Daniel P. Berrangé <berra...@redhat.com> writes:

> On Thu, Jul 21, 2022 at 06:36:21PM +0200, Paolo Bonzini wrote:
>> From: "Jason A. Donenfeld" <ja...@zx2c4.com>
>>
>> Tiny machines optimized for fast boot time generally don't use EFI,
>> which means a random seed has to be supplied some other way. For this
>> purpose, Linux (≥5.20) supports passing a seed in the setup_data table
>> with SETUP_RNG_SEED, specially intended for hypervisors, kexec, and
>> specialized bootloaders. The linked commit shows the upstream kernel
>> implementation.
>>
>> At Paolo's request, we don't pass these to versioned machine types ≤7.0.
>
> This change has also broken direct kernel measured boot with AMD SEV
> confidential virtualization.

FWIW this is why we had to introduce the dtb-randomness control knob for
ARM -M virt machines. Although we have deprecated the old dtb-kaslr-seed
knob and it has always been enabled by default, because the measured boot
was sufficiently new the few people working with it could just add it to
their command lines.

--
Alex Bennée