qemu-devel

Re: [PATCH] x86: fix q35 kernel measurements broken due to rng seeding


From: Dov Murik
Subject: Re: [PATCH] x86: fix q35 kernel measurements broken due to rng seeding
Date: Wed, 1 Feb 2023 18:41:13 +0200
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1

Hi Jason, James,


On 01/02/2023 17:24, James Bottomley wrote:
> On Wed, 2023-02-01 at 10:10 -0500, Jason A. Donenfeld wrote:
>> This is already fixed via the patch that MST just sent in his pull.
>> So wait a few days for that to be merged and it'll be all set.
>>
>> No need for this patch here. Do not merge.
> 
> If it's not a secret, would it be too much trouble to point to the
> branch so we can actually test it?  It does seem that the biggest
> problem this issue shows is that there wasn't wide enough configuration
> testing done on the prior commits before they were merged.
> 

I assume it is:

----
... are available in the Git repository at:

  https://git.kernel.org/pub/scm/virt/kvm/mst/qemu.git tags/for_upstream

for you to fetch changes up to f5cb612867d3b10b86d6361ba041767e02c1b127:

  docs/pcie.txt: Replace ioh3420 with pcie-root-port (2023-01-28 06:21:30 -0500)
----

I checked out this branch and started an SEV guest with measured boot
and it fails during hash verification in OVMF:

BlobVerifierLibSevHashesConstructor: Found injected hashes table in secure location
VerifyBlob: Found GUID 4DE79437-ABD2-427F-B835-D5B172D2045B in table
VerifyBlob: Hash comparison succeeded for "kernel"
VerifyBlob: Found GUID 44BAF731-3A2F-4BD7-9AF1-41E29169781D in table
VerifyBlob: Hash comparison succeeded for "initrd"
VerifyBlob: Found GUID 97D02DD8-BD20-4C94-AA78-E7714D36AB2A in table
VerifyBlob: Hash comparison failed for "cmdline"


(before that patch it was failing on the "kernel" hash.)

I haven't yet examined the suggested fix patch
("[PULL 10/56] x86: don't let decompressed kernel image clobber setup_data") -
just ran the simple test above.


-Dov
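The OVMF log quoted above shows the guest-side check step by step: for each blob, look up its GUID in the injected hashes table, then compare the hash of what the guest actually received against the table entry. The following is an added illustration of that check, not code from QEMU, OVMF or this thread. It reuses the three GUIDs printed in the log and SHA-256 (the digest QEMU uses for these entries), but the dict-based table, the constructed kernel/initrd/cmdline bytes, and the way the cmdline is altered on the "guest" side are all assumptions made for the example; they are not a claim about what actually changed in Dov's run.

```python
import hashlib
import hmac
import uuid

# Per-blob GUIDs as printed by OVMF's VerifyBlob in the message above.
KERNEL_GUID = uuid.UUID("4DE79437-ABD2-427F-B835-D5B172D2045B")
INITRD_GUID = uuid.UUID("44BAF731-3A2F-4BD7-9AF1-41E29169781D")
CMDLINE_GUID = uuid.UUID("97D02DD8-BD20-4C94-AA78-E7714D36AB2A")

# Constructed sample blobs (not real images).
KERNEL = b"constructed-kernel-image"
INITRD = b"constructed-initrd"
CMDLINE = b"console=ttyS0 root=/dev/vda"


def build_hashes_table(kernel, initrd, cmdline):
    """Host side: SHA-256 of each blob, keyed by its GUID.

    A dict is a simplified stand-in for the binary table QEMU injects into
    guest memory (assumption: not the firmware's real struct layout). In a
    real SEV launch this table is part of the measured initial memory, so
    a guest cannot swap it for one matching tampered blobs."""
    return {
        KERNEL_GUID: hashlib.sha256(kernel).digest(),
        INITRD_GUID: hashlib.sha256(initrd).digest(),
        CMDLINE_GUID: hashlib.sha256(cmdline).digest(),
    }


def verify_blob(table, guid, name, blob):
    """Guest side: mirrors the two VerifyBlob steps seen in the OVMF log.

    Returns (ok, message). The message strings follow the log's wording."""
    if guid not in table:
        return False, f'VerifyBlob: GUID {guid} not found in table for "{name}"'
    expected = table[guid]
    actual = hashlib.sha256(blob).digest()
    # Constant-time comparison; digests are fixed length.
    if not hmac.compare_digest(actual, expected):
        return False, f'VerifyBlob: Hash comparison failed for "{name}"'
    return True, f'VerifyBlob: Hash comparison succeeded for "{name}"'


def verify_all(table, kernel, initrd, cmdline):
    """Check all three blobs and report per-blob results as a dict."""
    blobs = (
        (KERNEL_GUID, "kernel", kernel),
        (INITRD_GUID, "initrd", initrd),
        (CMDLINE_GUID, "cmdline", cmdline),
    )
    results = {}
    for guid, name, blob in blobs:
        ok, msg = verify_blob(table, guid, name, blob)
        print(msg)
        results[name] = ok
    return results


def demo():
    """Host measures the intended blobs; the guest is handed the same kernel
    and initrd but a cmdline whose tail has been overwritten (constructed
    corruption to reproduce the shape of the log, not the actual bug)."""
    table = build_hashes_table(KERNEL, INITRD, CMDLINE)
    good = verify_all(table, KERNEL, INITRD, CMDLINE)
    clobbered_cmdline = CMDLINE[:-4] + b"\x00\x00\x00\x00"
    bad = verify_all(table, KERNEL, INITRD, clobbered_cmdline)
    return good, bad


if __name__ == "__main__":
    demo()
```

The point the example makes is the one the log makes: the hashes table only tells you which blob the guest saw differently from what the host measured, not why. A failing "cmdline" entry means the bytes OVMF read for the command line differ from what QEMU hashed, which is exactly the kind of divergence the thread's fix is about.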


