
On Tue, Aug 12, 2025 at 05:26:19PM -0600, Jim Fehlig wrote:
On 7/31/25 09:45, Andrea Bolognani via Devel wrote:
This test case demonstrates how firmware autoselection doesn't currently work correctly for domains using SEV-SNP: the descriptor for a suitable firmware exists, and yet it doesn't get picked up.
On my test system, autoselection for SEV-SNP guests does work after making the firmware descriptor changes suggested by Gerd
https://src.fedoraproject.org/fork/kraxel/rpms/edk2/c/5146a0c3e9bf821d045e0c...
It fails for SEV and SEV-ES guests. As a first step, I tried "importing" the descriptor changes to tests/qemufirmwaredata/, but as always I'm fighting with fixing up the tests :-/.
Patch importing the changes attached.

Can you be more specific about the issue you're experiencing for SEV(-ES) guests? Based on the patch, the behavior doesn't seem to change at all there. Are you able to successfully start those guests when you use unmodified libvirt and edk2?

Then again, the existing SEV tests look... Questionable. They all use the i440fx machine type and default (BIOS) firmware, whereas according to the documentation[1] you really want q35 and UEFI. So at best our test coverage is lacking.

Stressing again the fact that I know very little about SEV and its variants, my impression is that generally speaking stateless firmware is preferred for the use case; however in Fedora the descriptors for "regular" edk2 builds with no Secure Boot[2] advertise support for the "amd-sev" and "amd-sev-es" firmware features, and since they sort before the SEV-specific builds[3] libvirt will pick them up unless you specifically ask for the firmware to be stateless.

Not sure if the best way to get out of this situation is to shuffle the descriptors around, drop the SEV-specific features from other descriptors, or tweak the libvirt algorithm so that it will prefer stateless firmware for SEV unless told otherwise. Very much interested in hearing everyone's thoughts on the topic.

[1] https://libvirt.org/kbase/launch_security_sev.html
[2] /usr/share/qemu/firmware/5*-edk2-ovmf-*-x64-nosb.json
[3] /usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev*.json

-- 
Andrea Bolognani / Red Hat / Virtualization
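
An added illustration, not part of the thread and not libvirt's code: a simplified Python model of the ordering issue described in the message above, in which the first descriptor in filename order that advertises the requested feature wins. The descriptor names and contents are constructed stand-ins for the files in footnotes [2] and [3], and `prefer_stateless` and `without_sev_features` are hypothetical helpers modelling two of the options raised.

```python
# Simplified model of firmware autoselection ordering; NOT libvirt's algorithm.
# Descriptor names and contents are constructed. Only the field names
# ("features", "mapping", "mode") follow QEMU's firmware descriptor format.
DESCRIPTORS = {
    # constructed stand-in for 5*-edk2-ovmf-*-x64-nosb.json (stateful build)
    "50-edk2-ovmf-x64-nosb.json": {
        "mapping": {"device": "flash", "mode": "split"},
        "features": ["amd-sev", "amd-sev-es", "verbose-dynamic"],
    },
    # constructed stand-in for 60-edk2-ovmf-x64-amdsev*.json (SEV build)
    "60-edk2-ovmf-x64-amdsev.json": {
        "mapping": {"device": "flash", "mode": "stateless"},
        "features": ["amd-sev", "amd-sev-es", "amd-sev-snp"],
    },
}


def is_stateless(desc):
    return desc["mapping"].get("mode") == "stateless"


def select(descriptors, feature, stateless=None, prefer_stateless=False):
    """Return the first descriptor, in filename order, advertising `feature`.

    stateless=True/False is a hard requirement from the domain config;
    prefer_stateless only reorders candidates (hypothetical algorithm tweak).
    """
    matches = [
        name for name in sorted(descriptors)
        if feature in descriptors[name]["features"]
        and (stateless is None or is_stateless(descriptors[name]) == stateless)
    ]
    if prefer_stateless:
        # Stable sort: stateless first, filename order kept within each group.
        matches.sort(key=lambda n: not is_stateless(descriptors[n]))
    return matches[0] if matches else None


def without_sev_features(descriptors, name):
    """Copy of the set with the amd-sev* features dropped from one descriptor."""
    out = {k: dict(v) for k, v in descriptors.items()}
    out[name]["features"] = [
        f for f in out[name]["features"] if not f.startswith("amd-sev")
    ]
    return out


if __name__ == "__main__":
    print("default:         ", select(DESCRIPTORS, "amd-sev"))
    print("stateless asked: ", select(DESCRIPTORS, "amd-sev", stateless=True))
    print("prefer stateless:", select(DESCRIPTORS, "amd-sev", prefer_stateless=True))
```
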