[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v3 1/2] sev/i386: Introduce sev_add_kernel_loader_hashes for
From: |
Dov Murik |
Subject: |
Re: [PATCH v3 1/2] sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux boot |
Date: |
Wed, 29 Sep 2021 12:39:32 +0300 |
User-agent: |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0 |
On 27/09/2021 20:00, Daniel P. Berrangé wrote:
> On Wed, Aug 25, 2021 at 07:35:37AM +0000, Dov Murik wrote:
>> Add the sev_add_kernel_loader_hashes function to calculate the hashes of
>> the kernel/initrd/cmdline and fill a designated OVMF encrypted hash
>> table area. For this to work, OVMF must support an encrypted area to
>> place the data which is advertised via a special GUID in the OVMF reset
>> table.
>>
>> The hashes of each of the files is calculated (or the string in the case
>> of the cmdline with trailing '\0' included). Each entry in the hashes
>> table is GUID identified and since they're passed through the
>> sev_encrypt_flash interface, the hashes will be accumulated by the PSP
>> measurement (SEV_LAUNCH_MEASURE).
>>
>> Co-developed-by: James Bottomley <jejb@linux.ibm.com>
>> Signed-off-by: James Bottomley <jejb@linux.ibm.com>
>> Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
>> Reviewed-by: Connor Kuehl <ckuehl@redhat.com>
>> ---
>> target/i386/sev_i386.h | 12 ++++
>> target/i386/sev-stub.c | 5 ++
>> target/i386/sev.c | 137 +++++++++++++++++++++++++++++++++++++++++
>> 3 files changed, 154 insertions(+)
>>
>> diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h
>> index ae6d840478..deb3eec409 100644
>> --- a/target/i386/sev_i386.h
>> +++ b/target/i386/sev_i386.h
>> @@ -28,6 +28,17 @@
>> #define SEV_POLICY_DOMAIN 0x10
>> #define SEV_POLICY_SEV 0x20
>>
>> +typedef struct KernelLoaderContext {
>> + char *setup_data;
>> + size_t setup_size;
>> + char *kernel_data;
>> + size_t kernel_size;
>> + char *initrd_data;
>> + size_t initrd_size;
>> + char *cmdline_data;
>> + size_t cmdline_size;
>> +} KernelLoaderContext;
>
> I'd expect the struct to have 'Sev' as its name prefix, in common
> with everything else SEV related that's exported here.
Yes, you're right. I'll fix that.
-Dov
>
>> +
>> extern bool sev_es_enabled(void);
>> extern uint64_t sev_get_me_mask(void);
>> extern SevInfo *sev_get_info(void);
>> @@ -37,5 +48,6 @@ extern char *sev_get_launch_measurement(void);
>> extern SevCapability *sev_get_capabilities(Error **errp);
>> extern SevAttestationReport *
>> sev_get_attestation_report(const char *mnonce, Error **errp);
>> +extern bool sev_add_kernel_loader_hashes(KernelLoaderContext *ctx, Error
>> **errp);
>
> Regards,
> Daniel
>