To achieve encrypted disk images in the AMD SEV encrypted virtual
machine, we need to add the ability for grub to retrieve the disk
passphrase from the SEV launch secret. To do this, we've modified
OVMF to set aside an area for the injected secret and pass up a
configuration table for it:
https:/

For AMD SEV environments, the grub boot password has to be retrieved
from a given memory location rather than prompted for. This means
that the standard password getter needs to be replaced with one that
gets the passphrase from the SEV area and uses that instead. Adding
the password getter as a

This module is designed to provide a sevsecret command which
interrogates the EFI configuration table to find the location of the
SEV secret injection and tries to register the secret with the
cryptodisk.

The secret is stored in an injection area, usually a page in size. The layout
of the secret

Make use of the new OS-provided secrets API so that if the new '-s'
option is passed in we try to extract the secret from the API rather
than prompting for it.

The primary consumer of this is AMD SEV, which has been programmed to
provide an injectable secret to the encrypted virtual machine. OVMF
On Thu, 12 Nov 2020 17:22:04 -0800
James Bottomley wrote:
> For AMD SEV environments, the grub boot password has to be retrieved
> from a given memory location rather than prompted for. This means
> that the standard password getter needs to be replaced with one that
> gets the passphrase from t