisor the domain is running on.
``--build-id ID``
The SEV build ID of the hypervisor the domain is running on.
``--policy POLiCY``
The policy bitmask associated with the session launch data of the domain to be
validated.
Guest config options
--------------------
These options provide items needed to calculate the expected domain launch
measurement. This will then be compared to the reported launch measurement.
``-f PATH``, ``--firmware=PATH``
Path to the firmware loader binary. This is the EDK2 build that knows how to
initialize AMD SEV. For the validation to be trustworthy it important that the
firmware build used has no support for loading non-volatile variables from
NVRAM, even if NVRAM is expose to the guest.
``-k PATH``, ``--kernel=PATH``
Path to the kernel binary if doing direct kernel boot.
``-r PATH``, ``--initrd=PATH``
Path to the initrd binary if doing direct kernel boot. Defaults to zero length
content if omitted.
``-e STRING``, ``--cmdline=STRING``
String containing any kernel command line parameters used during boot of the
domain. Defaults to the empty string if omitted.
``-n COUNT``, ``--num-cpus=COUNT``
The number of virtual CPUs for the domain. This is required when the
domain policy is set to require SEV-ES.
``-0 PATH``, ``--vmsa-cpu0=PATH``
Path to the VMSA initial state for the boot CPU. This is required when
the domain policy is set to require SEV-ES. The file contents must be
exactly 4096 bytes in length.
``-1 PATH``, ``--vmsa-cpu1=PATH``
Path to the VMSA initial state for the non-boot CPU. This is required when
the domain policy is set to require SEV-ES and the domain has more than one
CPU present. The file contents must be exactly 4096 bytes in length.
``--tik PATH``
TIK file for domain. This file must be exactly 16 bytes in size and contains the
unique transport integrity key associated with the domain session launch data.
This is mutually exclusive with the ``--tk`` argument.
``--tek PATH``
TEK file for domain. This file must be exactly 16 bytes in size and contains the
unique transport encryption key associated with the domain session launch data.
This is mutually exclusive with the ``--tk`` argument.
``--tk PATH``
TEK/TIK combined file for the domain. This file must be exactly 32 bytes in
size, with the first 16 bytes containing the TEK and the last 16 bytes
containing the TIK. This is mutually exclusive with the ``--tik`` and ``--tek``
arguments.
Libvirt options
---------------
These options are used when connecting to libvirt to automatically obtain
state and configuration information about the domain to be attested.
``-c``, ``--connect URI``
Libvirt connection URI. For the validation to be trustworthy this must be a URI
resolving to a remote virtualization host. This requirement can be overridden
using the ``--insecure`` argument.
``-o``, ``--domain ID|NAME|UUID``
Domain ID, or domain name or domain UUID. Used to identify which libvirt domain
is to have its launch measured. The domain must be running, and would usually
have been started in a paused state, to allow validation to be performed before
guest CPUs begin execution.
``-i``, ``--insecure``
Proceed even if usage scenario is known to be insecure. This allows the program
to connect to a local libvirt hypervisor and rely on file content from the
virtualization host. It also allows the validation to proceed even if the
virtual machine CPUs are not in the initial paused state. The result of the
validation must not be trusted.
``-g``, ``--ignore-config``
Do not attempt to sanity check the domain config. The default behaviour is to
print out errors if identifying configuration elements in the guest XML that
would invalidate the launch measurement. This can help the guest owner to
understand any configuration mistakes that have been made. If the
``--ignore-config`` argument is given, this sanity checking of configuration
will be skipped. The result is that the validation will likely be reported as
failed.
Secret injection options
------------------------
These options provide a way to inject a secret if validation of the
launch measurement passes.
``--inject-secret ALIAS-OR-GUID:PATH``
Path to a file containing a secret to inject into the guest OS. Typical
usage would be to supply a password for unlocking the root filesystem
full disk encryption. ``ALIAS`` can be one of the well known secrets:
* ``luks-key`` - bytes to use as a key for unlocking a LUKS key slot.
GUID of ``736869e5-84f0-4973-92ec-06879ce3da0b``.
Alternatively ``GUID`` refers to an arbitrary UUID of the callers
choosing. The contents of ``PATH`` are defined by the requirements
of the associated GUID, and will used as-is without modification.
In particular be aware:
* Avoid unwanted trailing newline characters in ``PATH`` unless
mandated by the ``GUID``.
* Any trailing ``NUL`` byte must be explicitly included in ``PATH``
if mandated by the ``GUID``.
This argument can be repeated multiple times, provided a different
``GUID`` is given for each instance.
``--secret-header PATH``
Path to a file in which the injected secret header will be written in base64
format and later injected into the domain. This is required if there is no
connection to libvirt, otherwise the secret will be directly injected.
``--secret-payload PATH``
Path to a file in which the injected secret payload will be written in base64
format and later injected into the domain. This is required if there is no
connection to libvirt, otherwise the secret will be directly injected.
EXAMPLES
========
Fully offline execution
-----------------------
This scenario allows a measurement to be securely validated in a completely
offline state without any connection to the hypervisor host. All required
data items must be provided as command line parameters. This usage model is
considered secure, because all input data is provided by the user.
Validate the measurement of a SEV guest booting from disk:
::
# virt-qemu-sev-validate \
--firmware OVMF.sev.fd \
--tk this-guest-tk.bin \
--measurement Zs2pf19ubFSafpZ2WKkwquXvACx9Wt/BV+eJwQ/taO8jhyIj/F8swFrybR1fZ2ID \
--api-major 0 \
--api-minor 24 \
--build-id 13 \
--policy 3
Validate the measurement of a SEV guest with direct kernel boot:
::
# virt-qemu-sev-validate \
--firmware OVMF.sev.fd \
--kernel vmlinuz-5.11.12 \
--initrd initramfs-5.11.12 \
--cmdline "root=/dev/vda1" \
--tk this-guest-tk.bin \
--measurement Zs2pf19ubFSafpZ2WKkwquXvACx9Wt/BV+eJwQ/taO8jhyIj/F8swFrybR1fZ2ID \
--api-major 0 \
--api-minor 24 \
--build-id 13 \
--policy 3
Validate the measurement of a SEV-ES SMP guest booting from disk:
::
# virt-qemu-sev-validate \
--firmware OVMF.sev.fd \
--num-cpus 2 \
--vmsa-cpu0 vmsa0.bin \
--vmsa-cpu1 vmsa1.bin \
--tk this-guest-tk.bin \
--measurement Zs2pf19ubFSafpZ2WKkwquXvACx9Wt/BV+eJwQ/taO8jhyIj/F8swFrybR1fZ2ID \
--api-major 0 \
--api-minor 24 \
--build-id 13 \
--policy 7
Validate the measurement of a SEV-ES SMP guest booting from disk, with
automatically constructed VMSA:
::
# virt-qemu-sev-validate \
--firmware OVMF.sev.fd \
--num-cpus 2 \
--cpu-family 23 \
--cpu-model 49 \
--cpu-stepping 0 \
--tk this-guest-tk.bin \
--measurement Zs2pf19ubFSafpZ2WKkwquXvACx9Wt/BV+eJwQ/taO8jhyIj/F8swFrybR1fZ2ID \
--api-major 0 \
--api-minor 24 \
--build-id 13 \
--policy 7
Validate the measurement of a SEV guest booting from disk and
inject a disk password on success:
::
# virt-qemu-sev-validate \
--firmware OVMF.sev.fd \
--tk this-guest-tk.bin \
--measurement Zs2pf19ubFSafpZ2WKkwquXvACx9Wt/BV+eJwQ/taO8jhyIj/F8swFrybR1fZ2ID \
--api-major 0 \
--api-minor 24 \
--build-id 13 \
--policy 3 \
--inject-secret 736869e5-84f0-4973-92ec-06879ce3da0b:passwd.txt \
--secret-header secret-header.b64 \
--secret-payload secret-payload.b64
The ``secret-header.b64`` and ``secret-payload.b64`` files can now be sent to
the virtualization host for injection.
Fetch from remote libvirt
-------------------------
This scenario allows fetching certain data from a remote hypervisor via a
connection to libvirt. It will aid in debugging by analysing the guest
configuration and reporting anything that could invalidate the measurement
of the guest. This usage model is considered secure, because the limited
information obtained from the untrusted hypervisor cannot be used to change
the result.
Validate the measurement of a SEV guest booting from disk:
::
# virt-qemu-sev-validate \
--connect qemu+ssh://root@some.remote.host/system \
--firmware OVMF.sev.fd \
--tk this-guest-tk.bin \
--domain fedora34x86_64
Validate the measurement of a SEV guest with direct kernel boot:
::
# virt-qemu-sev-validate \
--connect qemu+ssh://root@some.remote.host/system \
--firmware OVMF.sev.fd \
--kernel vmlinuz-5.11.12 \
--initrd initramfs-5.11.12 \
--cmdline "root=/dev/vda1" \
--tk this-guest-tk.bin \
--domain fedora34x86_64
Validate the measurement of a SEV-ES SMP guest booting from disk:
::
# virt-qemu-sev-validate \
--connect qemu+ssh://root@some.remote.host/system \
--firmware OVMF.sev.fd \
--num-cpus 2 \
--vmsa-cpu0 vmsa0.bin \
--vmsa-cpu1 vmsa1.bin \
--tk this-guest-tk.bin \
--domain fedora34x86_64
Validate the measurement of a SEV-ES SMP guest booting from disk, with
automatically constructed VMSA:
::
# virt-qemu-sev-validate \
--connect qemu+ssh://root@some.remote.host/system \
--firmware OVMF.sev.fd \
--cpu-family 23 \
--cpu-model 49 \
--cpu-stepping 0 \
--tk this-guest-tk.bin \
--domain fedora34x86_64
Validate the measurement of a SEV guest booting from disk and
inject a disk password on success:
::
# virt-qemu-sev-validate \
--connect qemu+ssh://root@some.remote.host/system \
--firmware OVMF.sev.fd \
--tk this-guest-tk.bin \
--domain fedora34x86_64 \
--inject-secret 736869e5-84f0-4973-92ec-06879ce3da0b:passwd.txt
Fetch from local libvirt
------------------------
This scenario allows fetching all data from the local hypervisor via a
connection to libvirt. It is only to be used for the purpose of testing,
debugging, or demonstrations, because running on the local hypervisor is not
a secure scenario. To enable this usage, the ``--insecure`` flag must be
specified. Given a pointer to the libvirt guest to validate, all information
needed to perform a validation, except the TIK/TEK pair can be acquired
automatically.
Validate the measurement of a SEV guest booting from disk:
::
# virt-qemu-sev-validate \
--insecure \
--tk this-guest-tk.bin \
--domain fedora34x86_64
Validate the measurement of a SEV guest with direct kernel boot:
::
# virt-qemu-sev-validate \
--insecure \
--tk this-guest-tk.bin \
--domain fedora34x86_64
Validate the measurement of a SEV-ES SMP guest booting from disk:
::
# virt-qemu-sev-validate \
--insecure \
--vmsa-cpu0 vmsa0.bin \
--vmsa-cpu1 vmsa1.bin \
--tk this-guest-tk.bin \
--domain fedora34x86_64
Validate the measurement of a SEV-ES SMP guest booting from disk, with
automatically constructed VMSA:
::
# virt-qemu-sev-validate \
--insecure \
--tk this-guest-tk.bin \
--domain fedora34x86_64
Validate the measurement of a SEV guest booting from disk and
inject a disk password on success:
::
# virt-qemu-sev-validate \
--insecure \
--tk this-guest-tk.bin \
--domain fedora34x86_64 \
--inject-secret 736869e5-84f0-4973-92ec-06879ce3da0b:passwd.txt
COMMON MISTAKES CHECKLIST
=========================
The complexity of configuring a guest and validating its boot measurement
means it is very likely to see the failure::
ERROR: Measurement does not match, VM is not trustworthy
This error message assumes the worst, but in most cases will failure will be
a result of either mis-configuring the guest, or passing the wrong information
when trying to validate it. The following information is a guide for what
items to check in order to stand the best chance of diagnosing the problem
* Check the VM configuration for the DH certificate and session
blob in the libvirt guest XML.
The content for these fields should be in base64 format, which is
what ``sevctl session`` generates. Other tools may generate the files
in binary format, so ensure it has been correctly converted to base64.
* Check the VM configuration policy value matches the session blob
The ``<policy>`` value in libvirt guest XML has to match the value
passed to the ``sevctl session`` command. If this is mismatched
then the guest will not even start, and QEMU will show an error
such as::
sev_launch_start: LAUNCH_START ret=1 fw_error=11 'Bad measurement'
* Check the correct TIK/TEK keypair are passed
The TIK/TEK keypair are uniquely tied to each DH cert and session
blob. Make sure that the TIK/TEK keypair passed to this program
the ones matched to the DH cert and session blob configured for
the libvirt guest XML. This is one of the most common mistakes.
Further ensure that the TIK and TEK files are not swapped.
* Check the firmware binary matches the one used to boot
The firmware binary content is part of the data covered by the
launch measurement. Ensure that the firmware binary passed to
this program matches the one used to launch the guest. The
hypervisor host will periodically get software updates which
introduce a new firmware binary version.
* Check the kernel, initrd and cmdline match the one used to boot
If the guest is configured to use direct kernel boot, check that
the kernel, initrd and cmdline passed to this program match the
ones used to boot the guest. In the kernel cmdline whitespace
must be preserved exactly, including any leading or trailing
spaces.
* Check whether the kernel hash measurement is enabled
The ``kernelHashes`` property in the libvirt guest XML controls
whether hashes of the kernel, initrd and cmdline content are
covered by the boot measurement. If enabled, then the matching
content must be passed to this program. UIf disabled, then
the content must **NOT** be passed.
* Check that the correct measurement hash is passed
The measurement hash includes a nonce, so it will be different
on every boot attempt. Thus when validating the measuremnt it
is important ensure the most recent measurement is used.
* Check the correct VMSA blobs / CPU SKU values for the host are used
The VMSA blobs provide the initial register state for the
boot CPU and any additional CPUs. One of the registers
encodes the CPU SKU (family, model, stepping) of the physical
host CPU. Make sure that the VMSA blob used for validation
is one that matches the SKU of the host the guest is booted
on. Passing the CPU SKU values directly to the tool can
reduce the likelihood of using the wrong ones.
* Check the CPU count is correct
When passing VMSA blobs for SEV-ES guests, the number of CPUs
present will influence the measurement result. Ensure that the
correct vCPU count is used corresponding to the guest boot
attempt.
Best practice is to run this tool in completely offline mode and pass
all information as explicit command line parameters. When debugging
failures, however, it can be useful to tell it to connect to libvirt
and fetch information. If connecting to a remote libvirt instance,
it will fetch any information that can be trusted, which is the basic
VM launch state data. It will also sanity check the XML configuration
to identify some common mistakes. If the ``--insecure`` flag is passed
it can extract some configuration information and use that for the
attestation process.
If the mistake still can't be identified, then this tool can be run
on the virtualization host. In that scenario the only three command
line parameters required are for the TIK, TEK and libvirt domain
name. It should be able to automatically determine all the other
information required. If it still reports a failure, this points
very strongly to the TIK/TEK pair not matching the configured
DH certificate and session blob.
The ``--debug`` flag will display hashes and/or hex dumps for various
pieces of information used in the attestation process. Comparing the
``--debug`` output from running on the hypervisor host, against that
obtained when running in offline mode can give further guidance to
which parameter is inconsistent.
As mentioned earlier in this document, bear in mind that in general
any attestation answers obtained from running on the hypervisor host
should not be trusted. So if a configuration mistake is identified
it is strongly recommended to re-run the attestation in offline mode
on a trusted machine.
EXIT STATUS
===========
Upon successful attestation of the launch measurement, an exit status of 0 will
be set.
Upon failure to attest the launch measurement one of the following codes will
be set:
* **1** - *Guest measurement did not validate*
Assuming the inputs to this program are correct, the virtual machine launch
has been compromised and it should not be trusted henceforth.
* **2** - *Usage scenario cannot be supported*
The way in which this program has been invoked prevent it from being able to
validate the launch measurement.
* **3** - *Usage scenario is not secure*
The way in which this program has been invoked means that the result of any
launch measurement validation will not be secure.
The program can be reinvoked with ``--insecure`` argument to force a
validation, however, the results of this should not be trusted. This should
only be used for testing, debugging or demonstration purposes, never in a
production deployment.
* **4** - *Domain has incorrect configuration to be measured*
The way in which the guest has been configured prevent this program from being
able to validate the launch measurement. Note that in general the guest
configuration reported by the hypervisor is not trustworthy, so it is
possible this error could be a false positive designed to cause a denial of
service.
This program can be reinvoked with the ``--ignore-config`` argument to skip
the sanity checks on the domain XML. This will likely result in it failing
with an exit code of **1** indicating the measurement is invalid
* **5** - *Domain is in incorrect state to be measured*
The domain has to be running in order to validate a launch measurement.
* **6** - *unexpected error occurred in the code*
A logic flaw in this program means it is unable to complete the validation of
the measurement. This is a bug which should be reported to the maintainers.
AUTHOR
======
Daniel P. Berrangé
BUGS
====
Please report all bugs you discover. This should be done via either:
#. the mailing list
`https://libvirt.org/contact.html <https://libvirt.org/contact.html>`_
#. the bug tracker
`https://libvirt.org/bugs.html <https://libvirt.org/bugs.html>`_
Alternatively, you may report bugs to your software distributor / vendor.
COPYRIGHT
=========
Copyright (C) 2022 by Red Hat, Inc.
LICENSE
=======
``virt-qemu-sev-validate`` is distributed under the terms of the GNU LGPL v2.1+.
This is free software; see the source for copying conditions. There
is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE
SEE ALSO
========
virsh(1), `SEV launch security usage <https://libvirt.org/kbase/launch_security_sev.html>`_,
`https://libvirt.org/ <https://libvirt.org/>`_
|
