Hello all, any comment on this one? It seems it would make sense to disable option ROMs for SEV by default in QEMU. Any feedback, anyone?
Thanks,

Claudio

On 5/11/22 13:30, Vasily Ulyanov wrote:
> Hello QEMU devs,
>
> Currently, to launch an SEV guest there are certain requirements for the VM
> configuration. One such is that the ROM option needs to be disabled for virtio-net
> devices [1]. Tools like virt-install or libvirt rely on the QEMU defaults if
> the ROM value is not provided (the default for virtio-net is set to
> romfile=efi-virtio.rom). Eventually this leads to an unbootable guest and a poor
> user experience, as it is now mandatory to explicitly disable the ROM option.
>
> There is a similar situation with iommu_platform, though that seems to be
> addressed already in [2] and QEMU adjusts the defaults depending on whether it
> is a confidential guest or not.
>
> Wouldn't it make sense to also handle the romfile like that in QEMU? I.e. in the
> case when an SEV guest is run and no romfile is explicitly specified, set it to
> an empty value? This will also be useful when running an SEV VM directly with
> QEMU.
>
> Are there any objections or concerns? I could work on the patches but wanted to
> ping the community first and get some feedback. Would QEMU be the proper place
> to handle that? Any thoughts?
>
> [1] https://libvirt.org/kbase/launch_security_sev.html#virtio-net
> [2] https://gitlab.com/qemu-project/qemu/-/commit/9f88a7a3df
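To make the proposed default concrete, here is an added example (editor's illustration, not QEMU code and not part of the thread) that applies the rule from the wrapper side, the way a launcher script or a tool such as virt-install could today: if the command line sets up an SEV guest (an `-object sev-guest,...` or a `-machine` with `confidential-guest-support=`/`memory-encryption=`) and a `virtio-net-pci` device carries no explicit `romfile=`, append `romfile=` so no option ROM is loaded; an explicitly given `romfile` is left alone. The sample argv is constructed for the example; the `-object sev-guest` parameters are illustrative. The libvirt equivalent of `romfile=` is `<rom enabled='no'/>` on the interface, as described in [1].

```python
"""Wrapper-side version of "no option ROM for virtio-net on SEV guests".

This is an illustration of the defaulting rule discussed on the list, applied
to a QEMU argv before exec; it is not QEMU's own implementation.
"""
import shlex

# Machine properties that mark the guest as confidential (newer and older
# spellings used by QEMU's SEV launch documentation).
_CONFIDENTIAL_MACHINE_KEYS = ("confidential-guest-support=", "memory-encryption=")


def is_confidential_guest(argv):
    """True if argv configures an SEV guest via -object sev-guest or -machine."""
    for i in range(len(argv) - 1):
        opt, val = argv[i], argv[i + 1]
        if opt == "-object" and val.split(",", 1)[0] == "sev-guest":
            return True
        if opt == "-machine" and any(
            p.startswith(_CONFIDENTIAL_MACHINE_KEYS) for p in val.split(",")
        ):
            return True
    return False


def _has_prop(devspec, key):
    """True if the -device spec (type,k=v,...) sets property `key` explicitly."""
    return any(p.startswith(key + "=") for p in devspec.split(",")[1:])


def apply_sev_defaults(argv):
    """Return a copy of argv with romfile= added to every virtio-net-pci device
    of an SEV guest that does not already set romfile. Non-SEV guests and
    devices with an explicit romfile are returned unchanged."""
    out = list(argv)
    if not is_confidential_guest(out):
        return out
    for i in range(len(out) - 1):
        if out[i] != "-device":
            continue
        spec = out[i + 1]
        if spec.split(",", 1)[0] != "virtio-net-pci":
            continue
        if not _has_prop(spec, "romfile"):
            out[i + 1] = spec + ",romfile="  # empty value: no option ROM
    return out


# Constructed sample command line (not taken from the thread).
SAMPLE_SEV_ARGV = [
    "qemu-system-x86_64",
    "-machine", "q35,confidential-guest-support=sev0",
    "-object", "sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1",
    "-netdev", "user,id=net0",
    "-device", "virtio-net-pci,netdev=net0,disable-legacy=on,iommu_platform=on",
]

if __name__ == "__main__":
    print(shlex.join(apply_sev_defaults(SAMPLE_SEV_ARGV)))
```

Running it on the constructed command line prints the same argv with `,romfile=` appended to the virtio-net-pci device; drop the `-object sev-guest` and `confidential-guest-support=` pieces and the argv is returned untouched, which is the behaviour the thread asks QEMU itself to adopt.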