[edk2-devel] [PATCH v2 07/11] OvmfPkg/QemuKernelLoaderFsDxe: call VerifyBlob after fetch from fw_cfg

Dov Murik dovmurik at linux.ibm.com
Mon Jul 19 12:22:36 UTC 2021



On 18/07/2021 18:47, Brijesh Singh wrote:
> 
> On 7/6/21 3:54 AM, Dov Murik wrote:
>> In QemuKernelLoaderFsDxeEntrypoint we use FetchBlob to read the content
>> of the kernel/initrd/cmdline from the QEMU fw_cfg interface.  Insert a
>> call to VerifyBlob after fetching to allow BlobVerifierLib
>> implementations to add a verification step for these blobs.
>>
>> This will allow confidential computing OVMF builds to add verification
>> mechanisms for these blobs that originate from an untrusted source
>> (QEMU).
>>
>> The null implementation of BlobVerifierLib does nothing in VerifyBlob,
>> and therefore no functional change is expected.
>>
>> Cc: Laszlo Ersek <lersek at redhat.com>
>> Cc: Ard Biesheuvel <ardb+tianocore at kernel.org>
>> Cc: Jordan Justen <jordan.l.justen at intel.com>
>> Cc: Ashish Kalra <ashish.kalra at amd.com>
>> Cc: Brijesh Singh <brijesh.singh at amd.com>
>> Cc: Erdem Aktas <erdemaktas at google.com>
>> Cc: James Bottomley <jejb at linux.ibm.com>
>> Cc: Jiewen Yao <jiewen.yao at intel.com>
>> Cc: Min Xu <min.m.xu at intel.com>
>> Cc: Tom Lendacky <thomas.lendacky at amd.com>
>> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
>> Co-developed-by: James Bottomley <jejb at linux.ibm.com>
>> Signed-off-by: James Bottomley <jejb at linux.ibm.com>
>> Signed-off-by: Dov Murik <dovmurik at linux.ibm.com>
> 
> The patch itself is okay. Just curious, do we also need to add a
> verification for the QEMU FW cfg file?
> 

I don't really understand.  This patch adds the VerifyBlob() call on
blobs that were read by FetchBlob(), which in turn reads the contents of
kernel/initrd/cmdline from QEMU FW cfg (using QemuFwCfgReadBytes for
example).

We currently *don't* add verification for all other FW cfg settings,
like number of CPUs, E820 memory entries, ... similar to what we (don't)
do in SEV boot with encrypted root image (in which only OVMF is measured).

What else do you think we should verify?

-Dov

