[PATCH v2 09/10] DONOTMERGE remove SEV features from non-SEV descriptors

Andrea Bolognani via Devel Mon, 25 Aug 2025 09:46:32 -0700

These changes are not in the Fedora edk2 packages, not even in
tentative form, and are just a suggestion of how we could
potentially move things forward.


The idea is to stop advertising SEV(-ES) support in the
descriptors for regular edk2 builds, thus forcing the
SEV-specific stateless build to be used. This arguably makes
more sense, but it's unclear whether removing the combination
could have negative impact on certain use cases.
---
 .../share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json  | 2 --
 .../share/qemu/firmware/51-edk2-ovmf-2m-raw-x64-nosb.json    | 2 --
 .../usr/share/qemu/firmware/90-combined.json                 | 1 -
 .../firmware-auto-efi-sev.x86_64-latest+amdsev.args          | 5 ++---
 .../firmware-auto-efi-sev.x86_64-latest+amdsev.xml           | 3 +--
 5 files changed, 3 insertions(+), 10 deletions(-)

diff --git 
a/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json
 
b/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json
index d64735f477..bb11f5febd 100644
--- 
a/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json
+++ 
b/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json
@@ -26,8 +26,6 @@
     ],
     "features": [
         "acpi-s3",
-        "amd-sev",
-        "amd-sev-es",
         "verbose-dynamic"
     ],
     "tags": [
diff --git 
a/tests/qemufirmwaredata/usr/share/qemu/firmware/51-edk2-ovmf-2m-raw-x64-nosb.json
 
b/tests/qemufirmwaredata/usr/share/qemu/firmware/51-edk2-ovmf-2m-raw-x64-nosb.json
index 050853e2b8..bb8ea4c07a 100644
--- 
a/tests/qemufirmwaredata/usr/share/qemu/firmware/51-edk2-ovmf-2m-raw-x64-nosb.json
+++ 
b/tests/qemufirmwaredata/usr/share/qemu/firmware/51-edk2-ovmf-2m-raw-x64-nosb.json
@@ -26,8 +26,6 @@
     ],
     "features": [
         "acpi-s3",
-        "amd-sev",
-        "amd-sev-es",
         "verbose-dynamic"
     ],
     "tags": [
diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json 
b/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json
index 8ecac440b4..a788a3fc40 100644
--- a/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json
+++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json
@@ -21,7 +21,6 @@
     ],
     "features": [
         "acpi-s3",
-        "amd-sev",
         "enrolled-keys",
         "requires-smm",
         "secure-boot",
diff --git 
a/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args 
b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args
index 550ac52b8a..a0ede6ca92 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args
@@ -10,10 +10,9 @@ 
XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \
 -name guest=guest,debug-threads=on \
 -S \
 -object 
'{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}'
 \
--blockdev 
'{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF_CODE.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}'
 \
+-blockdev 
'{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}'
 \
 -blockdev 
'{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}'
 \
--blockdev 
'{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/guest_VARS.fd","node-name":"libvirt-pflash1-storage","read-only":false}'
 \
--machine 
pc-q35-10.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-storage,acpi=on
 \
+-machine 
pc-q35-10.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on
 \
 -accel kvm \
 -cpu qemu64 \
 -m size=1048576k \
diff --git 
a/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.xml 
b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.xml
index cbfdcdeee3..35db3dc7c3 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.xml
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.xml
@@ -10,8 +10,7 @@
       <feature enabled='no' name='enrolled-keys'/>
       <feature enabled='no' name='secure-boot'/>
     </firmware>
-    <loader readonly='yes' type='pflash' 
format='raw'>/usr/share/edk2/ovmf/OVMF_CODE.fd</loader>
-    <nvram template='/usr/share/edk2/ovmf/OVMF_VARS.fd' templateFormat='raw' 
format='raw'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram>
+    <loader readonly='yes' type='pflash' stateless='yes' 
format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader>
     <boot dev='hd'/>
   </os>
   <features>
-- 
2.51.0

[PATCH v2 09/10] DONOTMERGE remove SEV features from non-SEV descriptors

Reply via email to