(cc Laszlo) On Tue, 6 Sept 2022 at 12:45, Michael S. Tsirkin <[email protected]> wrote: > > On Tue, Sep 06, 2022 at 12:43:55PM +0200, Jason A. Donenfeld wrote: > > On Tue, Sep 6, 2022 at 12:40 PM Michael S. Tsirkin <[email protected]> wrote: > > > > > > On Tue, Sep 06, 2022 at 12:36:56PM +0200, Jason A. Donenfeld wrote: > > > > It's only safe to modify the setup_data pointer on newer kernels where > > > > the EFI stub loader will ignore it. So condition setting that offset on > > > > the newer boot protocol version. While we're at it, gate this on SEV > > > > too. > > > > This depends on the kernel commit linked below going upstream. > > > > > > > > Cc: Gerd Hoffmann <[email protected]> > > > > Cc: Laurent Vivier <[email protected]> > > > > Cc: Michael S. Tsirkin <[email protected]> > > > > Cc: Paolo Bonzini <[email protected]> > > > > Cc: Peter Maydell <[email protected]> > > > > Cc: Philippe Mathieu-Daudé <[email protected]> > > > > Cc: Richard Henderson <[email protected]> > > > > Cc: Ard Biesheuvel <[email protected]> > > > > Link: > > > > https://lore.kernel.org/linux-efi/[email protected]/ > > > > Signed-off-by: Jason A. Donenfeld <[email protected]> > > > > > > BTW what does it have to do with SEV? > > > Is this because SEV is not going to trust the data to be random anyway? > > > > Daniel (now CC'd) pointed out in one of the previous threads that this > > breaks SEV, because the image hash changes. > > > > Jason > > Oh I see. I'd add a comment maybe and definitely mention this > in the commit log. >
This does raise the question (as I mentioned before) how things like secure boot and measured boot are affected when combined with direct kernel boot: AIUI, libvirt uses direct kernel boot at guest installation time, and modifying setup_data will corrupt the image signature.
