
From: Jim Fehlig <jfehlig@suse.com>
SEV and SEV-ES guests should use q35 machine type and uefi. Adjust existing tests accordingly.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
 ...curity-sev-direct.x86_64-latest+amdsev.args | 4 +++-
 ...ecurity-sev-direct.x86_64-latest+amdsev.xml | 8 ++++++--
 ...unch-security-sev-direct.x86_64-latest.args | 4 +++-
 ...aunch-security-sev-direct.x86_64-latest.xml | 8 ++++++--
 .../launch-security-sev-direct.xml | 2 +-
 ...ing-platform-info.x86_64-latest+amdsev.args | 6 +++++-
 ...sing-platform-info.x86_64-latest+amdsev.xml | 18 +++++++++++++++---
 ...unch-security-sev-missing-platform-info.xml | 8 ++++++--
 ...unch-security-sev.x86_64-latest+amdsev.args | 6 +++++-
 ...aunch-security-sev.x86_64-latest+amdsev.xml | 18 +++++++++++++++---
 tests/qemuxmlconfdata/launch-security-sev.xml | 8 ++++++--
 11 files changed, 71 insertions(+), 19 deletions(-)
diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.args
index 909e88b0b9..56fa8e0b21 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.args
+++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.args
@@ -10,7 +10,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -name guest=QEMUGuest1,debug-threads=on \
 -S \
 -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \
--machine pc,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \
+-machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \
 -accel kvm \
 -cpu qemu64 \
 -m size=219136k \
@@ -31,6 +31,8 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -append runme \
 -shim /shim \
 -audiodev '{"id":"audio1","driver":"none"}' \
+-global ICH9-LPC.noreboot=off \
+-watchdog-action reset \
 -object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64","kernel-hashes":true}' \
 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
 -msg timestamp=on
diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml
index 01ca8fe012..39786d7a50 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml
+++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml
@@ -5,7 +5,7 @@
 <currentMemory unit='KiB'>219100</currentMemory>
 <vcpu placement='static'>1</vcpu>
 <os>
- <type arch='x86_64' machine='pc'>hvm</type>
+ <type arch='x86_64' machine='pc-q35-8.2'>hvm</type>
 <kernel>/vmlinuz</kernel>
 <initrd>/initrd</initrd>
 <cmdline>runme</cmdline>
@@ -22,10 +22,14 @@
 <devices>
 <emulator>/usr/bin/qemu-system-x86_64</emulator>
 <controller type='usb' index='0' model='none'/>
- <controller type='pci' index='0' model='pci-root'/>
+ <controller type='sata' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pcie-root'/>
 <input type='mouse' bus='ps2'/>
 <input type='keyboard' bus='ps2'/>
 <audio id='1' type='none'/>
+ <watchdog model='itco' action='reset'/>
 <memballoon model='none'/>
 </devices>
 <launchSecurity type='sev' kernelHashes='yes'>
diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args
index 909e88b0b9..56fa8e0b21 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args
@@ -10,7 +10,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -name guest=QEMUGuest1,debug-threads=on \
 -S \
 -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \
--machine pc,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \
+-machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \
 -accel kvm \
 -cpu qemu64 \
 -m size=219136k \
@@ -31,6 +31,8 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -append runme \
 -shim /shim \
 -audiodev '{"id":"audio1","driver":"none"}' \
+-global ICH9-LPC.noreboot=off \
+-watchdog-action reset \
 -object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64","kernel-hashes":true}' \
 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
 -msg timestamp=on
diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml
index 01ca8fe012..39786d7a50 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml
+++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml
@@ -5,7 +5,7 @@
 <currentMemory unit='KiB'>219100</currentMemory>
 <vcpu placement='static'>1</vcpu>
 <os>
- <type arch='x86_64' machine='pc'>hvm</type>
+ <type arch='x86_64' machine='pc-q35-8.2'>hvm</type>
 <kernel>/vmlinuz</kernel>
 <initrd>/initrd</initrd>
 <cmdline>runme</cmdline>
@@ -22,10 +22,14 @@
 <devices>
 <emulator>/usr/bin/qemu-system-x86_64</emulator>
 <controller type='usb' index='0' model='none'/>
- <controller type='pci' index='0' model='pci-root'/>
+ <controller type='sata' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pcie-root'/>
 <input type='mouse' bus='ps2'/>
 <input type='keyboard' bus='ps2'/>
 <audio id='1' type='none'/>
+ <watchdog model='itco' action='reset'/>
 <memballoon model='none'/>
 </devices>
 <launchSecurity type='sev' kernelHashes='yes'>
diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.xml
index 7b4908c7d4..d654e7ffc0 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-direct.xml
+++ b/tests/qemuxmlconfdata/launch-security-sev-direct.xml
@@ -4,7 +4,7 @@
 <memory unit='KiB'>219100</memory>
 <vcpu placement='static'>1</vcpu>
 <os>
- <type arch='x86_64' machine='pc'>hvm</type>
+ <type arch='x86_64' machine='pc-q35-8.2'>hvm</type>
 <kernel>/vmlinuz</kernel>
 <initrd>/initrd</initrd>
 <cmdline>runme</cmdline>
diff --git a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.args
index 0270316a67..6e076cec63 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.args
+++ b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.args
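Review bot: The direct-kernel-boot fixture tests/qemuxmlconfdata/launch-security-sev-direct.xml still has no UEFI firmware after this patch, although the commit message says SEV guests should use q35 and uefi; its hunk touches only the `machine=` attribute, and the regenerated .args for this test keep `acpi=off` and gain no `pflash0`. The fixture also sets `kernelHashes='yes'`, which as far as I know only takes effect when the guest boots a firmware that verifies the hashes, so the configuration under test is probably not one that would launch on real hardware. If that is not deliberate, give it the same `<os firmware='efi'>` and `<loader stateless='yes'/>` that launch-security-sev.xml receives in this patch, plus `<features><acpi/></features>`, and regenerate the expected output; otherwise state in the commit message why direct boot is left out. The `<os>` element continues past the end of the hunk.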
@@ -10,7 +10,9 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -name guest=QEMUGuest1,debug-threads=on \
 -S \
 -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \
--machine pc,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \
+-blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \
+-machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on \
 -accel kvm \
 -cpu qemu64 \
 -m size=219136k \
@@ -27,6 +29,8 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -no-shutdown \
 -boot strict=on \
 -audiodev '{"id":"audio1","driver":"none"}' \
+-global ICH9-LPC.noreboot=off \
+-watchdog-action reset \
 -object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":51,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64"}' \
 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
 -msg timestamp=on
diff --git a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.xml
index 6e7119c34e..d0f8ed031d 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.xml
+++ b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.xml
@@ -4,10 +4,18 @@
 <memory unit='KiB'>219100</memory>
 <currentMemory unit='KiB'>219100</currentMemory>
 <vcpu placement='static'>1</vcpu>
- <os>
- <type arch='x86_64' machine='pc'>hvm</type>
+ <os firmware='efi'>
+ <type arch='x86_64' machine='pc-q35-8.2'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
+ <loader readonly='yes' type='pflash' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader>
 <boot dev='hd'/>
 </os>
+ <features>
+ <acpi/>
+ </features>
 <cpu mode='custom' match='exact' check='none'>
 <model fallback='forbid'>qemu64</model>
 </cpu>
@@ -18,10 +26,14 @@
 <devices>
 <emulator>/usr/bin/qemu-system-x86_64</emulator>
 <controller type='usb' index='0' model='none'/>
- <controller type='pci' index='0' model='pci-root'/>
+ <controller type='sata' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pcie-root'/>
 <input type='mouse' bus='ps2'/>
 <input type='keyboard' bus='ps2'/>
 <audio id='1' type='none'/>
+ <watchdog model='itco' action='reset'/>
 <memballoon model='none'/>
 </devices>
 <launchSecurity type='sev'>
diff --git a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml
index cef48ec3c7..513d704f93 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml
+++ b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml
@@ -3,9 +3,13 @@
 <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
 <memory unit='KiB'>219100</memory>
 <vcpu placement='static'>1</vcpu>
- <os>
- <type arch='x86_64' machine='pc'>hvm</type>
+ <os firmware='efi'>
+ <type arch='x86_64' machine='pc-q35-8.2'>hvm</type>
+ <loader stateless='yes'/>
 </os>
+ <features>
+ <acpi/>
+ </features>
 <devices>
 <emulator>/usr/bin/qemu-system-x86_64</emulator>
 <controller type='usb' model='none'/>
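Review bot: Neither launch-security-sev-missing-platform-info.xml nor launch-security-sev.xml (the same change, at the end of the patch) appears to exercise SEV-ES, although the commit message names it. The expected .args for both still carry `"policy":1`, and in the SEV guest policy encoding the ES bit is 0x04, so these look like plain SEV guests. The `<launchSecurity>` element is outside both hunks, so this is inferred from the generated output rather than read from the input XML. Consider a sibling fixture on the same q35 + `firmware='efi'` base whose policy has the ES bit set, for example `<policy>0x0005</policy>` (a constructed value), or narrow the commit message to SEV.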
diff --git a/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.args
index 452648e252..b62961f974 100644
--- a/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.args
+++ b/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.args
@@ -10,7 +10,9 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -name guest=QEMUGuest1,debug-threads=on \
 -S \
 -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \
--machine pc,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \
+-blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \
+-machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on \
 -accel kvm \
 -cpu qemu64 \
 -m size=219136k \
@@ -27,6 +29,8 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -no-shutdown \
 -boot strict=on \
 -audiodev '{"id":"audio1","driver":"none"}' \
+-global ICH9-LPC.noreboot=off \
+-watchdog-action reset \
 -object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64"}' \
 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
 -msg timestamp=on
diff --git a/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.xml
index eca1c1de75..b7ec804058 100644
--- a/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.xml
+++ b/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.xml
@@ -4,10 +4,18 @@
 <memory unit='KiB'>219100</memory>
 <currentMemory unit='KiB'>219100</currentMemory>
 <vcpu placement='static'>1</vcpu>
- <os>
- <type arch='x86_64' machine='pc'>hvm</type>
+ <os firmware='efi'>
+ <type arch='x86_64' machine='pc-q35-8.2'>hvm</type>
+ <firmware>
+ <feature enabled='no' name='enrolled-keys'/>
+ <feature enabled='no' name='secure-boot'/>
+ </firmware>
+ <loader readonly='yes' type='pflash' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader>
 <boot dev='hd'/>
 </os>
+ <features>
+ <acpi/>
+ </features>
 <cpu mode='custom' match='exact' check='none'>
 <model fallback='forbid'>qemu64</model>
 </cpu>
@@ -18,10 +26,14 @@
 <devices>
 <emulator>/usr/bin/qemu-system-x86_64</emulator>
 <controller type='usb' index='0' model='none'/>
- <controller type='pci' index='0' model='pci-root'/>
+ <controller type='sata' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pcie-root'/>
 <input type='mouse' bus='ps2'/>
 <input type='keyboard' bus='ps2'/>
 <audio id='1' type='none'/>
+ <watchdog model='itco' action='reset'/>
 <memballoon model='none'/>
 </devices>
 <launchSecurity type='sev'>
diff --git a/tests/qemuxmlconfdata/launch-security-sev.xml b/tests/qemuxmlconfdata/launch-security-sev.xml
index 3c4cbe4344..39859fd126 100644
--- a/tests/qemuxmlconfdata/launch-security-sev.xml
+++ b/tests/qemuxmlconfdata/launch-security-sev.xml
@@ -3,9 +3,13 @@
 <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
 <memory unit='KiB'>219100</memory>
 <vcpu placement='static'>1</vcpu>
- <os>
- <type arch='x86_64' machine='pc'>hvm</type>
+ <os firmware='efi'>
+ <type arch='x86_64' machine='pc-q35-8.2'>hvm</type>
+ <loader stateless='yes'/>
 </os>
+ <features>
+ <acpi/>
+ </features>
 <devices>
 <emulator>/usr/bin/qemu-system-x86_64</emulator>
 <controller type='usb' model='none'/>
-- 
2.51.0
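Review bot: Nothing in launch-security-sev.xml records why `<loader stateless='yes'/>` is there, yet it appears to be the line that keeps a writable NVRAM store out of the guest: the expected .args gain only a read-only `pflash0`. A short comment above it would stop a later cleanup from dropping the attribute, for example `<!-- stateless: no NVRAM varstore, which would sit outside the SEV launch measurement -->`. The rationale is my reading of the generated output, so confirm it with the author before adding the comment. The same line is added in launch-security-sev-missing-platform-info.xml.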