diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst index 34ef328fe8..eef8a0281c 100644 --- a/docs/manpages/virt-qemu-sev-validate.rst +++ b/docs/manpages/virt-qemu-sev-validate.rst @@ -358,7 +358,6 @@ Validate the measurement of a SEV-ES SMP guest booting from disk: # virt-dom-sev-validate \ --insecure \ - --num-cpus 2 \ --vmsa-cpu0 vmsa0.bin \ --vmsa-cpu1 vmsa1.bin \ --tk this-guest-tk.bin \ @@ -371,9 +370,6 @@ automatically constructed VMSA: # virt-dom-sev-validate \ --insecure \ - --cpu-family 23 \ - --cpu-model 49 \ - --cpu-stepping 0 \ --tk this-guest-tk.bin \ --domain fedora34x86_64 diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev-validate index ef8fa6fa27..37f6f65bac 100755 --- a/tools/virt-qemu-sev-validate +++ b/tools/virt-qemu-sev-validate @@ -873,6 +873,14 @@ class LibvirtConfidentialVM(ConfidentialVM): if self.policy is None: self.policy = sevinfo["sev-policy"] + if self.is_sev_es() and self.num_cpus is None: + if secure: + raise InsecureUsageException( + "Using CPU count from guest is not secure") + + info = self.dom.info() + self.num_cpus = info[3] + if self.firmware is None: if remote: raise UnsupportedUsageException( @@ -918,6 +926,24 @@ class LibvirtConfidentialVM(ConfidentialVM): "Using cmdline string from XML is not secure") self.kernel_table.load_cmdline(cmdlinenodes[0].text) + capsxml = self.conn.getCapabilities() + capsdoc = etree.fromstring(capsxml) + + if self.is_sev_es() and self.vmsa_cpu0 is None: + if secure: + raise InsecureUsageException( + "Using CPU SKU from capabilities is not secure") + + sig = capsdoc.xpath("/capabilities/host/cpu/signature") + if len(sig) != 1: + raise UnsupportedUsageException( + "Libvirt is too old to report host CPU signature") + + cpu_family = int(sig[0].get("family")) + cpu_model = int(sig[0].get("model")) + cpu_stepping = int(sig[0].get("stepping")) + self.build_vmsas(cpu_family, cpu_model, cpu_stepping) + def parse_command_line(): parser = argparse.ArgumentParser(