On Fri, Jan 14, 2022 at 07:07:10PM +0000, Daniel P. Berrangé wrote:
> The firmware distros have given people for use with AMD SEV thus far has
> just been one of the regular OVMF builds. This is sufficient for booting
> a guest with SEV enabled, but is useless if you want to actually
> validate the guest measurement. The NVRAM store is untrustworthy since
> it is not included in the measurement. We need to supply a dedicated
> build of OVMF without NVRAM support enabled. While it is possible to
> use with pflash, we then get a problem with firmware selection as there
> is no easy way to make it prefer the firmware without NVRAM. Also the
> firmware descriptor treats the NVRAM template as a mandatory field
> today and libvirt enforces that.
>
> While we could invent a new feature flag 'sev-stateless' for the
> firmware descriptors, and/or make the NVRAM template path optional,
> it makes more sense if the firmware descriptor just reports the SEV
> firmware as type=memory instead of type=flash.
>
> If the libvirt XML parses the <loader type='rom'/> attribute when
> doing firmware auto-selection, we trivially enable a way for a mgmt
> app to indicate that it wants the SEV firmware without NVRAM
> support.
>
> This series does all the plumbing we need.
>
> The only minor issue is that QEMU support for -bios with SEV enabled
> firmware is broken:
>
> https://lists.gnu.org/archive/html/qemu-devel/2022-01/msg02957.html
Well turns out the concept is unfixably broken on the QEMU side
with SEV enabled UEFI firmware. So I'm going to ditch the first
docs patch.

I figure it is still possibly useful to be able to control
auto-firmware selection based on 'type', even if it doesn't
help my sev use case, so might as well keep that now
I've implemented it.
> Daniel P. Berrangé (5):
>   docs: explain that some UEFI images can use 'rom' instead of 'pflash'
>   conf: parse loader 'type' even when doing firmware auto select
>   qemu: filter firmware selection based on loader type
>   tests: add firmware descriptor for SEV dedicated build
>   tests: add a test for selecting a firmware without NVRAM
>
>  docs/formatdomain.rst                         | 24 +++++-
>  src/conf/domain_conf.c                        |  8 +-
>  src/qemu/qemu_firmware.c                      | 25 +++++++
>  .../usr/share/qemu/firmware/62-ovmf-sev.json  | 27 +++++++
>  tests/qemufirmwaretest.c                      |  4 +-
>  .../os-firmware-efi-sev.x86_64-6.0.0.args     | 43 +++++++++++
>  .../qemuxml2argvdata/os-firmware-efi-sev.xml  | 74 +++++++++++++++++++
>  tests/qemuxml2argvtest.c                      |  1 +
>  8 files changed, 197 insertions(+), 9 deletions(-)
>  create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/62-ovmf-sev.json
>  create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-sev.x86_64-6.0.0.args
>  create mode 100644 tests/qemuxml2argvdata/os-firmware-efi-sev.xml
>
> --
> 2.33.1
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
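As an added illustration, not libvirt's own code, here is a Python sketch of the selection rule the series describes: the domain's `<loader type=.../>` value is mapped onto the descriptor's mapping device (`rom` -> `memory`, `pflash` -> `flash`), and libvirt's rule that a flash descriptor must carry an NVRAM template is kept, so a stateless build can only be picked when the management app asks for `rom`. The descriptor contents and file paths are constructed samples in the layout of QEMU's firmware descriptor JSON.

```python
"""Added example (not libvirt's code): choose a firmware descriptor that
matches the requested loader type. Field names follow QEMU's firmware
descriptor JSON; the two descriptors below are constructed samples."""

# Constructed sample descriptors (paths are placeholders, not real files).
DESCRIPTORS = [
    {   # Regular OVMF build: pflash code image plus an NVRAM template.
        # The NVRAM contents are not part of the SEV launch measurement.
        "description": "OVMF with NVRAM (constructed)",
        "interface-types": ["uefi"],
        "mapping": {
            "device": "flash",
            "executable": {"filename": "/usr/share/OVMF/OVMF_CODE.fd", "format": "raw"},
            "nvram-template": {"filename": "/usr/share/OVMF/OVMF_VARS.fd", "format": "raw"},
        },
        "features": ["amd-sev"],
    },
    {   # Dedicated stateless build: loaded via memory, no NVRAM at all,
        # so everything the guest runs is covered by the measurement.
        "description": "OVMF stateless SEV (constructed)",
        "interface-types": ["uefi"],
        "mapping": {"device": "memory", "filename": "/usr/share/OVMF/OVMF.sev.fd"},
        "features": ["amd-sev"],
    },
]

# <loader type='...'/> attribute -> descriptor mapping device
LOADER_TO_DEVICE = {"pflash": "flash", "rom": "memory"}


def select_firmware(descriptors, loader_type, features=()):
    """Return the descriptors usable for this request, in descriptor order.

    A 'flash' descriptor lacking an nvram-template is rejected (libvirt
    treats the template as mandatory); a 'memory' descriptor has no NVRAM
    by construction. 'features' lists required feature strings, e.g. 'amd-sev'.
    """
    if loader_type not in LOADER_TO_DEVICE:
        raise ValueError(f"unsupported loader type: {loader_type!r}")
    want = LOADER_TO_DEVICE[loader_type]
    chosen = []
    for desc in descriptors:
        mapping = desc["mapping"]
        if mapping["device"] != want:
            continue
        if want == "flash" and not ("executable" in mapping and "nvram-template" in mapping):
            continue
        if not set(features) <= set(desc.get("features", [])):
            continue
        chosen.append(desc)
    return chosen
```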