On 13/09/2016 16:50, Brijesh Singh wrote:
> In SEV-enabled mode we need to reload the BIOS image on loader reset, this
> will ensure that BIOS image gets encrypted and included as part of launch
> measurement on guest reset.
Just to check if I understand correctly, the secure processor cannot split the encryption and measuring, which is why you need to redo the copy on every reset. Does the guest have to check the measured data (e.g. with a hash) too, to check that it hasn't been tampered with outside the secure processor's control? Of course this would result in garbage written to the modified page, but that might be a valid attack vector.

Paolo