
Allow to query launch measurement of a SEV guest
Introduce sev/querylaunchmeasurement API endpoint for VMI. Apart from
the measurement itself it returns the data needed to calculate the
expected value as specified in AMD SEV specification:

  HMAC(0x04 || API_MAJOR || API_MINOR || BUILD ||
       GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK)

Signed-off-by: Vasiliy Ulyanov <[email protected]>
vasiliy-ul committed Jun 23, 2023
1 parent 6d682a0 commit a66769a
Showing 32 changed files with 791 additions and 103 deletions.
124 changes: 124 additions & 0 deletions api/openapi-spec/swagger.json
Expand Up @@ -11667,6 +11667,47 @@
}
]
},
"/apis/subresources.kubevirt.io/v1/namespaces/{namespace:[a-z0-9][a-z0-9\\-]*}/virtualmachineinstances/{name:[a-z0-9][a-z0-9\\-]*}/sev/querylaunchmeasurement": {
"get": {
"description": "Query SEV launch measurement from a Virtual Machine",
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"operationId": "v1SEVQueryLaunchMeasurement",
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/v1.SEVMeasurementInfo"
}
},
"401": {
"description": "Unauthorized"
}
}
},
"parameters": [
{
"uniqueItems": true,
"type": "string",
"description": "Name of the resource",
"name": "name",
"in": "path",
"required": true
},
{
"uniqueItems": true,
"type": "string",
"description": "Object name and auth scope, such as for teams and projects",
"name": "namespace",
"in": "path",
"required": true
}
]
},
"/apis/subresources.kubevirt.io/v1/namespaces/{namespace:[a-z0-9][a-z0-9\\-]*}/virtualmachineinstances/{name:[a-z0-9][a-z0-9\\-]*}/softreboot": {
"put": {
"description": "Soft reboot a VirtualMachineInstance object.",
Expand Down Expand Up @@ -13214,6 +13255,47 @@
}
]
},
"/apis/subresources.kubevirt.io/v1alpha3/namespaces/{namespace:[a-z0-9][a-z0-9\\-]*}/virtualmachineinstances/{name:[a-z0-9][a-z0-9\\-]*}/sev/querylaunchmeasurement": {
"get": {
"description": "Query SEV launch measurement from a Virtual Machine",
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"operationId": "v1alpha3SEVQueryLaunchMeasurement",
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/v1.SEVMeasurementInfo"
}
},
"401": {
"description": "Unauthorized"
}
}
},
"parameters": [
{
"uniqueItems": true,
"type": "string",
"description": "Name of the resource",
"name": "name",
"in": "path",
"required": true
},
{
"uniqueItems": true,
"type": "string",
"description": "Object name and auth scope, such as for teams and projects",
"name": "namespace",
"in": "path",
"required": true
}
]
},
"/apis/subresources.kubevirt.io/v1alpha3/namespaces/{namespace:[a-z0-9][a-z0-9\\-]*}/virtualmachineinstances/{name:[a-z0-9][a-z0-9\\-]*}/softreboot": {
"put": {
"description": "Soft reboot a VirtualMachineInstance object.",
Expand Down Expand Up @@ -18612,6 +18694,48 @@
"v1.SEVAttestation": {
"type": "object"
},
"v1.SEVMeasurementInfo": {
"description": "SEVMeasurementInfo contains information about the guest launch measurement.",
"type": "object",
"properties": {
"apiMajor": {
"description": "API major version of the SEV host.",
"type": "integer",
"format": "int32"
},
"apiMinor": {
"description": "API minor version of the SEV host.",
"type": "integer",
"format": "int32"
},
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"buildID": {
"description": "Build ID of the SEV host.",
"type": "integer",
"format": "int32"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"loaderSHA": {
"description": "SHA256 of the loader binary",
"type": "string"
},
"measurement": {
"description": "Base64 encoded launch measurement of the SEV guest.",
"type": "string"
},
"policy": {
"description": "Policy of the SEV guest.",
"type": "integer",
"format": "int32"
}
}
},
"v1.SEVPlatformInfo": {
"description": "SEVPlatformInfo contains information about the AMD SEV features for the node.",
"type": "object",
1 change: 1 addition & 0 deletions cmd/virt-handler/virt-handler.go
Expand Up @@ -617,6 +617,7 @@ func (app *virtHandlerApp) runServer(errCh chan error, consoleHandler *rest.Cons
ws.Route(ws.GET("/v1/namespaces/{namespace}/virtualmachineinstances/{name}/filesystemlist").To(lifecycleHandler.GetFilesystems).Produces(restful.MIME_JSON).Consumes(restful.MIME_JSON).Returns(http.StatusOK, "OK", v1.VirtualMachineInstanceFileSystemList{}))
ws.Route(ws.GET("/v1/namespaces/{namespace}/virtualmachineinstances/{name}/vsock").Param(restful.QueryParameter("port", "Target VSOCK port")).To(consoleHandler.VSOCKHandler))
ws.Route(ws.GET("/v1/namespaces/{namespace}/virtualmachineinstances/{name}/sev/fetchcertchain").To(lifecycleHandler.SEVFetchCertChainHandler).Produces(restful.MIME_JSON).Consumes(restful.MIME_JSON).Returns(http.StatusOK, "OK", v1.SEVPlatformInfo{}))
ws.Route(ws.GET("/v1/namespaces/{namespace}/virtualmachineinstances/{name}/sev/querylaunchmeasurement").To(lifecycleHandler.SEVQueryLaunchMeasurementHandler).Produces(restful.MIME_JSON).Consumes(restful.MIME_JSON).Returns(http.StatusOK, "OK", v1.SEVMeasurementInfo{}))
restful.DefaultContainer.Add(ws)
server := &http.Server{
Addr: fmt.Sprintf("%s:%d", app.ServiceListen.BindAddress, app.consoleServerPort),
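Review bot: The route returns `v1.SEVMeasurementInfo{}` with no documentation of how its contents are meant to be trusted; the swagger section of this commit shows the type bundles `measurement` with the host-reported `policy`, `loaderSHA`, `apiMajor`, `apiMinor` and `buildID`, which are exactly the inputs of the expected-value HMAC quoted in the commit message. A verifier that recomputes the HMAC from those reported fields only confirms the host's self-consistency, so a `.Doc("Query SEV launch measurement; policy and loader hash are reported for diagnostics and must be compared against values the guest owner knows independently")` on this route, or an equivalent comment on the type, would keep clients from treating the response as self-attesting. Like the `fetchcertchain` route above it, the new line declares only the `200` response, so its failure behaviour is not visible here; `runServer` starts and ends outside the hunk.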
3 changes: 3 additions & 0 deletions manifests/generated/operator-csv.yaml.in
Expand Up @@ -885,6 +885,7 @@ spec:
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
- virtualmachineinstances/sev/fetchcertchain
- virtualmachineinstances/sev/querylaunchmeasurement
verbs:
- get
- apiGroups:
Expand Down Expand Up @@ -1031,6 +1032,7 @@ spec:
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
- virtualmachineinstances/sev/fetchcertchain
- virtualmachineinstances/sev/querylaunchmeasurement
verbs:
- get
- apiGroups:
Expand Down Expand Up @@ -1175,6 +1177,7 @@ spec:
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
- virtualmachineinstances/sev/fetchcertchain
- virtualmachineinstances/sev/querylaunchmeasurement
verbs:
- get
- apiGroups:
3 changes: 3 additions & 0 deletions manifests/generated/rbac-operator.authorization.k8s.yaml.in
Expand Up @@ -813,6 +813,7 @@ rules:
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
- virtualmachineinstances/sev/fetchcertchain
- virtualmachineinstances/sev/querylaunchmeasurement
verbs:
- get
- apiGroups:
Expand Down Expand Up @@ -959,6 +960,7 @@ rules:
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
- virtualmachineinstances/sev/fetchcertchain
- virtualmachineinstances/sev/querylaunchmeasurement
verbs:
- get
- apiGroups:
Expand Down Expand Up @@ -1103,6 +1105,7 @@ rules:
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
- virtualmachineinstances/sev/fetchcertchain
- virtualmachineinstances/sev/querylaunchmeasurement
verbs:
- get
- apiGroups:

0 comments on commit a66769a
