| Message ID | 20211108134840.2757206-3-dovmurik@linux.ibm.com |
|---|---|
| State | New |
| Headers | show |
| Series | SEV: add kernel-hashes=on for measured -kernel launch | expand |
On Mon, Nov 08, 2021 at 01:48:36PM +0000, Dov Murik wrote: > Commit cff03145ed3c ("sev/i386: Introduce sev_add_kernel_loader_hashes > for measured linux boot", 2021-09-30) introduced measured direct boot > with -kernel, using an OVMF-designated hashes table which QEMU fills. > > However, if OVMF doesn't designate such an area, QEMU would completely > abort the VM launch. This breaks launching with -kernel using older > OVMF images which don't publish the SEV_HASH_TABLE_RV_GUID. > > Fix that so QEMU will only look for the hashes table if the sev-guest > kernel-hashes option is set to on. Otherwise, QEMU won't look for the > designated area in OVMF and won't fill that area. > > To enable addition of kernel hashes, launch the guest with: > > -object sev-guest,...,kernel-hashes=on > > Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> > Reported-by: Tom Lendacky <thomas.lendacky@amd.com> > --- > target/i386/sev.c | 8 ++++++++ > 1 file changed, 8 insertions(+) Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Regards, Daniel
diff --git a/target/i386/sev.c b/target/i386/sev.c index cad32812f5..e3abbeef68 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -1223,6 +1223,14 @@ bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error **errp) size_t hash_len = HASH_SIZE; int aligned_len; + /* + * Only add the kernel hashes if the sev-guest configuration explicitly + * stated kernel-hashes=on. + */ + if (!sev_guest->kernel_hashes) { + return false; + } + if (!pc_system_ovmf_table_find(SEV_HASH_TABLE_RV_GUID, &data, NULL)) { error_setg(errp, "SEV: kernel specified but OVMF has no hash table guid"); return false;
Commit cff03145ed3c ("sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux boot", 2021-09-30) introduced measured direct boot with -kernel, using an OVMF-designated hashes table which QEMU fills. However, if OVMF doesn't designate such an area, QEMU would completely abort the VM launch. This breaks launching with -kernel using older OVMF images which don't publish the SEV_HASH_TABLE_RV_GUID. Fix that so QEMU will only look for the hashes table if the sev-guest kernel-hashes option is set to on. Otherwise, QEMU won't look for the designated area in OVMF and won't fill that area. To enable addition of kernel hashes, launch the guest with: -object sev-guest,...,kernel-hashes=on Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> Reported-by: Tom Lendacky <thomas.lendacky@amd.com> --- target/i386/sev.c | 8 ++++++++ 1 file changed, 8 insertions(+)