Add support for OVMF hashes #11
Conversation
README.md
Outdated
| @@ -56,6 +57,7 @@ optional arguments: | |||
| --append CMDLINE Kernel command line to calculate hash from (use with --kernel) | |||
| --output-format {hex,base64} | |||
| Measurement output format | |||
| --ovmf-hash HASH Precalculated hash of the OVMF binary | |||
There was a problem hiding this comment.
maybe this should be --snp-ovmf-hash because it's only working for SNP guests?
There was a problem hiding this comment.
That's a great point, will change here and in mode.
README.md
Outdated
| ## Precalculated OVMF hashes | ||
|
|
||
| In situations where only minor OVMF changes happen, you may not want to copy the full OVMF binary to the validation system. In these situations, you can use an OVMF hash. | ||
| To generate a hash, use the `--gen-ovmf-hash` parameter: |
There was a problem hiding this comment.
you mention here --gen-ovmf-hash but I don't see it anywhere else.
There was a problem hiding this comment.
I originally had --gen-ovmf-hash as a special argument instead of --mode=ovmf-hash. But while writing the README and seeing how clumsy everything became, I figured I'd fold it in with --mode.
This is a leftover from the original version. I'll change it :)
sevsnpmeasure/cli.py
Outdated
| @@ -41,8 +41,13 @@ def main() -> int: | |||
| parser.add_argument('--append', metavar='CMDLINE', | |||
| help='Kernel command line to calculate hash from (use with --kernel)') | |||
| parser.add_argument('--output-format', choices=['hex', 'base64'], help='Measurement output format', default='hex') | |||
| parser.add_argument('--ovmf-hash', metavar='HASH', help='Precalculated hash of the OVMF binary') | |||
There was a problem hiding this comment.
| parser.add_argument('--ovmf-hash', metavar='HASH', help='Precalculated hash of the OVMF binary') | |
| parser.add_argument('--ovmf-hash', metavar='HASH', help='Precalculated hash of the OVMF binary (hex string)') |
sevsnpmeasure/cli.py
Outdated
| @@ -23,7 +23,7 @@ def main() -> int: | |||
| description='Calculate AMD SEV/SEV-ES/SEV-SNP guest launch measurement') | |||
| parser.add_argument('--version', action='version', version=f'%(prog)s {VERSION}') | |||
| parser.add_argument('-v', '--verbose', action='store_true') | |||
| parser.add_argument('--mode', choices=['sev', 'seves', 'snp'], help='Guest mode', required=True) | |||
| parser.add_argument('--mode', choices=['sev', 'seves', 'snp', 'ovmf-hash'], help='Guest mode', required=True) | |||
There was a problem hiding this comment.
It's a bit strange to add this to the --mode argument. What do you think about introducing a new argument --only-produce-ovmf-hash , and in that case, verify that mode is snp ?
There was a problem hiding this comment.
I had that originally and found it a lot more clumsy, because now you have a mandatory mode parameter which isn't actually mandatory because you're really only generating half the digest.
What if we change this to snp-ovmf-hash and change the description of the feature in a way that explains SNP digest generation as a 2 step process. This mode only executes the first step. The snp mode can ingest the first step as input.
There was a problem hiding this comment.
Even better: While changing it accordingly, I realized we can call the mode snp:ovmf-hash. That makes it obvious that we're executing part of the snp hash calculation.
|
Also, please run |
Some times we may not want to have to keep the full OVMF binary handy
when we try to validate a measurement. Most of the data we extract out
of the OVMF binary is static, except for its actual hashes.
So let's introduce a new mode that generates a precalculated launch
digest that contains the SNP ld hash at the point where we fully
ingested OVMF's contents:
$ sev-snp-measure --mode snp:ovmf-hash --ovmf OVMF.fd
cab7e[...]
In addition, add a new optional parameter that a user can then use to
consume the hash instead of recalculating it from their OVMF binary at
hand:
$ sev-snp-measure --mode snp --vcpus=1 --vcpu-type=EPYC-v4 \
--ovmf=OVMF.fd.old --snp-ovmf-hash cab7e[...]
d5269[...]
which is identical to the full calculation with the new OVMF.fd:
$ sev-snp-measure --mode snp --vcpus=1 --vcpu-type=EPYC-v4 --ovmf=OVMF.fd
d5269[...]
With this in place, we no longer need to copy full OVMF binaries around.
Instead, for almost all OVMF binaries in existence today, we can merely
share their hash values and are still able to validate the measurement
correctness.
Signed-off-by: Alexander Graf <graf@amazon.com>
|
I posted v2 with comments above addressed :) |
|
Thanks again @agraf . This is now part of release sev-snp-measure 0.0.4 on pypi. |
Some times we may not want to have to keep the full OVMF binary handy when we try to validate a measurement. Most of the data we extract out of the OVMF binary is static, except for its actual hashes.
So let's introduce a new mode that generates a precalculated launch digest that contains the SNP ld hash at the point where we fully ingested OVMF's contents:
In addition, add a new optional parameter that a user can then use to consume the hash instead of recalculating it from their OVMF binary at hand:
With this in place, users no longer need to copy full OVMF binaries around. Instead, for almost all SEV-SNP capable OVMF binaries in existence today, we can merely share their hash values and are still able to validate VM measurements.