Re: [libvirt] [Qemu-devel] libvirt/QEMU/SEV interaction
On Wed, Sep 27, 2017 at 02:06:10PM -0500, Richard Relph wrote:
Whether the "BIOS" is a "static shim" as Michael
suggests, or a full BIOS,
or even a BIOS+kernel+initrd is really not too significant. What is
significant is that the GO has a basis for trusting all code that is
imported in to their VM by the CP. And that NONE of the code provided by the
CP is "unknown" and unauditable by the GO. If the CP has a way to inject
code unknown to the GO in to the guest VM, the trust model is broken and
both GO and CP suffer the consequences.
Absolutely.
When the CP needs to update the BIOS image, they will have to inform
the GO
and allow the GO to establish trust in the CP's new BIOS image somehow.
This GO update on every BIOS change is imho is not a workable model. You
want something like checking the BIOS signature instead. And since
hardware is all hash based, you need the shim to do it in software.
--
MST