Hi,

> > Ok, assuming we allow the guest to submit an IGVM image (which makes sense
> > indeed, otherwise we'll probably end up re-inventing IGVM). How will
> > the kernel hashes be handled then? I assume they will not be part of
> > the igvm image, but they must be part of the launch measurement ...
>
> The kernel hashes must be embedded in the IGVM image by the time you invoke
> vmfwupdate. That means when you generate the FUKI, you take 4 inputs:
> Generic firmware image, kernel, initramfs, cmdline. Out of those, you
> generate and embed an IGVM image that consists of the firmware image as well
> as the kernel hash page.

If your input firmware image already is an IGVM (say coconut), what is
supposed to happen?

take care,
  Gerd
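
The kernel hash page described in the quoted reply, as an added example that is not part of this thread or of any project named in it: it builds a table of SHA-256 hashes over kernel, initramfs and cmdline and shows that a changed cmdline changes the page. Assumptions: the layout and GUIDs follow QEMU's SEV kernel-hashes table, and the function names and sample inputs are constructed for illustration.

```python
import hashlib
import struct
import uuid

# GUIDs of QEMU's SEV kernel-hashes table (target/i386/sev.c). Using this
# layout for the thread's "kernel hash page" is an assumption.
TABLE_GUID = uuid.UUID("9438d606-4f22-4cc9-b479-a793d411fd21")
KERNEL_GUID = uuid.UUID("4de79437-abd2-427f-b835-d5b172d2045b")
INITRD_GUID = uuid.UUID("44baf731-3a2f-4bd7-9af1-41e29169781d")
CMDLINE_GUID = uuid.UUID("97d02dd8-bd20-4c94-aa78-e7714d36ab2a")


def _entry(guid: uuid.UUID, data: bytes) -> bytes:
    """One entry: 16-byte little-endian GUID, u16 entry length, SHA-256."""
    digest = hashlib.sha256(data).digest()
    return guid.bytes_le + struct.pack("<H", 16 + 2 + len(digest)) + digest


def build_hash_table(kernel: bytes, initrd: bytes, cmdline: str) -> bytes:
    """Build the table that is placed in a measured page of the image."""
    # The command line is hashed together with its terminating NUL.
    entries = (
        _entry(CMDLINE_GUID, cmdline.encode() + b"\0")
        + _entry(INITRD_GUID, initrd)
        + _entry(KERNEL_GUID, kernel)
    )
    table = TABLE_GUID.bytes_le + struct.pack("<H", 16 + 2 + len(entries)) + entries
    # Zero-pad to a 16-byte boundary.
    return table + b"\0" * (-len(table) % 16)


def page_digest(kernel: bytes, initrd: bytes, cmdline: str) -> str:
    """SHA-256 of the 4 KiB page holding the table, for comparing builds."""
    page = build_hash_table(kernel, initrd, cmdline).ljust(4096, b"\0")
    return hashlib.sha256(page).hexdigest()


# Constructed stand-ins for the real kernel and initramfs files.
KERNEL = b"constructed-kernel-image"
INITRD = b"constructed-initramfs"

if __name__ == "__main__":
    print(page_digest(KERNEL, INITRD, "console=ttyS0 root=/dev/vda1"))
    # A changed command line gives a different page, hence a different measurement.
    print(page_digest(KERNEL, INITRD, "console=ttyS0 root=/dev/vda1 init=/bin/sh"))
```
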