[edk2-devel] [PATCH v8 08/32] OvmfPkg/ResetVector: use SEV-SNP-validated CPUID values

Gerd Hoffmann kraxel at redhat.com
Thu Sep 23 08:25:53 UTC 2021


  Hi,

> One issue with that is that the contents of the CPUID page are not part
> of guest measurement that will be checked later during attestation (only
> the metadata such as page type/location is recorded in the measurement).
> 
> [ more details snipped ]

Thanks, that makes sense.

> That said, for the !SNP case, additional handling *could* be added to make
> use of the CPUID page, but in that case it wouldn't be validated by firmware,
> so isn't much better security-wise than asking KVM.

Well, the intention would be more to (a) be able to test the code
without SNP hardware (for example in public CI) and (b) avoid trapping
into kvm if we don't have to.

It is clearly not a priority though, we can look into that once all the
SNP bits are merged in edk2 and qemu.

take care,
  Gerd


