The firmware that distros have given people for use with AMD SEV thus far has
just been one of the regular OVMF builds. This is sufficient for booting a
guest with SEV enabled, but is useless if you want to actually validate the
guest measurement. The NVRAM store is untrustworthy since it is not included
in the measurement. We need to supply a dedicated build of OVMF without NVRAM
support enabled.

While it is possible to use it with pflash, we then get a problem with
firmware selection, as there is no easy way to make it prefer the firmware
without NVRAM. Also, the firmware descriptor treats the NVRAM template as a
mandatory field today and libvirt enforces that.

While we could invent a new feature flag 'sev-stateless' for the firmware
descriptors, and/or make the NVRAM template path optional, it makes more
sense if the firmware descriptor just reports the SEV firmware as
type=memory instead of type=flash. If the libvirt XML parses the
<loader type='rom'/> attribute when doing firmware auto-selection, we
trivially enable a way for a mgmt app to indicate that it wants the SEV
firmware without NVRAM support.

This series does all the plumbing we need. The only minor issue is that QEMU
support for -bios with SEV enabled firmware is broken:

  https://lists.gnu.org/archive/html/qemu-devel/2022-01/msg02957.html

Daniel P. Berrangé (5):
  docs: explain that some UEFI images can use 'rom' instead of 'pflash'
  conf: parse loader 'type' even when doing firmware auto select
  qemu: filter firmware selection based on loader type
  tests: add firmware descriptor for SEV dedicated build
  tests: add a test for selecting a firmware without NVRAM

 docs/formatdomain.rst                              | 24 +++++-
 src/conf/domain_conf.c                             |  8 +-
 src/qemu/qemu_firmware.c                           | 25 +++++++
 .../usr/share/qemu/firmware/62-ovmf-sev.json       | 27 +++++++
 tests/qemufirmwaretest.c                           |  4 +-
 .../os-firmware-efi-sev.x86_64-6.0.0.args          | 43 +++++++++++
 .../qemuxml2argvdata/os-firmware-efi-sev.xml       | 74 +++++++++++++++++++
 tests/qemuxml2argvtest.c                           |  1 +
 8 files changed, 197 insertions(+), 9 deletions(-)
 create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/62-ovmf-sev.json
 create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-sev.x86_64-6.0.0.args
 create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-sev.xml

-- 
2.33.1
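As an added illustration (not code from this series or from libvirt), a small Python model of the auto-selection filter the cover letter describes: a descriptor whose mapping device is "memory" matches <loader type='rom'/>, "flash" matches pflash, and with no loader type the lower-numbered regular OVMF descriptor wins, which is the selection problem the series solves. The two descriptors and their paths are constructed samples in the QEMU firmware.json format, not the real 62-ovmf-sev.json.

```python
# Constructed QEMU firmware descriptors (docs/interop/firmware.json format).
# Illustrative samples only, not the 62-ovmf-sev.json added by this series.
DESCRIPTORS = [
    ("50-ovmf-q35.json", {
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
                    "executable": {"filename": "/usr/share/edk2/ovmf/OVMF_CODE.fd",
                                   "format": "raw"},
                    "nvram-template": {"filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd",
                                       "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["amd-sev", "verbose-dynamic"]}),
    ("62-ovmf-sev.json", {
        "interface-types": ["uefi"],
        "mapping": {"device": "memory",
                    "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd",
                    "format": "raw"},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["amd-sev"]}),
]

# <loader type='...'/> in the domain XML -> required "device" in the descriptor.
LOADER_TO_DEVICE = {"pflash": "flash", "rom": "memory"}

def firmware_path(desc):
    """Executable image path, whichever mapping shape the descriptor uses."""
    m = desc["mapping"]
    return m["filename"] if m["device"] == "memory" else m["executable"]["filename"]

def select_firmware(descriptors, loader_type=None, want_sev=False, arch="x86_64"):
    """Candidate firmware paths in priority order (ascending descriptor filename,
    as QEMU's spec orders them). loader_type=None models the pre-series
    behaviour, where the loader type is ignored during auto-selection."""
    if loader_type is not None and loader_type not in LOADER_TO_DEVICE:
        raise ValueError("unknown loader type: %s" % loader_type)
    wanted_device = LOADER_TO_DEVICE.get(loader_type) if loader_type else None
    out = []
    for _fname, desc in sorted(descriptors):
        if "uefi" not in desc["interface-types"]:
            continue
        if not any(t["architecture"] == arch for t in desc["targets"]):
            continue
        if want_sev and "amd-sev" not in desc["features"]:
            continue
        if wanted_device and desc["mapping"]["device"] != wanted_device:
            continue
        out.append(firmware_path(desc))
    return out

if __name__ == "__main__":
    print("no loader type:", select_firmware(DESCRIPTORS, want_sev=True))
    print("type='rom':    ", select_firmware(DESCRIPTORS, "rom", want_sev=True))
```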