* Brijesh Singh (brijesh.singh@xxxxxxx) wrote:
> SEV requires that guest bios must be encrypted before booting the guest.
I'm curious; is it just the main BIOS that needs encryption - what about
things like device/PXE rom images?
Dave
>
> Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> Cc: Richard Henderson <rth@xxxxxxxxxxx>
> Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
> Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx>
> ---
> hw/i386/pc_sysfw.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c
> index 6b183747fcea..8ddbbf74d330 100644
> --- a/hw/i386/pc_sysfw.c
> +++ b/hw/i386/pc_sysfw.c
> @@ -112,6 +112,8 @@ static void pc_system_flash_init(MemoryRegion *rom_memory)
> pflash_t *system_flash;
> MemoryRegion *flash_mem;
> char name[64];
> + void *flash_ptr;
> + int ret, flash_size;
>
> sector_bits = 12;
> sector_size = 1 << sector_bits;
> @@ -168,6 +170,17 @@ static void pc_system_flash_init(MemoryRegion *rom_memory)
> if (unit == 0) {
> flash_mem = pflash_cfi01_get_memory(system_flash);
> pc_isa_bios_init(rom_memory, flash_mem, size);
> +
> + /* Encrypt the pflash boot ROM */
> + if (kvm_memcrypt_enabled()) {
> + flash_ptr = memory_region_get_ram_ptr(flash_mem);
> + flash_size = memory_region_size(flash_mem);
> + ret = kvm_memcrypt_encrypt_data(flash_ptr, flash_size);
> + if (ret) {
> + error_report("failed to encrypt pflash rom");
> + exit(1);
> + }
> + }
> }
> }
> }
> --
> 2.14.3
>
--
Dr. David Alan Gilbert / dgilbert@xxxxxxxxxx / Manchester, UK
