[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v3 1/6] qapi/qom, target/i386: sev-guest: Introduce kernel-hashes
From: |
Dov Murik |
Subject: |
[PATCH v3 1/6] qapi/qom, target/i386: sev-guest: Introduce kernel-hashes=on|off option |
Date: |
Thu, 11 Nov 2021 10:00:43 +0000 |
Introduce new boolean 'kernel-hashes' option on the sev-guest object.
It will be used to to decide whether to add the hashes of
kernel/initrd/cmdline to SEV guest memory when booting with -kernel.
The default value is 'off'.
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Brijesh Singh <brijesh.singh@amd.com>
---
qapi/qom.json | 7 ++++++-
target/i386/sev.c | 20 ++++++++++++++++++++
qemu-options.hx | 6 +++++-
3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/qapi/qom.json b/qapi/qom.json
index ccd1167808..eeb5395ff3 100644
--- a/qapi/qom.json
+++ b/qapi/qom.json
@@ -769,6 +769,10 @@
# @reduced-phys-bits: number of bits in physical addresses that become
# unavailable when SEV is enabled
#
+# @kernel-hashes: if true, add hashes of kernel/initrd/cmdline to a
+# designated guest firmware page for measured boot
+# with -kernel (default: false) (since 6.2)
+#
# Since: 2.12
##
{ 'struct': 'SevGuestProperties',
@@ -778,7 +782,8 @@
'*policy': 'uint32',
'*handle': 'uint32',
'*cbitpos': 'uint32',
- 'reduced-phys-bits': 'uint32' } }
+ 'reduced-phys-bits': 'uint32',
+ '*kernel-hashes': 'bool' } }
##
# @ObjectType:
diff --git a/target/i386/sev.c b/target/i386/sev.c
index eede07f11d..cad32812f5 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -62,6 +62,7 @@ struct SevGuestState {
char *session_file;
uint32_t cbitpos;
uint32_t reduced_phys_bits;
+ bool kernel_hashes;
/* runtime state */
uint32_t handle;
@@ -327,6 +328,20 @@ sev_guest_set_sev_device(Object *obj, const char *value,
Error **errp)
sev->sev_device = g_strdup(value);
}
+static bool sev_guest_get_kernel_hashes(Object *obj, Error **errp)
+{
+ SevGuestState *sev = SEV_GUEST(obj);
+
+ return sev->kernel_hashes;
+}
+
+static void sev_guest_set_kernel_hashes(Object *obj, bool value, Error **errp)
+{
+ SevGuestState *sev = SEV_GUEST(obj);
+
+ sev->kernel_hashes = value;
+}
+
static void
sev_guest_class_init(ObjectClass *oc, void *data)
{
@@ -345,6 +360,11 @@ sev_guest_class_init(ObjectClass *oc, void *data)
sev_guest_set_session_file);
object_class_property_set_description(oc, "session-file",
"guest owners session parameters (encoded with base64)");
+ object_class_property_add_bool(oc, "kernel-hashes",
+ sev_guest_get_kernel_hashes,
+ sev_guest_set_kernel_hashes);
+ object_class_property_set_description(oc, "kernel-hashes",
+ "add kernel hashes to guest firmware for measured Linux boot");
}
static void
diff --git a/qemu-options.hx b/qemu-options.hx
index f051536b63..a11c2b29f2 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -5189,7 +5189,7 @@ SRST
-object secret,id=sec0,keyid=secmaster0,format=base64,\\
data=$SECRET,iv=$(<iv.b64)
- ``-object
sev-guest,id=id,cbitpos=cbitpos,reduced-phys-bits=val,[sev-device=string,policy=policy,handle=handle,dh-cert-file=file,session-file=file]``
+ ``-object
sev-guest,id=id,cbitpos=cbitpos,reduced-phys-bits=val,[sev-device=string,policy=policy,handle=handle,dh-cert-file=file,session-file=file,kernel-hashes=on|off]``
Create a Secure Encrypted Virtualization (SEV) guest object,
which can be used to provide the guest memory encryption support
on AMD processors.
@@ -5229,6 +5229,10 @@ SRST
session with the guest owner to negotiate keys used for
attestation. The file must be encoded in base64.
+ The ``kernel-hashes`` adds the hashes of given kernel/initrd/
+ cmdline to a designated guest firmware page for measured Linux
+ boot with -kernel. The default is off. (Since 6.2)
+
e.g to launch a SEV guest
.. parsed-literal::
--
2.25.1
- [PATCH v3 0/6] SEV: add kernel-hashes=on for measured -kernel launch, Dov Murik, 2021/11/11
- [PATCH v3 3/6] target/i386/sev: Rephrase error message when no hashes table in guest firmware, Dov Murik, 2021/11/11
- [PATCH v3 6/6] target/i386/sev: Replace qemu_map_ram_ptr with address_space_map, Dov Murik, 2021/11/11
- [PATCH v3 5/6] target/i386/sev: Perform padding calculations at compile-time, Dov Murik, 2021/11/11
- [PATCH v3 2/6] target/i386/sev: Add kernel hashes only if sev-guest.kernel-hashes=on, Dov Murik, 2021/11/11
- [PATCH v3 1/6] qapi/qom, target/i386: sev-guest: Introduce kernel-hashes=on|off option,
Dov Murik <=
- [PATCH v3 4/6] target/i386/sev: Fail when invalid hashes table area detected, Dov Murik, 2021/11/11
- Re: [PATCH v3 0/6] SEV: add kernel-hashes=on for measured -kernel launch, Dov Murik, 2021/11/14