[v2] x86/loader: secure boot support for direct kernel load

[PATCH v2 4/5] x86/loader: expose unpatched kernel

Posted by Gerd Hoffmann 2 months, 2 weeks ago

Add a new "etc/boot/kernel" fw_cfg file, containing the kernel without
the setup header patches.  Intended use is booting in UEFI with secure
boot enabled, where the setup header patching breaks secure boot
verification.

Needs OVMF changes too to be actually useful.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/i386/x86-common.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/i386/x86-common.c b/hw/i386/x86-common.c
index 82137e053ae0..63cf41711e72 100644
--- a/hw/i386/x86-common.c
+++ b/hw/i386/x86-common.c
@@ -960,6 +960,9 @@ void x86_load_linux(X86MachineState *x86ms,
     sev_load_ctx.setup_data = (char *)setup;
     sev_load_ctx.setup_size = setup_size;
 
+    /* kernel without setup header patches */
+    fw_cfg_add_file(fw_cfg, "etc/boot/kernel", kernel, kernel_size);
+
     if (sev_enabled()) {
         sev_add_kernel_loader_hashes(&sev_load_ctx, &error_fatal);
     }
-- 
2.46.0

[PATCH v2 1/5] vl: fix qemu_validate_options() indention
[PATCH v2 2/5] x86/loader: only patch linux kernels
[PATCH v2 3/5] x86/loader: read complete kernel
[PATCH v2 4/5] x86/loader: expose unpatched kernel
[PATCH v2 5/5] x86/loader: add -shim option