On Tue, May 21, 2019 at 07:13:26AM +0200, Christoph Hellwig wrote: > On Tue, May 21, 2019 at 01:49:02AM -0300, Thiago Jung Bauermann wrote: > > From: Benjamin Herrenschmidt <b...@kernel.crashing.org> > > > > For secure VMs, the signing tool will create a ticket called the "ESM blob" > > for the Enter Secure Mode ultravisor call with the signatures of the kernel > > and initrd among other things. > > > > This adds support to the wrapper script for adding that blob via the "-e" > > option to the zImage.pseries. > > > > It also adds code to the zImage wrapper itself to retrieve and if necessary > > relocate the blob, and pass its address to Linux via the device-tree, to be > > later consumed by prom_init. > > Where does the "BLOB" come from? How is it licensed and how can we > satisfy the GPL with it?
The blob is data, not code, and it will be created by a tool that will be open source. My understanding is that most of it will be encrypted with a session key that is encrypted with the secret key of the ultravisor. Ram Pai's KVM Forum talk last year explained how this works. Paul.
