On Thu, Mar 02, 2023 at 09:15:30AM +0000, Dov Murik wrote:
> AMD SEV and SEV-ES support measured direct boot with
> kernel/initrd/cmdline hashes injected by QEMU and verified by OVMF
> during boot.
>
> To enable the same approach for AMD SEV-SNP, we declare the kernel
> hashes page in the SNP metadata list as a new region type. When QEMU
> encounters that region in the list, it will insert the hashes of
> kernel/initrd/cmdline and encrypt the page (or, if the user turned off
> kernel hashes, it will validate the page as a zero page).
>
> The first patch rearranges the pages in AmdSevX64's MEMFD so they are in
> the same order both as in the main target (OvmfPkgX64), with the
> exception of the SEV Launch Secret page which isn't defined in
> OvmfPkgX64.
>
> The second patch modifies the SNP metadata structure such that on
> AmdSev target the SEV Launch Secret page is explicitly defined in SNP
> metadata list, and therefore it is not included in the ranges that are
> pre-validated (zero pages) by the VMM; instead the VMM will insert
> content into this page (the hashes table), or mark it explicitly as a
> zero page if no hashes are added.
>
> This series is available at:
> https://github.com/confidential-containers-demo/edk2/tree/snp-kernel-hashes-v3
>
> A corresponding QEMU RFC series will be published soon in qemu-devel, or
> use this tree:
> https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v3

For the series:
Acked-by: Gerd Hoffmann <kra...@redhat.com>