From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Gerd Hoffman <kraxel@redhat.com>
Cc: "Jörg Rödel" <joro@8bytes.org>,
"Alexander Graf" <graf@amazon.com>,
"Ani Sinha" <anisinha@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Eduardo Habkost" <eduardo@habkost.net>,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Yanan Wang" <wangyanan55@huawei.com>,
"Zhao Liu" <zhao1.liu@intel.com>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Fabiano Rosas" <farosas@suse.de>,
"Laurent Vivier" <lvivier@redhat.com>,
"Igor Mammedov" <imammedo@redhat.com>,
"Vitaly Kuznetsov" <vkuznets@redhat.com>,
qemu-devel@nongnu.org
Subject: Re: [PATCH v6] hw/misc/vmfwupdate: Introduce hypervisor fw-cfg interface support
Date: Mon, 24 Mar 2025 16:08:06 +0000 [thread overview]
Message-ID: <Z-GDZkkyLsXFzk5b@redhat.com> (raw)
In-Reply-To: <mimxt26hwxn4kkdt6fgx4dpuejx2667edfenx6jirpuxtnkfqz@r3uybu6g5e44>
On Fri, Mar 21, 2025 at 09:22:59AM +0100, Gerd Hoffman wrote:
> On Thu, Mar 20, 2025 at 09:34:26AM +0100, Jörg Rödel wrote:
> > On Tue, Mar 18, 2025 at 12:11:02PM +0100, Gerd Hoffman wrote:
> > > Open questions:
> > >
> > > - Does the idea to use igvm parameters for the kernel hashes makes
> > > sense? Are parameters part of the launch measurement?
> >
> > Parameters itself are fully measured, their presence is, but not their
> > data. This is to keep the same launch measurements across different
> > platform configurations.
> >
> > So for hashes it is best to put some on some measured page and let the
> > parameters point to it.
>
> Had a look at the kernel hashes details this week.
>
> So, the story is this: It's essentially a private arrangement between
> ovmf (the amdsev build variant only) and qemu. The hashes are placed in
> a specific page, together with "launch secrets" (that is not the sev-snp
> "secrets" page). That page is part of the lanuch measurement. That
> effectively makes the kernel + initrd + cmdline part of the launch
> measurement too (ovmf verifies the hashes), but without the relatively
> slow secure processor hashing kernel + initrd + cmdline, which reduces
> the time needed to launch a VM.
>
> The "launch secret" is intended to hold things like a luks secret to
> unlock the root filesystem. OVMF doesn't touch it but reserves the page
> and registers a EFI table for it so the linux kernel can find it.
>
> As far I know these are more experimental bits than something actually
> used in production. It's also clearly a pre-UKI design. That IMHO
> opens up the question whenever we actually want carry forward with that,
> or if we better check out what alternatives we have. We'll have a
> signed UKI after all, so going for secure boot and/or measured boot for
> the UKI verification looks attractive compared to passing around hashes
> for the elements inside the UKI.
Although it has been extended to SNP in QEMU, personally I'd consider
the QEMU 'kernel hashes' functionality to be an niche feature.
From a virt mgmt POV we know in general that direct kernel boot while
useful, is somewhat limited in usage. Most of the time it is saner to
have the guest decide what kernel to boot without interaction of the
host. So by extension, the kernel hashes feature is also going to be
a similarly (or even more) niche use case. The UKI with system extensions
and secureboot model gives much greater flexibility for defining policy
around valid configurations than using fixed hashes - especially when
it comes to kernel command line which has potentially many valid configs.
> Not fully sure what to do about the "launch secrets". IIRC the initial
> design of this is for sev-es, i.e. pre-snp, so maybe the sev-snp secrets
> page can be used instead. I see the spec has 0x60 bytes (offset 0xa0)
> reserved for guest os usage. In any case this probably is only needed
> as temporary stopgap until we have a complete vTPM implementation for
> the svsm.
I view the launch secrets feature as a crutch to cope with the HW
limitations of SEV/SEV-ES. You have the host initiated attestation
dance and after verification can pass data back to the host, which
will inject it into the guest. The inability to have a secure TPM
in SEV/SEV-ES forces you down this road. It is highly undesirable
as a feature going forward because we're better served by having
a boot workflow that is common to traditional virt, confidential
virt, and bare metal, and TPM delivers on that.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2025-03-24 16:09 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-13 12:05 [PATCH v6] hw/misc/vmfwupdate: Introduce hypervisor fw-cfg interface support Gerd Hoffman
2025-03-13 13:31 ` Jörg Rödel
2025-03-13 14:06 ` Ani Sinha
2025-03-14 11:27 ` Gerd Hoffman
2025-03-14 12:47 ` Alexander Graf
2025-03-14 14:08 ` Gerd Hoffman
2025-03-14 14:50 ` Alexander Graf
2025-03-17 9:56 ` Gerd Hoffman
2025-03-17 17:29 ` Alexander Graf
2025-03-18 7:00 ` Gerd Hoffman
2025-03-18 11:11 ` Gerd Hoffman
2025-03-20 8:34 ` Jörg Rödel
2025-03-21 8:22 ` Gerd Hoffman
2025-03-24 16:08 ` Daniel P. Berrangé [this message]
2025-03-20 13:53 ` Alexander Graf
2025-03-21 3:36 ` Ani Sinha
2025-03-21 8:09 ` Alexander Graf
2025-03-21 9:14 ` Gerd Hoffman
2025-03-20 8:31 ` Jörg Rödel
2025-03-21 10:08 ` Gerd Hoffman
2025-03-21 12:44 ` Ani Sinha
2025-03-24 7:43 ` Gerd Hoffman
2025-03-24 11:12 ` Ani Sinha
2025-03-24 15:48 ` Gerd Hoffman
2025-03-24 16:31 ` Alexander Graf
2025-03-24 17:53 ` Gerd Hoffman
2025-03-24 18:07 ` Daniel P. Berrangé
2025-03-25 8:04 ` Alexander Graf
2025-03-26 12:27 ` Gerd Hoffman
2025-03-26 15:22 ` Alexander Graf
2025-03-26 21:51 ` Gerd Hoffman
2025-04-07 16:21 ` Dionna Amalie Glaze
2025-04-08 8:33 ` Gerd Hoffman
2025-04-08 21:42 ` Dionna Amalie Glaze
2025-04-09 6:21 ` Gerd Hoffman
2025-04-10 6:31 ` Ani Sinha
2025-04-10 10:44 ` Gerd Hoffmann
2025-04-16 11:40 ` Ani Sinha
2025-04-09 11:59 ` Ani Sinha
2025-03-27 12:12 ` Ani Sinha
2025-04-08 8:11 ` Gerd Hoffman
2025-05-21 7:50 ` Ani Sinha
2025-03-21 12:45 ` Daniel P. Berrangé
2025-03-14 15:16 ` Jörg Rödel
2025-03-15 6:08 ` Ani Sinha
-- strict thread matches above, loose matches on Subject: below --
2025-02-14 15:34 Ani Sinha
2025-02-24 15:47 ` Gerd Hoffman
2025-02-25 5:21 ` Ani Sinha
2025-02-25 8:39 ` Gerd Hoffman
2025-02-25 9:54 ` Ani Sinha
2025-02-25 10:23 ` Gerd Hoffman
2025-02-25 10:28 ` Igor Mammedov
2025-02-25 11:00 ` Gerd Hoffman
2025-02-25 11:33 ` Igor Mammedov
2025-03-13 9:02 ` Jörg Rödel
2025-03-13 9:37 ` Ani Sinha
2025-03-13 10:10 ` Jörg Rödel
2025-03-13 10:32 ` Ani Sinha
2025-03-13 10:59 ` Jörg Rödel
2025-03-13 11:09 ` Ani Sinha
2025-03-13 11:27 ` Jörg Rödel
2025-03-13 11:28 ` Jörg Rödel
2025-03-13 11:56 ` Ani Sinha
2025-03-13 14:53 ` Ani Sinha
2025-03-13 15:39 ` Jörg Rödel
2025-03-13 16:30 ` Alexander Graf
2025-03-13 17:38 ` Jörg Rödel
2025-03-13 17:49 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z-GDZkkyLsXFzk5b@redhat.com \
--to=berrange@redhat.com \
--cc=anisinha@redhat.com \
--cc=eduardo@habkost.net \
--cc=farosas@suse.de \
--cc=graf@amazon.com \
--cc=imammedo@redhat.com \
--cc=joro@8bytes.org \
--cc=kraxel@redhat.com \
--cc=lvivier@redhat.com \
--cc=marcel.apfelbaum@gmail.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=vkuznets@redhat.com \
--cc=wangyanan55@huawei.com \
--cc=zhao1.liu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).