Cc: Paolo Bonzini <pbonz...@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <ler...@redhat.com>
---

Notes:
    v4:
    - update to current test results
    
    v3:
    - this documentation is not accurate any longer, but since Paolo and
      I are getting different test results, I'm not bothering updating
      this until our results converge
    
    v2:
    - documented "-nx" VCPU feature flag
      <http://thread.gmane.org/gmane.comp.bios.edk2.devel/952/focus=978>

 OvmfPkg/README | 53 ++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/OvmfPkg/README b/OvmfPkg/README
index 147e6e0..575dfe8 100644
--- a/OvmfPkg/README
+++ b/OvmfPkg/README
@@ -118,6 +118,59 @@ $ OvmfPkg/build.sh -a X64 qemu -cdrom 
/path/to/disk-image.iso
 To build a 32-bit OVMF without debug messages using GCC 4.5:
 $ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC45
 
+=== SMM support ===
+
+OVMF is capable of utilizing SMM if the underlying QEMU or KVM hypervisor
+emulates SMM. SMM is put to use in the S3 suspend and resume infrastructure,
+and in the UEFI variable driver stack. The purpose is (virtual) hardware
+separation between the runtime guest OS and the firmware (OVMF), with the
+intent to make Secure Boot actually secure, by preventing the runtime guest OS
+from tampering with the variable store and S3 areas.
+
+For SMM support, OVMF must be built with the "-D SMM_REQUIRE" option. The
+resultant firmware binary will check if QEMU actually provides SMM emulation;
+if it doesn't, then OVMF will log an error and trigger an assertion failure
+during boot (even in RELEASE builds). Both the naming of the flag (SMM_REQUIRE,
+instead of SMM_ENABLE), and this behavior are consistent with the goal
+described above: this is supposed to be a security feature, and fallbacks are
+not allowed. Similarly, a pflash-backed variable store is a requirement.
+
+QEMU should be started with the options listed below (in addition to any other
+guest-specific flags). The command line should be gradually composed from the
+hints below. The minimum required QEMU release (and Q35 machine type) is 2.5.
+
+* QEMU binary and options specific to 32-bit guests:
+
+  qemu-system-i386 -cpu coreduo,-nx \
+
+  or
+
+  qemu-system-x86_64 -cpu <MODEL>,-lm,-nx \
+
+* QEMU binary for running 64-bit guests (no particular options):
+
+  qemu-system-x86_64 \
+
+* Flags common to all SMM scenarios (only the Q35 machine type is supported):
+
+  -machine q35,smm=on,accel=(tcg|kvm) \
+  -m ... \
+  -smp ... \
+  -global driver=cfi.pflash01,property=secure,value=on \
+  -drive if=pflash,format=raw,unit=0,file=OVMF_CODE.fd,readonly=on \
+  -drive if=pflash,format=raw,unit=1,file=copy_of_OVMF_VARS.fd \
+
+* In order to enable S3, add:
+
+  -global ICH9-LPC.disable_s3=0 \
+
+For KVM acceleration, a v4.4 or later Linux kernel is required on the host.
+
+Dependent on the development status of the
+"UefiCpuPkg/Universal/Acpi/S3Resume2Pei" module, S3 resume may not work in
+OvmfPkg/OvmfPkgX64.dsc builds. In such cases, OvmfPkg/OvmfPkgIa32X64.dsc is
+recommended for running X64 guests.
+
 === Network Support ===
 
 OVMF provides a UEFI network stack by default. Its lowest level driver is the
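Review bot: the flag list gives `-global driver=cfi.pflash01,property=secure,value=on` without saying what it enforces, even though the paragraph above makes a pflash-backed variable store a hard requirement and explains the goal as keeping the runtime guest OS away from the variable store; a one-line note on what the `secure` property restricts would let a reader see why this flag is mandatory rather than an optional hardening, and would also tell them what to check if the variable store turns out writable from the guest. In the same spirit, the `-nx` (and `-lm`) feature flags in the 32-bit `-cpu` lines are shown without a reason; the rationale lives only in the thread linked from the v2 notes, which does not reach the README, so a short clause such as "(required for 32-bit SMM; see ...)" next to those lines would save the next person from dropping the flag.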
-- 
1.8.3.1
