Re: [PATCH v4 0/4] x86/snp: Add kexec support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hey Ashish,

On 09.04.24 22:42, Ashish Kalra wrote:
From: Ashish Kalra <ashish.kalra@xxxxxxx>

The patchset adds bits and pieces to get kexec (and crashkernel) work on
SNP guest.


With this patch set (and similar for the TDX one), you enable the typical kdump case, which is great!

However, if a user is running with direct kernel boot - which is very typical in SEV-SNP setup, especially for Kata Containers and similar - the initial launch measurement is a natural indicator of the target environment. Kexec basically allows them to completely bypass that: You would be able to run a completely different environment than the one you measure through the launch digest. I'm not sure it's a good idea to even allow that by default in CoCo environments - at least not if the kernel is locked down.

Do you have any plans to build a CoCo native kexec where you allow a VM to create a new VM context with a guest provided seed? The new context could rerun all of the attestation and so enable users to generate a new launch digest. If you then atomically swap into the new context, it would in turn enable them to natively "kexec" into a completely new VM context including measurements.

I understand that an SVSM + TPM implementation may help to some extent here by integrating with IMA and adding the new kernel into the IMA log. But that quickly becomes very convoluted (hence difficult to assess correctness for) and the same measurement question arises just one level up then: How do you update your SVSM while maintaining a full measurement and trust chain?


Thanks,

Alex


_______________________________________________
kexec mailing list
kexec@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/kexec



[Index of Archives]     [LM Sensors]     [Linux Sound]     [ALSA Users]     [ALSA Devel]     [Linux Audio Users]     [Linux Media]     [Kernel]     [Gimp]     [Yosemite News]     [Linux Media]

  Powered by Linux