[tianocore/edk2] 560599: AmdSev: Rework Blob Verifier

Tue, 25 Jun 2024 08:28:27 -0700 

  Branch: refs/heads/master
  Home:   https://github.com/tianocore/edk2
  Commit: 56059941ec8c2f4d8fb126227b1154f8a869ac2b
      
https://github.com/tianocore/edk2/commit/56059941ec8c2f4d8fb126227b1154f8a869ac2b
  Author: Tobin Feldman-Fitzthum <to...@linux.ibm.com>
  Date:   2024-06-25 (Tue, 25 Jun 2024)

  Changed paths:
    M OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c

  Log Message:
  -----------
  AmdSev: Rework Blob Verifier

The Blob Verifier checks boot artifacts against a hash table
injected by the hypervisor and measured by hardware.

Update the Blob Verifier to enter a dead loop if the artifacts
do not match.

The verifier still returns ACCESS_DENIED in some cases, but this
is considered non-fatal. These non-fatal cases occur when the
artifact cannot be verified because the hashes table makes no
claims about the artifiact (e.g. if the hashes table is not present
or if there is no entry for the blob in question).
Since the hash table is reflected in the launch measurement,
it is okay to continue the boot in these cases.

If the hash table does contain expected hash values, the boot cannot
continue if the provided blobs do not match.
In these cases we enter a dead loop to make sure no guest can boot
with a TCB that does not reflect the launch measurement.

Signed-off-by: Tobin Feldman-Fitzthum <to...@linux.ibm.com>


  Commit: 10b4bb8d6d0c515ed9663691aea3684be8f7b0fc
      
https://github.com/tianocore/edk2/commit/10b4bb8d6d0c515ed9663691aea3684be8f7b0fc
  Author: Tobin Feldman-Fitzthum <to...@linux.ibm.com>
  Date:   2024-06-25 (Tue, 25 Jun 2024)

  Changed paths:
    M OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c
    M OvmfPkg/Include/Library/BlobVerifierLib.h
    M OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c
    M OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c

  Log Message:
  -----------
  AmdSev: Halt on failed blob allocation

A malicious host may be able to undermine the fw_cfg
interface such that loading a blob fails.

In this case rather than continuing to the next boot
option, the blob verifier should halt.

For non-confidential guests, the error should be non-fatal.

Signed-off-by: Tobin Feldman-Fitzthum <to...@linux.ibm.com>


Compare: https://github.com/tianocore/edk2/compare/be38c01da2dd...10b4bb8d6d0c

To unsubscribe from these emails, change your notification settings at 
https://github.com/tianocore/edk2/settings/notifications


_______________________________________________
edk2-commits mailing list
edk2-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-commits

Reply via email to