From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Laszlo Ersek <lersek@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
qemu-devel@nongnu.org, Xiaoyao Li <xiaoyao.li@intel.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Richard Henderson <richard.henderson@linaro.org>,
Peter Maydell <peter.maydell@linaro.org>,
Gerd Hoffmann <kraxel@redhat.com>,
Ard Biesheuvel <ardb@kernel.org>,
linux-efi@vger.kernel.org
Subject: Re: [PATCH v2] hw/i386: place setup_data at fixed place in memory
Date: Thu, 4 Aug 2022 13:11:37 +0100 [thread overview]
Message-ID: <Yuu3ee1iB3IoLdZS@redhat.com> (raw)
In-Reply-To: <Yuu1kX9CAqSUNNAj@zx2c4.com>
On Thu, Aug 04, 2022 at 02:03:29PM +0200, Jason A. Donenfeld wrote:
> Hi Daniel,
>
> On Thu, Aug 04, 2022 at 10:25:36AM +0100, Daniel P. Berrangé wrote:
> > Yep, and ultimately the inability to distinguish UEFI vs other firmware
> > is arguably correct by design, as the QEMU <-> firmware interface is
> > supposed to be arbitrarily pluggable for any firmware implementation
> > not limited to merely UEFI + seabios.
>
> Indeed, I agree with this.
>
> >
> > > For now I suggest either reverting the original patch, or at least not
> > > enabling the knob by default for any machine types. In particular, when
> > > using MicroVM, the user must leave the knob disabled when direct booting
> > > a kernel on OVMF, and the user may or may not enable the knob when
> > > direct booting a kernel on SeaBIOS.
> >
> > Having it opt-in via a knob would defeat Jason's goal of having the seed
> > available automatically.
>
> Yes, adding a knob is absolutely out of the question.
>
> It also doesn't actually solve the problem: this triggers when QEMU
> passes a DTB too. It's not just for the new RNG seed thing. This bug
> isn't new.
In the other thread I also mentioned that this RNG Seed addition has
caused a bug with AMD SEV too, making boot measurement attestation
fail because the kernel blob passed to the firmware no longer matches
what the tenant expects, due to the injected seed.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2022-08-04 12:12 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-03 17:02 [PATCH RFC v1] hw/i386: place setup_data at fixed place in memory Jason A. Donenfeld
2022-08-03 22:25 ` Michael S. Tsirkin
2022-08-03 22:50 ` Jason A. Donenfeld
2022-08-04 0:39 ` Jason A. Donenfeld
2022-08-04 0:44 ` [PATCH v2] " Jason A. Donenfeld
2022-08-04 7:03 ` Michael S. Tsirkin
2022-08-04 8:58 ` Laszlo Ersek
2022-08-04 9:25 ` Daniel P. Berrangé
2022-08-04 10:26 ` Ard Biesheuvel
2022-08-04 11:31 ` Laszlo Ersek
2022-08-04 12:11 ` Jason A. Donenfeld
2022-08-04 12:47 ` Jason A. Donenfeld
2022-08-04 13:16 ` Laszlo Ersek
2022-08-04 13:25 ` Jason A. Donenfeld
2022-08-04 13:29 ` Laszlo Ersek
2022-08-04 12:03 ` Jason A. Donenfeld
2022-08-04 12:11 ` Daniel P. Berrangé [this message]
2022-08-04 12:16 ` Ard Biesheuvel
2022-08-04 12:17 ` Jason A. Donenfeld
2022-08-04 12:28 ` Jason A. Donenfeld
2022-08-04 13:25 ` Laszlo Ersek
2022-08-04 13:28 ` Jason A. Donenfeld
2022-08-04 13:56 ` Laszlo Ersek
2022-08-04 14:03 ` Daniel P. Berrangé
2022-08-04 14:04 ` Laszlo Ersek
2022-08-04 22:56 ` Jason A. Donenfeld
2022-08-04 23:04 ` [PATCH v3] " Jason A. Donenfeld
2022-08-05 8:10 ` Paolo Bonzini
2022-08-05 11:08 ` Ard Biesheuvel
2022-08-05 17:29 ` Paolo Bonzini
2022-08-05 17:56 ` Ard Biesheuvel
2022-08-09 9:17 ` Michael S. Tsirkin
2022-08-09 14:19 ` Paolo Bonzini
2022-08-05 12:47 ` Jason A. Donenfeld
2022-08-05 13:34 ` Laszlo Ersek
2022-08-09 12:17 ` Jason A. Donenfeld
2022-08-09 14:07 ` Michael S. Tsirkin
2022-08-09 14:15 ` Daniel P. Berrangé
2022-08-05 6:26 ` [PATCH v2] " Laszlo Ersek
2022-08-16 8:55 ` Gerd Hoffmann
2022-08-18 15:38 ` Jason A. Donenfeld
2022-08-19 6:40 ` Gerd Hoffmann
2022-08-19 7:16 ` Ard Biesheuvel
2022-08-04 12:54 ` Daniel P. Berrangé
2022-08-04 13:07 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yuu3ee1iB3IoLdZS@redhat.com \
--to=berrange@redhat.com \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=kraxel@redhat.com \
--cc=lersek@redhat.com \
--cc=linux-efi@vger.kernel.org \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=xiaoyao.li@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.