summary refs log tree commit diff stats
path: root/results/classifier/deepseek-2/output/hypervisor/1142
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/deepseek-2/output/hypervisor/1142')
-rw-r--r--results/classifier/deepseek-2/output/hypervisor/114247
1 files changed, 47 insertions, 0 deletions
diff --git a/results/classifier/deepseek-2/output/hypervisor/1142 b/results/classifier/deepseek-2/output/hypervisor/1142
new file mode 100644
index 000000000..116875789
--- /dev/null
+++ b/results/classifier/deepseek-2/output/hypervisor/1142
@@ -0,0 +1,47 @@
+
+Measurements fail with direct kernel boot for AMD SEV confidential virtualization with 7.1 machine type
+Description of problem:
+When booting the QEMU with the 'kernel-hashes:true' property set for 'sev-guest' confidential virtualization, the contents of the `-kernel` file are measured by the firmware.
+
+A remote tenant can then validate the measurement against its expected contents to see if the boot was trustworthy.
+
+With the pc-q35-7.1 machine type the measurement always fails to validate against expected state.
+
+Making the following code change 
+
+```
+diff --git a/hw/i386/pc.c b/hw/i386/pc.c
+index 7280c02ce3..3a4bf5cba3 100644
+--- a/hw/i386/pc.c
++++ b/hw/i386/pc.c
+@@ -1899,6 +1899,8 @@ static void pc_machine_class_init(ObjectClass *oc, void *data)
+     pcmc->rsdp_in_ram = true;
+     pcmc->smbios_defaults = true;
+     pcmc->smbios_uuid_encoded = true;
++    pcmc->legacy_no_rng_seed = true;
++
+     pcmc->gigabyte_align = true;
+     pcmc->has_reserved_memory = true;
+     pcmc->kvmclock_enabled = true;
+```
+
+results in successfully validating the measurement.
+
+THis is not surprising, the RNG seed patch introduced in 
+
+```
+commit 67f7e426e53833a5db75b0d813e8d537b8a75bd2
+Author: Jason A. Donenfeld <Jason@zx2c4.com>
+Date:   Thu Jul 21 14:56:36 2022 +0200
+
+    hw/i386: pass RNG seed via setup_data entry
+```
+
+intentionally modifies the contents of the kernel image before passing it to the firmware, to inject a random seed. This will ensure the boot measuremnts are different every time.
+
+This RNG seed functionality must NOT be used when AMD SEV is active.
+Steps to reproduce:
+1. Create an AMD SEV guest with kernel-hashes=true and pc-q35-7.1 machine type
+2. Attempt to validate the boot measurement
+Additional information:
+