Update patch set 13

Patch Set 13: (4 comments) Patch-set: 13
2024-04-22 02:53:23 +00:00 · 2024-04-22 02:53:23 +00:00 · d396b1868e
commit d396b1868e
parent b83343ce7c
1 changed files with 84 additions and 0 deletions
--- a/84
+++ b/84
@ -34,6 +34,24 @@
      "revId": "7c4933d86f23cb3964513293e4e5e772f9875a97",
      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
    },
+    {
+      "unresolved": false,
+      "key": {
+        "uuid": "970e17ec_f47b82f9",
+        "filename": "/PATCHSET_LEVEL",
+        "patchSetId": 13
+      },
+      "lineNbr": 0,
+      "author": {
+        "id": 9816
+      },
+      "writtenOn": "2024-04-22T02:53:23Z",
+      "side": 1,
+      "message": "Attestation mechanism is currently out of scope of this work, because the mechanism supported by SEV/SEV-ES is heavily dependent on hypervisor feature and is not suitable for confidential computing use case. So the known vulnerability is not a big blocker for the current work.\n\nBecause SEV-SNP is still under active development (even after a few years) and SEV-ES has been available for some time, it\u0027s still useful to provide the functionality in case users are looking for better data protection mechanism than SEV.",
+      "parentUuid": "8d25ef25_609abd4b",
+      "revId": "7c4933d86f23cb3964513293e4e5e772f9875a97",
+      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
+    },
    {
      "unresolved": true,
      "key": {
@ -57,6 +75,30 @@
      "revId": "7c4933d86f23cb3964513293e4e5e772f9875a97",
      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
    },
+    {
+      "unresolved": true,
+      "key": {
+        "uuid": "0419b6eb_348aff91",
+        "filename": "specs/2024.2/approved/amd-sev-es-libvirt-support.rst",
+        "patchSetId": 13
+      },
+      "lineNbr": 27,
+      "author": {
+        "id": 9816
+      },
+      "writtenOn": "2024-04-22T02:53:23Z",
+      "side": 1,
+      "message": "This is not a difference between SEV and SEV-ES but one between EPYC gen 1 and gen 2. Number of slots is not dependent on CPU features but CPU model.",
+      "parentUuid": "2c29a6ca_64a4fd1c",
+      "range": {
+        "startLine": 21,
+        "startChar": 1,
+        "endLine": 27,
+        "endChar": 19
+      },
+      "revId": "7c4933d86f23cb3964513293e4e5e772f9875a97",
+      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
+    },
    {
      "unresolved": true,
      "key": {
@ -80,6 +122,30 @@
      "revId": "7c4933d86f23cb3964513293e4e5e772f9875a97",
      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
    },
+    {
+      "unresolved": false,
+      "key": {
+        "uuid": "f7abbbd2_21de7bde",
+        "filename": "specs/2024.2/approved/amd-sev-es-libvirt-support.rst",
+        "patchSetId": 13
+      },
+      "lineNbr": 34,
+      "author": {
+        "id": 9816
+      },
+      "writtenOn": "2024-04-22T02:53:23Z",
+      "side": 1,
+      "message": "yeah. I\u0027m also leaving the link for kernel patch for future reference. Fortunately the kernel patch is likely merged quite soon so I hope the work in QEMU would progress further.\n\nhttps://lore.kernel.org/linux-coco/20240421180122.1650812-1-michael.roth@amd.com/T/#t",
+      "parentUuid": "5fadd814_5e5680cc",
+      "range": {
+        "startLine": 30,
+        "startChar": 0,
+        "endLine": 34,
+        "endChar": 70
+      },
+      "revId": "7c4933d86f23cb3964513293e4e5e772f9875a97",
+      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
+    },
    {
      "unresolved": true,
      "key": {
@ -96,6 +162,24 @@
      "message": "Also consider the below two things:\n\n- `virt-qemu-sev-validate` tool[2] — it lets you \"validate\" the measurement of a SEV-ES guest, among other features.  Even if we don\u0027t use this, we should at least mention this in the documentation.\n\n- Boot attestation — users who know why they want to use SEV-ES usually also know that \"guest boot attestation\" important before they can trust that the guest is truly confidential.  Again, we don\u0027t have to do it as part of this change, but at least we should point to upstream libvirt docs[3] to give enough guidance.\n\n  It also talks about the requirements, such as the expected configuration of  the \"\u003claunchSecurity\u003e\" XML element, (already part of Nova\u0027s XML modelling code).\n  \n[2] https://libvirt.org/manpages/virt-qemu-sev-validate.html\n\n[3] https://libvirt.org/kbase/launch_security_sev.html#guest-attestation-for-sev-sev-es-from-a-trusted-host",
      "revId": "7c4933d86f23cb3964513293e4e5e772f9875a97",
      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
+    },
+    {
+      "unresolved": false,
+      "key": {
+        "uuid": "59a9748f_b2db9825",
+        "filename": "specs/2024.2/approved/amd-sev-es-libvirt-support.rst",
+        "patchSetId": 13
+      },
+      "lineNbr": 57,
+      "author": {
+        "id": 9816
+      },
+      "writtenOn": "2024-04-22T02:53:23Z",
+      "side": 1,
+      "message": "I included the description about attestation (using measurement). As described, I\u0027ll leave it as out of our current scope.",
+      "parentUuid": "66c58da5_c2719fc4",
+      "revId": "7c4933d86f23cb3964513293e4e5e772f9875a97",
+      "serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
    }
  ]
 }