In QemuKernelLoaderFsDxeEntrypoint we use FetchBlob to read the content of the kernel/initrd/cmdline from the QEMU fw_cfg interface. Insert a call to VerifyBlob after fetching to allow BlobVerifierLib implementations to add a verification step for these blobs.
This will allow confidential computing OVMF builds to add verification mechanisms for these blobs that originate from an untrusted source (QEMU). The null implementation of BlobVerifierLib does nothing in VerifyBlob, and therefore no functional change is expected. Cc: Ard Biesheuvel <[email protected]> Cc: Jordan Justen <[email protected]> Cc: Ashish Kalra <[email protected]> Cc: Brijesh Singh <[email protected]> Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Min Xu <[email protected]> Cc: Tom Lendacky <[email protected]> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457 Co-developed-by: James Bottomley <[email protected]> Signed-off-by: James Bottomley <[email protected]> Signed-off-by: Dov Murik <[email protected]> Reviewed-by: Brijesh Singh <[email protected]> --- OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c index c7ddd86f5c75..6832d563bcb0 100644 --- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c @@ -17,6 +17,7 @@ #include <Guid/QemuKernelLoaderFsMedia.h> #include <Library/BaseLib.h> #include <Library/BaseMemoryLib.h> +#include <Library/BlobVerifierLib.h> #include <Library/DebugLib.h> #include <Library/DevicePathLib.h> #include <Library/MemoryAllocationLib.h> @@ -1039,6 +1040,14 @@ QemuKernelLoaderFsDxeEntrypoint ( if (EFI_ERROR (Status)) { goto FreeBlobs; } + Status = VerifyBlob ( + CurrentBlob->Name, + CurrentBlob->Data, + CurrentBlob->Size + ); + if (EFI_ERROR (Status)) { + goto FreeBlobs; + } mTotalBlobBytes += CurrentBlob->Size; } KernelBlob = &mKernelBlob[KernelBlobTypeKernel]; -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77963): https://edk2.groups.io/g/devel/message/77963 Mute This Topic: https://groups.io/mt/84328260/21656 Group Owner: [email protected] Unsubscribe: https://edk2.groups.io/g/devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
