* [PATCH qemu-server] cpu config: sev: add attestation parameters
@ 2026-03-19 12:10 Loh Yu Chen
From: Loh Yu Chen @ 2026-03-19 12:10 UTC (permalink / raw)
  To: pve-devel; +Cc: Loh Yu Chen

The QEMU sev-guest object supports dh-cert-file and session-file parameters,
required for guest owner launch measurement attestation, but those are not
currently exposed.

These parameters are only applicable for type=std and type=es, as type=snp uses
a different attestation mechanism.

See https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html

Signed-off-by: Loh Yu Chen <lohyuchen@gmail.com>
---
 src/PVE/QemuServer/CPUConfig.pm | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index 32ec4954..8ae05b91 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -413,6 +413,20 @@ my $sev_fmt = {
         default => 0,
         optional => 1,
     },
+    "dh-cert-file" => {
+        description => "Path to guest owner Diffie-Hellman certificate file for SEV(-ES) attestation"
+            . " (Ignored for SEV-SNP)",
+        type => 'string',
+        format_description => 'filepath',
+        optional => 1,
+    },
+    "session-file" => {
+        description => "Path to the session blob file generated by the guest owner for SEV(-ES) attestation"
+            . " (Ignored for SEV-SNP)",
+        type => 'string',
+        format_description => 'filepath',
+        optional => 1,
+    },
 };
 PVE::JSONSchema::register_format('pve-qemu-sev-fmt', $sev_fmt);
 
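Review bot: the pairing constraint that the code enforces later (dh-cert-file and session-file must be given together) is not stated in either description, and the schema is what the API documentation and `qm` help are generated from; add it, e.g. "Must be set together with session-file." to the first and the mirror sentence to the second. Also reconsider "(Ignored for SEV-SNP)": a guest owner who sets these on a type=snp VM expecting pre-launch attestation gets none and no warning, so either reject the combination with type=snp in get_amd_sev_object or spell out in the description that SNP uses a different attestation mechanism and these have no effect there.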
@@ -1173,6 +1187,20 @@ sub get_amd_sev_object {
         $policy |= 1 << 2 if $amd_sev_conf->{type} eq 'es';
         # disable migration with bit 3 nosend to prevent amd-sev-migration-attack
         $policy |= 1 << 3;
+
+        if (defined($amd_sev_conf->{'dh-cert-file'}) xor defined($amd_sev_conf->{'session-file'})) {
+            die "dh-cert-file and session-file must be specified together.\n";
+        }
+        if (defined($amd_sev_conf->{'dh-cert-file'})) {
+            if (!-f $amd_sev_conf->{'dh-cert-file'}) {
+                die "dh-cert-file '$amd_sev_conf->{'dh-cert-file'}' does not exist.\n";
+            }
+            if (!-f $amd_sev_conf->{'session-file'}) {
+                die "session-file '$amd_sev_conf->{'session-file'}' does not exist.\n";
+            }
+            $sev_mem_object .= ',dh-cert-file=' . $amd_sev_conf->{'dh-cert-file'};
+            $sev_mem_object .= ',session-file=' . $amd_sev_conf->{'session-file'};
+        }
     } elsif ($amd_sev_conf->{type} eq 'snp') {
         $sev_mem_object .= 'sev-snp-guest,id=sev0';
         $sev_mem_object .= ',cbitpos=' . $sev_hw_caps->{cbitpos};
-- 
2.53.0.windows.1