[libvirt PATCH 0/5] Support AMD SEV firmware with -bios instead of pflash

Erik Skultety eskultet at redhat.com
Fri Jan 21 14:40:23 UTC 2022

On Fri, Jan 21, 2022 at 02:16:14PM +0000, Daniel P. Berrangé wrote:
> On Fri, Jan 14, 2022 at 07:07:10PM +0000, Daniel P. Berrangé wrote:
> > The firmware distros have given people for use with AMD SEV thus far has
> > just been one of the regular OVMF builds. This is sufficient for booting
> > a guest with SEV enabled, but is useless if you want to actually
> > validate the guest measurement. The NVRAM store is untrustworthy since
> > it is not included in the measurement. We need to supply a dedicated
> > build of OVMF without NVRAM support enabled. While it is possible to
> > use with pflash, we then get a problem with firmware selection as there
> > is no easy way to make it prefer the firmware without NVRAM. Also the
> > firmware descriptor treats the NVRAM template as a mandatory field
> > today and libvirt enforces that.
> > 
> > While we could invent a new feature flag 'sev-stateless' for the
> > firmware descriptors, and/or make the NVRAM template path optional,
> > it makes more sense if the firmware descriptor just reports the SEV
> > firmware as type=memory instead of type=flash.
> > 
> > If the libvirt XML parses the <loader type='rom'/> attribute when
> > doing firmware auto-selection, we trivially enable a way for a mgmt
> > app to indicate that it wants the SEV firmware without NVRAM
> > support.
> > 
> > This series does all the plumbing we need.
> > 
> > The only minor issue is that QEMU support for -bios with SEV enabled
> > firmware is broken:
> > 
> >   https://lists.gnu.org/archive/html/qemu-devel/2022-01/msg02957.html
> Well turns out the concept is unfixably broken on the QEMU side
> with SEV enabled UEFI firmware. So I'm going to ditch the first
> docs patch.
> I figure it is still possibly useful to be able to controla
> auto-firmware selection based on 'type', even if it doesn't
> help my sev use case, so might as well leave keep that now
> I've implemented it.

In any case, in context of patch 2/5, shouldn't autoselect haven been left
untouched and instead pick the type automatically, say in
qemuValidateDomainDefBoot or similar depending on whether the domain has
LaunchSecurity SEV defined in the XML?


More information about the libvir-list mailing list