From 514b3aa08ece52140b769a8676595655691c7cb3 Mon Sep 17 00:00:00 2001 From: Dov Murik Date: Mon, 5 Jul 2021 07:25:35 +0000 Subject: [PATCH] OvmfPkg/AmdSev: Enforce hash verification of kernel blobs In the AmdSevX64 build, use BlobVerifierLibSevHashes to enforce verification of hashes of the kernel/initrd/cmdline blobs fetched from firmware config. This allows for secure (measured) boot of SEV guests with QEMU's -kernel/-initrd/-append switches (with the corresponding QEMU support for injecting the hashes table into initial measured guest memory). Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457 Signed-off-by: Dov Murik Reviewed-by: Tom Lendacky Reviewed-by: Jiewen Yao --- OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index db8bd59579..e6cd10b759 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -173,7 +173,7 @@ LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf - BlobVerifierLib|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf + BlobVerifierLib|OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierLibSevHashes.inf !if $(SOURCE_DEBUG_ENABLE) == TRUE PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDebug/PeCoffExtraActionLibDebug.inf @@ -696,7 +696,7 @@ } OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { - NULL|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf + NULL|OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierLibSevHashes.inf } OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf