aboutsummaryrefslogtreecommitdiff
path: root/target/i386
diff options
context:
space:
mode:
authorDov Murik <dovmurik@linux.ibm.com>2021-11-11 10:00:44 +0000
committerDaniel P. Berrangé <berrange@redhat.com>2021-11-18 11:07:50 +0000
commit9dbe0c93f00d3aef9ac386c390595d370cfad677 (patch)
tree0145add29931778ebe0106c714eea04154386d69 /target/i386
parent55cdf566412695b4fc052065c7970632129cd65b (diff)
downloadqemu-9dbe0c93f00d3aef9ac386c390595d370cfad677.zip
qemu-9dbe0c93f00d3aef9ac386c390595d370cfad677.tar.gz
qemu-9dbe0c93f00d3aef9ac386c390595d370cfad677.tar.bz2
target/i386/sev: Add kernel hashes only if sev-guest.kernel-hashes=on
Commit cff03145ed3c ("sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux boot", 2021-09-30) introduced measured direct boot with -kernel, using an OVMF-designated hashes table which QEMU fills. However, if OVMF doesn't designate such an area, QEMU would completely abort the VM launch. This breaks launching with -kernel using older OVMF images which don't publish the SEV_HASH_TABLE_RV_GUID. Fix that so QEMU will only look for the hashes table if the sev-guest kernel-hashes option is set to on. Otherwise, QEMU won't look for the designated area in OVMF and won't fill that area. To enable addition of kernel hashes, launch the guest with: -object sev-guest,...,kernel-hashes=on Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> Reported-by: Tom Lendacky <thomas.lendacky@amd.com> Acked-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Diffstat (limited to 'target/i386')
-rw-r--r--target/i386/sev.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/target/i386/sev.c b/target/i386/sev.c
index cad3281..e3abbee 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -1223,6 +1223,14 @@ bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error **errp)
size_t hash_len = HASH_SIZE;
int aligned_len;
+ /*
+ * Only add the kernel hashes if the sev-guest configuration explicitly
+ * stated kernel-hashes=on.
+ */
+ if (!sev_guest->kernel_hashes) {
+ return false;
+ }
+
if (!pc_system_ovmf_table_find(SEV_HASH_TABLE_RV_GUID, &data, NULL)) {
error_setg(errp, "SEV: kernel specified but OVMF has no hash table guid");
return false;