Re: [RFC PATCH 02/12] powerpc: Add support for adding an ESM blob to the zImage wrapper
On Tue, May 21, 2019 at 07:13:26AM +0200, Christoph Hellwig wrote: > On Tue, May 21, 2019 at 01:49:02AM -0300, Thiago Jung Bauermann wrote: > > From: Benjamin Herrenschmidt > > > > For secure VMs, the signing tool will create a ticket called the "ESM blob" > > for the Enter Secure Mode ultravisor call with the signatures of the kernel > > and initrd among other things. > > > > This adds support to the wrapper script for adding that blob via the "-e" > > option to the zImage.pseries. > > > > It also adds code to the zImage wrapper itself to retrieve and if necessary > > relocate the blob, and pass its address to Linux via the device-tree, to be > > later consumed by prom_init. > > Where does the "BLOB" come from? How is it licensed and how can we > satisfy the GPL with it? The blob is data, not code, and it will be created by a tool that will be open source. My understanding is that most of it will be encrypted with a session key that is encrypted with the secret key of the ultravisor. Ram Pai's KVM Forum talk last year explained how this works. Paul.
Re: Re: [RFC PATCH 02/12] powerpc: Add support for adding an ESM blob to the zImage wrapper
On Tue, May 21, 2019 at 07:13:26AM +0200, Christoph Hellwig wrote: > On Tue, May 21, 2019 at 01:49:02AM -0300, Thiago Jung Bauermann wrote: > > From: Benjamin Herrenschmidt > > > > For secure VMs, the signing tool will create a ticket called the "ESM blob" > > for the Enter Secure Mode ultravisor call with the signatures of the kernel > > and initrd among other things. > > > > This adds support to the wrapper script for adding that blob via the "-e" > > option to the zImage.pseries. > > > > It also adds code to the zImage wrapper itself to retrieve and if necessary > > relocate the blob, and pass its address to Linux via the device-tree, to be > > later consumed by prom_init. > > Where does the "BLOB" come from? How is it licensed and how can we > satisfy the GPL with it? The "BLOB" is not a piece of code. Its just a piece of data that gets generated by our build tools. This data contains the signed hash of the kernel, initrd, and kernel command line parameters. Also it contains any information that the creator the the BLOB wants to be made available to anyone needing it, inside the secure-virtual-machine. All of this is integrity-protected and encrypted to safegaurd it when at rest and at runtime. Bottomline -- Blob is data, and hence no licensing implication. And due to some reason, even data needs to have licensing statement, we can make it available to have no conflicts with GPL. -- Ram Pai
Re: [RFC PATCH 02/12] powerpc: Add support for adding an ESM blob to the zImage wrapper
On Tue, May 21, 2019 at 01:49:02AM -0300, Thiago Jung Bauermann wrote: > From: Benjamin Herrenschmidt > > For secure VMs, the signing tool will create a ticket called the "ESM blob" > for the Enter Secure Mode ultravisor call with the signatures of the kernel > and initrd among other things. > > This adds support to the wrapper script for adding that blob via the "-e" > option to the zImage.pseries. > > It also adds code to the zImage wrapper itself to retrieve and if necessary > relocate the blob, and pass its address to Linux via the device-tree, to be > later consumed by prom_init. Where does the "BLOB" come from? How is it licensed and how can we satisfy the GPL with it?