On Fri, Jan 14, 2022 at 07:07:10PM +0000, Daniel P. Berrangé wrote:
> The firmware distros have given people for use with AMD SEV thus far has
> just been one of the regular OVMF builds. This is sufficient for booting
> a guest with SEV enabled, but is useless if you want to actually
> validate the guest measurement. The NVRAM store is untrustworthy since
> it is not included in the measurement. We need to supply a dedicated
> build of OVMF without NVRAM support enabled. While it is possible to
> use with pflash, we then get a problem with firmware selection as there
> is no easy way to make it prefer the firmware without NVRAM. Also the
> firmware descriptor treats the NVRAM template as a mandatory field
> today and libvirt enforces that.
>
> While we could invent a new feature flag 'sev-stateless' for the
> firmware descriptors, and/or make the NVRAM template path optional,
> it makes more sense if the firmware descriptor just reports the SEV
> firmware as type=memory instead of type=flash.
>
> If the libvirt XML parses the <loader type='rom'/> attribute when
> doing firmware auto-selection, we trivially enable a way for a mgmt
> app to indicate that it wants the SEV firmware without NVRAM
> support.
>
> This series does all the plumbing we need.
>
> The only minor issue is that QEMU support for -bios with SEV enabled
> firmware is broken:
>
>   https://lists.gnu.org/archive/html/qemu-devel/2022-01/msg02957.html

Well, it turns out the concept is unfixably broken on the QEMU side with
SEV enabled UEFI firmware. So I'm going to ditch the first docs patch.

I figure it is still possibly useful to be able to control auto-firmware
selection based on 'type', even if it doesn't help my SEV use case, so
might as well keep that now I've implemented it.

> Daniel P. Berrangé (5):
>   docs: explain that some UEFI images can use 'rom' instead of 'pflash'
>   conf: parse loader 'type' even when doing firmware auto select
>   qemu: filter firmware selection based on loader type
>   tests: add firmware descriptor for SEV dedicated build
>   tests: add a test for selecting a firmware without NVRAM
>
>  docs/formatdomain.rst                          | 24 +++++-
>  src/conf/domain_conf.c                         |  8 +-
>  src/qemu/qemu_firmware.c                       | 25 +++++++
>  .../usr/share/qemu/firmware/62-ovmf-sev.json   | 27 +++++++
>  tests/qemufirmwaretest.c                       |  4 +-
>  .../os-firmware-efi-sev.x86_64-6.0.0.args      | 43 +++++++++++
>  .../qemuxml2argvdata/os-firmware-efi-sev.xml   | 74 +++++++++++++++++++
>  tests/qemuxml2argvtest.c                       |  1 +
>  8 files changed, 197 insertions(+), 9 deletions(-)
>  create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/62-ovmf-sev.json
>  create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-sev.x86_64-6.0.0.args
>  create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-sev.xml
>
> --
> 2.33.1
>

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
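The selection problem the cover letter describes, and the fix the series keeps (filtering firmware auto-selection on the loader 'type'), as a worked example added to this page. This is illustrative Python, not libvirt's qemu_firmware.c and not code from the series. The two descriptors are constructed here and modelled on the QEMU firmware descriptor schema (mapping.device is "flash" with an executable plus nvram-template, or "memory" with a single filename); the firmware paths are hypothetical. The mapping of <loader type='pflash'/> to a flash device and <loader type='rom'/> to a memory device follows the series' description. Per the reply above, QEMU's -bios path with SEV enabled firmware turned out to be broken, so the example only shows the descriptor filtering, not an attested SEV boot.

```python
import json
from fnmatch import fnmatch

# Constructed sample descriptors (not real files), modelled on the QEMU
# firmware descriptor schema in docs/interop/firmware.json: "mapping.device"
# is "flash" (executable + nvram-template) or "memory" (single filename).
# The firmware paths below are hypothetical.
SAMPLE_DESCRIPTORS = {
    "50-edk2-x86_64-secure.json": json.dumps({
        "description": "UEFI firmware for x86_64, with Secure Boot",
        "interface-types": ["uefi"],
        "mapping": {
            "device": "flash",
            "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd",
                           "format": "raw"},
            "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.secboot.fd",
                               "format": "raw"},
        },
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["acpi-s3", "amd-sev", "enrolled-keys", "requires-smm",
                     "secure-boot", "verbose-dynamic"],
        "tags": [],
    }),
    "62-ovmf-sev.json": json.dumps({
        "description": "UEFI firmware for x86_64, dedicated AMD SEV build, no NVRAM",
        "interface-types": ["uefi"],
        "mapping": {
            "device": "memory",
            "filename": "/usr/share/OVMF/OVMF.amdsev.fd",
        },
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["amd-sev", "verbose-dynamic"],
        "tags": [],
    }),
}

# libvirt <loader type='...'/> value -> descriptor mapping.device, as the
# series describes it: 'pflash' is a flash device, 'rom' is a memory device.
LOADER_TYPE_TO_DEVICE = {"pflash": "flash", "rom": "memory"}


def select_firmware(descriptors, arch, machine, want_features, loader_type=None):
    """Pick the first descriptor, in filename order (the priority order QEMU
    and libvirt use), that matches the target, carries every requested
    feature and, when a loader type is given, uses the matching device.

    Returns (descriptor filename, parsed descriptor) or None."""
    wanted = set(want_features)
    for name in sorted(descriptors):
        desc = json.loads(descriptors[name])
        if "uefi" not in desc["interface-types"]:
            continue
        if not any(t["architecture"] == arch and
                   any(fnmatch(machine, glob) for glob in t["machines"])
                   for t in desc["targets"]):
            continue
        if not wanted <= set(desc["features"]):
            continue
        if loader_type is not None:
            if desc["mapping"]["device"] != LOADER_TYPE_TO_DEVICE[loader_type]:
                continue
        return name, desc
    return None


def has_nvram(desc):
    """A flash mapping with an nvram-template carries mutable state that is
    not covered by the launch measurement; a memory mapping has none."""
    mapping = desc["mapping"]
    return mapping["device"] == "flash" and "nvram-template" in mapping


if __name__ == "__main__":
    # Without a loader type, the lower-numbered flash build wins even though
    # it has NVRAM: this is the selection problem the cover letter describes.
    name, desc = select_firmware(SAMPLE_DESCRIPTORS, "x86_64", "pc-q35-6.0",
                                 ["amd-sev"])
    print(name, "nvram:", has_nvram(desc))
    # With <loader type='rom'/>, only the memory-mapped build qualifies.
    name, desc = select_firmware(SAMPLE_DESCRIPTORS, "x86_64", "pc-q35-6.0",
                                 ["amd-sev"], loader_type="rom")
    print(name, "nvram:", has_nvram(desc))
```

Note that requesting 'rom' together with a feature only the flash build offers (for example secure-boot) yields no match rather than silently falling back to a build with NVRAM, which is the behaviour a management application asking for a stateless firmware wants.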