qemu-devel

Re: [PATCH] x86: fix q35 kernel measurements broken due to rng seeding


From: Jason A. Donenfeld
Subject: Re: [PATCH] x86: fix q35 kernel measurements broken due to rng seeding
Date: Wed, 1 Feb 2023 15:48:28 -0500

Hi James,

On Wed, Feb 1, 2023, 15:39 James Bottomley <jejb@linux.ibm.com> wrote:
> On Wed, 2023-02-01 at 12:51 -0500, Jason A. Donenfeld wrote:
> > It's not a secret, but I have so little internet right now that I
> > can't even load a webpage, and I'm on my phone, hence the short
> > HTMLified emails.
> >
> > In brief, though, it gets rid of all modifications to the kernel
> > image altogether, so it should fix your issue.
>
> We've already tested it and established it doesn't because you simply
> added your rng data to the end of a different integrity protected file
> which now fails the integrity check instead of the kernel.
>
> I checked the kernel source as well; I thought you'd have done the
> usual thing and bumped the boot protocol version to steal space in
> __pad9, but you didn't apparently.  To fix this up after the fact, I
> recommend that we still steal space in _pad9[] but we make it have
> enough space for a setup_data header as well as the 32 random bytes, so
> we've officially reserved the space, but in earlier kernels than this
> change gets to you can still use the setup_data_offset method, except
> that it now uses the empty space in _pad9 via the setup_data mechanism.
> That should find you space and get you out of having to expand any
> integrity protected files.  The SEV direct boot will still work because
> there's a check further down that doesn't copy the modified header back
> over the kernel because it is ignored on efi stub boot anyway.

Ahh, it looks like there's now an integrity check on the cmdline file. Darn.

The patch in that PULL is still good and necessary and fixed a *different* bug, though. So we should still move forward on that.

But it sounds like you might now have a concrete suggestion on something even better. I'm CCing hpa, as this is his wheelhouse, and maybe you two can devise the next step while I'm away. Maybe the pad9 thing you mentioned is the super nice solution we've been searching for this whole time. When I'm home in 10 days and have internet again, I'll take a look at where things are at and try to figure out how I can be productive again with it.

And sorry again for the short HTML emails. A day ago I was using mosh from my phone to use mutt on a server to reply to emails downloaded from lore. But today the cloud cover means the best I can do is queue these up in the Android gmail client and hope they eventually send.

Jason 
