qapi/qom,target/i386: sev-guest: Introduce kernel-hashes=on|off option
Introduce new boolean 'kernel-hashes' option on the sev-guest object. It will be used to to decide whether to add the hashes of kernel/initrd/cmdline to SEV guest memory when booting with -kernel. The default value is 'off'. Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> Acked-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
0055ecca84
commit
55cdf56641
|
@ -769,6 +769,10 @@
|
||||||
# @reduced-phys-bits: number of bits in physical addresses that become
|
# @reduced-phys-bits: number of bits in physical addresses that become
|
||||||
# unavailable when SEV is enabled
|
# unavailable when SEV is enabled
|
||||||
#
|
#
|
||||||
|
# @kernel-hashes: if true, add hashes of kernel/initrd/cmdline to a
|
||||||
|
# designated guest firmware page for measured boot
|
||||||
|
# with -kernel (default: false) (since 6.2)
|
||||||
|
#
|
||||||
# Since: 2.12
|
# Since: 2.12
|
||||||
##
|
##
|
||||||
{ 'struct': 'SevGuestProperties',
|
{ 'struct': 'SevGuestProperties',
|
||||||
|
@ -778,7 +782,8 @@
|
||||||
'*policy': 'uint32',
|
'*policy': 'uint32',
|
||||||
'*handle': 'uint32',
|
'*handle': 'uint32',
|
||||||
'*cbitpos': 'uint32',
|
'*cbitpos': 'uint32',
|
||||||
'reduced-phys-bits': 'uint32' } }
|
'reduced-phys-bits': 'uint32',
|
||||||
|
'*kernel-hashes': 'bool' } }
|
||||||
|
|
||||||
##
|
##
|
||||||
# @ObjectType:
|
# @ObjectType:
|
||||||
|
|
|
@ -5189,7 +5189,7 @@ SRST
|
||||||
-object secret,id=sec0,keyid=secmaster0,format=base64,\\
|
-object secret,id=sec0,keyid=secmaster0,format=base64,\\
|
||||||
data=$SECRET,iv=$(<iv.b64)
|
data=$SECRET,iv=$(<iv.b64)
|
||||||
|
|
||||||
``-object sev-guest,id=id,cbitpos=cbitpos,reduced-phys-bits=val,[sev-device=string,policy=policy,handle=handle,dh-cert-file=file,session-file=file]``
|
``-object sev-guest,id=id,cbitpos=cbitpos,reduced-phys-bits=val,[sev-device=string,policy=policy,handle=handle,dh-cert-file=file,session-file=file,kernel-hashes=on|off]``
|
||||||
Create a Secure Encrypted Virtualization (SEV) guest object,
|
Create a Secure Encrypted Virtualization (SEV) guest object,
|
||||||
which can be used to provide the guest memory encryption support
|
which can be used to provide the guest memory encryption support
|
||||||
on AMD processors.
|
on AMD processors.
|
||||||
|
@ -5229,6 +5229,10 @@ SRST
|
||||||
session with the guest owner to negotiate keys used for
|
session with the guest owner to negotiate keys used for
|
||||||
attestation. The file must be encoded in base64.
|
attestation. The file must be encoded in base64.
|
||||||
|
|
||||||
|
The ``kernel-hashes`` adds the hashes of given kernel/initrd/
|
||||||
|
cmdline to a designated guest firmware page for measured Linux
|
||||||
|
boot with -kernel. The default is off. (Since 6.2)
|
||||||
|
|
||||||
e.g to launch a SEV guest
|
e.g to launch a SEV guest
|
||||||
|
|
||||||
.. parsed-literal::
|
.. parsed-literal::
|
||||||
|
|
|
@ -62,6 +62,7 @@ struct SevGuestState {
|
||||||
char *session_file;
|
char *session_file;
|
||||||
uint32_t cbitpos;
|
uint32_t cbitpos;
|
||||||
uint32_t reduced_phys_bits;
|
uint32_t reduced_phys_bits;
|
||||||
|
bool kernel_hashes;
|
||||||
|
|
||||||
/* runtime state */
|
/* runtime state */
|
||||||
uint32_t handle;
|
uint32_t handle;
|
||||||
|
@ -327,6 +328,20 @@ sev_guest_set_sev_device(Object *obj, const char *value, Error **errp)
|
||||||
sev->sev_device = g_strdup(value);
|
sev->sev_device = g_strdup(value);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool sev_guest_get_kernel_hashes(Object *obj, Error **errp)
|
||||||
|
{
|
||||||
|
SevGuestState *sev = SEV_GUEST(obj);
|
||||||
|
|
||||||
|
return sev->kernel_hashes;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void sev_guest_set_kernel_hashes(Object *obj, bool value, Error **errp)
|
||||||
|
{
|
||||||
|
SevGuestState *sev = SEV_GUEST(obj);
|
||||||
|
|
||||||
|
sev->kernel_hashes = value;
|
||||||
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
sev_guest_class_init(ObjectClass *oc, void *data)
|
sev_guest_class_init(ObjectClass *oc, void *data)
|
||||||
{
|
{
|
||||||
|
@ -345,6 +360,11 @@ sev_guest_class_init(ObjectClass *oc, void *data)
|
||||||
sev_guest_set_session_file);
|
sev_guest_set_session_file);
|
||||||
object_class_property_set_description(oc, "session-file",
|
object_class_property_set_description(oc, "session-file",
|
||||||
"guest owners session parameters (encoded with base64)");
|
"guest owners session parameters (encoded with base64)");
|
||||||
|
object_class_property_add_bool(oc, "kernel-hashes",
|
||||||
|
sev_guest_get_kernel_hashes,
|
||||||
|
sev_guest_set_kernel_hashes);
|
||||||
|
object_class_property_set_description(oc, "kernel-hashes",
|
||||||
|
"add kernel hashes to guest firmware for measured Linux boot");
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
|
|
Loading…
Reference in New Issue