| Message ID | 20210930054915.13252-1-dovmurik@linux.ibm.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | x86/sev: Measured Linux SEV guest with kernel/initrd/cmdline | expand |
Queued, thanks. However, it would be nice to have a documentation of all our SEV firmware interfaces somewhere in docs/specs/. Paolo On Thu, Sep 30, 2021 at 7:49 AM Dov Murik <dovmurik@linux.ibm.com> wrote: > > Currently booting with -kernel/-initrd/-append is not supported in SEV > confidential guests, because the content of these blobs is not measured > and therefore not trusted by the SEV guest. > > However, in some cases the kernel, initrd, and cmdline are not secret > but should not be modified by the host. In such a case, we want to > verify inside the trusted VM that the kernel, initrd, and cmdline are > indeed the ones expected by the Guest Owner, and only if that is the > case go on and boot them up (removing the need for grub inside OVMF in > that mode). > > To support that, OVMF adds a special area for hashes of > kernel/initrd/cmdline; that area is expected to be filled by QEMU and > encrypted as part of the initial SEV guest launch. This in turn makes > the hashes part of the AMD PSP measured content, and OVMF can trust > these inputs if they match the hashes. > > This series adds an SEV function to generate the table of hashes for > OVMF and encrypt it (patch 1/2), and calls this function if SEV is > enabled when the kernel/initrd/cmdline are prepared (patch 2/2). > > Corresponding OVMF support [1] is already available in edk2 (patch series > "Measured SEV boot with kernel/initrd/cmdline"). > > [1] https://edk2.groups.io/g/devel/message/78250 > > --- > > v4 changes: > - struct and variable renames (KernelLoaderContext -> SevKernelLoaderContext, > kernel_loader_context -> sev_load_ctx). > > v3 resend: https://lore.kernel.org/qemu-devel/20210825073538.959525-1-dovmurik@linux.ibm.com/ > v3: https://lore.kernel.org/qemu-devel/20210624102040.2015280-1-dovmurik@linux.ibm.com/ > v3 changes: > - initrd hash is now mandatory; if no -initrd is passed, calculate the > hash of the empty buffer. This is now aligned with the OVMF > behaviour which verifies the empty initrd (correctly). > - make SevHashTable entries fixed: 3 entries for cmdline, initrd, and kernel. > - in sev_add_kernel_loader_hashes: first calculate all the hashes, only then > fill-in the hashes table in the guest's memory. > - Use g_assert_not_reached in sev-stub.c. > - Use QEMU_PACKED attribute for structs. > - Use QemuUUID type for guids. > - in sev_add_kernel_loader_hashes: use ARRAY_SIZE(iov) instead of literal 2. > > v2: https://lore.kernel.org/qemu-devel/20210621190553.1763020-1-dovmurik@linux.ibm.com/ > v2 changes: > - Extract main functionality to sev.c (with empty stub in sev-stub.c) > - Use sev_enabled() instead of machine->cgs->ready to detect SEV guest > - Coding style changes > > v1: https://lore.kernel.org/qemu-devel/20210525065931.1628554-1-dovmurik@linux.ibm.com/ > > > Dov Murik (2): > sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux > boot > x86/sev: generate SEV kernel loader hashes in x86_load_linux > > target/i386/sev_i386.h | 12 ++++ > hw/i386/x86.c | 25 +++++++- > target/i386/sev-stub.c | 5 ++ > target/i386/sev.c | 137 +++++++++++++++++++++++++++++++++++++++++ > 4 files changed, 178 insertions(+), 1 deletion(-) > > -- > 2.25.1 >
On 04/10/2021 11:03, Paolo Bonzini wrote: > Queued, thanks. However, it would be nice to have a documentation of > all our SEV firmware interfaces somewhere in docs/specs/. Thanks Paolo. I'll try to arrange a skeleton for such document. So far I think we have the following interfaces: 1. SEV_SECRET_GUID - Secret injection target page 2. SEV_INFO_BLOCK_GUID - Used (currently) for the SEV-ES AP reset vector 3. SEV_HASH_TABLE_RV_GUID - For hashes of kernel/initrd/cmdline -Dov
Currently booting with -kernel/-initrd/-append is not supported in SEV confidential guests, because the content of these blobs is not measured and therefore not trusted by the SEV guest. However, in some cases the kernel, initrd, and cmdline are not secret but should not be modified by the host. In such a case, we want to verify inside the trusted VM that the kernel, initrd, and cmdline are indeed the ones expected by the Guest Owner, and only if that is the case go on and boot them up (removing the need for grub inside OVMF in that mode). To support that, OVMF adds a special area for hashes of kernel/initrd/cmdline; that area is expected to be filled by QEMU and encrypted as part of the initial SEV guest launch. This in turn makes the hashes part of the AMD PSP measured content, and OVMF can trust these inputs if they match the hashes. This series adds an SEV function to generate the table of hashes for OVMF and encrypt it (patch 1/2), and calls this function if SEV is enabled when the kernel/initrd/cmdline are prepared (patch 2/2). Corresponding OVMF support [1] is already available in edk2 (patch series "Measured SEV boot with kernel/initrd/cmdline"). [1] https://edk2.groups.io/g/devel/message/78250 --- v4 changes: - struct and variable renames (KernelLoaderContext -> SevKernelLoaderContext, kernel_loader_context -> sev_load_ctx). v3 resend: https://lore.kernel.org/qemu-devel/20210825073538.959525-1-dovmurik@linux.ibm.com/ v3: https://lore.kernel.org/qemu-devel/20210624102040.2015280-1-dovmurik@linux.ibm.com/ v3 changes: - initrd hash is now mandatory; if no -initrd is passed, calculate the hash of the empty buffer. This is now aligned with the OVMF behaviour which verifies the empty initrd (correctly). - make SevHashTable entries fixed: 3 entries for cmdline, initrd, and kernel. - in sev_add_kernel_loader_hashes: first calculate all the hashes, only then fill-in the hashes table in the guest's memory. - Use g_assert_not_reached in sev-stub.c. - Use QEMU_PACKED attribute for structs. - Use QemuUUID type for guids. - in sev_add_kernel_loader_hashes: use ARRAY_SIZE(iov) instead of literal 2. v2: https://lore.kernel.org/qemu-devel/20210621190553.1763020-1-dovmurik@linux.ibm.com/ v2 changes: - Extract main functionality to sev.c (with empty stub in sev-stub.c) - Use sev_enabled() instead of machine->cgs->ready to detect SEV guest - Coding style changes v1: https://lore.kernel.org/qemu-devel/20210525065931.1628554-1-dovmurik@linux.ibm.com/ Dov Murik (2): sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux boot x86/sev: generate SEV kernel loader hashes in x86_load_linux target/i386/sev_i386.h | 12 ++++ hw/i386/x86.c | 25 +++++++- target/i386/sev-stub.c | 5 ++ target/i386/sev.c | 137 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 178 insertions(+), 1 deletion(-)