On 8/14/25 11:21, Xiaoyao Li wrote:
Update the header makes it different from the original kernel that user
provides via "-kernel", which leads to a different hash and breaks the
attestation, e.g., for TDX.
We already skip it for SEV VMs. Instead of adding another check of
is_tdx_vm() to cover the TDX case, check machine->cgs to cover all the
confidential computing case for x86.
Reported-by: Vikrant Garg <vikrant1g...@gmail.com>
Signed-off-by: Xiaoyao Li <xiaoyao...@intel.com>
Applied for 10.2, thanks!
Paolo
hw/i386/x86-common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/i386/x86-common.c b/hw/i386/x86-common.c
index b1b5f11e7396..7512be64d67b 100644
--- a/hw/i386/x86-common.c
+++ b/hw/i386/x86-common.c
@@ -952,7 +952,7 @@ void x86_load_linux(X86MachineState *x86ms,
* kernel on the other side of the fw_cfg interface matches the hash of
the
* file the user passed in.
*/
- if (!sev_enabled() && protocol > 0) {
+ if (!MACHINE(x86ms)->cgs && protocol > 0) {
memcpy(setup, header, MIN(sizeof(header), setup_size));
}
