From: Dov Murik <dovmurik@xxxxxxxxxxxxx>
Introduce new boolean 'kernel-hashes' option on the sev-guest object.
It will be used to to decide whether to add the hashes of
kernel/initrd/cmdline to SEV guest memory when booting with -kernel.
The default value is 'off'.
Signed-off-by: Dov Murik <dovmurik@xxxxxxxxxxxxx>
Acked-by: Brijesh Singh <brijesh.singh@xxxxxxx>
Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
---
qapi/qom.json | 7 ++++++-
qemu-options.hx | 6 +++++-
target/i386/sev.c | 20 ++++++++++++++++++++
3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/qapi/qom.json b/qapi/qom.json
index ccd1167808..eeb5395ff3 100644
--- a/qapi/qom.json
+++ b/qapi/qom.json
@@ -769,6 +769,10 @@
# @reduced-phys-bits: number of bits in physical addresses that become
# unavailable when SEV is enabled
#
+# @kernel-hashes: if true, add hashes of kernel/initrd/cmdline to a
+# designated guest firmware page for measured boot
+# with -kernel (default: false) (since 6.2)
+#
# Since: 2.12
##
{ 'struct': 'SevGuestProperties',
@@ -778,7 +782,8 @@
'*policy': 'uint32',
'*handle': 'uint32',
'*cbitpos': 'uint32',
- 'reduced-phys-bits': 'uint32' } }
+ 'reduced-phys-bits': 'uint32',
+ '*kernel-hashes': 'bool' } }
##
# @ObjectType:
diff --git a/qemu-options.hx b/qemu-options.hx
index 7749f59300..ae2c6dbbfc 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -5189,7 +5189,7 @@ SRST
-object secret,id=sec0,keyid=secmaster0,format=base64,\\
data=$SECRET,iv=$(<iv.b64)
- ``-object sev-guest,id=id,cbitpos=cbitpos,reduced-phys-bits=val,[sev-device=string,policy=policy,handle=handle,dh-cert-file=file,session-file=file]``
+ ``-object sev-guest,id=id,cbitpos=cbitpos,reduced-phys-bits=val,[sev-device=string,policy=policy,handle=handle,dh-cert-file=file,session-file=file,kernel-hashes=on|off]``
Create a Secure Encrypted Virtualization (SEV) guest object,
which can be used to provide the guest memory encryption support
on AMD processors.
@@ -5229,6 +5229,10 @@ SRST
session with the guest owner to negotiate keys used for
attestation. The file must be encoded in base64.
+ The ``kernel-hashes`` adds the hashes of given kernel/initrd/
+ cmdline to a designated guest firmware page for measured Linux
+ boot with -kernel. The default is off. (Since 6.2)
+
e.g to launch a SEV guest
.. parsed-literal::
diff --git a/target/i386/sev.c b/target/i386/sev.c
index eede07f11d..cad32812f5 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -62,6 +62,7 @@ struct SevGuestState {
char *session_file;
uint32_t cbitpos;
uint32_t reduced_phys_bits;
+ bool kernel_hashes;
/* runtime state */
uint32_t handle;
@@ -327,6 +328,20 @@ sev_guest_set_sev_device(Object *obj, const char *value, Error **errp)
sev->sev_device = g_strdup(value);
}
+static bool sev_guest_get_kernel_hashes(Object *obj, Error **errp)
+{
+ SevGuestState *sev = SEV_GUEST(obj);
+
+ return sev->kernel_hashes;
+}
+
+static void sev_guest_set_kernel_hashes(Object *obj, bool value, Error **errp)
+{
+ SevGuestState *sev = SEV_GUEST(obj);
+
+ sev->kernel_hashes = value;
+}
+
static void
sev_guest_class_init(ObjectClass *oc, void *data)
{
@@ -345,6 +360,11 @@ sev_guest_class_init(ObjectClass *oc, void *data)
sev_guest_set_session_file);
object_class_property_set_description(oc, "session-file",
"guest owners session parameters (encoded with base64)");
+ object_class_property_add_bool(oc, "kernel-hashes",
+ sev_guest_get_kernel_hashes,
+ sev_guest_set_kernel_hashes);
+ object_class_property_set_description(oc, "kernel-hashes",
+ "add kernel hashes to guest firmware for measured Linux boot");
}
static void
--
2.31.1
