qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: Connor Kuehl <ckuehl@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>,
	Ashish Kalra <ashish.kalra@amd.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Eduardo Habkost <ehabkost@redhat.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Richard Henderson <richard.henderson@linaro.org>,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	qemu-devel@nongnu.org, Dov Murik <dovmurik@linux.ibm.com>,
	Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
	Jim Cadden <jcadden@ibm.com>, Laszlo Ersek <lersek@redhat.com>
Subject: Re: [PATCH v3 0/2] x86/sev: Measured Linux SEV guest with kernel/initrd/cmdline
Date: Thu, 8 Jul 2021 19:03:24 +0200	[thread overview]
Message-ID: <fbf2dd1f-150e-beb5-bf17-fc5dc787ab0d@redhat.com> (raw)
In-Reply-To: <2dc6c60e-48f8-7c6f-6131-0bc1020e106f@redhat.com>

On 7/8/21 6:41 PM, Connor Kuehl wrote:
> Hi Paolo,
> 
> Please consider this series[1] for inclusion into your next pull request.
> 
> Just a note that this series has a companion series that is getting
> upstreamed into OVMF[2]

Shouldn't we get the OVMF part merged first?

> 
> [1] Patchwork link, if convenient: https://patchwork.kernel.org/project/qemu-devel/cover/20210624102040.2015280-1-dovmurik@linux.ibm.com/
> [2] https://bugzilla.tianocore.org/show_bug.cgi?id=3457#c6
> 
> Thank you,
> 
> Connor
> 
> On 6/24/21 3:20 AM, Dov Murik wrote:
>> Currently booting with -kernel/-initrd/-append is not supported in SEV
>> confidential guests, because the content of these blobs is not measured
>> and therefore not trusted by the SEV guest.
>>
>> However, in some cases the kernel, initrd, and cmdline are not secret
>> but should not be modified by the host.  In such a case, we want to
>> verify inside the trusted VM that the kernel, initrd, and cmdline are
>> indeed the ones expected by the Guest Owner, and only if that is the
>> case go on and boot them up (removing the need for grub inside OVMF in
>> that mode).
>>
>> To support that, OVMF adds a special area for hashes of
>> kernel/initrd/cmdline; that area is expected to be filled by QEMU and
>> encrypted as part of the initial SEV guest launch.  This in turn makes
>> the hashes part of the PSP measured content, and OVMF can trust these
>> inputs if they match the hashes.
>>
>> This series adds an SEV function to generate the table of hashes for
>> OVMF and encrypt it (patch 1/2), and calls this function if SEV is
>> enabled when the kernel/initrd/cmdline are prepared (patch 2/2).
>>
>> Corresponding OVMF support was submitted to edk2-devel [1] (patch series
>> "Measured SEV boot with kernel/initrd/cmdline"); it's still under
>> review.
>>
>> [1] https://edk2.groups.io/g/devel/topic/patch_v1_0_8_measured_sev/83074450
>>
>> ---



  reply	other threads:[~2021-07-08 17:34 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-24 10:20 Dov Murik
2021-06-24 10:20 ` [PATCH v3 1/2] sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux boot Dov Murik
2021-07-01 17:23   ` Connor Kuehl
2021-07-02 12:29     ` Dov Murik
2021-06-24 10:20 ` [PATCH v3 2/2] x86/sev: generate SEV kernel loader hashes in x86_load_linux Dov Murik
2021-07-08 16:41 ` [PATCH v3 0/2] x86/sev: Measured Linux SEV guest with kernel/initrd/cmdline Connor Kuehl
2021-07-08 17:03   ` Philippe Mathieu-Daudé [this message]
2021-07-08 17:16     ` Connor Kuehl
2021-07-29 19:31       ` Dov Murik
2021-07-30 14:47         ` Connor Kuehl
2021-07-30 18:02           ` Dov Murik
2021-07-30 18:14             ` Connor Kuehl
2021-07-09  6:55 ` Michael S. Tsirkin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=fbf2dd1f-150e-beb5-bf17-fc5dc787ab0d@redhat.com \
    --to=philmd@redhat.com \
    --cc=ashish.kalra@amd.com \
    --cc=brijesh.singh@amd.com \
    --cc=ckuehl@redhat.com \
    --cc=dgilbert@redhat.com \
    --cc=dovmurik@linux.ibm.com \
    --cc=ehabkost@redhat.com \
    --cc=jcadden@ibm.com \
    --cc=jejb@linux.ibm.com \
    --cc=lersek@redhat.com \
    --cc=mst@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=richard.henderson@linaro.org \
    --cc=thomas.lendacky@amd.com \
    --cc=tobin@linux.ibm.com \
    --subject='Re: [PATCH v3 0/2] x86/sev: Measured Linux SEV guest with kernel/initrd/cmdline' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).