Pinging again -- Daniel said this should be added to 6.2. Is there anything I should do?
Thanks, -Dov On 14/11/2021 20:02, Dov Murik wrote: > Paolo, > > Can you please add this series (already reviewed) to the fixes in 6.2? > > Thanks, > -Dov > > > On 11/11/2021 12:00, Dov Murik wrote: >> Tom Lendacky and Brijesh Singh reported two issues with launching SEV >> guests with the -kernel QEMU option when an old [1] or wrongly configured [2] >> OVMF images are used. >> >> To fix these issues, these series "hides" the whole kernel hashes >> additions behind a kernel-hashes=on option (with default value of >> "off"). This allows existing scenarios to work without change, and >> explicitly forces kernel hashes additions for guests that require that. >> >> Patch 1 introduces a new boolean option "kernel-hashes" on the sev-guest >> object, and patch 2 causes QEMU to add kernel hashes only if its >> explicitly set to "on". This will mitigate both experienced issues >> because the default of the new setting is off, and therefore is backward >> compatible with older OVMF images (which don't have a designated hashes >> table area) or with guests that don't wish to measure the kernel/initrd. >> >> Patch 3 fixes the wording on the error message displayed when no hashes >> table is found in the guest firmware. >> >> Patch 4 detects incorrect address and length of the guest firmware >> hashes table area and fails the boot. >> >> Patch 5 is a refactoring of parts of the same function >> sev_add_kernel_loader_hashes() to calculate all padding sizes at >> compile-time. Patch 6 also changes the same function and replaces the >> call to qemu_map_ram_ptr() with address_space_map() to allow for error >> detection. Patches 5-6 are not required to fix the issues above, but >> are suggested as an improvement (no functional change intended). >> >> To enable addition of kernel/initrd/cmdline hashes into the SEV guest at >> launch time, specify: >> >> qemu-system-x86_64 ... -object sev-guest,...,kernel-hashes=on >> >> >> [1] >> https://lore.kernel.org/qemu-devel/3b9d10d9-5d9c-da52-f18c-cd93c1931...@amd.com/ >> [2] >> https://lore.kernel.org/qemu-devel/001dd81a-282d-c307-a657-e228480d4...@amd.com/ >> >> >> Changes in v3: >> - Patch 1/6: Add "(since 6.2)" in the documentation of the >> kernel-hashes option (thanks Markus) >> - Patch 3/6: Change error string use "kernel" instead of "-kernel" >> (thanks Daniel) >> >> v2: >> https://lore.kernel.org/qemu-devel/20211108134840.2757206-1-dovmu...@linux.ibm.com/ >> Changes in v2: >> - Instead of trying to figure out whether to add hashes or not, >> explicity declare an option (kernel-hashes=on) for that. When that >> option is turned on, fail if the hashes cannot be added. >> - Rephrase error message when no hashes table GUID is found. >> - Replace qemu_map_ram_ptr with address_space_map >> >> v1: >> https://lore.kernel.org/qemu-devel/20211101102136.1706421-1-dovmu...@linux.ibm.com/ >> >> >> Dov Murik (6): >> qapi/qom,target/i386: sev-guest: Introduce kernel-hashes=on|off option >> target/i386/sev: Add kernel hashes only if sev-guest.kernel-hashes=on >> target/i386/sev: Rephrase error message when no hashes table in guest >> firmware >> target/i386/sev: Fail when invalid hashes table area detected >> target/i386/sev: Perform padding calculations at compile-time >> target/i386/sev: Replace qemu_map_ram_ptr with address_space_map >> >> qapi/qom.json | 7 ++++- >> target/i386/sev.c | 77 +++++++++++++++++++++++++++++++++++++++-------- >> qemu-options.hx | 6 +++- >> 3 files changed, 75 insertions(+), 15 deletions(-) >> >> >> base-commit: af531756d25541a1b3b3d9a14e72e7fedd941a2e >>
