diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-07-03 07:27:52 +0000 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-07-03 07:27:52 +0000 |
| commit | d0c85e36e4de67af628d54e9ab577cc3fad7796a (patch) | |
| tree | f8f784b0f04343b90516a338d6df81df3a85dfa2 /results/classifier/deepseek-2/output/hypervisor/1142 | |
| parent | 7f4364274750eb8cb39a3e7493132fca1c01232e (diff) | |
| download | emulator-bug-study-d0c85e36e4de67af628d54e9ab577cc3fad7796a.tar.gz emulator-bug-study-d0c85e36e4de67af628d54e9ab577cc3fad7796a.zip | |
add deepseek and gemma results
Diffstat (limited to 'results/classifier/deepseek-2/output/hypervisor/1142')
| -rw-r--r-- | results/classifier/deepseek-2/output/hypervisor/1142 | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/results/classifier/deepseek-2/output/hypervisor/1142 b/results/classifier/deepseek-2/output/hypervisor/1142 new file mode 100644 index 00000000..11687578 --- /dev/null +++ b/results/classifier/deepseek-2/output/hypervisor/1142 @@ -0,0 +1,47 @@ + +Measurements fail with direct kernel boot for AMD SEV confidential virtualization with 7.1 machine type +Description of problem: +When booting the QEMU with the 'kernel-hashes:true' property set for 'sev-guest' confidential virtualization, the contents of the `-kernel` file are measured by the firmware. + +A remote tenant can then validate the measurement against its expected contents to see if the boot was trustworthy. + +With the pc-q35-7.1 machine type the measurement always fails to validate against expected state. + +Making the following code change + +``` +diff --git a/hw/i386/pc.c b/hw/i386/pc.c +index 7280c02ce3..3a4bf5cba3 100644 +--- a/hw/i386/pc.c ++++ b/hw/i386/pc.c +@@ -1899,6 +1899,8 @@ static void pc_machine_class_init(ObjectClass *oc, void *data) + pcmc->rsdp_in_ram = true; + pcmc->smbios_defaults = true; + pcmc->smbios_uuid_encoded = true; ++ pcmc->legacy_no_rng_seed = true; ++ + pcmc->gigabyte_align = true; + pcmc->has_reserved_memory = true; + pcmc->kvmclock_enabled = true; +``` + +results in successfully validating the measurement. + +THis is not surprising, the RNG seed patch introduced in + +``` +commit 67f7e426e53833a5db75b0d813e8d537b8a75bd2 +Author: Jason A. Donenfeld <Jason@zx2c4.com> +Date: Thu Jul 21 14:56:36 2022 +0200 + + hw/i386: pass RNG seed via setup_data entry +``` + +intentionally modifies the contents of the kernel image before passing it to the firmware, to inject a random seed. This will ensure the boot measuremnts are different every time. + +This RNG seed functionality must NOT be used when AMD SEV is active. +Steps to reproduce: +1. Create an AMD SEV guest with kernel-hashes=true and pc-q35-7.1 machine type +2. Attempt to validate the boot measurement +Additional information: + |