From d6d8497b560b47f6c9902b11bf919a639f82064d Mon Sep 17 00:00:00 2001
From: "alex.lyn"
Date: Fri, 13 Jun 2025 17:37:26 +0800
Subject: [PATCH] runtime-rs: Add host-data property to sev-snp-guest object

SEV-SNP guest configuration utilizes a different set of properties compared to the existing 'sev-guest' object. This change introduces the `host-data` property within the sev-snp-guest object. This property allows for configuring an SEV-SNP guest with host-provided data, which is crucial for data integrity verification during attestation. The `host-data` property is specifically valid for SEV-SNP guests running on a capable platform. It is configured as a base64-encoded string when using the sev-snp-guest object. the example cmdline looks like:

```shell
-object sev-snp-guest,id=sev-snp0,host-data=CGNkCHoBC5CcdGXir...
```

Fixes #11180

Signed-off-by: alex.lyn
---
 .../hypervisor/src/qemu/cmdline_generator.rs | 19 ++++++++++++++-----
 .../crates/hypervisor/src/qemu/inner.rs | 1 +
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
index 338fd8d07..87dcbea4f 100644
--- a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
+++ b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
@@ -1798,17 +1798,18 @@ struct ObjectSevSnpGuest {
     cbitpos: u32,
     reduced_phys_bits: u32,
     kernel_hashes: bool,
-
+    host_data: Option,
     is_snp: bool,
 }
 
 impl ObjectSevSnpGuest {
-    fn new(is_snp: bool, cbitpos: u32) -> Self {
+    fn new(is_snp: bool, cbitpos: u32, host_data: Option) -> Self {
         ObjectSevSnpGuest {
             id: (if is_snp { "snp" } else { "sev" }).to_owned(),
             cbitpos,
             reduced_phys_bits: 1,
             kernel_hashes: true,
+            host_data,
             is_snp,
         }
     }
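Review bot: The new `host_data` field and the third argument of `new` carry no documentation of what the value is or when it applies; nothing on the struct says it is only meaningful for the SNP variant or what encoding it must be in, while the commit message states it is a base64 string handed to QEMU as-is. I would add `/// Base64-encoded HOST_DATA, passed verbatim as the `host-data` property; only emitted for the SNP variant (`is_snp == true`).` above the field, and a short `# Arguments` note on `new` saying that callers building a plain SEV object must pass `None`. The type argument of `Option` appears to have been stripped in this rendering of the patch; I am assuming `Option<String>` from the `.clone()` in the later hunk.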
@@ -1834,6 +1835,9 @@ impl ToQemuParams for ObjectSevSnpGuest {
                 "kernel-hashes={}",
                 if self.kernel_hashes { "on" } else { "off" }
             ));
+            if let Some(host_data) = &self.host_data {
+                params.push(format!("host-data={}", host_data))
+            }
         }
         Ok(vec!["-object".to_owned(), params.join(",")])
     }
@@ -2430,7 +2434,7 @@ impl<'a> QemuCmdLine<'a> {
     }
 
     pub fn add_sev_protection_device(&mut self, cbitpos: u32, firmware: &str) {
-        let sev_object = ObjectSevSnpGuest::new(false, cbitpos);
+        let sev_object = ObjectSevSnpGuest::new(true, cbitpos, None);
         self.devices.push(Box::new(sev_object));
 
         self.devices.push(Box::new(Bios::new(firmware.to_owned())));
@@ -2440,8 +2444,13 @@ impl<'a> QemuCmdLine<'a> {
         .set_nvdimm(false);
     }
 
-    pub fn add_sev_snp_protection_device(&mut self, cbitpos: u32, firmware: &str) {
-        let sev_snp_object = ObjectSevSnpGuest::new(true, cbitpos);
+    pub fn add_sev_snp_protection_device(
+        &mut self,
+        cbitpos: u32,
+        firmware: &str,
+        host_data: &Option,
+    ) {
+        let sev_snp_object = ObjectSevSnpGuest::new(true, cbitpos, host_data.clone());
         self.devices.push(Box::new(sev_snp_object));
 
         self.devices.push(Box::new(Bios::new(firmware.to_owned())));
diff --git a/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs b/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs
index 8aa6c8327..86765c321 100644
--- a/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs
+++ b/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs
@@ -136,6 +136,7 @@ impl QemuInner {
             cmdline.add_sev_snp_protection_device(
                 sev_snp_cfg.cbitpos,
                 &sev_snp_cfg.firmware,
+                &sev_snp_cfg.host_data,
             )
         } else {
             cmdline.add_sev_protection_device(
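Review bot: The `host-data` value is appended to the comma-joined `-object` argument with no check that it is well-formed. The commit message says it is base64, and QEMU expects it to decode to a fixed-size HOST_DATA block (32 bytes in the SNP ABI), so a config value of the wrong length, or one containing a character the QEMU option parser treats as a separator, is only rejected at VM launch with an opaque QEMU error instead of a runtime-rs configuration error. Validating it once — decode as base64 and reject on error or unexpected length, either in `ObjectSevSnpGuest::new` or before the push here — would turn that into an early, attributable failure. The enclosing `to_qemu_params` body starts outside the hunk, so I cannot see whether this `if let` sits under an `is_snp` guard; if it does not, a `host-data` property could also leak onto a plain `sev-guest` object.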
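Review bot: `add_sev_protection_device` now calls `ObjectSevSnpGuest::new(true, cbitpos, None)` where the removed line passed `false`; the first parameter is `is_snp`, so the non-SNP SEV path now builds an object whose id is `snp` and, judging by the `ToQemuParams` hunk, emits the SNP-specific properties. The commit message only describes adding `host-data`, so this looks like an accidental flip made while adding the third argument rather than an intended change, and it would launch a plain SEV guest with the wrong confidential-computing object. The line should read `let sev_object = ObjectSevSnpGuest::new(false, cbitpos, None);`, and a unit test asserting that this method produces a `sev` id (not `snp`) would have caught it.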
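Review bot: In `add_sev_snp_protection_device` the new `host_data` parameter is taken as a reference to an `Option` and immediately `.clone()`d, which is the shape clippy's `ref_option` lint flags. Taking `host_data: Option<String>` by value, with the inner.rs caller passing `sev_snp_cfg.host_data.clone()`, or taking `Option<&str>` and converting with `.map(str::to_owned)`, keeps the same behaviour with a clearer ownership contract and avoids a borrowed `Option` in a public signature. The `add_sev_protection_device` hunk above has the same signature style issue only insofar as it hard-codes `None`; it needs no change beyond the `is_snp` fix noted separately.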