Hi Daniel, On Thu, Aug 4, 2022 at 2:01 PM Daniel P. Berrangé <berra...@redhat.com> wrote: > > On Thu, Jul 21, 2022 at 06:36:21PM +0200, Paolo Bonzini wrote: > > From: "Jason A. Donenfeld" <ja...@zx2c4.com> > > > > Tiny machines optimized for fast boot time generally don't use EFI, > > which means a random seed has to be supplied some other way. For this > > purpose, Linux (≥5.20) supports passing a seed in the setup_data table > > with SETUP_RNG_SEED, specially intended for hypervisors, kexec, and > > specialized bootloaders. The linked commit shows the upstream kernel > > implementation. > > > > At Paolo's request, we don't pass these to versioned machine types ≤7.0. > > > This change has also broken direct kernel measured boot with AMD SEV > confidential virtualization. > > The vmlinuz that we pass in with -kernel is measured by the BIOS and > since that gets munged with a random seed, the measurement no longer > matches the expected measurements the person attesting boot will > have pre-calculated. > > The kernel binary passed to the firmware must be 100% unchanged > from what the user provided in order for boot measurements to > succeed. > > So at the very least this codes needs to be conditionalized to > not run when AMD SEV is active.
If you look at the v2 patch, I move all of the setup_data stuff outside of the kernel image, so the kernel image itself doesn't get modified. So SEV should still work. Can you test that patch and see? Jason
