Include ID block when launching guests#247
Open
markg-github wants to merge 2 commits into
Open
Conversation
- add guest policy to QEMU command - add ID block service logs to certificates - check for presence of measurement file in new ID block service
There was a problem hiding this comment.
Pull request overview
Adds SEV-SNP ID block generation and launch integration so guests can be launched with a signed ID block containing measurement, policy, and metadata.
Changes:
- Adds a host-side
generate-id-blockmodule and service to patch/signid-block.b64. - Updates guest launch to pass
policy,id-block, andid-authto QEMU. - Adds a browser-based ID block template builder and related documentation.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
tools/id-block-README.md |
Documents the ID block builder and default policy/template. |
tools/id-block-builder.html |
Adds browser UI for generating unsigned ID block templates. |
modules/report/host/display-guest-logs/.../display-guest-logs.sh |
Adds timeout messaging for guest test log display. |
modules/launch/host/mkosi.conf |
Includes the new generate-id-block module. |
modules/launch/host/launch-guest/.../launch-guest.service |
Orders guest launch after ID block generation. |
modules/launch/host/launch-guest/.../launch-guest.sh |
Builds QEMU command dynamically and adds ID block arguments. |
modules/launch/host/launch-guest/.../id-block.b64 |
Adds default unsigned ID block template. |
modules/launch/host/launch-done/.../launch-done.service |
Adds ID block generation to launch completion dependencies. |
modules/launch/host/generate-id-block/README.md |
Documents runtime ID block patching/signing. |
modules/launch/host/generate-id-block/.../generate-id-block.service |
Adds oneshot service for ID block generation. |
modules/launch/host/generate-id-block/.../generate_id_block.py |
Implements measurement patching, ECDSA signing, and ID auth generation. |
modules/launch/host/generate-id-block/mkosi.conf |
Adds cryptography dependency for host image. |
modules/build/guest/mkosi.conf |
Adds Python package to guest build configuration. |
.github/workflows/build-and-release.yml |
Adds release job dependency to build job. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| build: | ||
| name: ${{ matrix.distro }}-${{ matrix.release }} | ||
| needs: create-release |
| -machine memory-backend=ram1 | ||
| -object "${SEV_SNP_OBJECT}" | ||
| -bios "${OVMF_PATH}" | ||
| -kernel "${EFI_PATH}" |
|
|
||
| function fromHex(h) { | ||
| if (h.length % 2) throw new Error('Odd-length hex string'); | ||
| return new Uint8Array(h.match(/.{2}/g).map(b => parseInt(b,16))); |
Comment on lines
+222
to
+225
| function parseFlags() { | ||
| const raw = el('policy_flags').value.replace(/\s/g, ''); | ||
| if (!/^[0-9a-fA-F]{1,12}$/.test(raw)) return 0n; | ||
| return BigInt('0x' + raw); |
| if (iIdHex.length !== 32) throw new Error('Image ID must be 32 hex chars (16 bytes).'); | ||
|
|
||
| const guestSvn = parseInt(el('guest_svn').value, 10); | ||
| if (isNaN(guestSvn) || guestSvn < 0) throw new Error('Invalid guest SVN.'); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
ID block includes expected measurement, guest policy, Family ID, Image ID, etc. The expected measurement must match the calculated measurement. Note that sev-certify has always calculated an expected measurement even though it's only now, with this PR, that an ID block is included when launching guests. Ignoring the ID block, sev-certify used the expected measurement as "host data". This is still the case.
ID blocks are signed, but they can be self-signed, which is what this PR does.
Finally, there's a simple tool that allows user specification of some of the fields in the ID block. Just open tools/id-block-builder.html in a browser.