qemu-devel.nongnu.org archive mirror
From: "Jörg Rödel" <joro@8bytes.org>
To: Ani Sinha <anisinha@redhat.com>
Cc: "Alex Graf" <graf@amazon.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Eduardo Habkost" <eduardo@habkost.net>,
	"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Yanan Wang" <wangyanan55@huawei.com>,
	"Zhao Liu" <zhao1.liu@intel.com>,
	"Richard Henderson" <richard.henderson@linaro.org>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Fabiano Rosas" <farosas@suse.de>,
	"Laurent Vivier" <lvivier@redhat.com>,
	"Gerd Hoffman" <kraxel@redhat.com>,
	"Igor Mammedov" <imammedo@redhat.com>,
	"Vitaly Kuznetsov" <vkuznets@redhat.com>,
	qemu-devel@nongnu.org
Subject: Re: [PATCH v6] hw/misc/vmfwupdate: Introduce hypervisor fw-cfg interface support
Date: Thu, 13 Mar 2025 11:10:02 +0100
Message-ID: <Z9Ku-o8zJUWgXoYE@8bytes.org>
In-Reply-To: <CAK3XEhNHoLvK7zSb1ZYeaz_BCCU2bv+d5qguKaadaWqT55YqKQ@mail.gmail.com>

Hi Ani,

On Thu, Mar 13, 2025 at 03:07:42PM +0530, Ani Sinha wrote:
> The state before reset is the state that uses stock firmware from the
> hyperscaler. The state after reset is a fresh new state that uses the
> "trusted and known firmware" from the end user. So the launch
> measurements would not match between the state before reset and the
> state after reset and there is no guarantee that there would be
> "predictable launch measurements" across the reset.

Right, I understand that the state before and after reset will have
different launch measurements, that is expected when booting with a
different firmware :)

> What we do guarantee is that after reset, the launch measurements that
> include the "trusted and known firmware" (whatever that is, not
> necessarily edk2), is understood and expected. If you were to
> calculate offline the measurements that include this "trusted and
> known firmware" using the same order of setup calls as the target
> system and then derive the launch digest, it should match that of what
> the hardware would produce in the target.

The devil lies in "same order of setup calls". Without a way to define
this order through the vmfwupdate interface there is a lot of implicit
knowledge required about how KVM/QEMU set up the TEE context to calculate
the expected after-reset launch measurement. Even worse, the exact way
this setup is done then becomes ABI, because any change in this process
will lead to a different launch measurement.

Some examples of initial memory layout calls which influence the launch
measurement:

	1) Launch VMSA(s) (SEV-SNP only, though I believe on TDX the
	   initial register state can also be changed to some
	   degree).
	2) Pre-Validated/Accepted memory regions (TDX and SEV-SNP). This
	   is especially important, as different FWs have different
	   requirements on what memory is pre-validated, zeroed, etc.
	3) Zero-pages, measured and unmeasured (TDX and SEV-SNP).
	4) Position of the CPUID page, secrets page, and id-blob
	   (SEV-SNP).
	5) Pre-populated data (TDX and SEV-SNP).

If I understand the vmfwupdate interface correctly, and please let me
know if I am wrong here, it only allows specifying a call for part 5) of
the above list. Some of the other parts can be specified in architecture
dependent ways in the FW image itself, but not all of them.

So the question is, is the plan to hardcode everything else (including
the order of calls) and make the behavior ABI?

Regards,

	Joerg
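
The ordering problem raised in the message above, as an added example that is not part of the original e-mail or of QEMU: a simplified chained SHA-384 model in which every setup call extends the running digest. The record layout, call kinds, addresses and contents are assumptions constructed for illustration; they are not the SEV-SNP or TDX measurement formats.

```python
import hashlib
from dataclasses import dataclass, replace

PAGE = 4096

@dataclass(frozen=True)
class SetupCall:
    kind: str            # vmsa, prevalidated, zero, cpuid, secrets, data
    gpa: int             # guest-physical address the call applies to
    data: bytes = b""    # page contents, if any
    measured: bool = True

def extend(digest: bytes, call: SetupCall) -> bytes:
    """Fold one setup call into the running digest (simplified model)."""
    content = hashlib.sha384(call.data).digest() if call.measured else bytes(48)
    record = (digest + content + call.kind.encode().ljust(16, b"\0")
              + call.gpa.to_bytes(8, "little"))
    return hashlib.sha384(record).digest()

def launch_digest(calls) -> bytes:
    digest = bytes(48)
    for call in calls:
        digest = extend(digest, call)
    return digest

# Constructed sample sequence; addresses and contents are made up.
FIRMWARE = b"constructed firmware image".ljust(PAGE, b"\xff")
SEQUENCE = [
    SetupCall("data", 0xFFFFF000, FIRMWARE),
    SetupCall("zero", 0x801000, bytes(PAGE)),
    SetupCall("prevalidated", 0x802000, measured=False),
    SetupCall("cpuid", 0x803000, measured=False),
    SetupCall("secrets", 0x804000, measured=False),
    SetupCall("vmsa", 0xFFFFFFFFF000, b"constructed register state"),
]

def variants() -> dict:
    """Digests for the reference sequence and three deviations from it."""
    swapped = SEQUENCE[:1] + [SEQUENCE[2], SEQUENCE[1]] + SEQUENCE[3:]
    moved = [replace(c, gpa=0x900000) if c.kind == "cpuid" else c for c in SEQUENCE]
    return {
        "reference": launch_digest(SEQUENCE),
        "calls_swapped": launch_digest(swapped),    # same calls, other order
        "cpuid_moved": launch_digest(moved),        # same order, other GPA
        "firmware_only": launch_digest(SEQUENCE[:1]),  # only item 5) known
    }

if __name__ == "__main__":
    for name, digest in variants().items():
        print(f"{name:14} {digest.hex()[:32]}")
```

All four digests differ, so a verifier holding only the firmware image cannot reproduce the reference value without also knowing every other call, its address and its position in the sequence.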

