From 62d3d7c58ffa9c4b87209eafb73589d0085df6e2 Mon Sep 17 00:00:00 2001
From: Niteesh Dubey
Date: Fri, 23 Feb 2024 21:02:38 +0000
Subject: [PATCH 1/2] runtime: enable kernel-hashes for SNP confidential container

This is required to provide the hashes of kernel, initrd and cmdline needed during the attestation of the coco.
Fixes: #9150
Signed-off-by: Niteesh Dubey
---
 src/runtime/Makefile | 2 +-
 src/runtime/pkg/govmm/qemu/qemu.go | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index 4c14fbc788..23d28085f6 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -149,7 +149,7 @@ FIRMWARETDVFPATH := PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT
 FIRMWARETDVFVOLUMEPATH :=
 FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
-FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
+FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
 ROOTMEASURECONFIG ?= ""
 KERNELPARAMS += $(ROOTMEASURECONFIG)
diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go
index 092c0b8ca2..d9c1e21a2c 100644
--- a/src/runtime/pkg/govmm/qemu/qemu.go
+++ b/src/runtime/pkg/govmm/qemu/qemu.go
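Review bot: The switch of FIRMWARESNPPATH to AMDSEV.fd has no comment saying why SNP now needs a different firmware image than SEV, whose FIRMWARESEVPATH on the line above still points at OVMF.fd. A one-line comment would save the next reader a trip through git history, e.g. `# AmdSev OVMF build: consumes the kernel-hashes table passed by QEMU so kernel, initrd and cmdline become part of the SNP launch measurement`. The divergence between the two paths is presumably intentional given the qemu.go change in this patch, but stating it here makes the dependency between the two hunks explicit.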
@@ -375,12 +375,19 @@ func (object Object) QemuParams(config *Config) []string {
 objectParams = append(objectParams, prepareObjectWithTdxQgs(object))
 config.Bios = object.File
 case SEVGuest:
- fallthrough
+ objectParams = append(objectParams, string(object.Type))
+ objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID))
+ objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos))
+ objectParams = append(objectParams, fmt.Sprintf("reduced-phys-bits=%d", object.ReducedPhysBits))
+
+ driveParams = append(driveParams, "if=pflash,format=raw,readonly=on")
+ driveParams = append(driveParams, fmt.Sprintf("file=%s", object.File))
 case SNPGuest:
 objectParams = append(objectParams, string(object.Type))
 objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID))
 objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos))
 objectParams = append(objectParams, fmt.Sprintf("reduced-phys-bits=%d", object.ReducedPhysBits))
+ objectParams = append(objectParams, "kernel-hashes=on")
 driveParams = append(driveParams, "if=pflash,format=raw,readonly=on")
 driveParams = append(driveParams, fmt.Sprintf("file=%s", object.File))
From 1dbf5208ac1e016d8df7f38688a91cb016a0c023 Mon Sep 17 00:00:00 2001
From: Niteesh Dubey
Date: Thu, 29 Feb 2024 15:50:37 +0000
Subject: [PATCH 2/2] versions: Upgrade ovmf

This is required to support SEV-SNP confidential container with kernel-hashes. Since this ovmf is latest stable version, it is good to upgrade for tdx and Vanilaa builds too.
Signed-off-by: Niteesh Dubey
---
 versions.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/versions.yaml b/versions.yaml
index a59c86c109..4cf2a4d85a 100644
--- a/versions.yaml
+++ b/versions.yaml
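Review bot: The new `case SEVGuest:` body repeats the six object/drive appends of `case SNPGuest:` verbatim, differing only in the added `kernel-hashes=on`; folding both into `case SEVGuest, SNPGuest:` with the option guarded by `if object.Type == SNPGuest` keeps the two paths from drifting apart as more properties are added. The `kernel-hashes=on` line also deserves a why-comment, since its dependence on the firmware change in the Makefile hunk is invisible here: e.g. `// kernel-hashes=on: QEMU passes hashes of kernel, initrd and cmdline to the firmware so the direct-boot payload is covered by the SNP launch measurement (needs the AmdSev OVMF build).` Because the launch digest now covers those hashes, any attestation verifier holding stored reference measurements has to regenerate them; a line in the commit message would help operators. If plain SEV direct boot is meant to be measured too, the same property is, as far as I recall, accepted by `sev-guest`, so the split into two cases should state why it is SNP-only. QemuParams starts and ends outside this hunk.
```go
	case SEVGuest, SNPGuest:
		objectParams = append(objectParams, string(object.Type))
		// … unchanged: id=, cbitpos=, reduced-phys-bits= appends …
		if object.Type == SNPGuest {
			// kernel-hashes=on: QEMU passes hashes of kernel, initrd and cmdline
			// to the firmware so the direct-boot payload is part of the SNP launch
			// measurement (requires the AmdSev OVMF build selected in the Makefile).
			objectParams = append(objectParams, "kernel-hashes=on")
		}
		// … unchanged: pflash drive appends …
```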
@@ -324,12 +324,12 @@ externals:
 url: "https://github.com/tianocore/edk2"
 x86_64:
 description: "Vanilla firmware build"
- version: "edk2-stable202202"
+ version: "edk2-stable202402"
 package: "OvmfPkg/OvmfPkgX64.dsc"
 package_output_dir: "OvmfX64"
 sev:
 description: "AmdSev build needed for SEV measured direct boot."
- version: "edk2-stable202302"
+ version: "edk2-stable202402"
 package: "OvmfPkg/AmdSev/AmdSevX64.dsc"
 package_output_dir: "AmdSev"