From cd4e9177609e2ab04d9afb514eabc4cb54465111 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 9 Dec 2021 05:21:04 -0500
Subject: [PATCH] conf: add support for setting SEV kernel hashes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Normally the SEV measurement only covers the firmware
loader contents. When doing a direct kernel boot, however,
with new enough OVMF it is possible to ask for the
measurement to cover the kernel, ramdisk and command line.

It can't be done automatically as that would break existing
guests using direct kernel boot with old firmware, so there
is a new XML setting allowing this behaviour to be toggled.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 docs/formatdomain.rst         | 7 ++++++-
 docs/schemas/domaincommon.rng | 5 +++++
 src/conf/domain_conf.c        | 8 ++++++++
 src/conf/domain_conf.h        | 1 +
 4 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 2e9c450606..51ca23aece 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -8222,7 +8222,7 @@ spec <https://support.amd.com/TechDocs/55766_SEV-KM_API_Specification.pdf>`__
 
    <domain>
      ...
-     <launchSecurity type='sev'>
+     <launchSecurity type='sev' kernelHashes='yes'>
        <policy>0x0001</policy>
        <cbitpos>47</cbitpos>
        <reducedPhysBits>1</reducedPhysBits>
@@ -8232,6 +8232,11 @@ spec <https://support.amd.com/TechDocs/55766_SEV-KM_API_Specification.pdf>`__
      ...
    </domain>
 
+``kernelHashes``
+   The optional ``kernelHashes`` attribute indicates whether the
+   hashes of the kernel, ramdisk and command line should be included
+   in the measurement done by the firmware. This is only valid if
+   using direct kernel boot. :since:`Since 8.0.0`
 ``cbitpos``
    The required ``cbitpos`` element provides the C-bit (aka encryption bit)
    location in guest page table entry. The value of ``cbitpos`` is hypervisor
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index ce5018f798..7fa5c2b8b5 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -499,6 +499,11 @@
     <attribute name="type">
       <value>sev</value>
     </attribute>
+    <optional>
+      <attribute name="kernelHashes">
+        <ref name="virYesNo"/>
+      </attribute>
+    </optional>
     <interleave>
       <optional>
         <element name="cbitpos">
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index e0c92816f1..716c6d2240 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -14804,6 +14804,10 @@ virDomainSEVDefParseXML(virDomainSEVDef *def,
     unsigned long policy;
     int rc;
 
+    if (virXMLPropTristateBool(ctxt->node, "kernelHashes", VIR_XML_PROP_NONE,
+                               &def->kernel_hashes) < 0)
+        return -1;
+
     if (virXPathULongHex("string(./policy)", ctxt, &policy) < 0) {
         virReportError(VIR_ERR_XML_ERROR, "%s",
                        _("failed to get launch security policy"));
@@ -27134,6 +27138,10 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV: {
         virDomainSEVDef *sev = &sec->data.sev;
 
+        if (sev->kernel_hashes != VIR_TRISTATE_BOOL_ABSENT)
+            virBufferAsprintf(&attrBuf, " kernelHashes='%s'",
+                              virTristateBoolTypeToString(sev->kernel_hashes));
+
         if (sev->haveCbitpos)
             virBufferAsprintf(&childBuf, "<cbitpos>%d</cbitpos>\n", sev->cbitpos);
 
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index afabcd1b4d..144ba4dd12 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2714,6 +2714,7 @@ struct _virDomainSEVDef {
     unsigned int cbitpos;
     bool haveReducedPhysBits;
     unsigned int reduced_phys_bits;
+    virTristateBool kernel_hashes;
 };
 
 struct _virDomainSecDef {