In the AmdSevX64 build, use BlobVerifierLibSevHashes to enforce verification of hashes of the kernel/initrd/cmdline blobs fetched from firmware config.
This allows for secure (measured) boot of SEV guests with QEMU's -kernel/-initrd/-append switches (with the corresponding QEMU support for injecting the hashes table into initial measured guest memory). Cc: Ard Biesheuvel <[email protected]> Cc: Jordan Justen <[email protected]> Cc: Ashish Kalra <[email protected]> Cc: Brijesh Singh <[email protected]> Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Min Xu <[email protected]> Cc: Tom Lendacky <[email protected]> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457 Signed-off-by: Dov Murik <[email protected]> --- OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index b2cc96cc5a97..c01599ea354f 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -173,7 +173,7 @@ [LibraryClasses] LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf - BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf + BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf !if $(SOURCE_DEBUG_ENABLE) == TRUE PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDebug/PeCoffExtraActionLibDebug.inf @@ -696,7 +696,7 @@ [Components] } OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { <LibraryClasses> - NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf + NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf } OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77961): https://edk2.groups.io/g/devel/message/77961 Mute This Topic: https://groups.io/mt/84328242/21656 Group Owner: [email protected] Unsubscribe: https://edk2.groups.io/g/devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
