On 31/01/2022 16:26, Daniel P. Berrangé wrote:
[...]
>
> IOW, I think there's only two scenarios that make sense
>
> 1. The combined launch digest over firmware, kernel hashes
> and VMSA state.
>
> 2. Individual hashes for each of firmware, kernel hashes table and
> VMSA state
>
Just one more data point relevant to this discussion: in SNP the guest
asks the PSP for a signed attestation report (MSG_REPORT_REQ). The
returned report (ATTESTATION_REPORT structure; see section 7.3 of [1])
includes a MEASUREMENT field which is the measurement calculated at
launch (it's a SHA384-based chain of hashes and not a hash of the entire
content as in SEV-ES; and GPAs are also included. Details in section
8.17). The entire report is signed, with the signature appearing in a
separate SIGNATURE field.

Mimicking that in QEMU for SEV-ES would be in my opinion closer to
option (1) above.

Again, the proposed patch here doesn't yet include the VMSAs in the
GCTX.LD and therefore is lacking. Dave mentioned adding an ioctl in KVM; I
think that Daniel once suggested adding a virtual file like
/sys/kernel/debug/kvm/617063-12/vcpu0/launch_vmsa with the 4KB VMSA content.

Note that AFAIK measured direct boot with -kernel is not yet supported
in SNP but we plan to add it (with similar hashes table) after the SNP
patches are accepted in OVMF.

[1] https://www.amd.com/system/files/TechDocs/56860.pdf
-Dov
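As an added illustration (not code from this thread, QEMU or KVM) of what option (1) means on the verifier side for SEV-ES: GCTX.LD is one SHA-256 over the firmware, the kernel hashes table and each vCPU's VMSA, and the verifier recomputes the LAUNCH_MEASURE HMAC from it. The HMAC layout is assumed from AMD's SEV API spec, and all input bytes below are constructed stand-ins.

```python
import hashlib
import hmac
import struct

# Constructed stand-in inputs (not real firmware, hashes-table or VMSA data).
FIRMWARE = b"\x90" * 4096                  # stands in for the OVMF image
HASHES_TABLE = b"\x00" * 256               # stands in for the kernel/initrd/cmdline hashes table
VMSAS = [b"\x11" * 4096, b"\x22" * 4096]   # one 4KB VMSA per vCPU, in vCPU order
POLICY = 0x05                              # GCTX.POLICY: NODBG | ES bits (constructed)
NONCE = b"\xaa" * 16                       # MNONCE returned alongside the measurement
TIK = b"\x42" * 16                         # GCTX.TIK shared with the guest owner
FW_VERSION = (0, 24, 15)                   # (API_MAJOR, API_MINOR, BUILD), constructed


def launch_digest(firmware, hashes_table, vmsas):
    """Option (1): a single SHA-256 over everything measured at launch, in the
    order the LAUNCH_UPDATE_DATA / LAUNCH_UPDATE_VMSA commands were issued."""
    h = hashlib.sha256()
    h.update(firmware)
    h.update(hashes_table)
    for vmsa in vmsas:          # leaving these out is exactly what the patch lacks
        h.update(vmsa)
    return h.digest()


def launch_measure(ld, policy, nonce, tik, fw_version):
    """Measurement as LAUNCH_MEASURE computes it (layout assumed from the SEV API spec):
    HMAC-SHA256(0x04 || API_MAJOR || API_MINOR || BUILD || POLICY || LD || MNONCE, TIK)."""
    api_major, api_minor, build = fw_version
    msg = (b"\x04" + bytes([api_major, api_minor, build])
           + struct.pack("<I", policy) + ld + nonce)
    return hmac.new(tik, msg, hashlib.sha256).digest()


def verify_measurement(reported, firmware, hashes_table, vmsas, policy, nonce, tik, fw_version):
    """Guest-owner check: rebuild GCTX.LD from the known launch contents, derive the
    expected measurement and compare in constant time. Any change to the firmware,
    the hashes table or a VMSA (including a missing vCPU) fails the check."""
    ld = launch_digest(firmware, hashes_table, vmsas)
    expected = launch_measure(ld, policy, nonce, tik, fw_version)
    return hmac.compare_digest(reported, expected)


if __name__ == "__main__":
    # Simulate the PSP's answer, then verify it against the expected contents.
    reported = launch_measure(launch_digest(FIRMWARE, HASHES_TABLE, VMSAS), POLICY, NONCE, TIK, FW_VERSION)
    print("match:", verify_measurement(reported, FIRMWARE, HASHES_TABLE, VMSAS, POLICY, NONCE, TIK, FW_VERSION))
    altered = [VMSAS[0], b"\x33" * 4096]   # one vCPU's VMSA tampered with
    print("tampered VMSA matches:", verify_measurement(reported, FIRMWARE, HASHES_TABLE, altered, POLICY, NONCE, TIK, FW_VERSION))
```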