| Message ID | 20180207160638.98872-17-brijesh.singh@amd.com |
|---|---|
| State | New |
| Headers | show |
| Series | [v7,01/26] memattrs: add debug attribute | expand |
* Brijesh Singh (brijesh.singh@amd.com) wrote: > SEV requires that guest bios must be encrypted before booting the guest. I'm curious; is it just the main BIOS that needs encryption - what about things like device/PXE rom images? Dave > > Cc: "Michael S. Tsirkin" <mst@redhat.com> > Cc: Paolo Bonzini <pbonzini@redhat.com> > Cc: Richard Henderson <rth@twiddle.net> > Cc: Eduardo Habkost <ehabkost@redhat.com> > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> > --- > hw/i386/pc_sysfw.c | 13 +++++++++++++ > 1 file changed, 13 insertions(+) > > diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c > index 6b183747fcea..8ddbbf74d330 100644 > --- a/hw/i386/pc_sysfw.c > +++ b/hw/i386/pc_sysfw.c > @@ -112,6 +112,8 @@ static void pc_system_flash_init(MemoryRegion *rom_memory) > pflash_t *system_flash; > MemoryRegion *flash_mem; > char name[64]; > + void *flash_ptr; > + int ret, flash_size; > > sector_bits = 12; > sector_size = 1 << sector_bits; > @@ -168,6 +170,17 @@ static void pc_system_flash_init(MemoryRegion *rom_memory) > if (unit == 0) { > flash_mem = pflash_cfi01_get_memory(system_flash); > pc_isa_bios_init(rom_memory, flash_mem, size); > + > + /* Encrypt the pflash boot ROM */ > + if (kvm_memcrypt_enabled()) { > + flash_ptr = memory_region_get_ram_ptr(flash_mem); > + flash_size = memory_region_size(flash_mem); > + ret = kvm_memcrypt_encrypt_data(flash_ptr, flash_size); > + if (ret) { > + error_report("failed to encrypt pflash rom"); > + exit(1); > + } > + } > } > } > } > -- > 2.14.3 > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
On 2/9/18 12:28 PM, Dr. David Alan Gilbert wrote: > * Brijesh Singh (brijesh.singh@amd.com) wrote: >> SEV requires that guest bios must be encrypted before booting the guest. > I'm curious; is it just the main BIOS that needs encryption - what about > things like device/PXE rom images? SEV feature is available in OVMF BIOS only. EDKII core contains UEFI firmware driver for several things including PXE and most of time we don't need ROMs. If we do, I think typically ROMs from which the guest firmware reads the binaries are not guest RAM, they are MMIO. Guest BIOSes copies the ROM from MMIO to guest RAM -- it will get encrypted during copy (because MMIO is mapped with C=0 and guest RAM is mapped with C=1). In other words, I don't see any need for encrypting the ROM images during the launch flow. But passing an arbitrary option ROM can be security concerns hence I believe a guest owner wanting to pass a option ROM will use secure boot, then option roms can be verified before executing. > Dave > >> Cc: "Michael S. Tsirkin" <mst@redhat.com> >> Cc: Paolo Bonzini <pbonzini@redhat.com> >> Cc: Richard Henderson <rth@twiddle.net> >> Cc: Eduardo Habkost <ehabkost@redhat.com> >> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> >> --- >> hw/i386/pc_sysfw.c | 13 +++++++++++++ >> 1 file changed, 13 insertions(+) >> >> diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c >> index 6b183747fcea..8ddbbf74d330 100644 >> --- a/hw/i386/pc_sysfw.c >> +++ b/hw/i386/pc_sysfw.c >> @@ -112,6 +112,8 @@ static void pc_system_flash_init(MemoryRegion *rom_memory) >> pflash_t *system_flash; >> MemoryRegion *flash_mem; >> char name[64]; >> + void *flash_ptr; >> + int ret, flash_size; >> >> sector_bits = 12; >> sector_size = 1 << sector_bits; >> @@ -168,6 +170,17 @@ static void pc_system_flash_init(MemoryRegion *rom_memory) >> if (unit == 0) { >> flash_mem = pflash_cfi01_get_memory(system_flash); >> pc_isa_bios_init(rom_memory, flash_mem, size); >> + >> + /* Encrypt the pflash boot ROM */ >> + if (kvm_memcrypt_enabled()) { >> + flash_ptr = memory_region_get_ram_ptr(flash_mem); >> + flash_size = memory_region_size(flash_mem); >> + ret = kvm_memcrypt_encrypt_data(flash_ptr, flash_size); >> + if (ret) { >> + error_report("failed to encrypt pflash rom"); >> + exit(1); >> + } >> + } >> } >> } >> } >> -- >> 2.14.3 >> > -- > Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c index 6b183747fcea..8ddbbf74d330 100644 --- a/hw/i386/pc_sysfw.c +++ b/hw/i386/pc_sysfw.c @@ -112,6 +112,8 @@ static void pc_system_flash_init(MemoryRegion *rom_memory) pflash_t *system_flash; MemoryRegion *flash_mem; char name[64]; + void *flash_ptr; + int ret, flash_size; sector_bits = 12; sector_size = 1 << sector_bits; @@ -168,6 +170,17 @@ static void pc_system_flash_init(MemoryRegion *rom_memory) if (unit == 0) { flash_mem = pflash_cfi01_get_memory(system_flash); pc_isa_bios_init(rom_memory, flash_mem, size); + + /* Encrypt the pflash boot ROM */ + if (kvm_memcrypt_enabled()) { + flash_ptr = memory_region_get_ram_ptr(flash_mem); + flash_size = memory_region_size(flash_mem); + ret = kvm_memcrypt_encrypt_data(flash_ptr, flash_size); + if (ret) { + error_report("failed to encrypt pflash rom"); + exit(1); + } + } } } }
SEV requires that guest bios must be encrypted before booting the guest. Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Richard Henderson <rth@twiddle.net> Cc: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> --- hw/i386/pc_sysfw.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)