The AmdSev package has a so-called BlobVerifier, which is meant to extend the TCB of a confidential guest (SEV or SNP) to include components provided via fw_cfg such as initrd, kernel, kernel params.
This series fixes a few implementation errors in the blob verifier. One common theme is that the verifier currently fails to halt the boot when an invalid blob is detected. This can lead to a confidential guest having a launch measurement that does not reflect the guest TCB.

This series could also help us move towards consolidating the AmdSev package back into the OvmfPkg, although more discussion will be needed on this.

Thank you to Ryan Savino at AMD for pointing out some of these issues.

Tobin Feldman-Fitzthum (2):
  AmdSev: Rework Blob Verifier
  AmdSev: Halt on failed blob allocation

 .../BlobVerifierSevHashes.c                | 56 ++++++++++++++++---
 OvmfPkg/Include/Library/BlobVerifierLib.h  | 14 +++--
 .../BlobVerifierLibNull/BlobVerifierNull.c | 13 +++--
 .../QemuKernelLoaderFsDxe.c                |  9 ++-
 4 files changed, 69 insertions(+), 23 deletions(-)

-- 
2.34.1