public inbox for devel@edk2.groups.io
From: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
To: devel@edk2.groups.io
Cc: dov.murik@gmail.com, james.bottomley@hansenpartnership.com,
	thomas.lendacky@amd.com, tobin@ibm.com,
	Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
Subject: [edk2-devel] [PATCH 0/2] AmdSev: Harden SEV Kernel hashes verifier
Date: Mon,  6 May 2024 20:27:34 +0000
Message-ID: <cover.1715024059.git.tobin@linux.ibm.com>

The AmdSev package has a so-called BlobVerifier, which
is meant to extend the TCB of a confidential guest
(SEV or SNP) to include components provided via fw_cfg
such as initrd, kernel, kernel params.

This series fixes a few implementation errors in the
blob verifier. One common theme is that the verifier
currently fails to halt the boot when an invalid blob
is detected. This can lead to a confidential guest
having a launch measurement that does not reflect the
guest TCB.

This series could also help us move towards consolidating
the AmdSev package back into the OvmfPkg although more
discussion will be needed on this.

Thank you to Ryan Savino at AMD for pointing out
some of these issues.

Tobin Feldman-Fitzthum (2):
  AmdSev: Rework Blob Verifier
  AmdSev: Halt on failed blob allocation

 .../BlobVerifierSevHashes.c                   | 56 ++++++++++++++++---
 OvmfPkg/Include/Library/BlobVerifierLib.h     | 14 +++--
 .../BlobVerifierLibNull/BlobVerifierNull.c    | 13 +++--
 .../QemuKernelLoaderFsDxe.c                   |  9 ++-
 4 files changed, 69 insertions(+), 23 deletions(-)

-- 
2.34.1

Thread overview: 9+ messages
2024-05-06 20:27 Tobin Feldman-Fitzthum [this message]
2024-05-06 20:27 ` [edk2-devel] [PATCH 1/2] AmdSev: Rework Blob Verifier Tobin Feldman-Fitzthum
2024-05-30 15:46   ` Lendacky, Thomas via groups.io
2024-05-06 20:27 ` [edk2-devel] [PATCH 2/2] AmdSev: Halt on failed blob allocation Tobin Feldman-Fitzthum
2024-05-30 15:51   ` Lendacky, Thomas via groups.io
2024-06-26  8:08 ` [edk2-devel] [PATCH 0/2] AmdSev: Harden SEV Kernel hashes verifier Aithal, Srikanth via groups.io
2024-06-26 13:58   ` Tobin Feldman-Fitzthum
2024-06-26 14:33     ` Aithal, Srikanth via groups.io
2024-06-26 17:14       ` Tobin Feldman-Fitzthum
