1. Patchew
  2. QEMU
  3. [PATCH v3 00/26] arm: Run Arm CCA VMs with KVM
  4. View patch

[RFC PATCH v3 21/26] hw/arm/boot: Load DTB as is for confidential VMs

Jean-Philippe Brucker posted 26 patches 9 months, 3 weeks ago
[RFC PATCH v3 21/26] hw/arm/boot: Load DTB as is for confidential VMs
Posted by Jean-Philippe Brucker 9 months, 3 weeks ago 
For confidential VMs it may be necessary to measure the DTB, to ensure a
malicious host does not insert harmful information in there. In case an
external tool can generated and measured the DTB, load it as is without
patching it.

Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
---
v2->v3: new
---
 hw/arm/boot.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index 4cf7dd5b4d..20b3071339 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -523,7 +523,14 @@ int arm_load_dtb(hwaddr addr, const struct arm_boot_info *binfo,
     char **node_path;
     Error *err = NULL;
 
-    if (binfo->dtb_filename) {
+    if (binfo->dtb_filename && binfo->confidential) {
+        /*
+         * If the user is providing a DTB for a confidential VM, it is already
+         * tailored to this configuration and measured. Load it as is, without
+         * any modification.
+         */
+        return rom_add_file_fixed_as(binfo->dtb_filename, addr, -1, as);
+    } else if (binfo->dtb_filename) {
         char *filename;
         filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, binfo->dtb_filename);
         if (!filename) {
-- 
2.47.0

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.