From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38738)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from )
	id 1ekDPg-0002Rd-OB for qemu-devel@nongnu.org;
	Fri, 09 Feb 2018 13:28:45 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from ) id 1ekDPc-0006xA-9m for qemu-devel@nongnu.org;
	Fri, 09 Feb 2018 13:28:44 -0500
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:55272 helo=mx1.redhat.com)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from ) id 1ekDPc-0006wX-4n
	for qemu-devel@nongnu.org; Fri, 09 Feb 2018 13:28:40 -0500
Date: Fri, 9 Feb 2018 18:28:20 +0000
From: "Dr. David Alan Gilbert"
Message-ID: <20180209182819.GH2428@work-vm>
References: <20180207160638.98872-17-brijesh.singh@amd.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180207160638.98872-17-brijesh.singh@amd.com>
Subject: Re: [Qemu-devel] [PATCH v7 17/26] target/i386: encrypt bios rom
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: Brijesh Singh
Cc: qemu-devel@nongnu.org, Alistair Francis, Christian Borntraeger,
	Cornelia Huck, "Daniel P . Berrange", "Michael S. Tsirkin",
	"Edgar E. Iglesias", Eduardo Habkost, Eric Blake, kvm@vger.kernel.org,
	Marcel Apfelbaum, Markus Armbruster, Paolo Bonzini, Peter Crosthwaite,
	Peter Maydell, Richard Henderson, Stefan Hajnoczi, Thomas Lendacky,
	Borislav Petkov, Richard Henderson

* Brijesh Singh (brijesh.singh@amd.com) wrote:
> SEV requires that guest bios must be encrypted before booting the guest.

I'm curious; is it just the main BIOS that needs encryption - what about
things like device/PXE rom images?

Dave

>
> Cc: "Michael S. Tsirkin"
> Cc: Paolo Bonzini
> Cc: Richard Henderson
> Cc: Eduardo Habkost
> Signed-off-by: Brijesh Singh
> ---
>  hw/i386/pc_sysfw.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> > diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c > index 6b183747fcea..8ddbbf74d330 100644 > --- a/hw/i386/pc_sysfw.c > +++ b/hw/i386/pc_sysfw.c > @@ -112,6 +112,8 @@ static void pc_system_flash_init(MemoryRegion *rom_memory) > pflash_t *system_flash; > MemoryRegion *flash_mem; > char name[64]; > + void *flash_ptr; > + int ret, flash_size; > > sector_bits = 12; > sector_size = 1 << sector_bits; > @@ -168,6 +170,17 @@ static void pc_system_flash_init(MemoryRegion *rom_memory) > if (unit == 0) { > flash_mem = pflash_cfi01_get_memory(system_flash); > pc_isa_bios_init(rom_memory, flash_mem, size); > + > + /* Encrypt the pflash boot ROM */ > + if (kvm_memcrypt_enabled()) { > + flash_ptr = memory_region_get_ram_ptr(flash_mem); > + flash_size = memory_region_size(flash_mem); > + ret = kvm_memcrypt_encrypt_data(flash_ptr, flash_size); > + if (ret) { > + error_report("failed to encrypt pflash rom"); > + exit(1); > + } > + } > } > } > } > -- > 2.14.3 > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
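Review bot: in the first hunk (@@ -112,6 +112,8), `int ret, flash_size;` declares flash_size as a signed int, yet the second hunk assigns it from memory_region_size(flash_mem), which returns a uint64_t, and then passes it as the length to kvm_memcrypt_encrypt_data(). Declaring flash_size as uint64_t on its own line, separate from `int ret`, removes the implicit narrowing and keeps the length unsigned all the way to the encrypt call.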
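Review bot: in the second hunk (@@ -168,6 +170,17), the encryption block sits inside `if (unit == 0)`, so only the first pflash unit is ever handed to kvm_memcrypt_encrypt_data(), and neither the "Encrypt the pflash boot ROM" comment nor the commit message says whether the remaining units are meant to stay unencrypted. Please state that intent in the comment. Separately, `error_report("failed to encrypt pflash rom");` discards ret; including the return value in the message would make a failed launch easier to diagnose.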