
On Tue, Aug 05, 2025 at 08:08:14AM +0100, Daniel P. Berrangé wrote:
> On Mon, Aug 04, 2025 at 02:15:01PM -0600, Jim Fehlig wrote:
> > On 8/4/25 05:31, Andrea Bolognani wrote:
> > > On Fri, Aug 01, 2025 at 11:39:45AM -0600, Jim Fehlig via Devel wrote:
> > > > With this addition, the correct firmware is detected, but it's not properly provided to qemu
> > > >
> > > > internal error: QEMU unexpectedly closed the monitor (vm='sles15sp7-snp'): 2025-08-01T17:11:20.589614Z qemu-system-x86_64: pflash with kvm requires KVM readonly memory support
> > > >
> > > > The pertinent command line pieces being
> > > >
> > > > -blockdev '{"driver":"file","filename":"/usr/share/qemu/ovmf-x86_64-sev.bin","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard": "unmap"}' -blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}'
> > > >
> > > > But for SNP, it needs to be provided as bios, e.g.
> > > >
> > > > -bios /usr/share/qemu/ovmf-x86_64-sev.bin
> > > >
> > > > Are we correctly identifying this firmware in the descriptor file? It's advertised as a "flash" device, although I'm not sure if any of the other "FirmwareDevice" options [1] are appropriate. Perhaps the "FirmwareOSInterface" should be 'bios'?
> > >
> > > Adding Michal and Daniel to the conversation so that they can provide some insights. I have zero experience with SEV and no easy access to the relevant hardware.
> >
> > I don't follow qemu development close enough to know if pflash is now supported with SNP guests. AFAIK, only '-bios' was supported when the initial SNP enablement was merged.
>
> TDX/SNP are strictly -bios only and will remain that way.

Got it. The TDX descriptor is using device=memory already so it should work correctly today. Do you have any objections to the idea of separate descriptors for SEV(-ES) (device=flash) and SEV-SNP (device=memory) pointing to the same file? If not, I'll get the edk2 maintainer involved and make it happen.

-- 
Andrea Bolognani / Red Hat / Virtualization
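The mismatch discussed in this thread can be caught with a small descriptor lint. The following is an added example, not code from the thread, libvirt or edk2: the descriptors are constructed and trimmed to the fields the check reads, and the helper names are hypothetical.

```python
import json

# Feature names from QEMU's firmware descriptor schema; per the thread, these
# guest types only take firmware via -bios.
BIOS_ONLY_FEATURES = {"amd-sev-snp", "intel-tdx"}
FW = "/usr/share/qemu/ovmf-x86_64-sev.bin"  # path quoted in the thread


def _descriptor(mapping, features):
    """Build a constructed descriptor, trimmed to the fields checked here."""
    return json.dumps({"interface-types": ["uefi"], "mapping": mapping,
                       "features": features})


FLASH = {"device": "flash", "mode": "stateless",
         "executable": {"filename": FW, "format": "raw"}}
MEMORY = {"device": "memory", "filename": FW}

# One descriptor covering every SEV flavour, versus the split proposed above.
COMBINED = _descriptor(FLASH, ["amd-sev", "amd-sev-es", "amd-sev-snp"])
SPLIT_SEV = _descriptor(FLASH, ["amd-sev", "amd-sev-es"])
SPLIT_SNP = _descriptor(MEMORY, ["amd-sev-snp"])


def load_mode(desc):
    """Return (how the image reaches QEMU, image path) for a parsed descriptor."""
    mapping = desc["mapping"]
    if mapping["device"] == "flash":
        return "pflash", mapping["executable"]["filename"]
    if mapping["device"] == "memory":
        return "-bios", mapping["filename"]
    raise ValueError(f"device {mapping['device']!r} is not handled by this check")


def lint(text):
    """Return features the descriptor advertises but its mapping cannot serve."""
    desc = json.loads(text)
    mode, _ = load_mode(desc)
    if mode == "-bios":
        return []
    return sorted(BIOS_ONLY_FEATURES & set(desc.get("features", [])))


if __name__ == "__main__":
    for name, text in [("combined", COMBINED), ("split-sev", SPLIT_SEV),
                       ("split-snp", SPLIT_SNP)]:
        mode, path = load_mode(json.loads(text))
        print(f"{name}: {mode} {path} conflicts={lint(text) or 'none'}")
```

Both split descriptors point at the same image; only the `mapping.device` value and the advertised features differ.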