New subcommand: sevctl-attest (with initial support for QEMU)

[connorkuehl]

sevctl should enable users to perform attestation routed through hypervisors that support AMD SEV virtual machines.

Example usage, for inspiration:

$ sevctl attest qemu --socket=$QEMU_QMP_SOCKADDR --ovmf=/path/to/ovmf

sevctl will need to learn the QEMU machine protocol so that it can attest through QEMU's API.

[dubek]

On top of OVMF attestation, there is work under review in QEMU and OVMF to support measured (attested) SEV boot with -kernel / -initrd / -append. In order for that to be secure, QEMU injects the hashes of those three blobs into a special SEV hashes page (designated in OVMF) before launch, and encrypts it as part of the initial guest memory so it is part of the measured memory. OVMF then makes sure that the kernel/initrd/cmdline it reads from QEMU indeed match those hashes, refusing to boot otherwise.

To verify such measurements, the Guest Owner needs the OVMF file and the three blobs. In such case, the command-line may look like:

$ sevctl attest qemu --socket=$QEMU_QMP_SOCKADDR \
    --ovmf=/path/to/ovmf \
    --kernel=/path/to/vmlinuz \
    --initrd=/path/to/initrd.img \
    --cmdline="console=ttyS0 loglevel=6"

This qemu patch includes the SevHashTable which is the memory that is added to the measurement after OVMF. Special care should be taken with empty cmdline and empty initrd.

/cc @fitzthum @jimcadden @jejb

[connorkuehl]

For upstream posterity:

As I mentioned over emails, I will sketch out what this looks like in terms of sevctl's implementation of this.