On 2/9/18 12:28 PM, Dr. David Alan Gilbert wrote:
> * Brijesh Singh (brijesh.singh@xxxxxxx) wrote:
>> SEV requires that guest bios must be encrypted before booting the guest.
> I'm curious; is it just the main BIOS that needs encryption - what about
> things like device/PXE rom images?

The SEV feature is available in OVMF BIOS only. EDKII core contains UEFI firmware drivers for several things including PXE, and most of the time we don't need ROMs. If we do, I think typically the ROMs from which the guest firmware reads the binaries are not guest RAM, they are MMIO. Guest BIOSes copy the ROM from MMIO to guest RAM -- it will get encrypted during the copy (because MMIO is mapped with C=0 and guest RAM is mapped with C=1). In other words, I don't see any need for encrypting the ROM images during the launch flow. But passing an arbitrary option ROM can be a security concern, hence I believe a guest owner wanting to pass an option ROM will use secure boot; then option ROMs can be verified before executing.

> Dave
>
>> Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx> >> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx> >> Cc: Richard Henderson <rth@xxxxxxxxxxx> >> Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx> >> Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx> >> --- >> hw/i386/pc_sysfw.c | 13 +++++++++++++ >> 1 file changed, 13 insertions(+) >> >> diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c >> index 6b183747fcea..8ddbbf74d330 100644 >> --- a/hw/i386/pc_sysfw.c >> +++ b/hw/i386/pc_sysfw.c >> @@ -112,6 +112,8 @@ static void pc_system_flash_init(MemoryRegion *rom_memory) >> pflash_t *system_flash; >> MemoryRegion *flash_mem; >> char name[64]; >> + void *flash_ptr; >> + int ret, flash_size; >> >> sector_bits = 12; >> sector_size = 1 << sector_bits; 
>> @@ -168,6 +170,17 @@ static void pc_system_flash_init(MemoryRegion *rom_memory) >> if (unit == 0) { >> flash_mem = pflash_cfi01_get_memory(system_flash); >> pc_isa_bios_init(rom_memory, flash_mem, size); >> + >> + /* Encrypt the pflash boot ROM */ >> + if (kvm_memcrypt_enabled()) { >> + flash_ptr = memory_region_get_ram_ptr(flash_mem); >> + flash_size = memory_region_size(flash_mem); >> + ret = kvm_memcrypt_encrypt_data(flash_ptr, flash_size); >> + if (ret) { >> + error_report("failed to encrypt pflash rom"); >> + exit(1); >> + } >> + } >> } >> } >> } >> -- >> 2.14.3 >> > -- > Dr. David Alan Gilbert / dgilbert@xxxxxxxxxx / Manchester, UK
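
Review bot: in the declarations hunk (`@@ -112,6 +112,8 @@`), `flash_size` is declared as `int`, but the second hunk assigns it from `memory_region_size(flash_mem)`, which returns a `uint64_t` in QEMU, so the length is silently narrowed before it reaches `kvm_memcrypt_encrypt_data()`. Declaring `flash_size` as `uint64_t` on its own line, separate from `ret`, keeps the size passed to the encryption call identical to the size of the region.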
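
Review bot: in the `@@ -168,6 +170,17 @@` hunk the encryption call sits inside the `if (unit == 0)` branch, so only the first flash unit is encrypted and any further pflash unit skips this step. If that is intentional, the `/* Encrypt the pflash boot ROM */` comment should say why the other units are left alone. The `error_report("failed to encrypt pflash rom")` message also drops `ret`; including the return value would make a failed launch easier to diagnose.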