From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web11.10272.1607533502031204030 for ; Wed, 09 Dec 2020 09:05:02 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=ID3f3iUR; spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: jejb@linux.ibm.com) Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 0B9H229B057190; Wed, 9 Dec 2020 12:04:57 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : subject : from : reply-to : to : cc : date : in-reply-to : references : content-type : mime-version : content-transfer-encoding; s=pp1; bh=GNBsRaAqVMx3BDW7w3fKiC/q/u2T9Ee/FXio4CxK8nk=; b=ID3f3iUR+jSleTg4GnkcRRnHNUyZdH4d2OCvY5npTT0cPx+uO4jM877qk7VkhiRJnXTG sLb39rkQgvfqEDEwqM9uOlXEOsQcOFXaVSx7J5jZ+4NcXkANJBVChN74pKi21xXvDhgl 5Xbf6Akg2UVp1HEBcYan9kForSO6xz237edZNpZ6kt/jSWA8K4izyXQq8+4PdwnqkJ/4 TlCEePHAsLU/XCc1vaOlUUhOI9QiOhsEvGY0xS5UhIeB3JvCunswSBwnxD0UKFrBjZPn IYNYLfhKwV8LoBbR2ad3LtkD3Z1vmiUSY6Jf5d3qw6ALb5ypPutldWvTSQEc8KBj6Q56 gg== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 35amchh8jv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 09 Dec 2020 12:04:57 -0500 Received: from m0098419.ppops.net (m0098419.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 0B9H2Vib059235; Wed, 9 Dec 2020 12:04:56 -0500 Received: from ppma03wdc.us.ibm.com (ba.79.3fa9.ip4.static.sl-reverse.com [169.63.121.186]) by mx0b-001b2d01.pphosted.com with ESMTP id 35amchh8j5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 09 Dec 2020 12:04:56 -0500 Received: from pps.filterd (ppma03wdc.us.ibm.com [127.0.0.1]) by ppma03wdc.us.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 0B9H1f9P011269; Wed, 9 Dec 2020 17:04:55 GMT Received: from b03cxnp08027.gho.boulder.ibm.com (b03cxnp08027.gho.boulder.ibm.com [9.17.130.19]) by ppma03wdc.us.ibm.com with ESMTP id 3581u99305-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 09 Dec 2020 17:04:55 +0000 Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp08027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 0B9H4qxi10813778 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 9 Dec 2020 17:04:52 GMT Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8D3A37805E; Wed, 9 Dec 2020 17:04:52 +0000 (GMT) Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 00CE57805C; Wed, 9 Dec 2020 17:04:49 +0000 (GMT) Received: from jarvis.int.hansenpartnership.com (unknown [9.85.183.17]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP; Wed, 9 Dec 2020 17:04:49 +0000 (GMT) Message-ID: Subject: Re: [edk2-devel] [PATCH v3 6/6] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table From: "James Bottomley" Reply-To: jejb@linux.ibm.com To: "Yao, Jiewen" , "devel@edk2.groups.io" Cc: "dovmurik@linux.vnet.ibm.com" , "Dov.Murik1@il.ibm.com" , "ashish.kalra@amd.com" , "brijesh.singh@amd.com" , "tobin@ibm.com" , "david.kaplan@amd.com" , "jon.grimm@amd.com" , "thomas.lendacky@amd.com" , "frankeh@us.ibm.com" , "Dr . David Alan Gilbert" , Laszlo Ersek , "Justen, Jordan L" , Ard Biesheuvel Date: Wed, 09 Dec 2020 09:04:48 -0800 In-Reply-To: References: <20201130202819.3910-1-jejb@linux.ibm.com> <20201130202819.3910-7-jejb@linux.ibm.com> <78d5f9704e4a643d1c6d4669c2c5cae672cfaecf.camel@linux.ibm.com> User-Agent: Evolution 3.34.4 MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.343,18.0.737 definitions=2020-12-09_14:2020-12-09,2020-12-09 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 mlxlogscore=999 priorityscore=1501 bulkscore=0 phishscore=0 spamscore=0 lowpriorityscore=0 mlxscore=0 impostorscore=0 suspectscore=0 clxscore=1015 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012090116 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit On Wed, 2020-12-09 at 16:51 +0000, Yao, Jiewen wrote: > > To be clear: grub is just using it to get the disk password. I do > > anticipate we'll also use it for provisioning keys directly into > > the linux kernel as well, so multiple consumers were anticipated. > > Would you please share more information about the GUIDed key usage, > except disk password? I think the point here is I don't define it. I only define the one grub disk password use case. The GUIDed table format means that anyone can define a GUID and a data format for their use case. Not actually pre-specifying allows the use case to develop with the code. > What is the usage of the provisioning key for kernel? The usual problem is that you need an additional trusted public key in the kernel primary keyring, so having the secret area inject a trusted public key we can later use for things like third party module signing and the like seems to be a good idea. James