From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: thomas.lendacky@amd.com, ashish.kalra@amd.com,
brijesh.singh@amd.com, david.kaplan@amd.com,
James Bottomley <jejb@linux.ibm.com>,
jon.grimm@amd.com, tobin@ibm.com, qemu-devel@nongnu.org,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
frankeh@us.ibm.com, Dov.Murik1@il.ibm.com,
dovmurik@linux.vnet.ibm.com
Subject: Re: [PATCH v3 2/2] sev: update sev-inject-launch-secret to make gpa optional
Date: Fri, 5 Feb 2021 11:37:38 +0000 [thread overview]
Message-ID: <20210205113738.GH908621@redhat.com> (raw)
In-Reply-To: <e11240d0-d325-336b-f43b-3cee6cf94b76@redhat.com>
On Fri, Feb 05, 2021 at 11:58:26AM +0100, Paolo Bonzini wrote:
> On 05/02/21 10:51, Daniel P. Berrangé wrote:
> > > + if (!pc_system_ovmf_table_find(SEV_SECRET_GUID, &data, NULL)) {
> > > + error_setg(errp, "SEV: no secret area found in OVMF,"
> > > + " gpa must be specified.");
> > > + return;
> > > + }
> > IIUC, historically QEMU has gone out of its way to avoid creating a
> > direct dependancy on specific firmware implementation details such
> > as this, so this whole approach makes me feel really uneasy.
>
> The problem here is that this secret must be measured and therefore cannot
> be extracted by the guest out of fw_cfg. Note that there's no reason why
> other firmware than OVMF could not adopt the same interface.
I didn't mean to store the secret in fw_cfg. Rather to use fw_cfg as a
way for OVMF to tell QEMU where to store it
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2021-02-05 11:39 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-04 19:39 [PATCH v3 0/2] sev: enable secret injection to a self described area in OVMF James Bottomley
2021-02-04 19:39 ` [PATCH v3 1/2] pc: add parser for OVMF reset block James Bottomley
2021-02-04 19:58 ` Dr. David Alan Gilbert
2021-02-04 19:39 ` [PATCH v3 2/2] sev: update sev-inject-launch-secret to make gpa optional James Bottomley
2021-02-04 20:00 ` Dr. David Alan Gilbert
2021-02-05 9:51 ` Daniel P. Berrangé
2021-02-05 10:58 ` Paolo Bonzini
2021-02-05 11:37 ` Daniel P. Berrangé [this message]
2021-02-05 11:45 ` Paolo Bonzini
2021-02-05 11:51 ` Daniel P. Berrangé
2021-02-08 9:38 ` Dr. David Alan Gilbert
2021-02-05 10:58 ` [PATCH v3 0/2] sev: enable secret injection to a self described area in OVMF Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210205113738.GH908621@redhat.com \
--to=berrange@redhat.com \
--cc=Dov.Murik1@il.ibm.com \
--cc=ashish.kalra@amd.com \
--cc=brijesh.singh@amd.com \
--cc=david.kaplan@amd.com \
--cc=dgilbert@redhat.com \
--cc=dovmurik@linux.vnet.ibm.com \
--cc=frankeh@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jon.grimm@amd.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thomas.lendacky@amd.com \
--cc=tobin@ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).