Thread (12 messages) 12 messages, 5 authors, 2025-06-25

Re: Linux kernel SIG meeting for vwfwupdate discussion

From: Ani Sinha <hidden>
Date: 2025-06-25 07:22:13

On Mon, Jun 23, 2025 at 10:38 PM Dionna Amalie Glaze
[off-list ref] wrote:
Hey all, I've been looking into the least friction-y way to make an
IGVM readable from disk without having to add a complex device driver
to the VMM.
If the FUKI application chooses to read the firmware from disk instead
of having the binary embedded,
Ok so let me get this clear. We are talking about not embedding the
IGVM in a UKI but putting it directly on the disk right?
If this is true, I am not sure what additional problem it solves since
for azure, the issue was that they did not want to have a two stage
boot process. So they wanted to go directly to stage 2 with the IGVM
extracted from the guest disk. If I understand correctly.

 then we can insist that there exists a
GPT partition on the same device as the ESP with IGVM partition type
(let's say GUID C647E858-C402-4D1E-9497-95FF0A4B4465) that's the
simplest filesystem format ever: "1FILE FS", 4 bytes of file size in
little endian, followed by a contiguous representation of the IGVM
file. If you want to change your firmware, create a new partition with
this type and delete the old one. It's a simple enough file system to
propose a DXE driver to OVMF for the FUKI application to use existing
EFI protocols to read the file.

There's the matter of reading the GPT sector and finding the IGVM
partition, then reading the file in the single file filesystem, all
using some method of reading the block device that has mounted the
disk image already that the VMM would have to mess with. The block
device access depends on VMM architecture that I couldn't really
comment on other than folks could probably make it work for Google's
VMM. It'd need to do some funky continuation passing style for the I/O
threads to string together the block read requests, but it shouldn't
be too terrible.






On Tue, May 20, 2025 at 7:41 AM Ani Sinha [off-list ref] wrote:
quoted

quoted
On 19 May 2025, at 4:55 PM, Alexander Graf [off-list ref] wrote:


On 19.05.25 10:37, Ani Sinha wrote:
quoted
quoted
On 16 May 2025, at 2:55 PM, Alexander Graf [off-list ref] wrote:

Hey Ani,

We already presented concepts last year. If we want to preserve credibility, this year we need to show a solution that's either merged or almost merged upstream and ready to use.
Hmm ok I think it will be hard to get anything merged before the deadline on June 9th.

It doesn't have to be merged on the 9th, but it should have a realistic avenue to be merged by September 4th :).
One blocker in this path is that IGVM support has not yet been merged into QEMU. I know Roy (now at MSFT) is working on it and I pinged him today in the mailing list.

--
-Dionna Glaze, PhD, CISSP, CCSP (she/her)
  
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help