From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 8299DAC0B98 for ; Tue, 28 Nov 2023 11:07:46 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=EXBTiE4/zRwBVotlELan2uMiMt0ALDOzIpXZ0skWCR0=; c=relaxed/simple; d=groups.io; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:To:Cc:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type; s=20140610; t=1701169665; v=1; b=qA7DcZ4XMxIZerN+X1zWz9KU/ma902L6+bG7TYyra4Zn/gSh8HqN6Izej2a4RivH4pQ3zoah VDZvPGNFsuN2VRFWf5T4mRGkYX43JAPUjYwlKZqA4N+UYSOKHpLzVbny/NCZwCVkSAkW1Eww6L2 9kbBPeYpnSq3bToSL/Ae5f0s= X-Received: by 127.0.0.2 with SMTP id cyWpYY7687511xCzkMeayAHJ; Tue, 28 Nov 2023 03:07:45 -0800 X-Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by mx.groups.io with SMTP id smtpd.web10.30202.1701169663886284326 for ; Tue, 28 Nov 2023 03:07:44 -0800 X-Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by ams.source.kernel.org (Postfix) with ESMTP id E974AB839A6 for ; Tue, 28 Nov 2023 11:07:41 +0000 (UTC) X-Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4F0D3C433CA for ; Tue, 28 Nov 2023 11:07:41 +0000 (UTC) X-Received: by mail-lj1-f177.google.com with SMTP id 38308e7fff4ca-2c5b7764016so60339241fa.1 for ; Tue, 28 Nov 2023 03:07:41 -0800 (PST) X-Gm-Message-State: cWy9H6ensgNvIzczQd7DPxfBx7686176AA= X-Google-Smtp-Source: AGHT+IHco8ydfPTEhzNH0Zfp8GJQyG4Wb360YKx0YRP9+fAEExhf7nsP3rxyeck6Bp6A98wexpnRCupACnDeCIAEJOs= X-Received: by 2002:a2e:9258:0:b0:2c9:b8a0:8675 with SMTP id v24-20020a2e9258000000b002c9b8a08675mr434014ljg.16.1701169659542; Tue, 28 Nov 2023 03:07:39 -0800 (PST) MIME-Version: 1.0 References: <20230302091532.1985238-1-dovmurik@linux.ibm.com> <20230320100625.ucpickm42jl3lffq@sirius.home.kraxel.org> <88ff7ce3-cf1c-4e6e-a7d0-8dd5c064f2e4@amd.com> In-Reply-To: <88ff7ce3-cf1c-4e6e-a7d0-8dd5c064f2e4@amd.com> From: "Ard Biesheuvel" Date: Tue, 28 Nov 2023 12:07:28 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [edk2-devel] [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP To: Tom Lendacky Cc: Ard Biesheuvel , Jiewen Yao , Jordan Justen , devel@edk2.groups.io, Erdem Aktas , James Bottomley , Min Xu , Michael Roth , Ashish Kalra , Mario Smarduch , Tobin Feldman-Fitzthum , Gerd Hoffmann Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,ardb@kernel.org List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Type: text/plain; charset="UTF-8" X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=qA7DcZ4X; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=kernel.org (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io On Mon, 27 Nov 2023 at 21:04, Tom Lendacky wrote: > > On 3/20/23 05:06, Gerd Hoffmann wrote: > > On Thu, Mar 02, 2023 at 09:15:30AM +0000, Dov Murik wrote: > >> AMD SEV and SEV-ES support measured direct boot with > >> kernel/initrd/cmdline hashes injected by QEMU and verified by OVMF > >> during boot. > >> > >> To enable the same approach for AMD SEV-SNP, we declare the kernel > >> hashes page in the SNP metadata list as a new region type. When QEMU > >> encounters that region in the list, it will insert the hashes of > >> kernel/initrd/cmdline and encrypt the page (or, if the user turned off > >> kernel hashes, it will validate the page as a zero page). > >> > >> The first patch rearranges the pages in AmdSevX64's MEMFD so they are in > >> the same order both as in the main target (OvmfPkgX64), with the > >> exception of the SEV Launch Secret page which isn't defined in > >> OvmfPkgX64. > >> > >> The second patch modifies the SNP metadata structure such that on > >> AmdSev target the SEV Launch Secret page is explicitly defined in SNP > >> metadata list, and therefore it is not included in the ranges that are > >> pre-validated (zero pages) by the VMM; instead the VMM will insert > >> content into this page (the hashes table), or mark it explicitly as a > >> zero page if no hashes are added. > >> > >> This series is available at: > >> https://github.com/confidential-containers-demo/edk2/tree/snp-kernel-hashes-v3 > >> > >> A corresponding QEMU RFC series will be published soon in qemu-devel, or > >> use this tree: > >> https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v3 > > > > For the series: > > Acked-by: Gerd Hoffmann > > I've noticed that series was never picked up. Any chance that this can be > merged? > Queued up now Apologies for the delay. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#111808): https://edk2.groups.io/g/devel/message/111808 Mute This Topic: https://groups.io/mt/97335488/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-