blob: 7813e980375f5df240517ff1307bdb283522452d (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
id = 1142
title = "Measurements fail with direct kernel boot for AMD SEV confidential virtualization with 7.1 machine type"
state = "closed"
created_at = "2022-08-04T12:08:56.036Z"
closed_at = "2022-11-07T12:53:17.474Z"
labels = ["kind::Bug"]
url = "https://gitlab.com/qemu-project/qemu/-/issues/1142"
host-os = "n/a"
host-arch = "x86_64"
qemu-version = "git 2480f3bbd03814b0651a1f74959f5c6631ee5819"
guest-os = "n/a"
guest-arch = "n/a"
description = """When booting the QEMU with the 'kernel-hashes:true' property set for 'sev-guest' confidential virtualization, the contents of the `-kernel` file are measured by the firmware.
A remote tenant can then validate the measurement against its expected contents to see if the boot was trustworthy.
With the pc-q35-7.1 machine type the measurement always fails to validate against expected state.
Making the following code change
```
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 7280c02ce3..3a4bf5cba3 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1899,6 +1899,8 @@ static void pc_machine_class_init(ObjectClass *oc, void *data)
pcmc->rsdp_in_ram = true;
pcmc->smbios_defaults = true;
pcmc->smbios_uuid_encoded = true;
+ pcmc->legacy_no_rng_seed = true;
+
pcmc->gigabyte_align = true;
pcmc->has_reserved_memory = true;
pcmc->kvmclock_enabled = true;
```
results in successfully validating the measurement.
THis is not surprising, the RNG seed patch introduced in
```
commit 67f7e426e53833a5db75b0d813e8d537b8a75bd2
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date: Thu Jul 21 14:56:36 2022 +0200
hw/i386: pass RNG seed via setup_data entry
```
intentionally modifies the contents of the kernel image before passing it to the firmware, to inject a random seed. This will ensure the boot measuremnts are different every time.
This RNG seed functionality must NOT be used when AMD SEV is active."""
reproduce = """1. Create an AMD SEV guest with kernel-hashes=true and pc-q35-7.1 machine type
2. Attempt to validate the boot measurement"""
additional = """"""
|