Add SNP kernel hash support#5073
Open
CookieComputing wants to merge 2 commits intoproject-oak:mainfrom
Open
Conversation
This allows users to supply kernel hashes which contain hashes of the kernel, kernel cmdline, initrd, and bootloader provided to the guest at CVM launch time. These changes are reflected in the launch digest of the CVM.
andrisaar
reviewed
Mar 17, 2026
| let dest = &mut self.inner.hdr.as_mut_bytes()[..src.len()]; | ||
| dest.copy_from_slice(src); | ||
| Some(measurement) | ||
| Some((buf.to_vec(), measurement)) |
Collaborator
There was a problem hiding this comment.
This would always create a copy of the buf.
Given that we load the setup data into there, and will not move it, just return a &'static [u8] pointing to that chunk of memory.
| log::debug!("validating measured boot primitives"); | ||
| // This address is well-defined by UEFI: | ||
| // https://github.com/tianocore/edk2/blob/f98662c5e35b6ab60f46ee4350fa0e6eab0497cf/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm#L88-L91 | ||
| let sev_hash_table = 0x10c00 as *mut kernel_hash_tables::PaddedSevHashTable; |
Collaborator
There was a problem hiding this comment.
You declare the SEV_HASH_TABLE already, and the linker section should guarantee it goes into the correct place, why do you need this here?
| // This address is well-defined by UEFI: | ||
| // https://github.com/tianocore/edk2/blob/f98662c5e35b6ab60f46ee4350fa0e6eab0497cf/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm#L88-L91 | ||
| let sev_hash_table = 0x10c00 as *mut kernel_hash_tables::PaddedSevHashTable; | ||
| let sev_hash_table = unsafe { &mut *sev_hash_table }; |
Collaborator
There was a problem hiding this comment.
For all uses of unsafe add a comment why it is safe.
Contributor
Author
|
I'll rebase after getting our internal stage0 upgraded, it's been a while |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
At Meta, we've been using the
kernel-hashesmeasurement feature provided in QEMU to cover the launch components of our CVMs. This is computed as part of the launch digest.The reason you'd consider using this is because this will include the bootloader, initrd, kernel, and kernel cmdline into your launch digest, making these components attested. At least from Private Processing's point of view, we then allow the kernel to run dm-verity to do disk integrity checks to trust our rootfs.
We've been using some variant of this patch for a while in production now and wanted to share this with you if you wanted to support kernel hashes! I've modified the patch so that enabling this feature is optional, as I know this is not the intended DICE attestation method you folks use.
We base this implementation from the OVMF GUID table structure defined here and the layout of the OVMF binary here
Testing
All tests were done on our own servers, I'd recommend doing a positive/negative test with your own hypervisor just to double check that the change doesn't break the existing flow at Google (at the very least, I would expect that not including the feature should function as normal).
Tests were done on an AMD Bergamo host to ensure we had a v3 attestation report. I used basically vanilla QEMU 9.2 to run these jobs.
Positive test
I built
stage0_binon master and uncommented thesev_kernel_hashesfeatures to enable the build. I then ran the following QEMU command (with paste here):positive_case.txt
The most important parts to note in this invocation and log:
This showcases that stage0 found the kernel hashes in the provided table, and then compared them to the
fw_cfgcomponents.Negative test
I built
stage0_binon master with this diff, and did not do anything (i.e. did not uncomment the sev_kernel_hashes feature). I then ran the following QEMU command (with paste here):negative_case.txt
Most important things to note:
The validation call in
stage0/lib.rsis not invoked, so we do not see any logs w.r.t. kernel hashesMatches sev-snp-measure launch digest
This attestation is only really useful if we check it against an open source tool. At Meta, we use the open source
virTEE/sev-snp-measuretool, as this is widely accessible and AMD also makes updates to this tool whenever they make updates to firmware attestationattestation_report.txt
The launch digest is:
When running this against the
sev-snp-measuretool, we see the following:Upon visual inspection, we can see that these two measurements match up