Re: [PATCH Part1 v5 38/38] virt: sevguest: Add support to get extended report
From: Brijesh Singh
Date: Tue Aug 31 2021 - 17:11:52 EST
On 8/31/21 3:22 PM, Dov Murik wrote:
> Hi Brijesh,
>
> On 20/08/2021 18:19, Brijesh Singh wrote:
> > Version 2 of GHCB specification defines NAE to get the extended guest
> > request. It is similar to the SNP_GET_REPORT ioctl. The main difference
> > is related to the additional data that can be returned. The additional
> > data returned is a certificate blob that can be used by the SNP guest
> > user.
>
> It seems like the SNP_GET_EXT_REPORT ioctl does everything that the
> SNP_GET_REPORT ioctl does, and more. Why expose SNP_GET_REPORT to
> userspace at all?
Since both of these options are provided by the GHCB protocol, I
exposed it. It is possible that some applications may not care about the
extended certificate blob, and in that case, if the hypervisor is
programmed with the extended certificate blob and the caller does not
supply enough pages to copy the blob, then the command should fail.
This would enforce a new requirement on that guest application to
allocate extra memory, e.g.:

1. The hypervisor is programmed with a system-wide certificate blob
   using the SNP_SET_EXT_CONFIG ioctl().
2. The guest wants to get the report but does not care about the
   certificate blob.
3. The guest issues an extended guest report request with npages = 0.
   The command will fail with invalid length, and the number of pages
   will be returned in the response.
4. The guest will now need to allocate memory to hold the certificate
   and reissue the command.

Step #4 is unnecessary for a guest which does not want to get it. In
this case, a guest can simply request the attestation report without
asking for the certificate blob. Please see the GHCB spec for more
details.
thanks
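The two-call sequence described in the reply above (probe with npages = 0, learn the required page count from the failure, allocate, reissue), as an added C example that is not code from the patch series: the real ioctl is replaced by an in-process stand-in, mock_ext_report(), holding a constructed 5000-byte blob, and the status codes, function names and the shape of the npages argument are assumptions rather than the v5 UAPI.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define EXT_REQ_OK 0
#define EXT_REQ_INVALID_LEN 1   /* constructed status: certificate buffer too small */
#define MOCK_CERT_LEN 5000u     /* constructed blob size: needs 2 pages */

/* Hypervisor-side stand-in for SNP_GET_EXT_REPORT (not the real ioctl): if the
 * caller's buffer of npages pages is too small, fail with invalid length and report the pages needed. */
static int mock_ext_report(uint8_t *certs, uint32_t npages, uint32_t *pages_needed)
{
    *pages_needed = (MOCK_CERT_LEN + PAGE_SIZE - 1) / PAGE_SIZE;
    if (npages < *pages_needed)
        return EXT_REQ_INVALID_LEN;
    memset(certs, 0xAB, MOCK_CERT_LEN);   /* copy the blob into the guest buffer */
    return EXT_REQ_OK;
}

/* Guest side: probe with npages = 0, allocate exactly what was reported, reissue.
 * Returns pages used (0 if the hypervisor had no blob) or -1; caller frees *certs. */
int fetch_ext_report_certs(uint8_t **certs, uint32_t *certs_bytes)
{
    uint32_t need = 0;
    int rc = mock_ext_report(NULL, 0, &need);
    *certs = NULL; *certs_bytes = 0;
    if (rc == EXT_REQ_OK)
        return 0;                       /* nothing to fetch, the probe sufficed */
    if (rc != EXT_REQ_INVALID_LEN)
        return -1;
    *certs = calloc(need, PAGE_SIZE);   /* sized from the hypervisor's answer */
    if (!*certs || mock_ext_report(*certs, need, &need) != EXT_REQ_OK) {
        free(*certs);
        *certs = NULL;
        return -1;
    }
    *certs_bytes = need * PAGE_SIZE;
    return (int)need;
}

/* Runs the two-call sequence and verifies the blob arrived; returns pages used. */
int ext_report_demo(void)
{
    uint8_t *certs = NULL; uint32_t bytes = 0;
    int pages = fetch_ext_report_certs(&certs, &bytes);
    int ok = pages > 0 && certs[0] == 0xAB && certs[MOCK_CERT_LEN - 1] == 0xAB;
    free(certs);
    return ok ? pages : -1;
}
```

A guest that does not want the blob skips this sequence entirely and uses SNP_GET_REPORT, which is the reason the reply gives for exposing both ioctls.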