From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: Connor Kuehl <ckuehl@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>,
Ashish Kalra <ashish.kalra@amd.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Eduardo Habkost <ehabkost@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
James Bottomley <jejb@linux.ibm.com>,
Richard Henderson <richard.henderson@linaro.org>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
qemu-devel@nongnu.org, Dov Murik <dovmurik@linux.ibm.com>,
Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
Jim Cadden <jcadden@ibm.com>, Laszlo Ersek <lersek@redhat.com>
Subject: Re: [PATCH v3 0/2] x86/sev: Measured Linux SEV guest with kernel/initrd/cmdline
Date: Thu, 8 Jul 2021 19:03:24 +0200 [thread overview]
Message-ID: <fbf2dd1f-150e-beb5-bf17-fc5dc787ab0d@redhat.com> (raw)
In-Reply-To: <2dc6c60e-48f8-7c6f-6131-0bc1020e106f@redhat.com>
On 7/8/21 6:41 PM, Connor Kuehl wrote:
> Hi Paolo,
>
> Please consider this series[1] for inclusion into your next pull request.
>
> Just a note that this series has a companion series that is getting
> upstreamed into OVMF[2]
Shouldn't we get the OVMF part merged first?
>
> [1] Patchwork link, if convenient: https://patchwork.kernel.org/project/qemu-devel/cover/20210624102040.2015280-1-dovmurik@linux.ibm.com/
> [2] https://bugzilla.tianocore.org/show_bug.cgi?id=3457#c6
>
> Thank you,
>
> Connor
>
> On 6/24/21 3:20 AM, Dov Murik wrote:
>> Currently booting with -kernel/-initrd/-append is not supported in SEV
>> confidential guests, because the content of these blobs is not measured
>> and therefore not trusted by the SEV guest.
>>
>> However, in some cases the kernel, initrd, and cmdline are not secret
>> but should not be modified by the host. In such a case, we want to
>> verify inside the trusted VM that the kernel, initrd, and cmdline are
>> indeed the ones expected by the Guest Owner, and only if that is the
>> case go on and boot them up (removing the need for grub inside OVMF in
>> that mode).
>>
>> To support that, OVMF adds a special area for hashes of
>> kernel/initrd/cmdline; that area is expected to be filled by QEMU and
>> encrypted as part of the initial SEV guest launch. This in turn makes
>> the hashes part of the PSP measured content, and OVMF can trust these
>> inputs if they match the hashes.
>>
>> This series adds an SEV function to generate the table of hashes for
>> OVMF and encrypt it (patch 1/2), and calls this function if SEV is
>> enabled when the kernel/initrd/cmdline are prepared (patch 2/2).
>>
>> Corresponding OVMF support was submitted to edk2-devel [1] (patch series
>> "Measured SEV boot with kernel/initrd/cmdline"); it's still under
>> review.
>>
>> [1] https://edk2.groups.io/g/devel/topic/patch_v1_0_8_measured_sev/83074450
>>
>> ---
next prev parent reply other threads:[~2021-07-08 17:34 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-24 10:20 [PATCH v3 0/2] x86/sev: Measured Linux SEV guest with kernel/initrd/cmdline Dov Murik
2021-06-24 10:20 ` [PATCH v3 1/2] sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux boot Dov Murik
2021-07-01 17:23 ` Connor Kuehl
2021-07-02 12:29 ` Dov Murik
2021-06-24 10:20 ` [PATCH v3 2/2] x86/sev: generate SEV kernel loader hashes in x86_load_linux Dov Murik
2021-07-08 16:41 ` [PATCH v3 0/2] x86/sev: Measured Linux SEV guest with kernel/initrd/cmdline Connor Kuehl
2021-07-08 17:03 ` Philippe Mathieu-Daudé [this message]
2021-07-08 17:16 ` Connor Kuehl
2021-07-29 19:31 ` Dov Murik
2021-07-30 14:47 ` Connor Kuehl
2021-07-30 18:02 ` Dov Murik
2021-07-30 18:14 ` Connor Kuehl
2021-07-09 6:55 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fbf2dd1f-150e-beb5-bf17-fc5dc787ab0d@redhat.com \
--to=philmd@redhat.com \
--cc=ashish.kalra@amd.com \
--cc=brijesh.singh@amd.com \
--cc=ckuehl@redhat.com \
--cc=dgilbert@redhat.com \
--cc=dovmurik@linux.ibm.com \
--cc=ehabkost@redhat.com \
--cc=jcadden@ibm.com \
--cc=jejb@linux.ibm.com \
--cc=lersek@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thomas.lendacky@amd.com \
--cc=tobin@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).