On 7/31/21 3:44 AM, Erdem Aktas wrote:
On Wed, Jun 30, 2021 at 5:54 AM Brijesh Singh <brijesh.si...@amd.com> wrote:
a) Enhance the OVMF reset vector code to validate the pages as described
above (go through step 2 - 3).
OR
b) Validate the pages during the guest creation time. The SEV firmware
provides a command which can be used by the VMM to validate the pages
without affecting the measurement of the launch.
Are you referring to the PAGE_TYPE_UNMEASURED? Does it not affect the
measurement , PAGE_INFO will be still measured, right?
Yes. The unmeasured here means the contents of the page is not measured
but the PAGE_INFO is measured for all the pages added before the VM launch.
Approach #b seems much simpler; it does not require any changes to the
OVMF reset vector code.
I am worried about verifying the measurement. I understand the secret
page and cpuid page being part of measurement because both of them are
mentioned in the AMD SNP SPEC but now we are introducing a new
parameters (all the 4KB page addresses between SNP_HV_VALIDATED_START
and SNP_HV_VALIDATED_END) that VM owner needs to know to calculate the
measurement and verify the attestation.
The page info of both the secrets and cpuid page also need to be
measured. In order to calculate the expected measurement, a caller need
to know the page_info for the secrets and cpuid. To get the page_info
for the CPUID and Secrets they must read the OVMF reset GUID. While at
it, they can also get the the range of the unmeasured pages. I don't see
that being a big issue. Having said so, as I described in the patch, its
not only option. It was easier for implementation without compromising
the security.
Sorry if I am overthinking or missing something here.
-Erdem
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78610): https://edk2.groups.io/g/devel/message/78610
Mute This Topic: https://groups.io/mt/83891520/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
