| Message ID | 20240411094830.1337658-3-kraxel@redhat.com |
|---|---|
| State | New |
| Headers | show
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=FAl1Uf/N; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=patchwork.ozlabs.org) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VFZgF4lpTz1yYL for <incoming@patchwork.ozlabs.org>; Thu, 11 Apr 2024 19:50:01 +1000 (AEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from <qemu-devel-bounces@nongnu.org>) id 1rur35-0006kd-Kk; Thu, 11 Apr 2024 05:48:51 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <kraxel@redhat.com>) id 1rur34-0006kO-Pv for qemu-devel@nongnu.org; Thu, 11 Apr 2024 05:48:50 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <kraxel@redhat.com>) id 1rur33-00037R-DC for qemu-devel@nongnu.org; Thu, 11 Apr 2024 05:48:50 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1712828928; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YFHcsZ9ZU7AzVfrEPYuL5GwinphPuWA3zfMkUzjgx9U=; b=FAl1Uf/NITdxuPNCGVyuQV/GuAobMv4EZKoIBfycVGi1JcCzKTt6Tdei9+6P3nzjb2KLm9 djtmLkGxhTLTeVTKr6VF9IPAWXb19j18fHAvTpfutNdt5wISwXKFHu4t6n0WyL7pMYrF3U SqAfTeF0D5W3em0+RndN6dNQg8IIC9E= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-211-JLV5oFR_MMuqMiI-7xvWFg-1; Thu, 11 Apr 2024 05:48:43 -0400 X-MC-Unique: JLV5oFR_MMuqMiI-7xvWFg-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 927AF1808EE0; Thu, 11 Apr 2024 09:48:42 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.39.192.204]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5E7EB1121306; Thu, 11 Apr 2024 09:48:41 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 5F06918009AA; Thu, 11 Apr 2024 11:48:30 +0200 (CEST) From: Gerd Hoffmann <kraxel@redhat.com> To: qemu-devel@nongnu.org Cc: Eduardo Habkost <eduardo@habkost.net>, Richard Henderson <richard.henderson@linaro.org>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>, "Michael S. Tsirkin" <mst@redhat.com>, =?utf-8?q?Philippe_Mathieu-Daud?= =?utf-8?q?=C3=A9?= <philmd@linaro.org>, Paolo Bonzini <pbonzini@redhat.com>, Yanan Wang <wangyanan55@huawei.com>, Gerd Hoffmann <kraxel@redhat.com> Subject: [PATCH 2/5] x86/loader: only patch linux kernels Date: Thu, 11 Apr 2024 11:48:26 +0200 Message-ID: <20240411094830.1337658-3-kraxel@redhat.com> In-Reply-To: <20240411094830.1337658-1-kraxel@redhat.com> References: <20240411094830.1337658-1-kraxel@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 Received-SPF: pass client-ip=170.10.129.124; envelope-from=kraxel@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -40 X-Spam_score: -4.1 X-Spam_bar: ---- X-Spam_report: (-4.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-2.049, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: <qemu-devel.nongnu.org> List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>, <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe> List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel> List-Post: <mailto:qemu-devel@nongnu.org> List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help> List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>, <mailto:qemu-devel-request@nongnu.org?subject=subscribe> Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org |
| Series | x86/loader: secure boot support for direct kernel load | expand |
diff --git a/hw/i386/x86.c b/hw/i386/x86.c index ffbda48917fd..765899eebe43 100644 --- a/hw/i386/x86.c +++ b/hw/i386/x86.c @@ -1108,7 +1108,7 @@ void x86_load_linux(X86MachineState *x86ms, * kernel on the other side of the fw_cfg interface matches the hash of the * file the user passed in. */ - if (!sev_enabled()) { + if (!sev_enabled() && protocol > 0) { memcpy(setup, header, MIN(sizeof(header), setup_size)); }
If the binary loaded via -kernel is *not* a linux kernel (in which case protocol == 0), do not patch the linux kernel header fields. It's (a) pointless and (b) might break binaries by random patching and (c) changes the binary hash which in turn breaks secure boot verification. Background: OVMF happily loads and runs not only linux kernels but any efi binary via direct kernel boot. Note: Breaking the secure boot verification is a problem for linux kernels too, but fixed that is left for another day ... Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> --- hw/i386/x86.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)