
On Tue, Aug 19, 2025 at 04:09:28PM -0600, Jim Fehlig via Devel wrote:
On 8/13/25 09:01, Andrea Bolognani wrote:
Stressing again the fact that I know very little about SEV and its variants, my impression is that generally speaking stateless firmware is preferred for the use case; however in Fedora the descriptors for "regular" edk2 builds with no Secure Boot[2] advertise support for the "amd-sev" and "amd-sev-es" firmware features, and since they sort before the SEV-specific builds[3] libvirt will pick them up unless you specifically ask for the firmware to be stateless.
Not sure if the best way to get out of this situation is to shuffle the descriptors around, drop the SEV-specific features from other descriptors, or tweak the libvirt algorithm so that it will prefer stateless firmware for SEV unless told otherwise.
My WIP series drops the SEV features from the incompatible descriptors.
That feels premature. I'm okay with going in that direction, but it's not a change that we should make to the libvirt test suite before reaching an agreement and having the change applied to the edk2 package. The libvirt test suite is intended to match the real life behavior as closely as possible.
I will be off the remainder of the week, but can tidy the series and post a V1 next week if there's interest.
AFAICT you've made no code change other than squashing in the fixup that I had provided shortly after posting v1. Did I miss something?
Your patch updating the SEV(-ES) tests to use q35 and UEFI looks reasonable from a quick look. I'll take a closer one and report back.
Overall it doesn't IMO make sense for you to post a series off that branch. I can pick up your test suite changes, squash in my fix and post v2 next week.
But before we can consider pushing any of this, we need to solve the SEV(-ES) issue you've mentioned elsewhere in the thread and reach an overall agreement on what the descriptors for firmware targeting all SEV variants should look like going forward.
-- Andrea Bolognani / Red Hat / Virtualization