device: 0.885 boot: 0.849 kernel: 0.825 i386: 0.805 files: 0.803 ppc: 0.795 socket: 0.793 architecture: 0.758 graphic: 0.745 register: 0.740 vnc: 0.704 performance: 0.703 permissions: 0.681 PID: 0.655 risc-v: 0.626 network: 0.618 semantic: 0.577 debug: 0.519 hypervisor: 0.516 KVM: 0.504 arm: 0.500 virtual: 0.498 VMM: 0.487 TCG: 0.469 mistranslation: 0.441 peripherals: 0.408 x86: 0.404 assembly: 0.398 user-level: 0.216 Measurements fail with direct kernel boot for AMD SEV confidential virtualization with 7.1 machine type Description of problem: When booting the QEMU with the 'kernel-hashes:true' property set for 'sev-guest' confidential virtualization, the contents of the `-kernel` file are measured by the firmware. A remote tenant can then validate the measurement against its expected contents to see if the boot was trustworthy. With the pc-q35-7.1 machine type the measurement always fails to validate against expected state. Making the following code change ``` diff --git a/hw/i386/pc.c b/hw/i386/pc.c index 7280c02ce3..3a4bf5cba3 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -1899,6 +1899,8 @@ static void pc_machine_class_init(ObjectClass *oc, void *data) pcmc->rsdp_in_ram = true; pcmc->smbios_defaults = true; pcmc->smbios_uuid_encoded = true; + pcmc->legacy_no_rng_seed = true; + pcmc->gigabyte_align = true; pcmc->has_reserved_memory = true; pcmc->kvmclock_enabled = true; ``` results in successfully validating the measurement. THis is not surprising, the RNG seed patch introduced in ``` commit 67f7e426e53833a5db75b0d813e8d537b8a75bd2 Author: Jason A. Donenfeld Date: Thu Jul 21 14:56:36 2022 +0200 hw/i386: pass RNG seed via setup_data entry ``` intentionally modifies the contents of the kernel image before passing it to the firmware, to inject a random seed. This will ensure the boot measuremnts are different every time. This RNG seed functionality must NOT be used when AMD SEV is active. Steps to reproduce: 1. Create an AMD SEV guest with kernel-hashes=true and pc-q35-7.1 machine type 2. Attempt to validate the boot measurement Additional information: