On 2015-11-03 13:01:17, Laszlo Ersek wrote: > Cc: Paolo Bonzini <pbonz...@redhat.com> > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Laszlo Ersek <ler...@redhat.com> > --- > > Notes: > v4: > - update to current test results > > v3: > - this documentation is not accurate any longer, but since Paolo and > myself are getting different test results, I'm not bothering updating > this until our results converge > > v2: > - documented "-nx" VCPU feature flag > <http://thread.gmane.org/gmane.comp.bios.edk2.devel/952/focus=978> > > OvmfPkg/README | 53 ++++++++++++++++++++ > 1 file changed, 53 insertions(+) > > diff --git a/OvmfPkg/README b/OvmfPkg/README > index 147e6e0..575dfe8 100644 > --- a/OvmfPkg/README > +++ b/OvmfPkg/README 
> @@ -118,6 +118,59 @@ $ OvmfPkg/build.sh -a X64 qemu -cdrom > /path/to/disk-image.iso > To build a 32-bit OVMF without debug messages using GCC 4.5: > $ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC45 > > +=== SMM support === > + > +OVMF is capable of utilizing SMM if the underlying QEMU or KVM hypervisor > +emulates SMM. SMM is put to use in the S3 suspend and resume infrastructure, > +and in the UEFI variable driver stack. The purpose is (virtual) hardware > +separation between the runtime guest OS and the firmware (OVMF), with the > +intent to make Secure Boot actually secure, by preventing the runtime guest > OS > +from tampering with the variable store and S3 areas. > + > +For SMM support, OVMF must be built with the "-D SMM_REQUIRE" option. The > +resultant firmware binary will check if QEMU actually provides SMM emulation; > +if it doesn't, then OVMF will log an error and trigger an assertion failure > +during boot (even in RELEASE builds). Both the naming of the flag > (SMM_REQUIRE, > +instead of SMM_ENABLE), and this behavior are consistent with the goal > +described above: this is supposed to be a security feature, and fallbacks are > +not allowed. Similarly, a pflash-backed variable store is a requirement. > + > +QEMU should be started with the options listed below (in addition to any > other > +guest-specific flags). The command line should be gradually composed from the > +hints below. The minimum required QEMU release (and Q35 machine type) is 2.5. > + > +* QEMU binary and options specific to 32-bit guests: > +
Should we add this? '\' is used to extend the command line to multiple lines, and '^' can be used on Windows. > + qemu-system-i386 -cpu coreduo,-nx \ Sometimes we put '$' before a command prompt. I know there is no standard prompt, but that is the one that I usually use in examples. > + > + or > + > + qemu-system-x86_64 -cpu <MODEL>,-lm,-nx \ > + > +* QEMU binary for running 64-bit guests (no particular options): > + > + qemu-system-x86_64 \ > + > +* Flags common to all SMM scenarios (only the Q35 machine type is supported): > + > + -machine q35,smm=on,accel=(tcg|kvm) \ > + -m ... \ > + -smp ... \ > + -global driver=cfi.pflash01,property=secure,value=on \ > + -drive if=pflash,format=raw,unit=0,file=OVMF_CODE.fd,readonly=on \ > + -drive if=pflash,format=raw,unit=1,file=copy_of_OVMF_VARS.fd \ > + > +* In order to enable S3, add: > + > + -global ICH9-LPC.disable_s3=0 \ > + > +For KVM acceleration, a v4.4 or later Linux kernel is required on the host. I think maybe we should put the Linux + QEMU requirements at the top of the SMM section. Something like: SMM support requires QEMU 2.5. SMM with KVM requires Linux 4.4 (host). > + > +Dependent on the development status of the > +"UefiCpuPkg/Universal/Acpi/S3Resume2Pei" module, S3 resume may not work in > +OvmfPkg/OvmfPkgX64.dsc builds. In such cases, OvmfPkg/OvmfPkgIa32X64.dsc is > +recommended for running X64 guests. Is this paragraph needed? I don't think we should have to say that UefiCpuPkg/S3Resume2Pei might be broken. Is it still broken? Reviewed-by: Jordan Justen <jordan.l.jus...@intel.com> > + > === Network Support === > > OVMF provides a UEFI network stack by default. Its lowest level driver is the > -- > 1.8.3.1 > > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel
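Review bot: In the "Flags common to all SMM scenarios" list, the line "-global driver=cfi.pflash01,property=secure,value=on" is given with no statement of what it does or what happens when it is left out. The paragraph above it says OVMF asserts at boot if QEMU lacks SMM emulation and that fallbacks are not allowed, but it does not say whether a missing secure pflash property is caught the same way. Since the stated goal is to keep the runtime guest OS from tampering with the variable store, please add a sentence giving the purpose of this flag and saying whether its omission is detected or silently accepted. The 32-bit entries ("-cpu coreduo,-nx" and "-cpu <MODEL>,-lm,-nx") also turn off NX without any reason in the README text itself; the v2 changelog note mentions the flag, but that note does not end up in the file, so a one-line rationale belongs next to the option. Finally, "accel=(tcg|kvm)" is alternation notation rather than a literal value; say so, because these lines are written to be pasted into a command line.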