Re: [Qemu-devel] [PATCH v7 17/26] target/i386: encrypt bios rom
From: Brijesh Singh
Subject: Re: [Qemu-devel] [PATCH v7 17/26] target/i386: encrypt bios rom
Date: Fri, 9 Feb 2018 14:49:17 -0600
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
On 2/9/18 12:28 PM, Dr. David Alan Gilbert wrote:
> * Brijesh Singh (address@hidden) wrote:
>> SEV requires that guest bios must be encrypted before booting the guest.
> I'm curious; is it just the main BIOS that needs encryption - what about
> things like device/PXE rom images?
The SEV feature is available in the OVMF BIOS only. The EDKII core contains UEFI
firmware drivers for several things, including PXE, and most of the time we
don't need ROMs. If we do, I think typically the ROMs from which the guest
firmware reads the binaries are not guest RAM; they are MMIO. Guest
BIOSes copy the ROM from MMIO to guest RAM -- it will get encrypted
during the copy (because MMIO is mapped with C=0 and guest RAM is mapped
with C=1). In other words, I don't see any need for encrypting the ROM
images during the launch flow. But passing an arbitrary option ROM can
be a security concern, hence I believe a guest owner wanting to pass an
option ROM will use secure boot; then option ROMs can be verified before
executing.
> Dave
>
>> Cc: "Michael S. Tsirkin" <address@hidden>
>> Cc: Paolo Bonzini <address@hidden>
>> Cc: Richard Henderson <address@hidden>
>> Cc: Eduardo Habkost <address@hidden>
>> Signed-off-by: Brijesh Singh <address@hidden>
>> ---
>> hw/i386/pc_sysfw.c | 13 +++++++++++++
>> 1 file changed, 13 insertions(+)
>>
>> diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c
>> index 6b183747fcea..8ddbbf74d330 100644
>> --- a/hw/i386/pc_sysfw.c
>> +++ b/hw/i386/pc_sysfw.c
>> @@ -112,6 +112,8 @@ static void pc_system_flash_init(MemoryRegion
>> *rom_memory)
>> pflash_t *system_flash;
>> MemoryRegion *flash_mem;
>> char name[64];
>> + void *flash_ptr;
>> + int ret, flash_size;
>>
>> sector_bits = 12;
>> sector_size = 1 << sector_bits;
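Review bot: flash_size is declared as int here but is assigned the result of memory_region_size(flash_mem) in the next hunk, which is a 64-bit region size; declare it as uint64_t (or the type kvm_memcrypt_encrypt_data() takes for its length argument) so a large flash region cannot be truncated or go negative before it reaches the encrypt call. Since flash_ptr and ret are only used inside the unit == 0 branch, they could also be declared there to keep their scope tight.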
>> @@ -168,6 +170,17 @@ static void pc_system_flash_init(MemoryRegion
>> *rom_memory)
>> if (unit == 0) {
>> flash_mem = pflash_cfi01_get_memory(system_flash);
>> pc_isa_bios_init(rom_memory, flash_mem, size);
>> +
>> + /* Encrypt the pflash boot ROM */
>> + if (kvm_memcrypt_enabled()) {
>> + flash_ptr = memory_region_get_ram_ptr(flash_mem);
>> + flash_size = memory_region_size(flash_mem);
>> + ret = kvm_memcrypt_encrypt_data(flash_ptr, flash_size);
>> + if (ret) {
>> + error_report("failed to encrypt pflash rom");
>> + exit(1);
>> + }
>> + }
>> }
>> }
>> }
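Review bot: the failure path drops the reason for the failure; error_report("failed to encrypt pflash rom") should include ret, for example error_report("failed to encrypt pflash rom: %d", ret), so the operator can tell a firmware-size or SEV-launch problem from a generic failure before the exit(1). Also, the encryption runs only under the existing if (unit == 0), so any later flash unit is left unencrypted; a short comment stating that only the boot ROM is meant to be encrypted here would answer the question raised up-thread about which images need encrypting.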
>> --
>> 2.14.3
>>
> --
> Dr. David Alan Gilbert / address@hidden / Manchester, UK