Normally the SEV measurement only covers the firmware loader contents. When doing a direct kernel boot, however, with new enough OVMF it is possible to ask for the measurement to cover the kernel, ramdisk and command line. It can't be done automatically as that would break existing guests using direct kernel boot with old firmware, so there is a new XML setting allowing this behaviour to be toggled. Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> --- docs/formatdomain.rst | 7 ++++++- docs/schemas/domaincommon.rng | 5 +++++ src/conf/domain_conf.c | 8 ++++++++ src/conf/domain_conf.h | 1 + 4 files changed, 20 insertions(+), 1 deletion(-) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index eb8c973cf1..c6e1f2226a 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -8191,7 +8191,7 @@ spec <https://support.amd.com/TechDocs/55766_SEV-KM_API_Specification.pdf>`__ <domain> ... - <launchSecurity type='sev'> + <launchSecurity type='sev' kernelHashes='yes'> <policy>0x0001</policy> <cbitpos>47</cbitpos> <reducedPhysBits>1</reducedPhysBits> @@ -8201,6 +8201,11 @@ spec <https://support.amd.com/TechDocs/55766_SEV-KM_API_Specification.pdf>`__ ... </domain> +``kernelHashes`` + The optional ``kernelHashes`` attribute indicates whether the + hashes of the kernel, ramdisk and command line should be included + in the measurement done by the firmware. This is only valid if + using direct kernel boot. :since:`Since 8.0.0` ``cbitpos`` The required ``cbitpos`` element provides the C-bit (aka encryption bit) location in guest page table entry. The value of ``cbitpos`` is hypervisor diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index f01b7a6470..8fe6134935 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -499,6 +499,11 @@ <attribute name="type"> <value>sev</value> </attribute> + <optional> + <attribute name="kernelHashes"> + <ref name="virYesNo"/> + </attribute> + </optional> <interleave> <optional> <element name="cbitpos"> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 107d2a4f5d..86cd124c4a 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -14793,6 +14793,10 @@ virDomainSEVDefParseXML(virDomainSEVDef *def, unsigned long policy; int rc; + if (virXMLPropTristateBool(ctxt->node, "kernelHashes", VIR_XML_PROP_NONE, + &def->kernel_hashes) < 0) + return -1; + if (virXPathULongHex("string(./policy)", ctxt, &policy) < 0) { virReportError(VIR_ERR_XML_ERROR, "%s", _("failed to get launch security policy")); @@ -27056,6 +27060,10 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec) case VIR_DOMAIN_LAUNCH_SECURITY_SEV: { virDomainSEVDef *sev = &sec->data.sev; + if (sev->kernel_hashes != VIR_TRISTATE_BOOL_ABSENT) + virBufferAsprintf(&attrBuf, " kernelHashes='%s'", + virTristateBoolTypeToString(sev->kernel_hashes)); + if (sev->haveCbitpos) virBufferAsprintf(&childBuf, "<cbitpos>%d</cbitpos>\n", sev->cbitpos); diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index c0c07ea6ba..8e576c00f8 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -2692,6 +2692,7 @@ struct _virDomainSEVDef { unsigned int cbitpos; bool haveReducedPhysBits; unsigned int reduced_phys_bits; + virTristateBool kernel_hashes; }; struct _virDomainSecDef { -- 2.33.1
