[svsm-devel] Linux and QEMU branches updated

Stefano Garzarella sgarzare at redhat.com
Wed Dec 18 12:09:17 CET 2024


Hi Jörg,

On Tue, Dec 17, 2024 at 5:24 PM Jörg Rödel <joro at 8bytes.org> wrote:
>
> Hi everyone,
>
> A few weeks ago we discussed the plan to update the Linux and QEMU
> development branches for the SVSM to the versions Roy provided.
>
> Today I made this change and updated the `svsm` branches in both
> repositories. I also updated the SVSM tree to work with the new KVM
> base, which includes updated documentation, launch script, and disabling
> one of the unit-tests[1].
>
> So hereby I ask everyone to update their development/test environments
> to use the latest Linux, QEMU and SVSM branches from the project.
>
> Why is this important?
>
> There is a PR pending for the SVSM which introduces the use of the TPR
> for managing IRQ priorities. This is part of the ongoing work to enable
> IRQs in the SVSM and add the ability to send IPIs, which is required to
> enable other platforms besides AMD SEV-SNP.
>
> With the old 6.8-based kernel the TPR was shared across VMPLs, which
> made the SVSM observe values set by the Linux kernel. This breaks the
> SVSM as soon as Linux initializes the local APIC.
>
> Going forward, when the SVSM TPR PR gets merged, the SVSM will no longer
> work on the 6.8 kernel, so please everyone make sure to update your
> development/test environments and let me know in case you run into any
> problems.

I tested all components, I can boot the guest OS and use the vTPM, but
PCRs were strange:

# tpm2_pcrread
  sha1:
  sha256:
    0 : 0x0000000000000000000000000000000000000000000000000000000000000000
    1 : 0x0000000000000000000000000000000000000000000000000000000000000000
    2 : 0x0000000000000000000000000000000000000000000000000000000000000000
    3 : 0x0000000000000000000000000000000000000000000000000000000000000000
    4 : 0x0000000000000000000000000000000000000000000000000000000000000000
    5 : 0x0000000000000000000000000000000000000000000000000000000000000000
    6 : 0x0000000000000000000000000000000000000000000000000000000000000000
    7 : 0x0000000000000000000000000000000000000000000000000000000000000000
    8 : 0x0000000000000000000000000000000000000000000000000000000000000000
    9 : 0x0000000000000000000000000000000000000000000000000000000000000000
    10: 0xBF0D858E3904704B36740BC2DDCF4820B93A9323C1098338B7C38E338735257B
    11: 0x0000000000000000000000000000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000000000000000000000000000
    14: 0x0000000000000000000000000000000000000000000000000000000000000000
    15: 0x0000000000000000000000000000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x0000000000000000000000000000000000000000000000000000000000000000

I noticed that in the svsm branch of edk2 the TPM driver is no longer
there, so I tried the PR [1] that Oliver opened upstream, and it seems
to be working:

# tpm2_pcrread
  sha1:
  sha256:
    0 : 0xEE32461432E54C50E78118642B66B770AEDE2DDBE86256AD39BF6C1E3A0C2270
    1 : 0x3E56433CCE1C5ADE10DFBEB087645E4E4CE1440D9623F9106841B660812B9E95
    2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    4 : 0xE202304E038D4985F817949AC2BEC2A6E969B81BA893AFC2E92C5158292C587E
    5 : 0x5CD9240D9D327C6907507075091BAF761CB81D95571C8A49F72B317B2A1A3F31
    6 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    7 : 0x127C18EBA2300E30767FAFE71F4E5975776F665D22C7CA9017C7C24846B96FA1
    8 : 0x5AD47B20CE56F0ED9985BA9E338D833C2E7C29981B158C1BCD15B616579D5555
    9 : 0x9269DA5E4B8F2CA44BE308734FC233C9603F090EADFB4C2E5CBF30331AFB0BC3
    10: 0x32A87359AFD16F31B3C13BE34054D16C11562A4B2FEC0837B8E24CD2374E3F44
    11: 0x0000000000000000000000000000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000000000000000000000000000
    14: 0x17CDEFD9548F4383B67A37A901673BF3C8DED6F619D36C8007562DE1D93C81CC
    15: 0x0000000000000000000000000000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x0000000000000000000000000000000000000000000000000000000000000000

Should we include that PR in our fork?

Thanks,
Stefano

[1] https://github.com/tianocore/edk2/pull/6527
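
Added example, not part of the original message or of the SVSM/edk2 code: a shell check that reads `tpm2_pcrread` text and reports whether PCRs 0-7 of one bank were ever extended, which is the difference between the two dumps above. The function names and the sample input are constructed for illustration; it assumes PCRs 0-7 are the firmware-owned registers, as in the TCG PC Client platform profile.

```shell
# Constructed sample in tpm2_pcrread layout; $1 is the hex digit that fills PCRs 0-7.
sample_pcrs() {
    printf '  sha1:\n  sha256:\n'
    i=0
    while [ "$i" -le 23 ]; do
        d=0
        if [ "$i" -le 7 ]; then d=$1; fi
        if [ "$i" -eq 10 ]; then d=A; fi   # PCR 10 is extended by the OS in both dumps
        printf '    %-2s: 0x%s\n' "$i" "$(printf '%064d' 0 | tr 0 "$d")"
        i=$((i + 1))
    done
}

# Read tpm2_pcrread output on stdin and print a verdict for bank $1 (default sha256):
#   measured | unmeasured | partial:<zero PCRs> | incomplete | no-bank
check_fw_pcrs() {
    awk -v bank="${1:-sha256}" '
        /^[ \t]*[A-Za-z0-9_]+:[ \t]*$/ {        # bank header such as "  sha256:"
            name = $1; sub(/:$/, "", name)
            in_bank = (name == bank); if (in_bank) seen = 1
            next
        }
        in_bank && split($0, f, ":") == 2 {     # PCR line such as "    0 : 0x00..."
            idx = f[1]; val = f[2]
            gsub(/[ \t]/, "", idx); gsub(/[ \t]/, "", val)
            if (idx !~ /^[0-9]+$/ || val !~ /^0x[0-9A-Fa-f]+$/ || idx + 0 > 7) next
            n++
            if (val ~ /^0x0+$/) { zero++; list = list (list == "" ? "" : ",") idx }
        }
        END {
            if (!seen)          print "no-bank"      # requested bank not in the output
            else if (n != 8)    print "incomplete"   # bank present but PCRs 0-7 missing
            else if (zero == 8) print "unmeasured"   # firmware never extended the vTPM
            else if (zero == 0) print "measured"
            else                print "partial:" list
        }'
}

# Stand-alone demo on the constructed all-zero case.
sample_pcrs 0 | check_fw_pcrs
```

On a guest this would be run as `tpm2_pcrread | check_fw_pcrs`; an "unmeasured" verdict means any attestation or sealing policy bound to the firmware PCRs covers no measurement at all.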


