On 4/24/25 04:59, Daniel P. Berrangé wrote:
On Mon, Apr 21, 2025 at 01:38:35PM -0600, Jim Fehlig via Devel wrote:
Hi All,

While investigating an internal bug report, we noticed that a minimal
firmware auto-selection configuration along with SEV* fails to find a match.
E.g. the following config

<domain type="kvm">
   <os firmware="efi">
     <type arch="x86_64" machine="q35">hvm</type>
     <boot dev="hd"/>
   </os>
   <launchSecurity type="sev">
     <policy>0x07</policy>
   </launchSecurity>
...
</domain>

Fails with "Unable to find 'efi' firmware that is compatible with the
current configuration". A firmware that should match has the following json
description

{
     "description": "UEFI firmware for x86_64, with AMD SEV",
     "interface-types": [
         "uefi"
     ],
     "mapping": {
         "device": "flash",
         "mode": "stateless",
         "executable": {
             "filename": "/usr/share/qemu/ovmf-x86_64-sev.bin",
             "format": "raw"
         }
     },
     "targets": [
         {
             "architecture": "x86_64",
             "machines": [
                 "pc-q35-*"
             ]
         }
     ],
     "features": [
         "acpi-s4",
         "amd-sev",
         "amd-sev-es",
         "amd-sev-snp",
         "verbose-dynamic"
     ],
     "tags": [

     ]
}

Auto-selection works fine if I specify a 'stateless' firmware, e.g. amend
the above config with

   <os firmware="efi">
     <type arch="x86_64" machine="q35">hvm</type>
     <loader stateless="yes"/>
     <boot dev="hd"/>
   </os>

Being unfamiliar with the firmware auto-selection code, I tried the below
naive hack, which only led to test failures and the subsequent runtime error
"unable to find any master var store for loader:
/usr/share/qemu/ovmf-x86_64-sev.bin". Should auto-selection work with the
minimal config, or is it expected that the user also specify a stateless
firmware?

I don't have any SEV/SNP installation available to test with currently,
but on Fedora/RHEL, AFAIK, we successfully install with

virt-install  \
--name snp  \
--launchSecurity sev-snp,policy=0x30000  \
--machine q35  \
--boot uefi

I see the same failure when using '--boot uefi' or '--boot firmware=efi'

ERROR operation failed: Unable to find 'efi' firmware that is compatible with the current configuration

Works fine with '--boot firmware=efi,loader.stateless=yes'.

which will NOT result in 'stateless' attribute being set and our
firmware descriptors match what you show above.

Nod. The rawhide descriptor '60-edk2-ovmf-x64-amdsev.json' is nearly identical to the one I posted, with the exception of the missing acpi-s4 feature. But that shouldn't be there anyhow. It's a bug that has since been fixed in the openSUSE descriptor.

Regards,
Jim
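
A triage aid for the mismatch discussed in this thread, added here as an example (not code from libvirt or from either poster): it reads a firmware descriptor and reports whether it is a UEFI image with SEV features, a stateless flash mapping and no nvram-template, the combination that in the thread matched only with `<loader stateless="yes"/>`. The function names are hypothetical, and the check does not reproduce libvirt's matching logic.

```python
import json

# Sample input embedded inline: the descriptor quoted in the thread.
SAMPLE_DESCRIPTOR = """
{
  "description": "UEFI firmware for x86_64, with AMD SEV",
  "interface-types": ["uefi"],
  "mapping": {
    "device": "flash",
    "mode": "stateless",
    "executable": {"filename": "/usr/share/qemu/ovmf-x86_64-sev.bin",
                   "format": "raw"}
  },
  "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
  "features": ["acpi-s4", "amd-sev", "amd-sev-es", "amd-sev-snp",
               "verbose-dynamic"],
  "tags": []
}
"""

SEV_FEATURES = {"amd-sev", "amd-sev-es", "amd-sev-snp"}


def summarize(descriptor_text):
    """Return the descriptor fields relevant to the SEV/stateless mismatch."""
    d = json.loads(descriptor_text)
    mapping = d.get("mapping", {})
    return {
        "uefi": "uefi" in d.get("interface-types", []),
        "sev": sorted(SEV_FEATURES & set(d.get("features", []))),
        "device": mapping.get("device"),
        "mode": mapping.get("mode"),  # None when the key is absent
        "has_nvram_template": "nvram-template" in mapping,
    }


def needs_explicit_stateless(descriptor_text):
    """True for a UEFI+SEV flash image that has no variable store template."""
    s = summarize(descriptor_text)
    return (s["uefi"] and bool(s["sev"]) and s["device"] == "flash"
            and s["mode"] == "stateless" and not s["has_nvram_template"])


if __name__ == "__main__":
    print(summarize(SAMPLE_DESCRIPTOR))
    print(needs_explicit_stateless(SAMPLE_DESCRIPTOR))
```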
