From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Dov Murik <dovmurik@linux.ibm.com>
Cc: "Tom Lendacky" <thomas.lendacky@amd.com>,
"Ashish Kalra" <ashish.kalra@amd.com>,
"Brijesh Singh" <brijesh.singh@amd.com>,
"Eduardo Habkost" <ehabkost@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Connor Kuehl" <ckuehl@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
"James Bottomley" <jejb@linux.ibm.com>,
"Richard Henderson" <richard.henderson@linaro.org>,
qemu-devel@nongnu.org,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Hubertus Franke" <frankeh@us.ibm.com>,
"Jim Cadden" <jcadden@ibm.com>,
"Tobin Feldman-Fitzthum" <tobin@linux.ibm.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Laszlo Ersek" <lersek@redhat.com>
Subject: Re: [PATCH v3 1/2] sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux boot
Date: Mon, 27 Sep 2021 18:00:12 +0100 [thread overview]
Message-ID: <YVH4nLO+tuzNIDsC@redhat.com> (raw)
In-Reply-To: <20210825073538.959525-2-dovmurik@linux.ibm.com>
On Wed, Aug 25, 2021 at 07:35:37AM +0000, Dov Murik wrote:
> Add the sev_add_kernel_loader_hashes function to calculate the hashes of
> the kernel/initrd/cmdline and fill a designated OVMF encrypted hash
> table area. For this to work, OVMF must support an encrypted area to
> place the data which is advertised via a special GUID in the OVMF reset
> table.
>
> The hashes of each of the files is calculated (or the string in the case
> of the cmdline with trailing '\0' included). Each entry in the hashes
> table is GUID identified and since they're passed through the
> sev_encrypt_flash interface, the hashes will be accumulated by the PSP
> measurement (SEV_LAUNCH_MEASURE).
>
> Co-developed-by: James Bottomley <jejb@linux.ibm.com>
> Signed-off-by: James Bottomley <jejb@linux.ibm.com>
> Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
> Reviewed-by: Connor Kuehl <ckuehl@redhat.com>
> ---
> target/i386/sev_i386.h | 12 ++++
> target/i386/sev-stub.c | 5 ++
> target/i386/sev.c | 137 +++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 154 insertions(+)
>
> diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h
> index ae6d840478..deb3eec409 100644
> --- a/target/i386/sev_i386.h
> +++ b/target/i386/sev_i386.h
> @@ -28,6 +28,17 @@
> #define SEV_POLICY_DOMAIN 0x10
> #define SEV_POLICY_SEV 0x20
>
> +typedef struct KernelLoaderContext {
> + char *setup_data;
> + size_t setup_size;
> + char *kernel_data;
> + size_t kernel_size;
> + char *initrd_data;
> + size_t initrd_size;
> + char *cmdline_data;
> + size_t cmdline_size;
> +} KernelLoaderContext;
I'd expect the struct to have 'Sev' as its name prefix, in common
with everything else SEV related that's exported here.
> +
> extern bool sev_es_enabled(void);
> extern uint64_t sev_get_me_mask(void);
> extern SevInfo *sev_get_info(void);
> @@ -37,5 +48,6 @@ extern char *sev_get_launch_measurement(void);
> extern SevCapability *sev_get_capabilities(Error **errp);
> extern SevAttestationReport *
> sev_get_attestation_report(const char *mnonce, Error **errp);
> +extern bool sev_add_kernel_loader_hashes(KernelLoaderContext *ctx, Error **errp);
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2021-09-27 17:08 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-25 7:35 [PATCH v3 0/2] [RESEND] x86/sev: Measured Linux SEV guest with kernel/initrd/cmdline Dov Murik
2021-08-25 7:35 ` [PATCH v3 1/2] sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux boot Dov Murik
2021-09-27 17:00 ` Daniel P. Berrangé [this message]
2021-09-29 9:39 ` Dov Murik
2021-08-25 7:35 ` [PATCH v3 2/2] x86/sev: generate SEV kernel loader hashes in x86_load_linux Dov Murik
2021-09-27 17:03 ` Daniel P. Berrangé
2021-09-29 9:42 ` Dov Murik
2021-09-02 12:02 ` [PATCH v3 0/2] [RESEND] x86/sev: Measured Linux SEV guest with kernel/initrd/cmdline Dov Murik
-- strict thread matches above, loose matches on Subject: below --
2021-06-24 10:20 [PATCH v3 0/2] " Dov Murik
2021-06-24 10:20 ` [PATCH v3 1/2] sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux boot Dov Murik
2021-07-01 17:23 ` Connor Kuehl
2021-07-02 12:29 ` Dov Murik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YVH4nLO+tuzNIDsC@redhat.com \
--to=berrange@redhat.com \
--cc=ashish.kalra@amd.com \
--cc=brijesh.singh@amd.com \
--cc=ckuehl@redhat.com \
--cc=dgilbert@redhat.com \
--cc=dovmurik@linux.ibm.com \
--cc=ehabkost@redhat.com \
--cc=frankeh@us.ibm.com \
--cc=jcadden@ibm.com \
--cc=jejb@linux.ibm.com \
--cc=lersek@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thomas.lendacky@amd.com \
--cc=tobin@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.