From: "Philippe Mathieu-Daudé" <firstname.lastname@example.org>
To: Connor Kuehl <email@example.com>,
	Paolo Bonzini <firstname.lastname@example.org>
Cc: Tom Lendacky <email@example.com>,
	Ashish Kalra <firstname.lastname@example.org>,
	Brijesh Singh <email@example.com>,
	Eduardo Habkost <firstname.lastname@example.org>,
	"Michael S. Tsirkin" <email@example.com>,
	James Bottomley <firstname.lastname@example.org>,
	Richard Henderson <email@example.com>,
	"Dr. David Alan Gilbert" <firstname.lastname@example.org>,
	email@example.com, Dov Murik <firstname.lastname@example.org>,
	Tobin Feldman-Fitzthum <email@example.com>,
	Jim Cadden <firstname.lastname@example.org>,
	Laszlo Ersek <email@example.com>
Subject: Re: [PATCH v3 0/2] x86/sev: Measured Linux SEV guest with kernel/initrd/cmdline
Date: Thu, 8 Jul 2021 19:03:24 +0200
Message-ID: <firstname.lastname@example.org>
In-Reply-To: <email@example.com>

On 7/8/21 6:41 PM, Connor Kuehl wrote:
> Hi Paolo,
>
> Please consider this series for inclusion into your next pull request.
>
> Just a note that this series has a companion series that is getting
> upstreamed into OVMF

Shouldn't we get the OVMF part merged first?

>
> Patchwork link, if convenient: https://firstname.lastname@example.org/
> https://bugzilla.tianocore.org/show_bug.cgi?id=3457#c6
>
> Thank you,
>
> Connor
>
> On 6/24/21 3:20 AM, Dov Murik wrote:
>> Currently booting with -kernel/-initrd/-append is not supported in SEV
>> confidential guests, because the content of these blobs is not measured
>> and therefore not trusted by the SEV guest.
>>
>> However, in some cases the kernel, initrd, and cmdline are not secret
>> but should not be modified by the host. In such a case, we want to
>> verify inside the trusted VM that the kernel, initrd, and cmdline are
>> indeed the ones expected by the Guest Owner, and only if that is the
>> case go on and boot them up (removing the need for grub inside OVMF in
>> that mode).
>>
>> To support that, OVMF adds a special area for hashes of
>> kernel/initrd/cmdline; that area is expected to be filled by QEMU and
>> encrypted as part of the initial SEV guest launch. This in turn makes
>> the hashes part of the PSP measured content, and OVMF can trust these
>> inputs if they match the hashes.
>>
>> This series adds an SEV function to generate the table of hashes for
>> OVMF and encrypt it (patch 1/2), and calls this function if SEV is
>> enabled when the kernel/initrd/cmdline are prepared (patch 2/2).
>>
>> Corresponding OVMF support was submitted to edk2-devel (patch series
>> "Measured SEV boot with kernel/initrd/cmdline"); it's still under
>> review.
>>
>> https://edk2.groups.io/g/devel/topic/patch_v1_0_8_measured_sev/83074450
>>
>> ---
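The trust flow described in the quoted cover letter above, as an added Python model that is not code from the patch series, QEMU, or OVMF. It shows why the firmware check and the measured table are both needed. The table layout (three concatenated SHA-256 digests), the hash choice, and the measurement function (a plain SHA-256 over firmware plus table) are simplifying assumptions; the page does not give the real formats.

```python
import hashlib
import hmac

# Assumed entry order; the real OVMF/QEMU table layout is not shown on this page.
FIELDS = ("kernel", "initrd", "cmdline")


def build_hash_table(blobs):
    """Host side (QEMU's role): one SHA-256 digest per blob, concatenated."""
    return b"".join(hashlib.sha256(blobs[name]).digest() for name in FIELDS)


def launch_measurement(firmware, table):
    """Simplified stand-in for the PSP measurement of the initial guest content."""
    return hashlib.sha256(firmware + table).digest()


def firmware_accepts(table, blobs):
    """Firmware side (OVMF's role): boot only if every blob matches its entry."""
    for i, name in enumerate(FIELDS):
        expected = table[32 * i:32 * (i + 1)]
        actual = hashlib.sha256(blobs[name]).digest()
        if not hmac.compare_digest(expected, actual):
            return False
    return True


def scenario(good, delivered, table_source):
    """Return (firmware_ok, attestation_ok) for what the host actually supplied."""
    firmware = b"constructed firmware image"  # placeholder bytes, not real OVMF
    expected = launch_measurement(firmware, build_hash_table(good))  # Guest Owner
    table = build_hash_table(table_source)                           # host-filled
    reported = launch_measurement(firmware, table)
    return firmware_accepts(table, delivered), hmac.compare_digest(expected, reported)


# Constructed sample inputs, not real boot artifacts.
GOOD = {"kernel": b"vmlinuz-bytes", "initrd": b"initrd-bytes", "cmdline": b"console=ttyS0"}
TAMPERED = dict(GOOD, cmdline=b"console=ttyS0 debug")

if __name__ == "__main__":
    print("untouched:               ", scenario(GOOD, GOOD, GOOD))
    print("blob changed, table kept:", scenario(GOOD, TAMPERED, GOOD))
    print("blob and table changed:  ", scenario(GOOD, TAMPERED, TAMPERED))
```

A host that changes a blob but leaves the table alone is caught by the firmware comparison; a host that also rewrites the table passes that comparison but produces a measurement the Guest Owner does not expect.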