From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (NAM11-CO1-obe.outbound.protection.outlook.com [40.107.220.82])
 by mx.groups.io with SMTP id smtpd.web10.513.1626715904620237407
 for <devel@edk2.groups.io>;
 Mon, 19 Jul 2021 10:31:44 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@amd.com header.s=selector1 header.b=kB1vQuGW;
 spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.220.82, mailfrom: thomas.lendacky@amd.com)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=kQ345WvA1TpLVIZoshfxJkRas0zJrs9I7HSH4z3ebmny7dFiDcuUxsB1nlbnJRssKgKBqVKN0KRycYM6Qkc/Jesz+630xL3QFMI7xjpY2D13fU+G4FSVN266Ygr/1sOLma6rKzg/SPm/aCg80i7ft6LxvC0wOzuGs0BuNa/RwncQmfDBJESoozI88i9OW1BtNKoMiZC88YipSMVtCnJR0wAvTsxFc5Rq512SUSu3y4MlBro7gLaJ0pJIZARMaxLeAjXjPRs9UDPOyjFWPru9WHz4tcqn9YAMzMPwbXE9oPkWOUZhgV0EJIkDW0IkcRo3b8kg3jhEnbCG7tev2wMsRA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=umzqk7o7rO8pLkywB/0/No5PEZCXSs4YIuBKWsgARfM=;
 b=aveORH9AS10HDsia3InoeD1lhgcIfTJSVltcmEp7HOSG/Jkl2m0ug7a8EbzJTRYPkliZC7YNSyVMXY1RhhnewICG8RY6PKIWk+H2X1s9F9+jWN2Lmt2scgk8BbJXsSE5ElE27ZfELyxeDmuP5C33s/qeEDazGcvqW8+am/uIqyaQvj/UmccS7eVYp2bGqN7prT04/16CvOZbkec9C6CKZlfOySW5Q+D5pk9Kmqj5EEip5RpUAyRqD+tpVNShoX4SIi/68lh7ZgpFUkCmU8mYd71JcMc8R2uuUgLEvEf0WaU4rlszCYXPq9BH9tYzRetOklj2/8/3Eb9hZYS+KOHdcQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass
 header.d=amd.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=umzqk7o7rO8pLkywB/0/No5PEZCXSs4YIuBKWsgARfM=;
 b=kB1vQuGWC4RMENl1ATTnkLZB/kPbb6pu7taB9rZ4lnnQn4Sb7EfdBpxLX8MmRehwkFX/sIMiCxlKlVFoDkFUwucaRgdBwV2nAB1oz88uf97gfJBdkk+zwHvZEboOlKq5Mc1H0uBKNBj3sHqvR9XrwqyV75ndXLOH9WuSRG3LeNc=
Authentication-Results: intel.com; dkim=none (message not signed)
 header.d=none;intel.com; dmarc=none action=none header.from=amd.com;
Received: from DM4PR12MB5229.namprd12.prod.outlook.com (2603:10b6:5:398::12)
 by DM4PR12MB5342.namprd12.prod.outlook.com (2603:10b6:5:39f::5) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4331.32; Mon, 19 Jul
 2021 17:31:42 +0000
Received: from DM4PR12MB5229.namprd12.prod.outlook.com
 ([fe80::73:2581:970b:3208]) by DM4PR12MB5229.namprd12.prod.outlook.com
 ([fe80::73:2581:970b:3208%3]) with mapi id 15.20.4331.032; Mon, 19 Jul 2021
 17:31:42 +0000
Subject: Re: [PATCH v2 11/11] OvmfPkg/AmdSev: Enforce hash verification of kernel blobs
To: Dov Murik <dovmurik@linux.ibm.com>, devel@edk2.groups.io
Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
 Tobin Feldman-Fitzthum <tobin@ibm.com>, Jim Cadden <jcadden@ibm.com>,
 James Bottomley <jejb@linux.ibm.com>, Hubertus Franke <frankeh@us.ibm.com>,
 Laszlo Ersek <lersek@redhat.com>, Ard Biesheuvel
 <ardb+tianocore@kernel.org>, Jordan Justen <jordan.l.justen@intel.com>,
 Ashish Kalra <ashish.kalra@amd.com>, Brijesh Singh <brijesh.singh@amd.com>,
 Erdem Aktas <erdemaktas@google.com>, Jiewen Yao <jiewen.yao@intel.com>,
 Min Xu <min.m.xu@intel.com>
References: <20210706085501.1260662-1-dovmurik@linux.ibm.com>
 <20210706085501.1260662-12-dovmurik@linux.ibm.com>
From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
Message-ID: <5b48c54d-b3db-d0cb-72c2-7bd340ec9d61@amd.com>
Date: Mon, 19 Jul 2021 12:31:40 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.11.0
In-Reply-To: <20210706085501.1260662-12-dovmurik@linux.ibm.com>
X-ClientProxiedBy: SA0PR11CA0049.namprd11.prod.outlook.com
 (2603:10b6:806:d0::24) To DM4PR12MB5229.namprd12.prod.outlook.com
 (2603:10b6:5:398::12)
Return-Path: thomas.lendacky@amd.com
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [10.236.30.241] (165.204.77.1) by SA0PR11CA0049.namprd11.prod.outlook.com (2603:10b6:806:d0::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4331.23 via Frontend Transport; Mon, 19 Jul 2021 17:31:41 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: f2ba3fea-930b-42dd-c638-08d94adb1302
X-MS-TrafficTypeDiagnostic: DM4PR12MB5342:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: 
	<DM4PR12MB534283F67D5EB7857B2B2243ECE19@DM4PR12MB5342.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:2399;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
	Ur3QjQK7lrzYYGV+TEIsU1E2dBQY3uC8vwr5fmgvnYcr18NqtniChETKuzCYxWc4qblWlGiz2RhkcQNCzxDpzPmep3o11ihW7LRsgC0QeFp7mNsPyZ94y5J1pXDsKuLwHdoT8Qk/5bMmVzyRaIHOt649h5KoE78fjhkM3NK3oF+v0zwHYgBcqB3AGfANl8a7JjNoAKYVfshH4cSUQQu675Sr50VNnrB7DW13HCb9zVxWNi9XvaOyML5NBP0en3HAv7lQdGR1Uxf0mR2XQx78ZUFh5+6aafXgxxUFFekEOhRjjS/jBjCJsLdUHr7NuLx08eND7VSHRp5ijLkitV+BgB2PxfHYZ/bngdai6TknuSoUSV4HUCaCtD+cFgLd50JnOg40bc+zwgd8tkmRgdl5HoJZyJOyvcllg1xRPl4XzMOdEhMSffCh6GesTREd5OR6FmItjhi0fjbdMNKLcwjRVHQvcop1/gaaLJNYse1XEjv7hzkRPmrG8tdVH9PnbFZsjcD1Qb/dDnQSZ8Qs5AYwbw1g+3yiptBnLAKwbxcNQDlLiV6zdRdpKgWCe7trSY05X2A/44IVCHBvBPUJ1Umbn3UwgiKWSE84hVXiRyWXJp0p0Re81IkjM9W6ZYAP5neMpcRth+jW0tkiDEg8v0RZpayfV78n1r4N3VI2lQhq5lo9yP7IHgBjwfR2+edj8+YNRLVubXWJQ7kQ+8H6977EBsjyKcmebG9XeDZoKMqVhwIKfrxe5qH2BmIa223j1YC1R0qWT4EfrUute5ffbE7TCumSWQ0I3vVrgM/PE2OxfDf+HnOePbvwlvy9nCg5wkEG
X-Forefront-Antispam-Report: 
	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM4PR12MB5229.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(39860400002)(376002)(346002)(396003)(136003)(366004)(966005)(86362001)(31696002)(8936002)(4326008)(478600001)(2616005)(956004)(8676002)(2906002)(38100700002)(15650500001)(6486002)(83380400001)(26005)(31686004)(5660300002)(54906003)(53546011)(186003)(66556008)(66476007)(66946007)(316002)(36756003)(16576012)(7416002)(19627235002)(45980500001)(43740500002);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
	=?utf-8?B?YXpiK3Q3WW9waWZJYTJqRG1IYkdpUkdScGQ2ZnE2clIvWGJ2U0JkNE9QYmlk?=
 =?utf-8?B?bmlsZm1uaG1keDgrbVYxVklwdTAySm9BWnA0K2lJS0lpN2pqM1g4akhQZXc4?=
 =?utf-8?B?WUtHWjJNWm1XRnFqT2N5YUFUMzArQ0o0V1c3Vkx2SHVEZER0L2xyWnpYdU92?=
 =?utf-8?B?RTdlMHViVkVvcy9BZlRCQllKNDhRZFptRDdiS3M0Yk9HbTVyajMzK1c0cmFt?=
 =?utf-8?B?T1FvL0srdzVFZWJYclh3SENycDZhVndOZWxnYTZ3UVByNklBeWR0VGZRcmJn?=
 =?utf-8?B?Q241MHJWM0FwN2U0YzVlanFwa0hLM256WjdvUHJCbC9LV1JuUEJGWStNV3F3?=
 =?utf-8?B?VFhVZzdBT1ZxWHlzUFRWbjhVU0VMb2ZVek5WeWV5VllsWTlqVHJMbFZhbG1Y?=
 =?utf-8?B?LzVhZGhqRytUY3JraGhkSUxxSUpzNm9zWERQOVNWRmRCR1JabUN5MDkyNUs3?=
 =?utf-8?B?K1g0YldKRkdEaUIza3BHU2dzU0hiWHBKc1BnbnhUdWxteElkakRXVEMrV2Jl?=
 =?utf-8?B?a0w5aUxFekJTejlGZFVIOC8xUjZ6MWZkdjJ3QlBac3llZ05leGx3dDRSSHFw?=
 =?utf-8?B?RVFreWNUVzR6MGdXUnQwdEVhaklFNnNZemxCbVhuVU5ITWcrTDk2ZXNiemc5?=
 =?utf-8?B?cXI5aE4zQS9DYWZjM3BCYncvV0trN3htM2JBdWtXbU82RTBqZTAzcFErMmxO?=
 =?utf-8?B?UTdHWHlsc1R1OWViNGlvUytLdEJjMzg5RkhoWHMwVlByZlN2d2k3S3NCc0p5?=
 =?utf-8?B?SjhMZVMyNHdVRlZOTDcrM1pNZlVycG5pbCs4bGl6eW5EYmt0ZXBYcFVQWEQy?=
 =?utf-8?B?MHRwZ0EwZDk3bXlLbzgwajZiNWZPai9GWkF5QVZkZFp2SXQ0ZDF6YUlNSWpo?=
 =?utf-8?B?Z0o5WnZ4cFVoK2NVbG5DYnl3bnJEY01FV2daaURuNG9KVU92NmJpMEFPZ0xy?=
 =?utf-8?B?dGJVdVhqNEJlYzJRUjlDMjZMZlpsRm12a2pjMTNsY2JwNEhRd3dWMGpCTmpt?=
 =?utf-8?B?MkpheDhWRkxMaVpOckdReG5JakVYTVE5TVFoVUFDN2RMdnNrNldNY1FuVWNi?=
 =?utf-8?B?T1YzYlZvWXRvZExyUjJtU29wbE5NYngwOUhJUWtSM1ZiK1ZKcUVwUzBVeTZD?=
 =?utf-8?B?bVp6NW1xbmJZbFhNVlhzdjRhay9JOFU4OWx0bDdDQjV0WUFyWTllMURrSmQ1?=
 =?utf-8?B?TUl0ZEpxTzVGZG92eldRck4vQzNwb3dNYm1LeVVRaktkZkgvL1NkY3d6enBz?=
 =?utf-8?B?ZVF1R0ZQd0lsKzk5blNzNWorK0k4Z2FUQVlEUE16elkxZG5MWVVSdEYyN0xr?=
 =?utf-8?B?NExydUk1cDI0eERqZE10WUNpbnFnbmFySVlpQTBaVEFsbTNXWXl3aXd0WTgx?=
 =?utf-8?B?UVFyaWw4M0tOSDNHK1lGR1A4MGtRckNrVjJoRkc3KzVPWVl3QjEyK3lLRHBu?=
 =?utf-8?B?djlnSkRVSDk5RVNpRFNtRGlFV3VVeGoxZXRyVjRpSGpMb3BrSGcrNzkzL1gy?=
 =?utf-8?B?bmlHdTRvYzlqcWF6cWwxalVrK1NCZjFMMnhCZDR0L3JLRzVkZXJCdTJkSW5L?=
 =?utf-8?B?LzF3cGNUWHFKa3NSSCtIRmhBQ3N3YWU1MFhwTGgvTXBSZWNHQlEvSms1OGQy?=
 =?utf-8?B?dVh2eHZHNG0rTXgwbjVNMndOTlVRZWZWenEzNVlJM2E3cEpZbDdjeUpCTC9O?=
 =?utf-8?B?Ynh2cDc1S0lVKzhwZkpkbEJxLzUwc1dLYSsrV0w3L3cvNGhiQktUWFpBYUtO?=
 =?utf-8?Q?QdueNFay//vnvlpDodXAiCYW21jLDTX943XGPgl?=
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f2ba3fea-930b-42dd-c638-08d94adb1302
X-MS-Exchange-CrossTenant-AuthSource: DM4PR12MB5229.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Jul 2021 17:31:42.7714
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: Bzw4aJV3UK/VV08pg4guGMzFcx7XcNQysGGGW31TT6a0WuzEyeA44kHfav4r+BsX0NAcTdzr2KF77lpHPTGeSQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR12MB5342
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 7/6/21 3:55 AM, Dov Murik wrote:
> In the AmdSevX86 build, use SevHashesBlobVerifierLib to enforce
> verification of hashes of the kernel/initrd/cmdline blobs fetched from
> firmware config.
> 
> This allows for secure (measured) boot of SEV guests with QEMU's
> -kernel/-initrd/-append switches (with the corresponding QEMU support
> for injecting the hashes table into initial measured guest memory).
> 
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Ashish Kalra <ashish.kalra@amd.com>
> Cc: Brijesh Singh <brijesh.singh@amd.com>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
> Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>

> ---
>  OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
> index 8b260df114e3..d1ed0abbd0fb 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
> +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
> @@ -173,7 +173,7 @@ [LibraryClasses]
>    LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
>    CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
>    FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
> -  BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf
> +  BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf
>  
>  !if $(SOURCE_DEBUG_ENABLE) == TRUE
>    PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDebug/PeCoffExtraActionLibDebug.inf
> @@ -696,7 +696,7 @@ [Components]
>    }
>    OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
>      <LibraryClasses>
> -      NULL|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf
> +      NULL|OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf
>    }
>    OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
>    OvmfPkg/Virtio10Dxe/Virtio10.inf
>