From: Brijesh Singh <brijesh.singh@amd.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: brijesh.singh@amd.com, "Dov Murik" <dovmurik@linux.ibm.com>,
qemu-devel@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>,
"Marcelo Tosatti" <mtosatti@redhat.com>,
"Eduardo Habkost" <ehabkost@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Ashish Kalra" <ashish.kalra@amd.com>,
"Tom Lendacky" <thomas.lendacky@amd.com>,
"Tobin Feldman-Fitzthum" <tobin@linux.ibm.com>,
"James Bottomley" <jejb@linux.ibm.com>
Subject: Re: [PATCH 0/3] SEV: fixes for -kernel launch with incompatible OVMF
Date: Wed, 3 Nov 2021 10:44:53 -0500 [thread overview]
Message-ID: <f2dce4c6-1dbd-4bef-ad90-4e176db9d628@amd.com> (raw)
In-Reply-To: <YYKX7kmDE71NN8Sb@work-vm>
On 11/3/21 9:08 AM, Dr. David Alan Gilbert wrote:
> * Brijesh Singh (brijesh.singh@amd.com) wrote:
>>
>>
>> On 11/2/21 8:22 AM, Dov Murik wrote:
>>>
>>>
>>> On 02/11/2021 12:52, Brijesh Singh wrote:
>>>> Hi Dov,
>>>>
>>>> Overall the patch looks good, only question I have is that now we are
>>>> enforce qemu to hash the kernel, initrd and cmdline unconditionally for
>>>> any of the SEV guest launches. This requires anyone wanting to
>>>> calculating the expected measurement need to account for it. Should we
>>>> make the hash page build optional ?
>>>>
>>>
>>> The problem with adding a -enable-add-kernel-hashes QEMU option (or
>>> suboption) is yet another complexity for the user. I'd also argue that
>>> adding these hashes can lead to a more secure VM boot process, so it
>>> makes sense for it to be the default (and maybe introduce a
>>> -allow-insecure-unmeasured-kernel-via-fw-cfg option to prevent the
>>> measurement from changing due to addition of hashes?).
>>>
>>> Maybe, on the other hand, OVMF should "report" whether it supports
>>> hashes verification. If it does, it should have the GUID in the table
>>> (near the reset vector), like the current OvmfPkg/AmdSev edk2 build. If
>>> it doesn't support that, then the entry should not appear at all, and
>>> then QEMU won't add the hashes (with patch 1 from this series). This
>>> means that in edk2 we need to remove the SEV Hash Table block from the
>>> ResetVectorVtf0.asm for OvmfPkg, but include it in the AmdSev build.
>>>
>>
>> By leaving it ON is conveying a wrong message to the user. The library used
>> for verifying the hash is a NULL library for all the builds of Ovmf except
>> the AmdSev package. In the NULL library case, OVMF does not perform any
>> checks and hash table is useless. I will raise this on concern on your Ovmf
>> patch series.
>>
>> IMHO, if you want to turn it ON by default then make sure all the OVMF
>> package builds supports validating the hash.
>>
>>
>>> But the problem with this approach is that it prevents the future
>>> unification of AmdSev and OvmfPkg, which is a possibility we discussed
>>> (at least with Dave Gilbert), though not sure it's a good/feasible goal.
>>>
>>>
>>
>> This is my exact concern, we are auto enabling the features in Qemu that is
>> supported by AmdSev package only.
>
> I'm confused; wouldn't the trick be to only define the GUIDs for the
> builds that support the validation?
>
The GUID is hardcoded in the OVMF reset vector asm file, and the file
gets included for all the flavor of OVMF builds. In its current form,
GUID is defined for all the package.
thanks
next prev parent reply other threads:[~2021-11-03 15:51 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-01 10:21 [PATCH 0/3] SEV: fixes for -kernel launch with incompatible OVMF Dov Murik
2021-11-01 10:21 ` [PATCH 1/3] sev/i386: Allow launching with -kernel if no OVMF hashes table found Dov Murik
2021-11-01 14:25 ` Tom Lendacky
2021-11-01 17:56 ` Dov Murik
2021-11-03 16:02 ` Daniel P. Berrangé
2021-11-04 18:18 ` Dr. David Alan Gilbert
2021-11-04 18:22 ` Daniel P. Berrangé
2021-11-05 7:41 ` Dov Murik
2021-11-01 10:21 ` [PATCH 2/3] sev/i386: Warn if using -kernel with invalid OVMF hashes table area Dov Murik
2021-11-02 12:36 ` Dr. David Alan Gilbert
2021-11-02 12:56 ` Dov Murik
2021-11-02 18:38 ` Dr. David Alan Gilbert
2021-11-02 19:00 ` Philippe Mathieu-Daudé
2021-11-03 16:07 ` Daniel P. Berrangé
2021-11-05 7:52 ` Dov Murik
2021-11-01 10:21 ` [PATCH 3/3] sev/i386: Perform padding calculations at compile-time Dov Murik
2021-11-02 11:36 ` Dr. David Alan Gilbert
2021-11-02 11:50 ` Dov Murik
2021-11-03 14:49 ` Philippe Mathieu-Daudé
2021-11-02 10:52 ` [PATCH 0/3] SEV: fixes for -kernel launch with incompatible OVMF Brijesh Singh
2021-11-02 13:22 ` Dov Murik
2021-11-02 14:48 ` Brijesh Singh
2021-11-03 14:08 ` Dr. David Alan Gilbert
2021-11-03 15:44 ` Brijesh Singh [this message]
2021-11-05 7:38 ` Dov Murik
2021-11-05 18:32 ` Dov Murik
2021-11-08 21:22 ` Brijesh Singh
2021-11-09 7:34 ` Dov Murik
2021-11-03 16:10 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f2dce4c6-1dbd-4bef-ad90-4e176db9d628@amd.com \
--to=brijesh.singh@amd.com \
--cc=ashish.kalra@amd.com \
--cc=dgilbert@redhat.com \
--cc=dovmurik@linux.ibm.com \
--cc=ehabkost@redhat.com \
--cc=jejb@linux.ibm.com \
--cc=mtosatti@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thomas.lendacky@amd.com \
--cc=tobin@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.