Message ID | 20210930054915.13252-1-dovmurik@linux.ibm.com (mailing list archive) |
---|---|
Headers | show |
Series | x86/sev: Measured Linux SEV guest with kernel/initrd/cmdline | expand |
Queued, thanks. However, it would be nice to have a documentation of all our SEV firmware interfaces somewhere in docs/specs/. Paolo On Thu, Sep 30, 2021 at 7:49 AM Dov Murik <dovmurik@linux.ibm.com> wrote: > > Currently booting with -kernel/-initrd/-append is not supported in SEV > confidential guests, because the content of these blobs is not measured > and therefore not trusted by the SEV guest. > > However, in some cases the kernel, initrd, and cmdline are not secret > but should not be modified by the host. In such a case, we want to > verify inside the trusted VM that the kernel, initrd, and cmdline are > indeed the ones expected by the Guest Owner, and only if that is the > case go on and boot them up (removing the need for grub inside OVMF in > that mode). > > To support that, OVMF adds a special area for hashes of > kernel/initrd/cmdline; that area is expected to be filled by QEMU and > encrypted as part of the initial SEV guest launch. This in turn makes > the hashes part of the AMD PSP measured content, and OVMF can trust > these inputs if they match the hashes. > > This series adds an SEV function to generate the table of hashes for > OVMF and encrypt it (patch 1/2), and calls this function if SEV is > enabled when the kernel/initrd/cmdline are prepared (patch 2/2). > > Corresponding OVMF support [1] is already available in edk2 (patch series > "Measured SEV boot with kernel/initrd/cmdline"). > > [1] https://edk2.groups.io/g/devel/message/78250 > > --- > > v4 changes: > - struct and variable renames (KernelLoaderContext -> SevKernelLoaderContext, > kernel_loader_context -> sev_load_ctx). > > v3 resend: https://lore.kernel.org/qemu-devel/20210825073538.959525-1-dovmurik@linux.ibm.com/ > v3: https://lore.kernel.org/qemu-devel/20210624102040.2015280-1-dovmurik@linux.ibm.com/ > v3 changes: > - initrd hash is now mandatory; if no -initrd is passed, calculate the > hash of the empty buffer. This is now aligned with the OVMF > behaviour which verifies the empty initrd (correctly). > - make SevHashTable entries fixed: 3 entries for cmdline, initrd, and kernel. > - in sev_add_kernel_loader_hashes: first calculate all the hashes, only then > fill-in the hashes table in the guest's memory. > - Use g_assert_not_reached in sev-stub.c. > - Use QEMU_PACKED attribute for structs. > - Use QemuUUID type for guids. > - in sev_add_kernel_loader_hashes: use ARRAY_SIZE(iov) instead of literal 2. > > v2: https://lore.kernel.org/qemu-devel/20210621190553.1763020-1-dovmurik@linux.ibm.com/ > v2 changes: > - Extract main functionality to sev.c (with empty stub in sev-stub.c) > - Use sev_enabled() instead of machine->cgs->ready to detect SEV guest > - Coding style changes > > v1: https://lore.kernel.org/qemu-devel/20210525065931.1628554-1-dovmurik@linux.ibm.com/ > > > Dov Murik (2): > sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux > boot > x86/sev: generate SEV kernel loader hashes in x86_load_linux > > target/i386/sev_i386.h | 12 ++++ > hw/i386/x86.c | 25 +++++++- > target/i386/sev-stub.c | 5 ++ > target/i386/sev.c | 137 +++++++++++++++++++++++++++++++++++++++++ > 4 files changed, 178 insertions(+), 1 deletion(-) > > -- > 2.25.1 >
On 04/10/2021 11:03, Paolo Bonzini wrote: > Queued, thanks. However, it would be nice to have a documentation of > all our SEV firmware interfaces somewhere in docs/specs/. Thanks Paolo. I'll try to arrange a skeleton for such document. So far I think we have the following interfaces: 1. SEV_SECRET_GUID - Secret injection target page 2. SEV_INFO_BLOCK_GUID - Used (currently) for the SEV-ES AP reset vector 3. SEV_HASH_TABLE_RV_GUID - For hashes of kernel/initrd/cmdline -Dov