| From: | Tom Lendacky |
| Subject: | Re: [PATCH v4 1/2] sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux boot |
| Date: | Mon, 18 Oct 2021 13:02:37 -0500 |
| User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0 |
On 9/30/21 12:49 AM, Dov Murik wrote: ...
+/*
+ * Add the hashes of the linux kernel/initrd/cmdline to an encrypted guest page
+ * which is included in SEV's initial memory measurement.
+ */
+bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error **errp)
+{
+ uint8_t *data;
+ SevHashTableDescriptor *area;
+ SevHashTable *ht;
+ uint8_t cmdline_hash[HASH_SIZE];
+ uint8_t initrd_hash[HASH_SIZE];
+ uint8_t kernel_hash[HASH_SIZE];
+ uint8_t *hashp;
+ size_t hash_len = HASH_SIZE;
+ int aligned_len;
+
+ if (!pc_system_ovmf_table_find(SEV_HASH_TABLE_RV_GUID, &data, NULL)) {
+ error_setg(errp, "SEV: kernel specified but OVMF has no hash table
guid");
+ return false;
+ }
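Review bot: the length argument to pc_system_ovmf_table_find is passed as NULL, so the size of the GUID entry is discarded and nothing in this hunk can check that the entry is at least sizeof(SevHashTableDescriptor) before `area` is read from `data`; pass an int and verify it, returning false with an error if the entry is short, since this table comes from the firmware image and is the input to the measured hash area. On the early return when the GUID is missing, failing hard is the safer default for a measured boot (silently continuing would leave the kernel/initrd/cmdline hashes out of the launch measurement), but if older OVMF images must keep working the fallback should be an explicit, logged choice rather than an unconditional error.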
This breaks backwards compatibility with an older OVMF image. Any older OVMF image with SEV support that doesn't have the hash table GUID will now fail to boot using -kernel/-initrd/-append, where it used to be able to boot before.
Is that anything we need to be concerned about?

Thanks,
Tom