|
From: | Brijesh Singh |
Subject: | Re: [Qemu-devel] [RFC PATCH v1 22/22] loader: reload bios image on ROM reset in SEV-enabled guest |
Date: | Wed, 14 Sep 2016 15:29:35 -0500 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 |
On 09/13/2016 05:59 PM, Paolo Bonzini wrote:
On 13/09/2016 16:50, Brijesh Singh wrote:In SEV-enabled mode we need to reload the BIOS image on loader reset, this will ensure that BIOS image gets encrypted and included as part of launch meausrement on guest reset.Just to check if I understand correctly, the secure processor cannot split the encryption and measuring, which is why you need to redo the copy on every reset.
That is right, after LAUNCH_FINISH is called the secure processor cleanup the LAUNCH_START context so that hypervisor can not call LAUNCH_UPDATE to inject a new data into guest memory. After LAUNCH_FINISH only thing we can call is SEV_DEBUG_* or SEV_RECEIVE_* commands.
Does the guest have to check the measured data (e.g. with a hash) too, to check that it hasn't been tampered with outside the secure processor's control? Of course this would result in garbage written to the modified page, but that might be a valid attack vector.
Guest does not need to check the measurement.
[Prev in Thread] | Current Thread | [Next in Thread] |