Securing Linux VM boot with AMD SEV measurement
Abstract
Booting Linux guests with AMD SEV using a kernel and initrd supplied by the VMM currently breaks the Confidential Computing promise: the binaries are supplied by the VMM, which is outside the trusted domain. However, this mode of guest booting is convenient for both the platform provider and the guest owner, as usually the kernel and initrd binaries are not confidential. We introduce a way to harness SEV memory measurement and secret injection at startup to verify that the kernel and initrd supplied by the VMM are indeed approved by the guest owner, thus making this way of booting SEV guests secure for Confidential Computing workloads. The presentation will explain the boot process in the VMM and guest, the integrity checks added to OVMF, and the layout of the secret injection memory areas. We will present the current upstream status of the OVMF and QEMU patches, and cover possible attack scenarios and mitigations.
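As an added illustration (not code from the talk, OVMF or QEMU), the following Python model shows the two checks the abstract describes: the guest owner verifies a launch measurement that covers the firmware plus a table of kernel/initrd/cmdline hashes, and the firmware then verifies the blobs the VMM actually handed over against that measured table. The table layout and the measurement function are assumptions standing in for the real SEV launch measurement, and all blobs are constructed sample values.

```python
import hashlib
import hmac

# Simplified model of the scheme in the abstract (constructed example, not OVMF/QEMU code).
# The guest owner approves a kernel/initrd/cmdline by hash; the VMM loads a table of those
# hashes into guest memory next to the firmware, so the table is covered by the launch
# measurement; the owner verifies the measurement before releasing secrets; the firmware
# then checks the blobs the VMM actually supplied against the measured table before booting.

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hashes_table(kernel: bytes, initrd: bytes, cmdline: bytes) -> bytes:
    """Assumed table layout: three concatenated SHA-256 digests."""
    return sha256(kernel) + sha256(initrd) + sha256(cmdline)

def launch_measurement(firmware: bytes, table: bytes) -> bytes:
    """Stand-in for the SEV launch measurement: a digest over the measured pages
    (firmware plus hashes table). The real value is produced by the platform, not the VMM."""
    return sha256(firmware + table)

def owner_checks(measurement: bytes, firmware: bytes, approved: dict) -> bool:
    """Guest owner side: recompute the expected measurement from the approved blobs."""
    expected = launch_measurement(firmware, hashes_table(**approved))
    return hmac.compare_digest(measurement, expected)

def firmware_checks(table: bytes, supplied: dict) -> bool:
    """Guest firmware side: the supplied blobs must match the measured table."""
    return hmac.compare_digest(table, hashes_table(**supplied))

def boot(firmware: bytes, approved: dict, table: bytes, supplied: dict) -> str:
    """Run the boot flow for a VMM that measures `table` and hands over `supplied` blobs."""
    if not owner_checks(launch_measurement(firmware, table), firmware, approved):
        return "owner rejected measurement"   # secret is never injected
    if not firmware_checks(table, supplied):
        return "firmware rejected blobs"      # firmware refuses to boot the kernel
    return "booted"

FIRMWARE = b"ovmf-image"
APPROVED = {"kernel": b"vmlinuz-sample", "initrd": b"initrd.img", "cmdline": b"console=ttyS0"}
TAMPERED = dict(APPROVED, initrd=b"initrd-tampered")

if __name__ == "__main__":
    print(boot(FIRMWARE, APPROVED, hashes_table(**APPROVED), APPROVED))   # booted
    # VMM swaps the initrd and re-hashes honestly: the measurement no longer matches.
    print(boot(FIRMWARE, APPROVED, hashes_table(**TAMPERED), TAMPERED))   # owner rejected measurement
    # VMM keeps the approved table but hands over a different initrd: the firmware catches it.
    print(boot(FIRMWARE, APPROVED, hashes_table(**APPROVED), TAMPERED))   # firmware rejected blobs
```

The point the model makes is that only the small hashes table needs to be measured; the kernel and initrd can stay outside the measured image as long as the firmware refuses to boot anything whose hash is not in that table.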