On Mon, Apr 21, 2025 at 01:38:35PM -0600, Jim Fehlig via Devel wrote:
> Hi All,
> 
> While investigating an internal bug report, we noticed that a minimal
> firmware auto-selection configuration along with SEV* fails to find a match.
> E.g. the following config
> 
> <domain type="kvm">
>   <os firmware="efi">
>     <type arch="x86_64" machine="q35">hvm</type>
>     <boot dev="hd"/>
>   </os>
>   <launchSecurity type="sev">
>     <policy>0x07</policy>
>   </launchSecurity>
> ...
> </domain>
> 
> Fails with "Unable to find 'efi' firmware that is compatible with the
> current configuration". A firmware that should match has the following json
> description
> 
> {
>     "description": "UEFI firmware for x86_64, with AMD SEV",
>     "interface-types": [
>         "uefi"
>     ],
>     "mapping": {
>         "device": "flash",
>         "mode": "stateless",
>         "executable": {
>             "filename": "/usr/share/qemu/ovmf-x86_64-sev.bin",
>             "format": "raw"
>         }
>     },
>     "targets": [
>         {
>             "architecture": "x86_64",
>             "machines": [
>                 "pc-q35-*"
>             ]
>         }
>     ],
>     "features": [
>         "acpi-s4",
>         "amd-sev",
>         "amd-sev-es",
>         "amd-sev-snp",
>         "verbose-dynamic"
>     ],
>     "tags": [
> 
>     ]
> }
> 
> Auto-selection works fine if I specify a 'stateless' firmware, e.g. amend
> the above config with
> 
>   <os firmware="efi">
>     <type arch="x86_64" machine="q35">hvm</type>
>     <loader stateless="yes"/>
>     <boot dev="hd"/>
>   </os>
> 
> Being unfamiliar with the firmware auto-selection code, I tried the below
> naive hack, which only led to test failures and the subsequent runtime error
> "unable to find any master var store for loader:
> /usr/share/qemu/ovmf-x86_64-sev.bin". Should auto-selection work with the
> minimal config, or is it expected that the user also specify a stateless
> firmware?

I don't have any SEV/SNP installation available to test with currently,
but on Fedora/RHEL, AFAIK, we successfully install with

virt-install  \
--name snp  \
--launchSecurity sev-snp,policy=0x30000  \
--machine q35  \
--boot uefi

which will NOT result in 'stateless' attribute being set and our
firmware descriptors match what you show above.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
