From: Daniel P. Berrangé
Subject: Re: [PATCH v3 1/2] sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux boot
Date: Mon, 27 Sep 2021 18:00:12 +0100
User-agent: Mutt/2.0.7 (2021-05-04)
On Wed, Aug 25, 2021 at 07:35:37AM +0000, Dov Murik wrote:
> Add the sev_add_kernel_loader_hashes function to calculate the hashes of
> the kernel/initrd/cmdline and fill a designated OVMF encrypted hash
> table area. For this to work, OVMF must support an encrypted area to
> place the data which is advertised via a special GUID in the OVMF reset
> table.
>
> The hashes of each of the files is calculated (or the string in the case
> of the cmdline with trailing '\0' included). Each entry in the hashes
> table is GUID identified and since they're passed through the
> sev_encrypt_flash interface, the hashes will be accumulated by the PSP
> measurement (SEV_LAUNCH_MEASURE).
>
> Co-developed-by: James Bottomley <jejb@linux.ibm.com>
> Signed-off-by: James Bottomley <jejb@linux.ibm.com>
> Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
> Reviewed-by: Connor Kuehl <ckuehl@redhat.com>
> ---
> target/i386/sev_i386.h | 12 ++++
> target/i386/sev-stub.c | 5 ++
> target/i386/sev.c | 137 +++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 154 insertions(+)
>
> diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h
> index ae6d840478..deb3eec409 100644
> --- a/target/i386/sev_i386.h
> +++ b/target/i386/sev_i386.h
> @@ -28,6 +28,17 @@
> #define SEV_POLICY_DOMAIN 0x10
> #define SEV_POLICY_SEV 0x20
>
> +typedef struct KernelLoaderContext {
> + char *setup_data;
> + size_t setup_size;
> + char *kernel_data;
> + size_t kernel_size;
> + char *initrd_data;
> + size_t initrd_size;
> + char *cmdline_data;
> + size_t cmdline_size;
> +} KernelLoaderContext;
I'd expect the struct to have 'Sev' as its name prefix, in common
with everything else SEV related that's exported here.
> +
> extern bool sev_es_enabled(void);
> extern uint64_t sev_get_me_mask(void);
> extern SevInfo *sev_get_info(void);
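Review bot: the new KernelLoaderContext struct carries no comment on its fields, so a caller cannot tell from the header whether cmdline_size counts the trailing '\0' that the commit message says is included in the cmdline hash, or whether the other *_size fields are plain byte counts; a short comment above the struct would settle that. The four buffers are also declared as plain `char *` although setup, kernel and initrd are binary blobs that the function only reads; `const uint8_t *` (or at least `const char *`) would document that they are neither text nor modified.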
> @@ -37,5 +48,6 @@ extern char *sev_get_launch_measurement(void);
> extern SevCapability *sev_get_capabilities(Error **errp);
> extern SevAttestationReport *
> sev_get_attestation_report(const char *mnonce, Error **errp);
> +extern bool sev_add_kernel_loader_hashes(KernelLoaderContext *ctx, Error
> **errp);
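Review bot: the prototype `extern bool sev_add_kernel_loader_hashes(KernelLoaderContext *ctx, Error **errp);` takes a non-const context even though, per the commit message, the function only reads the buffers to compute hashes and fill the OVMF table; declaring the parameter `const KernelLoaderContext *ctx` would state that contract and let callers pass read-only data. The diffstat shows a matching change to target/i386/sev-stub.c that is not quoted here; the stub must keep the identical signature so non-SEV builds link and the bool/errp convention is preserved.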
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
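As an added illustration of the mechanism the commit message describes (hashes of the kernel, initrd and NUL-terminated cmdline, each tagged with a GUID, placed in a table that the launch measurement then covers), the following is example code written for this page; it is not QEMU's code, and the GUIDs, entry layout and stand-in measurement are constructed here because the real table format in target/i386/sev.c is not quoted in this message.

```python
"""Added illustration, not QEMU code: a GUID-tagged hash table over the
kernel, initrd and command line, plus a stand-in for the launch measurement
that covers it.  The GUIDs and entry layout are constructed for this example;
the real format lives in target/i386/sev.c and is not quoted on this page."""
import hashlib
import struct
import uuid

# Constructed GUIDs; the real table uses its own well-known GUIDs.
KERNEL_GUID = uuid.UUID("1d5ab0c7-0000-4000-8000-000000000001")
INITRD_GUID = uuid.UUID("1d5ab0c7-0000-4000-8000-000000000002")
CMDLINE_GUID = uuid.UUID("1d5ab0c7-0000-4000-8000-000000000003")

ENTRY_HEADER = 16 + 2  # 16-byte GUID followed by a 16-bit LE entry length


def hash_entry(guid, data):
    """One table entry: GUID (little-endian layout), total length, SHA-256."""
    digest = hashlib.sha256(data).digest()
    return guid.bytes_le + struct.pack("<H", ENTRY_HEADER + len(digest)) + digest


def build_hash_table(kernel, initrd, cmdline):
    """Hash each boot input and concatenate the entries.

    The command line is hashed with its trailing NUL, as the commit message
    states, so the measured string is exactly what the guest kernel sees."""
    cmdline_bytes = cmdline.encode() + b"\0"
    return (hash_entry(KERNEL_GUID, kernel)
            + hash_entry(INITRD_GUID, initrd)
            + hash_entry(CMDLINE_GUID, cmdline_bytes))


def parse_hash_table(table):
    """Walk the table back into {GUID: digest}; rejects a truncated table."""
    entries = {}
    off = 0
    while off < len(table):
        if off + ENTRY_HEADER > len(table):
            raise ValueError("truncated entry header")
        guid = uuid.UUID(bytes_le=table[off:off + 16])
        (length,) = struct.unpack("<H", table[off + 16:off + ENTRY_HEADER])
        if length < ENTRY_HEADER or off + length > len(table):
            raise ValueError("bad entry length")
        entries[guid] = table[off + ENTRY_HEADER:off + length]
        off += length
    return entries


def launch_measurement(firmware, table):
    """Stand-in for the PSP measurement (constructed, not SEV_LAUNCH_MEASURE):
    a SHA-256 over the firmware image plus the table models the property that
    matters here, namely that the table, and so every boot input, is bound
    into the value the guest owner checks before releasing secrets."""
    return hashlib.sha256(firmware + table).hexdigest()


def verify_boot_inputs(table, kernel, initrd, cmdline):
    """Verifier-side check: recompute the expected digests and compare."""
    expected = parse_hash_table(build_hash_table(kernel, initrd, cmdline))
    return parse_hash_table(table) == expected


if __name__ == "__main__":
    # Constructed sample inputs standing in for real boot files.
    kernel, initrd = b"constructed bzImage bytes", b"constructed initrd bytes"
    table = build_hash_table(kernel, initrd, "console=ttyS0")
    print(len(table), "byte table; inputs verify:",
          verify_boot_inputs(table, kernel, initrd, "console=ttyS0"))
    print("stand-in measurement:", launch_measurement(b"constructed OVMF", table))
```

The point a verifier cares about is that any change to the kernel, initrd or cmdline changes the corresponding digest, and therefore the table and the measurement that covers it; parse_hash_table also refuses a table whose entry lengths run past the end, which is the check one wants before trusting GUID-tagged data copied out of guest memory.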