On 3/22/2022 5:27 PM, Daniel P. Berrangé wrote:
...
IMHO the AmdSev build for OVMF gets this right by entirely disabling
the split OVMF_CODE.fd vs OVMF_VARS.fd, and just having a single
OVMF.fd file that is exposed read-only to the guest.
This is further represented in $QEMU.git/docs/interop/firmware.json
by marking the firmware as 'stateless', which apps like libvirt will
use to figure out what QEMU command line to pick.
Hi Daniel,
I don't play with AMD SEV and I'm not sure if AMD SEV requires only
single OVMF.fd. But IIUC, from edk2
commit 437eb3f7a8db ("OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Bypass
flash detection with SEV-ES")
, AMD SEV(-ES) does support NVRAM via proactive VMGEXIT MMIO
QemuFlashWrite(). If so, AMD SEV seems to be able to support split OVMF,
right?
IOW, if you don't want OVMF_VARS.fd to be written to, then follow
what AmdSev has done, and get rid of the split files.
With regards,
Daniel
