From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM11-DM6-obe.outbound.protection.outlook.com (NAM11-DM6-obe.outbound.protection.outlook.com [40.107.223.52]) by mx.groups.io with SMTP id smtpd.web10.191.1626801563256766303 for ; Tue, 20 Jul 2021 10:19:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@amd.com header.s=selector1 header.b=NP0onxo4; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.223.52, mailfrom: thomas.lendacky@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VqW/8RvXZk/69remQB5jqOjLXfw/ehWIq1gZItvqLmOU71ofHggAJzgI/Axl2U0x3hMkFszfvoo+vpuHqohvan/MVFLAneoMvFJOvF1r6Y3YcUHh7ZFP0ik+slsEghoZsjnY2ARLk5Qb2HywGxTHT/TvAn9RhbSV6Y+Ukckb+JxRFnqivpx21IYR+23ofDiSEFFVuRl5XEDw6RJ7t3YKcS66q4KTJFaV8dv0QEKweX4n5wPaSBV9qAriAhw7LQjQtmffTLuP7xpPiqmVanTM3FFR/szkobo8dQth6imHs/vSTnS+dt9gL4w/9/XYAyeUkmM2vSGeQ4Y+5jtm3Xr8wQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QKYGRnkZcKZwEYGpcFe6UgNQ2DSLBQIeZwQSHuTfQL8=; b=Vso1LxeJsQEG0I/R8wToCDwKNx0nKETKwT24BgHY3Y+WBzwfErRxkqmeX38+m+lRt9Zyt1JTGdBG2zROPrl44JWmDXSYd8Qu9ZVx0nh8x7SlU4KThLTq3VXE1VZ7ppJHIH3XS/NT5fTIPx9XdRtcULqeb4zmnHux7Sv22z6YvH1Zpkmf1FjXcSHHKLkjPKK1YnRNx4e7efTMA7O0oI6XBJCysd2ZtZcHp07w2vRbd3aomUSYX67hMgtUbq+hM31n7WDJCCFACjqFYnV7JPBHOdMin1DOg+wejMchftqArm8h/FIudlIcFtDXNDUSEC/wpOBdtHl8HDTkX9t0SfxYNQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QKYGRnkZcKZwEYGpcFe6UgNQ2DSLBQIeZwQSHuTfQL8=; b=NP0onxo4n939SH91QhaD2/p7lkZVTudsAi93Q1jxf5ihOFG8LVyjuGJbtj/ukAOTHwiJJTlA1aMHVQkddmFVHOrjWgYuuQ+tGnqa7HWf1Gycd1tT0j1IdgUzBnFeTp9a8TH3dS3+R6d9Hv/ad3MaY+0+8f/OHQm2M05VE777Md4= Authentication-Results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=amd.com; Received: from DM4PR12MB5229.namprd12.prod.outlook.com (2603:10b6:5:398::12) by DM4PR12MB5358.namprd12.prod.outlook.com (2603:10b6:5:39c::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4331.30; Tue, 20 Jul 2021 17:19:22 +0000 Received: from DM4PR12MB5229.namprd12.prod.outlook.com ([fe80::73:2581:970b:3208]) by DM4PR12MB5229.namprd12.prod.outlook.com ([fe80::73:2581:970b:3208%3]) with mapi id 15.20.4331.034; Tue, 20 Jul 2021 17:19:22 +0000 Subject: Re: [PATCH v3 11/11] OvmfPkg/AmdSev: Enforce hash verification of kernel blobs To: Dov Murik , devel@edk2.groups.io Cc: Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> <20210720080401.3662854-12-dovmurik@linux.ibm.com> From: "Lendacky, Thomas" Message-ID: Date: Tue, 20 Jul 2021 12:19:19 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 In-Reply-To: <20210720080401.3662854-12-dovmurik@linux.ibm.com> X-ClientProxiedBy: SA0PR13CA0022.namprd13.prod.outlook.com (2603:10b6:806:130::27) To DM4PR12MB5229.namprd12.prod.outlook.com (2603:10b6:5:398::12) Return-Path: thomas.lendacky@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from [10.236.30.241] (165.204.77.1) by SA0PR13CA0022.namprd13.prod.outlook.com (2603:10b6:806:130::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4352.24 via Frontend Transport; Tue, 20 Jul 2021 17:19:21 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 8f9e5c0b-d6fd-452d-bf28-08d94ba283cc X-MS-TrafficTypeDiagnostic: DM4PR12MB5358: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:2150; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 34fLkEQRQMlSJiVI0AAQsKSHlDPi+ffeLFdQWFHaFI9oOgqACd3O7rbQtTgapKpXmvHqUrY8X/9GCFbjVqlS/UxXRdqH8FNkOow0U+speYGs6bljPnyLJnNHMBsbD9FLz2NpLczifx59FajhraN8e7pcqcEmk3aBQKzF3U8XH5r1HHYqeSeP+aEZ9W9mCBF076ll9wIbtWTHWD3OgAos4UuamLhEMRPar62nXQU3g2YUIY/4BEMUxVShlLVcymbXUxYbEBViXL59ozz+X7q69eL4NHxacc+OA/m92hFB9pEDLubE0X6jzNTpUL52/shqYaX/yr30qBZFtwggiQFo5twZtoIgiJSBzIqUpUyjp+0b9P1129IeKZLzQowOhrrepIAJTlbd9wjs4VJ1xsZOWehUjkxxgzlFm6TPmnq6o6xqeYF1vCvy2qeMzdHv/Gt0GoPKMIftmVEslm718QIxHpv7EoNPtogvu0vYM61LOVOnCwX3gPafBgElcbWqPFY2xNPWbVT2Vr5XDOMaq/vrvgBLX1TSe9SjqAFF6DNn13221rbyNgTTqHOqCVZwvszk3f9QBVadgJi4kaDaIU7wYaAn0fE3SwKDwFm7+5Qw3WMqEQwj+6SZ3PLMXpgPz+oMH2T4qWHA4zHnrE9eUNcMT2wZoaXozzQJGlu0LpUDrNs2CFb1OxBsDqe1l/BvaJhdoccaifJG6oqEmRpJumOXiWyBOjHisO25uG02xAtOrpLiF4rOOJaTw9FqFGW4zfMvzDuPYJFHbsMwZWaOZo2+WegfuPJqtV1+toGdD07YbYluEuVhV3d+z9u2XQgf2c18 X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM4PR12MB5229.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(366004)(376002)(396003)(136003)(39860400002)(346002)(38100700002)(966005)(478600001)(31696002)(19627235002)(16576012)(956004)(6486002)(2616005)(54906003)(36756003)(86362001)(2906002)(31686004)(8676002)(53546011)(83380400001)(66946007)(186003)(8936002)(66476007)(15650500001)(4326008)(316002)(66556008)(26005)(5660300002)(7416002)(45980500001)(43740500002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?Vk5GN2pxekRoK1ZnN1VRd0g2Yk9tRk5ybTJjQU16ZDllbmtYSXk0ZXVicHNI?= =?utf-8?B?OUlmcmJjZzZnOFhKbUR1TFkwSGFOUkRDZG10SzFKQmpLUDZWWEUzMCt5VE9L?= =?utf-8?B?SHI4Rm1ZUlNPcmpiTVB2SUswNXhhSXFaUkk0Rzh3ZFpVV21nK0tlUW1Za3lW?= =?utf-8?B?dnRQYityUlJvR0NHSkExM1Rsa3Z5blE1cEl1RlJUc1ZHVXpGRHg0aWRmMjMx?= =?utf-8?B?ZlZTTVpmWmFIbWRPRTI2NTRMWWhjUWNtbFdQOEdqVHg1UFdzejJ0Qk5JTm94?= =?utf-8?B?dGNmemt0RVJHN1FZMzBFeThrM21GSWNncTJISXBCWFJZT0QxcDhlTklaeTEx?= =?utf-8?B?ampBVC9KbGlWMTJIendUc3lVSjNCZWJaWEM4QmRmalVSd1JqSFBIRlkwUS9D?= =?utf-8?B?a2grL1BEWTZrYldGeTVmcU8wQ0ZJaGRSbDlUWWNNeGJOWE9XSWNCZHhTR1VU?= =?utf-8?B?RHRDckVoRHFGRzRKY01yWnhXUnFQd1FXdWVaSlN2K1pXTVF0MERhTWpweTdS?= =?utf-8?B?aDNaUDYvZzdHVEF0NFg5Z3Qrc0tvL2oxNm1MNjhEblJVUlVXRXJwNzZZd0dH?= =?utf-8?B?YWc2YmRTMFZJQWgwZWhleWNUZDY0bWhMbnNYVlp4b240UUN1TVJYWGFkTGE4?= =?utf-8?B?OXQ3eXo1TUpIK2RGczZsU2tLaDZBYUpubHZXTUhmWE5VbVBESXBNOVhZT0VZ?= =?utf-8?B?SzZIQzFKQWU5UUw1eVcxN0FqQUVYODh5OEphRXpFaFpUYm50SUlCN0V6ci9K?= =?utf-8?B?ekMxNVRLMUZFb0l0eGlJR1hKenBtQ3BEVXp4aWx3YTdhQUlzZDZQMVJJbUtH?= =?utf-8?B?Si9TdU0zbHIzMWEwWC9VcjdCMnpMbnNXZVhBeHdKcm0xWFdhOUF4aHdEdHBs?= =?utf-8?B?Z1h2Q3pSMUF3VnI0SE5qUFNCL0dudFNSblI4eW5TcHd0SlRsVnZnM3lLQ3c5?= =?utf-8?B?ZDZaaCtNRXUybDU5UDhHNmVpVk03OWJiZkczWk1VbEZyUUkxSTJYMFZHZEFS?= =?utf-8?B?VVVHQVVFQ1lGS0RxUFhldlhCTk9kNGdDTHUyUGJkWldqQUtscnFzY0QzaXJZ?= =?utf-8?B?SGJrc2UyYTFsVzdkQzE1MzZoeDVyT0JvV2xNbzJNVmVQZmNBbm1admFIbThy?= =?utf-8?B?S004WkRqbTlBQm1JekdhL0Q0OWsrZXNhYmZ2b1BLcVRuVmdvRkxTMTdRQnNx?= =?utf-8?B?U1ZTQzFZakEvZUNzMFBpOUoxZzlaeDlONjNwV3RCZ3pwRG1oZEFPekJUWTIw?= =?utf-8?B?VGZSSmJvcHJQOXcrVDgvYkdqMlk0SUpKWHQwYXUwWlVrcW5TRjFpcEZ4QWdr?= =?utf-8?B?OS9Kc0xNNGRJdmdNclJidHpYaWNjK2F1YlJwdHdtWFp3WEV0dnRadWRmbUo1?= =?utf-8?B?a2VvWjVJMlh2L0tFdUU1UlN2S1ZsTHlxaW84MzVJUW9uYzlCZzg3RnhIeldB?= =?utf-8?B?ZFAzaTBTUTN6bCtkNFJtb1YxUXlVRVVwWkJlTzRXdGNBOTRkai9ieklVZlZ6?= =?utf-8?B?RVRtMWduS3RWR0xzU2NhVGNpZXFCQ2tWQVpOTi96a2dvTXdEOHZkL3BmOHli?= =?utf-8?B?ek9mLzQ1ejVrUE0xWWR1RWs3SmFqWlN5a0Z1Wld1Z3g1L1Z6L0tidENTcStU?= =?utf-8?B?NDE0ZDVHK1V6c0ZGOGVRaHNJbW1tSG9MZnYrN2YzV096MSthUXlzTmlQUXE4?= =?utf-8?B?RUxTSjB6SG9UQ2VJeGhiWU9EenRQL3FqNzJBVHJqL2s4K1Zwa2Z5TUY3MElO?= =?utf-8?Q?f0bL2CPVD6RYLbtvu1esu8QTEgB5fLEx1awHlTw?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: 8f9e5c0b-d6fd-452d-bf28-08d94ba283cc X-MS-Exchange-CrossTenant-AuthSource: DM4PR12MB5229.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Jul 2021 17:19:21.8889 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: h2gMwdVetySo3MRV6v2lpW+dG1ozOS4x7UcyM+BhaY/h82zurjzdpqIjART1SNg3F8gXmDtFGaszW6E/Yr9wtA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR12MB5358 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 7/20/21 3:04 AM, Dov Murik wrote: > In the AmdSevX64 build, use BlobVerifierLibSevHashes to enforce > verification of hashes of the kernel/initrd/cmdline blobs fetched from > firmware config. > > This allows for secure (measured) boot of SEV guests with QEMU's > -kernel/-initrd/-append switches (with the corresponding QEMU support > for injecting the hashes table into initial measured guest memory). > > Cc: Ard Biesheuvel > Cc: Jordan Justen > Cc: Ashish Kalra > Cc: Brijesh Singh > Cc: Erdem Aktas > Cc: James Bottomley > Cc: Jiewen Yao > Cc: Min Xu > Cc: Tom Lendacky > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457 > Signed-off-by: Dov Murik Reviewed-by: Tom Lendacky > --- > OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) >