Launch digest of igvm is different than the measurement in the attestation report

[dimstav23]

Issue description

• The Launch digest of SVSM is different than the measurement in the attestation report obtained by the monitor.
• Potentially this is caused by the init-flags value that is used to launch the VM (related issue)
• Currently the value they set in the official repo of svsm is 5 and enables restricted injection which stops the VM from booting our case.

Version:

• Branch dev
• Commit 3e1ee874649db7fc4662274a6b8af2cd7ad14eff

How to reproduce:

1. Build svsm and preserve the dumped Launch digest
2. Request an attestation report from the monitor and dump its 48 bytes starting from offset 90h

[mmisono]

I think we can only setinit-flags=4 to notify SVSM presence to KVM

• https://github.com/Sabanic-P/linux/blob/7902bb420130420b0a9afa7cddc274bd1bce413c/include/uapi/linux/kvm.h#L2051-L2058
• https://github.com/Sabanic-P/linux/blob/7902bb420130420b0a9afa7cddc274bd1bce413c/arch/x86/kvm/svm/sev.c#L2228-L2232

[mmisono]

In addition to that, igvmbuilder unconditionally assume the restricted injection

• https://github.com/TUM-DSE/svsm/blob/69f84c39db3be0fd1f5c60259dd5b13328ea736a/igvmbuilder/src/vmsa.rs#L113

diff --git a/igvmbuilder/src/vmsa.rs b/igvmbuilder/src/vmsa.rs
index 1763635..aef983f 100644
--- a/igvmbuilder/src/vmsa.rs
+++ b/igvmbuilder/src/vmsa.rs
@@ -112,7 +112,7 @@ pub fn construct_vmsa(

     let mut features = SevFeatures::new();
     features.set_snp(true);
-    features.set_restrict_injection(true);
+    features.set_restrict_injection(false);
     if vtom != 0 {
         vmsa.virtual_tom = vtom;
         features.set_vtom(true);

This gives the correct measurement (init-flags=4 is also necessary if the guest has multiple vcpus)

[mmisono]

for reference: https://github.com/TUM-DSE/Wallet-VMPL/tree/fix-measurement