On 8/13/25 09:01, Andrea Bolognani wrote:
On Tue, Aug 12, 2025 at 05:26:19PM -0600, Jim Fehlig wrote:
On 7/31/25 09:45, Andrea Bolognani via Devel wrote:
This test case demonstrates how firmware autoselection doesn't
currently work correctly for domains using SEV-SNP: the
descriptor for a suitable firmware exists, and yet it doesn't
get picked up.

On my test system, autoselection for SEV-SNP guests does work after making
the firmware descriptor changes suggested by Gerd

https://src.fedoraproject.org/fork/kraxel/rpms/edk2/c/5146a0c3e9bf821d045e0cc3600ad715aca14588

It fails for SEV and SEV-ES guests. As a first step, I tried "importing" the
descriptor changes to tests/qemufirmwaredata/, but as always I'm fighting
with fixing up the tests :-/.

Patch importing the changes attached.

Thanks! My trial and error approach to fixing the test suite would have eventually got there :-).

Can you be more specific about the issue you're experiencing for
SEV(-ES) guests?

I'm seeing the same issue we were trying to solve for SNP guests with this series

ERROR operation failed: Unable to find 'efi' firmware that is compatible with the current configuration

Based on the patch, the behavior doesn't seem to
change at all there. Are you able to successfully start those guests
when you use unmodified libvirt and edk2?

No, the same issue exists with SEV and SEV-ES guests. Sorry if that was not clear. Prior to separating SNP into its own descriptor, all three features shared the "stateless, pflash" descriptor, and all three suffered the problem you're fixing with this series.

SNP works after providing a descriptor which properly identifies it as requiring a 'memory' device. AFAICT, the existing autoselection code already handles non-pflash devices.


Then again, the existing SEV tests look... questionable. They all use
the i440fx machine type and default (BIOS) firmware, whereas
according to the documentation[1] you really want q35 and UEFI. So at
best our test coverage is lacking.

Agreed.


Stressing again the fact that I know very little about SEV and its
variants, my impression is that generally speaking stateless firmware
is preferred for the use case; however in Fedora the descriptors for
"regular" edk2 builds with no Secure Boot[2] advertise support for
the "amd-sev" and "amd-sev-es" firmware features, and since they sort
before the SEV-specific builds[3] libvirt will pick them up unless
you specifically ask for the firmware to be stateless.

Not sure if the best way to get out of this situation is to shuffle
the descriptors around, drop the SEV-specific features from other
descriptors, or tweak the libvirt algorithm so that it will prefer
stateless firmware for SEV unless told otherwise.

Very much interested in hearing everyone's thoughts on the topic.

AFAIK, only stateless firmware should be used with SEV and SEV-ES guests. Probably best to drop those features from the other descriptors.

BTW, I often tend to ignore SEV and SEV-ES. IMO they are not used and can hopefully be removed from upstream projects in the future. This opinion was recently strengthened when I discovered that new BIOS updates to our Genoa and Turin systems will not allow the SEV-ES and SEV-SNP features to work together.

Regards,
Jim

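To make the selection rule discussed above concrete (descriptors sorted by file name, first compatible one wins, so a split-pflash build that advertises amd-sev/amd-sev-es shadows the stateless build unless the domain asks for stateless firmware), here is an added, constructed Python model of firmware.json matching. It is example code, not libvirt's implementation; the descriptor file names, firmware paths, sort prefixes and feature lists are invented, and the "stateless" check is a deliberate simplification of what libvirt actually does.

```python
"""Constructed, simplified model of QEMU firmware-descriptor autoselection.

Mirrors the rules of QEMU's docs/interop/firmware.json as libvirt applies
them (descriptors sorted by file name, first compatible one wins), but this
is example code, not libvirt's. Descriptor names, paths, sort prefixes and
feature lists below are invented for the example.
"""
import json
from fnmatch import fnmatch

# Launch-security type of the domain -> descriptor feature it must advertise.
LAUNCH_SECURITY_FEATURE = {
    "sev": "amd-sev",
    "sev-es": "amd-sev-es",
    "sev-snp": "amd-sev-snp",
}


def _descriptor(description, mapping, features):
    """Build one firmware.json-shaped document (x86_64, q35 only)."""
    return json.dumps({
        "description": description,
        "interface-types": ["uefi"],
        "mapping": mapping,
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": features,
        "tags": [],
    })


# Constructed descriptor set. The numeric prefixes are invented; what matters
# is that the "regular" split-pflash build sorts before the SEV-specific ones.
DESCRIPTORS = {
    "50-edk2-x86_64-nosb.json": _descriptor(
        "regular UEFI build, split pflash, no Secure Boot",
        {"device": "flash", "mode": "split",
         "executable": {"filename": "/fw/OVMF_CODE.fd", "format": "raw"},
         "nvram-template": {"filename": "/fw/OVMF_VARS.fd", "format": "raw"}},
        ["acpi-s3", "amd-sev", "amd-sev-es", "verbose-dynamic"]),
    "60-edk2-x86_64-amdsev.json": _descriptor(
        "stateless pflash build for SEV and SEV-ES",
        {"device": "flash", "mode": "stateless",
         "executable": {"filename": "/fw/OVMF.amdsev.fd", "format": "raw"}},
        ["amd-sev", "amd-sev-es", "verbose-dynamic"]),
    "70-edk2-x86_64-amdsev-snp.json": _descriptor(
        "SEV-SNP build loaded as a memory-mapped image",
        {"device": "memory", "filename": "/fw/OVMF.amdsev-snp.fd"},
        ["amd-sev-snp", "verbose-dynamic"]),
}


def _compatible(desc, machine, required, stateless):
    """Apply the matching rules of this model to one parsed descriptor."""
    if "uefi" not in desc["interface-types"]:
        return False
    # "machines" entries are glob patterns matched against the machine type.
    if not any(t["architecture"] == "x86_64"
               and any(fnmatch(machine, pat) for pat in t["machines"])
               for t in desc["targets"]):
        return False
    if not required <= set(desc["features"]):
        return False
    mapping = desc["mapping"]
    # Simplification (assumption of this model): a stateless loader rejects a
    # pflash build that is not in "stateless" mode; non-flash mappings carry
    # no variable store and are accepted as they are.
    if stateless and mapping["device"] == "flash" and mapping.get("mode") != "stateless":
        return False
    return True


def select_firmware(descriptors, machine, launch_security=None, stateless=False):
    """Return the file name of the first compatible descriptor, or None.

    Descriptors are visited in ascending file-name order, so when two builds
    are both compatible the sort order alone decides which one is used.
    """
    required = set()
    if launch_security is not None:
        required.add(LAUNCH_SECURITY_FEATURE[launch_security])
    for name in sorted(descriptors):
        if _compatible(json.loads(descriptors[name]), machine, required, stateless):
            return name
    return None


def drop_features(descriptors, name, features):
    """Return a copy of the descriptor set with `features` removed from `name`."""
    out = dict(descriptors)
    desc = json.loads(out[name])
    desc["features"] = [f for f in desc["features"] if f not in features]
    out[name] = json.dumps(desc)
    return out


if __name__ == "__main__":
    q35 = "pc-q35-9.0"
    # Plain SEV lands on the split-pflash build: it advertises amd-sev and
    # sorts first, so the stateless build is never reached.
    print("sev:           ", select_firmware(DESCRIPTORS, q35, "sev"))
    print("sev, stateless:", select_firmware(DESCRIPTORS, q35, "sev", stateless=True))
    # SNP is only advertised by the memory-mapped descriptor; the non-flash
    # device is not an obstacle for selection.
    print("sev-snp:       ", select_firmware(DESCRIPTORS, q35, "sev-snp"))
    # Dropping the SEV features from the regular descriptor makes plain SEV
    # reach the stateless build without any extra domain XML.
    fixed = drop_features(DESCRIPTORS, "50-edk2-x86_64-nosb.json", {"amd-sev", "amd-sev-es"})
    print("sev after fix: ", select_firmware(fixed, q35, "sev"))
    print("sev-es, i440fx:", select_firmware(fixed, "pc-i440fx-9.0", "sev-es"))
```

Running the block shows the two remedies side by side: asking for a stateless loader changes the answer for SEV on the original set, and so does removing amd-sev/amd-sev-es from the regular descriptor, while SEV-SNP resolves to the memory-mapped descriptor either way. The last line also shows why the i440fx test configurations are a poor fit: none of the constructed descriptors target that machine type, so nothing is selected.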