[RFC PATCH 5/7] qemu: add support to TDVF firmware loader

Daniel P. Berrangé berrange at redhat.com
Mon Jun 21 13:20:45 UTC 2021


On Mon, Jun 21, 2021 at 03:19:55AM +0000, Duan, Zhenzhong wrote:
> 
> > -----Original Message-----
> > From: Pavel Hrdina <phrdina at redhat.com>
> > Sent: Friday, June 18, 2021 8:34 PM
> > To: Duan, Zhenzhong <zhenzhong.duan at intel.com>
> > Cc: libvir-list at redhat.com; Yamahata, Isaku <isaku.yamahata at intel.com>;
> > Tian, Jun J <jun.j.tian at intel.com>; Qiang, Chenyi <chenyi.qiang at intel.com>
> > Subject: Re: [RFC PATCH 5/7] qemu: add support to TDVF firmware loader
> > 
> > On Fri, Jun 18, 2021 at 04:50:50PM +0800, Zhenzhong Duan wrote:
> > > > TDX guests need a specific firmware, TDVF, to boot up. Add a new element
> > > > in the TrustDomain element for that purpose, like below:
> > >
> > > <TrustDomain type='tdx'>
> > >    <policy>0x0001</policy>
> > >    <loader>/path/to/TDVF-binary</loader>
> > > </TrustDomain>
> > 
> > Looking into QEMU patches and if I understand it correctly this loader is
> > supposed to be used instead of UEFI or BIOS?
> Yes.
> 
> > If that's true I don't think it
> > should be here as we already have XML bits to specify VM loader.
> > 
> > We could use something like this:
> > 
> >   <os>
> >     <loader type='generic'>/path/to/TDVF-binary</loader>
> >   </os>
> > 
> > Currently supported types are:
> > 
> >  - `rom` which is translated to
> > 
> >      -bios /path/to/bios.bin
> > 
> >  - `pflash` which is translated to
> > 
> >      -drive file=/path/to/uefi.fd,if=pflash,format=raw,...
> > 
> > And we could add a new type called 'generic', 'device', 'binary' or something
> > else which would be translated to:
> > 
> >      -device loader,file=/path/to/TDVF-binary,...
> > 
> Thanks for your suggestion. The main reason is that I see only TDX guests using firmware in such a special way,
> so I moved <loader> into the TDX-specific element <TrustDomain>. I'll change to <os>.<loader> if you think it's better.

Note that SEV does actually need a special loader too. The standard UEFI
builds don't support SEV, so we need to pick a special UEFI build just
for SEV.

QEMU has a concept of firmware descriptors that let the host tell libvirt
what features each firmware supports. This lets libvirt automatically
pick the right firmware binary to use.

Even if the TDX firmware is not a normal UEFI / EDK2 binary, I think we
really ought to figure out a way to use the firmware descriptors in QEMU
to report the existence of the TDX firmware binary on the host. This would
let libvirt automatically pick a TDX loader.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
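
The descriptor-based firmware selection described in the reply above, as an added Python example that is not part of the original mail and is not libvirt's or QEMU's code. It uses the existing `amd-sev` descriptor feature; the descriptor contents, paths and file names are constructed, and ordering candidates by sorted file name is an assumption made for the example.

```python
import fnmatch
import json

# Constructed descriptors (paths and contents invented for this example),
# laid out per QEMU's docs/interop/firmware.json schema.
SAMPLE_DESCRIPTORS = {
    "40-broken.json": "{ not valid json",
    "50-ovmf.json": """{
        "description": "constructed: generic UEFI build",
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
            "executable": {"filename": "/example/OVMF_CODE.fd", "format": "raw"},
            "nvram-template": {"filename": "/example/OVMF_VARS.fd", "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["acpi-s3", "verbose-dynamic"], "tags": []}""",
    "60-ovmf-sev.json": """{
        "description": "constructed: UEFI build with SEV support",
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
            "executable": {"filename": "/example/OVMF_CODE.sev.fd", "format": "raw"},
            "nvram-template": {"filename": "/example/OVMF_VARS.fd", "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["amd-sev", "verbose-dynamic"], "tags": []}""",
}


def pick_firmware(descriptors, arch, machine, required, interface="uefi"):
    """Return (file name, mapping) of the first descriptor, in file-name
    order, that fits the target and advertises every required feature.
    Returns None instead of falling back to a build lacking a feature."""
    for name in sorted(descriptors):
        try:
            fw = json.loads(descriptors[name])
        except json.JSONDecodeError:
            continue  # one malformed file must not block selection
        if not isinstance(fw, dict) or interface not in fw.get("interface-types", []):
            continue
        fits = any(
            t.get("architecture") == arch
            and any(fnmatch.fnmatchcase(machine, p) for p in t.get("machines", []))
            for t in fw.get("targets", []))
        if fits and set(required) <= set(fw.get("features", [])):
            return name, fw.get("mapping")
    return None


if __name__ == "__main__":
    print(pick_firmware(SAMPLE_DESCRIPTORS, "x86_64", "pc-q35-6.0", ["amd-sev"]))
```

When no descriptor advertises the required feature, the function returns `None`, so a guest that asks for SEV is never started on a firmware build that does not declare support for it.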



