From: "Jason A. Donenfeld" <ja...@zx2c4.com> We don't want it to be possible to re-read the RNG seed after ingesting it, because this ruins forward secrecy. Currently, however, the setup data section can just be re-read. Since the kernel is always read after the setup data, use the selection of the kernel as a trigger to re-initialize the RNG seed, just like we do on reboot, to preserve forward secrecy.
Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Jason A. Donenfeld <ja...@zx2c4.com> Message-Id: <20220922152847.3670513-1-ja...@zx2c4.com> Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> --- hw/i386/x86.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hw/i386/x86.c b/hw/i386/x86.c index f9a4ddaa4a..1148f70c03 100644 --- a/hw/i386/x86.c +++ b/hw/i386/x86.c @@ -1112,11 +1112,14 @@ void x86_load_linux(X86MachineState *x86ms, setup_data->len = cpu_to_le32(RNG_SEED_LENGTH); qemu_guest_getrandom_nofail(setup_data->data, RNG_SEED_LENGTH); qemu_register_reset(reset_rng_seed, setup_data); + fw_cfg_add_bytes_callback(fw_cfg, FW_CFG_KERNEL_DATA, reset_rng_seed, NULL, + setup_data, kernel, kernel_size, true); + } else { + fw_cfg_add_bytes(fw_cfg, FW_CFG_KERNEL_DATA, kernel, kernel_size); } fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_ADDR, prot_addr); fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_SIZE, kernel_size); - fw_cfg_add_bytes(fw_cfg, FW_CFG_KERNEL_DATA, kernel, kernel_size); sev_load_ctx.kernel_data = (char *)kernel; sev_load_ctx.kernel_size = kernel_size; -- 2.37.3