On 7/8/21 6:41 PM, Connor Kuehl wrote: > Hi Paolo, > > Please consider this series[1] for inclusion into your next pull request. > > Just a note that this series has a companion series that is getting > upstreamed into OVMF[2]
Shouldn't we get the OVMF part merged first? > > [1] Patchwork link, if convenient: > https://patchwork.kernel.org/project/qemu-devel/cover/20210624102040.2015280-1-dovmu...@linux.ibm.com/ > [2] https://bugzilla.tianocore.org/show_bug.cgi?id=3457#c6 > > Thank you, > > Connor > > On 6/24/21 3:20 AM, Dov Murik wrote: >> Currently booting with -kernel/-initrd/-append is not supported in SEV >> confidential guests, because the content of these blobs is not measured >> and therefore not trusted by the SEV guest. >> >> However, in some cases the kernel, initrd, and cmdline are not secret >> but should not be modified by the host. In such a case, we want to >> verify inside the trusted VM that the kernel, initrd, and cmdline are >> indeed the ones expected by the Guest Owner, and only if that is the >> case go on and boot them up (removing the need for grub inside OVMF in >> that mode). >> >> To support that, OVMF adds a special area for hashes of >> kernel/initrd/cmdline; that area is expected to be filled by QEMU and >> encrypted as part of the initial SEV guest launch. This in turn makes >> the hashes part of the PSP measured content, and OVMF can trust these >> inputs if they match the hashes. >> >> This series adds an SEV function to generate the table of hashes for >> OVMF and encrypt it (patch 1/2), and calls this function if SEV is >> enabled when the kernel/initrd/cmdline are prepared (patch 2/2). >> >> Corresponding OVMF support was submitted to edk2-devel [1] (patch series >> "Measured SEV boot with kernel/initrd/cmdline"); it's still under >> review. >> >> [1] https://edk2.groups.io/g/devel/topic/patch_v1_0_8_measured_sev/83074450 >> >> ---
