On 7/19/21 7:22 AM, Dov Murik wrote:
>> The patch itself is okay. Just curious, do we also need to add a
>> verification for the QEMU FW cfg file?
>
> I don't really understand.  This patch adds the VerifyBlob() call on
> blobs that were read by FetchBlob(), which in turn reads the contents of
> kernel/initrd/cmdline from QEMU FW cfg (using QemuFwCfgReadBytes for
> example).
>
> We currently *don't* add verification for all other FW cfg settings,
> like number of CPUs, E820 memory entries, ... similar to what we (don't)
> do in SEV boot with encrypted root image (in which only OVMF is measured).
>
> What else do you think we should verify?


As I understand it, your series is attempting to add more security checks in the SEV boot sequence; i.e., after this series is merged, we can verify the kernel, cmdline and initrd passed through QEMU. But there are several other configuration parameters (such as e820, ACPI) that get passed by QEMU and consumed by OVMF. Are you considering adding checks to cover those blobs in a future series? To me it seems that the framework built here can be extended to cover those as well.

Reviewed-by: Brijesh Singh <brijesh.si...@amd.com>

thanks!

