[PATCH v2 00/10] qemu: Fixes to firmware selection

Changes from [v1]:

  * pick up Jim's test suite improvements;
  * squash in fixes for issues found during review;
  * add a few commits intended to spark further discussion around
    what the firmware descriptors should look like in the edk2
    package.

[v1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/RKQ3A...

Andrea Bolognani (9):
  tests: Tweak descriptor for combined firmware
  tests: Minimize SEV tests
  tests: Add tests for SEV firmware selection
  qemu: Fix matching for stateless/combined firmware
  qemu: Fix matching for read/write firmware
  news: Update for firmware selection fixes
  DONOTMERGE update firmware data
  DONOTMERGE remove SEV features from non-SEV descriptors
  DONOTMERGE don't explicitly request stateless firmware for SEV

Jim Fehlig (1):
  tests: Improve AMD SEV-related tests

 NEWS.rst | 5 ++
 src/qemu/qemu_firmware.c | 47 ++++++++++++++-----
 .../firmware/60-edk2-ovmf-x64-amdsev.json | 1 -
 .../50-edk2-ovmf-4m-qcow2-x64-nosb.json | 2 -
 .../51-edk2-ovmf-2m-raw-x64-nosb.json | 2 -
 .../firmware/60-edk2-ovmf-x64-amdsev.json | 3 +-
 .../firmware/60-edk2-ovmf-x64-amdsevsnp.json} | 14 +++---
 .../usr/share/qemu/firmware/90-combined.json | 5 +-
 tests/qemufirmwaretest.c | 4 +-
 ...ware-auto-efi-rw-pflash.x86_64-latest.args | 36 ++++++++++++++
 ...mware-auto-efi-rw-pflash.x86_64-latest.err | 1 -
 ...mware-auto-efi-rw-pflash.x86_64-latest.xml | 6 ++-
 .../firmware-auto-efi-rw.x86_64-latest.args | 36 ++++++++++++++
 .../firmware-auto-efi-rw.x86_64-latest.err | 1 -
 .../firmware-auto-efi-rw.x86_64-latest.xml | 6 ++-
 ...auto-efi-sev-snp.x86_64-latest+amdsev.args | 35 ++++++++++++++
 ...auto-efi-sev-snp.x86_64-latest+amdsev.xml} | 9 +++-
 .../firmware-auto-efi-sev-snp.xml | 20 ++++++++
 ...are-auto-efi-sev.x86_64-latest+amdsev.args | 36 ++++++++++++++
 ...are-auto-efi-sev.x86_64-latest+amdsev.xml} | 9 +++-
 .../qemuxmlconfdata/firmware-auto-efi-sev.xml | 20 ++++++++
 ...urity-sev-direct.x86_64-latest+amdsev.args | 7 ++-
 ...curity-sev-direct.x86_64-latest+amdsev.xml | 19 +++-----
 ...nch-security-sev-direct.x86_64-latest.args | 7 ++-
 ...unch-security-sev-direct.x86_64-latest.xml | 19 +++-----
 .../launch-security-sev-direct.xml | 19 +-------
 ...ng-platform-info.x86_64-latest+amdsev.args | 9 ++--
 ...ing-platform-info.x86_64-latest+amdsev.xml | 29 ++++++------
 ...nch-security-sev-missing-platform-info.xml | 25 +++-------
 ...security-sev-snp.x86_64-latest+amdsev.args | 11 +----
 ...-security-sev-snp.x86_64-latest+amdsev.xml | 29 +-----------
 ...launch-security-sev-snp.x86_64-latest.args | 11 +----
 .../launch-security-sev-snp.x86_64-latest.xml | 29 +-----------
 .../launch-security-sev-snp.xml | 45 +-----------------
 ...nch-security-sev.x86_64-latest+amdsev.args | 9 ++--
 ...unch-security-sev.x86_64-latest+amdsev.xml | 29 ++++++------
 tests/qemuxmlconfdata/launch-security-sev.xml | 25 +++-------
 tests/qemuxmlconftest.c | 11 ++++-
 38 files changed, 352 insertions(+), 279 deletions(-)
 copy tests/qemufirmwaredata/{out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json => usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json} (57%)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.args
 delete mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.args
 delete mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.err
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args
 copy tests/qemuxmlconfdata/{firmware-auto-efi-rw-pflash.x86_64-latest.xml => firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml} (78%)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.xml
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args
 copy tests/qemuxmlconfdata/{firmware-auto-efi-rw-pflash.x86_64-latest.xml => firmware-auto-efi-sev.x86_64-latest+amdsev.xml} (77%)
 create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev.xml

-- 
2.51.0

This kind of firmware build is not shipped in Fedora, where most descriptors in our test suite come from, so we had to make it up. It was based off the Secure Boot-enabled edk2 build, and the filename it points to is the same. That has been fine so far since it's not actually being picked up by any of the test cases, but that's going to change soon and when it does we want to be able to avoid any confusion. Signed-off-by: Andrea Bolognani <abologna@redhat.com> --- .../qemufirmwaredata/usr/share/qemu/firmware/90-combined.json | 4 ++-- tests/qemufirmwaretest.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json b/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json index 2c8381adf7..8ecac440b4 100644 --- a/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json +++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json @@ -1,5 +1,5 @@ { - "description": "OVMF with SB+SMM, SB enabled, MS certs enrolled", + "description": "OVMF with SB+SMM, SB enabled, MS certs enrolled (combined)", "interface-types": [ "uefi" ], @@ -7,7 +7,7 @@ "device": "flash", "mode": "combined", "executable": { - "filename": "/usr/share/edk2/ovmf/OVMF.secboot.fd", + "filename": "/usr/share/edk2/ovmf/OVMF.combined.fd", "format": "raw" } }, diff --git a/tests/qemufirmwaretest.c b/tests/qemufirmwaretest.c index f16ea526ff..a4fb5c9b9c 100644 --- a/tests/qemufirmwaretest.c +++ b/tests/qemufirmwaretest.c 
@@ -317,7 +317,7 @@ mymain(void) "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd:/usr/share/edk2/ovmf/OVMF_VARS.fd:" "/usr/share/edk2/ovmf/OVMF_CODE_4M.qcow2:/usr/share/edk2/ovmf/OVMF_VARS_4M.qcow2:" "/usr/share/edk2/ovmf/OVMF_CODE.fd:/usr/share/edk2/ovmf/OVMF_VARS.fd:" - "/usr/share/edk2/ovmf/OVMF.secboot.fd:NULL:" + "/usr/share/edk2/ovmf/OVMF.combined.fd:NULL:" "/usr/share/edk2/ovmf/OVMF.amdsev.fd:NULL:" "/usr/share/edk2/ovmf/OVMF.inteltdx.secboot.fd:NULL", VIR_DOMAIN_OS_DEF_FIRMWARE_BIOS, -- 2.51.0
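Review bot: the first 90-combined.json hunk keeps "SB enabled, MS certs enrolled" in the description while the second hunk points the executable at a file, /usr/share/edk2/ovmf/OVMF.combined.fd, that the commit message says is made up for the test suite; since the qemufirmwaretest.c hunk shows the expected-path list is the only other place that name appears, it would help a later reader to state in the commit message (or in the description string, alongside "(combined)") that this path is test-only and not shipped by any distribution, so nobody goes looking for it on a real host.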

On 8/25/25 10:19, Andrea Bolognani via Devel wrote:
This kind of firmware build is not shipped in Fedora, where most descriptors in our test suite come from, so we had to make it up. It was based off the Secure Boot-enabled edk2 build, and the filename it points to is the same.
That has been fine so far since it's not actually being picked up by any of the test cases, but that's going to change soon and when it does we want to be able to avoid any confusion.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> --- .../qemufirmwaredata/usr/share/qemu/firmware/90-combined.json | 4 ++-- tests/qemufirmwaretest.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
ACK from V1 stands
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/EZX2...

Reviewed-by: Jim Fehlig <jfehlig@suse.com>

Regards,
Jim

Removing all unnecessary devices and elements makes it easier to focus on the actual purpose of these tests (configuring the SEV-specific bits). Signed-off-by: Andrea Bolognani <abologna@redhat.com> --- ...urity-sev-direct.x86_64-latest+amdsev.args | 3 -- ...curity-sev-direct.x86_64-latest+amdsev.xml | 13 +----- ...nch-security-sev-direct.x86_64-latest.args | 3 -- ...unch-security-sev-direct.x86_64-latest.xml | 13 +----- .../launch-security-sev-direct.xml | 17 +------ ...ng-platform-info.x86_64-latest+amdsev.args | 3 -- ...ing-platform-info.x86_64-latest+amdsev.xml | 13 +----- ...nch-security-sev-missing-platform-info.xml | 18 +------- ...security-sev-snp.x86_64-latest+amdsev.args | 6 --- ...-security-sev-snp.x86_64-latest+amdsev.xml | 27 +----------- ...launch-security-sev-snp.x86_64-latest.args | 6 --- .../launch-security-sev-snp.x86_64-latest.xml | 27 +----------- .../launch-security-sev-snp.xml | 44 +------------------ ...nch-security-sev.x86_64-latest+amdsev.args | 3 -- ...unch-security-sev.x86_64-latest+amdsev.xml | 13 +----- tests/qemuxmlconfdata/launch-security-sev.xml | 18 +------- 16 files changed, 10 insertions(+), 217 deletions(-) diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.args index 33f820f5ad..909e88b0b9 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.args +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.args 
@@ -30,9 +30,6 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -initrd /initrd \ -append runme \ -shim /shim \ --device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ --blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","read-only":false}' \ --device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-storage","id":"ide0-0-0","bootindex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64","kernel-hashes":true}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml index dea8236540..01ca8fe012 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml @@ -21,18 +21,7 @@ <on_crash>destroy</on_crash> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> - <disk type='block' device='disk'> - <driver name='qemu' type='raw'/> - <source dev='/dev/HostVG/QEMUGuest1'/> - <target dev='hda' bus='ide'/> - <address type='drive' controller='0' bus='0' target='0' unit='0'/> - </disk> - <controller type='usb' index='0' model='piix3-uhci'> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> - </controller> - <controller type='ide' index='0'> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/> - </controller> + <controller type='usb' index='0' model='none'/> <controller type='pci' index='0' model='pci-root'/> <input type='mouse' bus='ps2'/> <input type='keyboard' bus='ps2'/> 
diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args index 33f820f5ad..909e88b0b9 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args @@ -30,9 +30,6 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -initrd /initrd \ -append runme \ -shim /shim \ --device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ --blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","read-only":false}' \ --device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-storage","id":"ide0-0-0","bootindex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64","kernel-hashes":true}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml index dea8236540..01ca8fe012 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml 
@@ -21,18 +21,7 @@ <on_crash>destroy</on_crash> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> - <disk type='block' device='disk'> - <driver name='qemu' type='raw'/> - <source dev='/dev/HostVG/QEMUGuest1'/> - <target dev='hda' bus='ide'/> - <address type='drive' controller='0' bus='0' target='0' unit='0'/> - </disk> - <controller type='usb' index='0' model='piix3-uhci'> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> - </controller> - <controller type='ide' index='0'> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/> - </controller> + <controller type='usb' index='0' model='none'/> <controller type='pci' index='0' model='pci-root'/> <input type='mouse' bus='ps2'/> <input type='keyboard' bus='ps2'/> diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.xml index 76277b6278..7b4908c7d4 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.xml @@ -2,7 +2,6 @@ <name>QEMUGuest1</name> <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> <memory unit='KiB'>219100</memory> - <currentMemory unit='KiB'>219100</currentMemory> <vcpu placement='static'>1</vcpu> <os> <type arch='x86_64' machine='pc'>hvm</type> 
@@ -11,23 +10,9 @@ <cmdline>runme</cmdline> <shim>/shim</shim> </os> - <clock offset='utc'/> - <on_poweroff>destroy</on_poweroff> - <on_reboot>restart</on_reboot> - <on_crash>destroy</on_crash> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> - <disk type='block' device='disk'> - <driver name='qemu' type='raw'/> - <source dev='/dev/HostVG/QEMUGuest1'/> - <target dev='hda' bus='ide'/> - <address type='drive' controller='0' bus='0' target='0' unit='0'/> - </disk> - <controller type='usb' index='0'/> - <controller type='ide' index='0'/> - <controller type='pci' index='0' model='pci-root'/> - <input type='mouse' bus='ps2'/> - <input type='keyboard' bus='ps2'/> + <controller type='usb' model='none'/> <memballoon model='none'/> </devices> <launchSecurity type='sev' kernelHashes='yes'> diff --git a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.args index cbbda6345f..0270316a67 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.args +++ b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.args 
@@ -26,9 +26,6 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -rtc base=utc \ -no-shutdown \ -boot strict=on \ --device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ --blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","read-only":false}' \ --device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-storage","id":"ide0-0-0","bootindex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":51,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64"}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ diff --git a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.xml index 6a0048aeae..6e7119c34e 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.xml 
@@ -17,18 +17,7 @@ <on_crash>destroy</on_crash> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> - <disk type='block' device='disk'> - <driver name='qemu' type='raw'/> - <source dev='/dev/HostVG/QEMUGuest1'/> - <target dev='hda' bus='ide'/> - <address type='drive' controller='0' bus='0' target='0' unit='0'/> - </disk> - <controller type='usb' index='0' model='piix3-uhci'> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> - </controller> - <controller type='ide' index='0'> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/> - </controller> + <controller type='usb' index='0' model='none'/> <controller type='pci' index='0' model='pci-root'/> <input type='mouse' bus='ps2'/> <input type='keyboard' bus='ps2'/> diff --git a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml index b4f3eb4998..cef48ec3c7 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml 
@@ -2,29 +2,13 @@ <name>QEMUGuest1</name> <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> <memory unit='KiB'>219100</memory> - <currentMemory unit='KiB'>219100</currentMemory> <vcpu placement='static'>1</vcpu> <os> <type arch='x86_64' machine='pc'>hvm</type> - <boot dev='hd'/> </os> - <clock offset='utc'/> - <on_poweroff>destroy</on_poweroff> - <on_reboot>restart</on_reboot> - <on_crash>destroy</on_crash> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> - <disk type='block' device='disk'> - <driver name='qemu' type='raw'/> - <source dev='/dev/HostVG/QEMUGuest1'/> - <target dev='hda' bus='ide'/> - <address type='drive' controller='0' bus='0' target='0' unit='0'/> - </disk> - <controller type='usb' index='0'/> - <controller type='ide' index='0'/> - <controller type='pci' index='0' model='pci-root'/> - <input type='mouse' bus='ps2'/> - <input type='keyboard' bus='ps2'/> + <controller type='usb' model='none'/> <memballoon model='none'/> </devices> <launchSecurity type='sev'> diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.args index b3bc7fcf04..d849eb88e0 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.args +++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.args 
@@ -28,12 +28,6 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -rtc base=utc \ -no-shutdown \ -boot strict=on \ --device '{"driver":"pcie-root-port","port":8,"chassis":1,"id":"pci.1","bus":"pcie.0","multifunction":true,"addr":"0x1"}' \ --device '{"driver":"pcie-root-port","port":9,"chassis":2,"id":"pci.2","bus":"pcie.0","addr":"0x1.0x1"}' \ --device '{"driver":"pcie-root-port","port":10,"chassis":3,"id":"pci.3","bus":"pcie.0","addr":"0x1.0x2"}' \ --device '{"driver":"qemu-xhci","id":"usb","bus":"pci.1","addr":"0x0"}' \ --blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","read-only":false}' \ --device '{"driver":"virtio-blk-pci","bus":"pci.2","addr":"0x0","drive":"libvirt-1-storage","id":"virtio-disk0","bootindex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -global ICH9-LPC.noreboot=off \ -watchdog-action reset \ diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml index d9bf146993..a0487b021e 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml @@ -15,8 +15,6 @@ </os> <features> <acpi/> - <apic/> - <pae/> </features> <cpu mode='custom' match='exact' check='none'> <model fallback='forbid'>qemu64</model> 
@@ -27,34 +25,11 @@ <on_crash>destroy</on_crash> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> - <disk type='block' device='disk'> - <driver name='qemu' type='raw'/> - <source dev='/dev/HostVG/QEMUGuest1'/> - <target dev='vda' bus='virtio'/> - <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> - </disk> - <controller type='usb' index='0' model='qemu-xhci'> - <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> - </controller> + <controller type='usb' index='0' model='none'/> <controller type='sata' index='0'> <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/> </controller> <controller type='pci' index='0' model='pcie-root'/> - <controller type='pci' index='1' model='pcie-root-port'> - <model name='pcie-root-port'/> - <target chassis='1' port='0x8'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/> - </controller> - <controller type='pci' index='2' model='pcie-root-port'> - <model name='pcie-root-port'/> - <target chassis='2' port='0x9'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/> - </controller> - <controller type='pci' index='3' model='pcie-root-port'> - <model name='pcie-root-port'/> - <target chassis='3' port='0xa'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> - </controller> <input type='mouse' bus='ps2'/> <input type='keyboard' bus='ps2'/> <audio id='1' type='none'/> diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args index b3bc7fcf04..d849eb88e0 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args +++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args 
@@ -28,12 +28,6 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -rtc base=utc \ -no-shutdown \ -boot strict=on \ --device '{"driver":"pcie-root-port","port":8,"chassis":1,"id":"pci.1","bus":"pcie.0","multifunction":true,"addr":"0x1"}' \ --device '{"driver":"pcie-root-port","port":9,"chassis":2,"id":"pci.2","bus":"pcie.0","addr":"0x1.0x1"}' \ --device '{"driver":"pcie-root-port","port":10,"chassis":3,"id":"pci.3","bus":"pcie.0","addr":"0x1.0x2"}' \ --device '{"driver":"qemu-xhci","id":"usb","bus":"pci.1","addr":"0x0"}' \ --blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","read-only":false}' \ --device '{"driver":"virtio-blk-pci","bus":"pci.2","addr":"0x0","drive":"libvirt-1-storage","id":"virtio-disk0","bootindex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -global ICH9-LPC.noreboot=off \ -watchdog-action reset \ diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml index d9bf146993..a0487b021e 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml @@ -15,8 +15,6 @@ </os> <features> <acpi/> - <apic/> - <pae/> </features> <cpu mode='custom' match='exact' check='none'> <model fallback='forbid'>qemu64</model> 
@@ -27,34 +25,11 @@ <on_crash>destroy</on_crash> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> - <disk type='block' device='disk'> - <driver name='qemu' type='raw'/> - <source dev='/dev/HostVG/QEMUGuest1'/> - <target dev='vda' bus='virtio'/> - <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> - </disk> - <controller type='usb' index='0' model='qemu-xhci'> - <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> - </controller> + <controller type='usb' index='0' model='none'/> <controller type='sata' index='0'> <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/> </controller> <controller type='pci' index='0' model='pcie-root'/> - <controller type='pci' index='1' model='pcie-root-port'> - <model name='pcie-root-port'/> - <target chassis='1' port='0x8'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/> - </controller> - <controller type='pci' index='2' model='pcie-root-port'> - <model name='pcie-root-port'/> - <target chassis='2' port='0x9'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/> - </controller> - <controller type='pci' index='3' model='pcie-root-port'> - <model name='pcie-root-port'/> - <target chassis='3' port='0xa'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> - </controller> <input type='mouse' bus='ps2'/> <input type='keyboard' bus='ps2'/> <audio id='1' type='none'/> diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.xml b/tests/qemuxmlconfdata/launch-security-sev-snp.xml index 408198674e..d62ed0d05d 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-snp.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-snp.xml 
@@ -2,59 +2,17 @@ <name>QEMUGuest1</name> <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> <memory unit='KiB'>219100</memory> - <currentMemory unit='KiB'>219100</currentMemory> <vcpu placement='static'>1</vcpu> <os firmware='efi'> <type arch='x86_64' machine='pc-q35-8.2'>hvm</type> <loader stateless='yes'/> - <boot dev='hd'/> </os> <features> <acpi/> - <apic/> - <pae/> </features> - <cpu mode='custom' match='exact' check='none'> - <model fallback='forbid'>qemu64</model> - </cpu> - <clock offset='utc'/> - <on_poweroff>destroy</on_poweroff> - <on_reboot>restart</on_reboot> - <on_crash>destroy</on_crash> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> - <disk type='block' device='disk'> - <driver name='qemu' type='raw'/> - <source dev='/dev/HostVG/QEMUGuest1'/> - <target dev='vda' bus='virtio'/> - <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> - </disk> - <controller type='usb' index='0' model='qemu-xhci'> - <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> - </controller> - <controller type='sata' index='0'> - <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/> - </controller> - <controller type='pci' index='0' model='pcie-root'/> - <controller type='pci' index='1' model='pcie-root-port'> - <model name='pcie-root-port'/> - <target chassis='1' port='0x8'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/> - </controller> - <controller type='pci' index='2' model='pcie-root-port'> - <model name='pcie-root-port'/> - <target chassis='2' port='0x9'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/> - </controller> - <controller type='pci' index='3' model='pcie-root-port'> - <model name='pcie-root-port'/> - <target chassis='3' port='0xa'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> - </controller> - <input type='mouse' bus='ps2'/> - <input type='keyboard' bus='ps2'/> - <audio 
id='1' type='none'/> - <watchdog model='itco' action='reset'/> + <controller type='usb' model='none'/> <memballoon model='none'/> </devices> <launchSecurity type='sev-snp' authorKey='yes' vcek='no'> diff --git a/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.args index a71b08e4da..452648e252 100644 --- a/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.args +++ b/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.args @@ -26,9 +26,6 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -rtc base=utc \ -no-shutdown \ -boot strict=on \ --device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ --blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","read-only":false}' \ --device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-storage","id":"ide0-0-0","bootindex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64"}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ diff --git a/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.xml index a3ee54ed44..eca1c1de75 100644 --- a/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.xml 
@@ -17,18 +17,7 @@ <on_crash>destroy</on_crash> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> - <disk type='block' device='disk'> - <driver name='qemu' type='raw'/> - <source dev='/dev/HostVG/QEMUGuest1'/> - <target dev='hda' bus='ide'/> - <address type='drive' controller='0' bus='0' target='0' unit='0'/> - </disk> - <controller type='usb' index='0' model='piix3-uhci'> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> - </controller> - <controller type='ide' index='0'> - <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/> - </controller> + <controller type='usb' index='0' model='none'/> <controller type='pci' index='0' model='pci-root'/> <input type='mouse' bus='ps2'/> <input type='keyboard' bus='ps2'/> diff --git a/tests/qemuxmlconfdata/launch-security-sev.xml b/tests/qemuxmlconfdata/launch-security-sev.xml index 51967071f7..3c4cbe4344 100644 --- a/tests/qemuxmlconfdata/launch-security-sev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev.xml 
@@ -2,29 +2,13 @@ <name>QEMUGuest1</name> <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> <memory unit='KiB'>219100</memory> - <currentMemory unit='KiB'>219100</currentMemory> <vcpu placement='static'>1</vcpu> <os> <type arch='x86_64' machine='pc'>hvm</type> - <boot dev='hd'/> </os> - <clock offset='utc'/> - <on_poweroff>destroy</on_poweroff> - <on_reboot>restart</on_reboot> - <on_crash>destroy</on_crash> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> - <disk type='block' device='disk'> - <driver name='qemu' type='raw'/> - <source dev='/dev/HostVG/QEMUGuest1'/> - <target dev='hda' bus='ide'/> - <address type='drive' controller='0' bus='0' target='0' unit='0'/> - </disk> - <controller type='usb' index='0'/> - <controller type='ide' index='0'/> - <controller type='pci' index='0' model='pci-root'/> - <input type='mouse' bus='ps2'/> - <input type='keyboard' bus='ps2'/> + <controller type='usb' model='none'/> <memballoon model='none'/> </devices> <launchSecurity type='sev'> -- 2.51.0
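Review bot: the launch-security-sev-snp.xml hunk (@@ -2,59 +2,17 @@) removes the explicit `<cpu mode='custom' match='exact' check='none'>` / `<model fallback='forbid'>qemu64</model>` block together with `<clock>`, `<on_poweroff>` and friends, yet the @@ -15,8 and @@ -27,34 hunks of the corresponding .x86_64-latest*.xml outputs still carry those elements as unchanged context, so the expected output now depends on the defaults libvirt fills in from the test capabilities rather than on values the input sets; a sentence in the commit message noting that the output files intentionally keep the filled-in defaults (and that the input `<controller type='usb' model='none'/>` without an index is expected to come back as `index='0'`) would make the 217 deleted lines easier to review as a no-behaviour-change cleanup.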

On 8/25/25 10:19, Andrea Bolognani via Devel wrote:
Removing all unnecessary devices and elements makes it easier to focus on the actual purpose of these tests (configuring the SEV-specific bits).
Signed-off-by: Andrea Bolognani <abologna@redhat.com> --- ...urity-sev-direct.x86_64-latest+amdsev.args | 3 -- ...curity-sev-direct.x86_64-latest+amdsev.xml | 13 +----- ...nch-security-sev-direct.x86_64-latest.args | 3 -- ...unch-security-sev-direct.x86_64-latest.xml | 13 +----- .../launch-security-sev-direct.xml | 17 +------ ...ng-platform-info.x86_64-latest+amdsev.args | 3 -- ...ing-platform-info.x86_64-latest+amdsev.xml | 13 +----- ...nch-security-sev-missing-platform-info.xml | 18 +------- ...security-sev-snp.x86_64-latest+amdsev.args | 6 --- ...-security-sev-snp.x86_64-latest+amdsev.xml | 27 +----------- ...launch-security-sev-snp.x86_64-latest.args | 6 --- .../launch-security-sev-snp.x86_64-latest.xml | 27 +----------- .../launch-security-sev-snp.xml | 44 +------------------ ...nch-security-sev.x86_64-latest+amdsev.args | 3 -- ...unch-security-sev.x86_64-latest+amdsev.xml | 13 +----- tests/qemuxmlconfdata/launch-security-sev.xml | 18 +------- 16 files changed, 10 insertions(+), 217 deletions(-)
Good idea, and nice cleanup.

Reviewed-by: Jim Fehlig <jfehlig@suse.com>

Regards,
Jim

From: Jim Fehlig <jfehlig@suse.com> SEV and SEV-ES guests should use q35 machine type and uefi. Adjust existing tests accordingly. Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- ...curity-sev-direct.x86_64-latest+amdsev.args | 4 +++- ...ecurity-sev-direct.x86_64-latest+amdsev.xml | 8 ++++++-- ...unch-security-sev-direct.x86_64-latest.args | 4 +++- ...aunch-security-sev-direct.x86_64-latest.xml | 8 ++++++-- .../launch-security-sev-direct.xml | 2 +- ...ing-platform-info.x86_64-latest+amdsev.args | 6 +++++- ...sing-platform-info.x86_64-latest+amdsev.xml | 18 +++++++++++++++--- ...unch-security-sev-missing-platform-info.xml | 8 ++++++-- ...unch-security-sev.x86_64-latest+amdsev.args | 6 +++++- ...aunch-security-sev.x86_64-latest+amdsev.xml | 18 +++++++++++++++--- tests/qemuxmlconfdata/launch-security-sev.xml | 8 ++++++-- 11 files changed, 71 insertions(+), 19 deletions(-) diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.args index 909e88b0b9..56fa8e0b21 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.args +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.args @@ -10,7 +10,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -name guest=QEMUGuest1,debug-threads=on \ -S \ -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \ --machine pc,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \ +-machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \ -accel kvm \ -cpu qemu64 \ -m size=219136k \ 
@@ -31,6 +31,8 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -append runme \ -shim /shim \ -audiodev '{"id":"audio1","driver":"none"}' \ +-global ICH9-LPC.noreboot=off \ +-watchdog-action reset \ -object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64","kernel-hashes":true}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ -msg timestamp=on diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml index 01ca8fe012..39786d7a50 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest+amdsev.xml @@ -5,7 +5,7 @@ <currentMemory unit='KiB'>219100</currentMemory> <vcpu placement='static'>1</vcpu> <os> - <type arch='x86_64' machine='pc'>hvm</type> + <type arch='x86_64' machine='pc-q35-8.2'>hvm</type> <kernel>/vmlinuz</kernel> <initrd>/initrd</initrd> <cmdline>runme</cmdline> @@ -22,10 +22,14 @@ <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> <controller type='usb' index='0' model='none'/> - <controller type='pci' index='0' model='pci-root'/> + <controller type='sata' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pcie-root'/> <input type='mouse' bus='ps2'/> <input type='keyboard' bus='ps2'/> <audio id='1' type='none'/> + <watchdog model='itco' action='reset'/> <memballoon model='none'/> </devices> <launchSecurity type='sev' kernelHashes='yes'> 
diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args index 909e88b0b9..56fa8e0b21 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args @@ -10,7 +10,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -name guest=QEMUGuest1,debug-threads=on \ -S \ -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \ --machine pc,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \ +-machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \ -accel kvm \ -cpu qemu64 \ -m size=219136k \ @@ -31,6 +31,8 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -append runme \ -shim /shim \ -audiodev '{"id":"audio1","driver":"none"}' \ +-global ICH9-LPC.noreboot=off \ +-watchdog-action reset \ -object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64","kernel-hashes":true}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ -msg timestamp=on diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml index 01ca8fe012..39786d7a50 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.xml 
@@ -5,7 +5,7 @@ <currentMemory unit='KiB'>219100</currentMemory> <vcpu placement='static'>1</vcpu> <os> - <type arch='x86_64' machine='pc'>hvm</type> + <type arch='x86_64' machine='pc-q35-8.2'>hvm</type> <kernel>/vmlinuz</kernel> <initrd>/initrd</initrd> <cmdline>runme</cmdline> @@ -22,10 +22,14 @@ <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> <controller type='usb' index='0' model='none'/> - <controller type='pci' index='0' model='pci-root'/> + <controller type='sata' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pcie-root'/> <input type='mouse' bus='ps2'/> <input type='keyboard' bus='ps2'/> <audio id='1' type='none'/> + <watchdog model='itco' action='reset'/> <memballoon model='none'/> </devices> <launchSecurity type='sev' kernelHashes='yes'> diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.xml b/tests/qemuxmlconfdata/launch-security-sev-direct.xml index 7b4908c7d4..d654e7ffc0 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-direct.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-direct.xml @@ -4,7 +4,7 @@ <memory unit='KiB'>219100</memory> <vcpu placement='static'>1</vcpu> <os> - <type arch='x86_64' machine='pc'>hvm</type> + <type arch='x86_64' machine='pc-q35-8.2'>hvm</type> <kernel>/vmlinuz</kernel> <initrd>/initrd</initrd> <cmdline>runme</cmdline> diff --git a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.args index 0270316a67..6e076cec63 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.args +++ b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.args 
@@ -10,7 +10,9 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -name guest=QEMUGuest1,debug-threads=on \ -S \ -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \ --machine pc,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \ +-blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \ +-machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on \ -accel kvm \ -cpu qemu64 \ -m size=219136k \ @@ -27,6 +29,8 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -no-shutdown \ -boot strict=on \ -audiodev '{"id":"audio1","driver":"none"}' \ +-global ICH9-LPC.noreboot=off \ +-watchdog-action reset \ -object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":51,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64"}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ -msg timestamp=on diff --git a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.xml index 6e7119c34e..d0f8ed031d 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.x86_64-latest+amdsev.xml 
@@ -4,10 +4,18 @@ <memory unit='KiB'>219100</memory> <currentMemory unit='KiB'>219100</currentMemory> <vcpu placement='static'>1</vcpu> - <os> - <type arch='x86_64' machine='pc'>hvm</type> + <os firmware='efi'> + <type arch='x86_64' machine='pc-q35-8.2'>hvm</type> + <firmware> + <feature enabled='no' name='enrolled-keys'/> + <feature enabled='no' name='secure-boot'/> + </firmware> + <loader readonly='yes' type='pflash' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> <boot dev='hd'/> </os> + <features> + <acpi/> + </features> <cpu mode='custom' match='exact' check='none'> <model fallback='forbid'>qemu64</model> </cpu> @@ -18,10 +26,14 @@ <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> <controller type='usb' index='0' model='none'/> - <controller type='pci' index='0' model='pci-root'/> + <controller type='sata' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pcie-root'/> <input type='mouse' bus='ps2'/> <input type='keyboard' bus='ps2'/> <audio id='1' type='none'/> + <watchdog model='itco' action='reset'/> <memballoon model='none'/> </devices> <launchSecurity type='sev'> diff --git a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml index cef48ec3c7..513d704f93 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml @@ -3,9 +3,13 @@ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> <memory unit='KiB'>219100</memory> <vcpu placement='static'>1</vcpu> - <os> - <type arch='x86_64' machine='pc'>hvm</type> + <os firmware='efi'> + <type arch='x86_64' machine='pc-q35-8.2'>hvm</type> + <loader stateless='yes'/> </os> + <features> + <acpi/> + </features> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> <controller type='usb' model='none'/> 
diff --git a/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.args index 452648e252..b62961f974 100644 --- a/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.args +++ b/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.args @@ -10,7 +10,9 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -name guest=QEMUGuest1,debug-threads=on \ -S \ -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \ --machine pc,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=off \ +-blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \ +-machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on \ -accel kvm \ -cpu qemu64 \ -m size=219136k \ @@ -27,6 +29,8 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -no-shutdown \ -boot strict=on \ -audiodev '{"id":"audio1","driver":"none"}' \ +-global ICH9-LPC.noreboot=off \ +-watchdog-action reset \ -object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64"}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ -msg timestamp=on diff --git a/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.xml index eca1c1de75..b7ec804058 100644 
--- a/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev.x86_64-latest+amdsev.xml @@ -4,10 +4,18 @@ <memory unit='KiB'>219100</memory> <currentMemory unit='KiB'>219100</currentMemory> <vcpu placement='static'>1</vcpu> - <os> - <type arch='x86_64' machine='pc'>hvm</type> + <os firmware='efi'> + <type arch='x86_64' machine='pc-q35-8.2'>hvm</type> + <firmware> + <feature enabled='no' name='enrolled-keys'/> + <feature enabled='no' name='secure-boot'/> + </firmware> + <loader readonly='yes' type='pflash' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> <boot dev='hd'/> </os> + <features> + <acpi/> + </features> <cpu mode='custom' match='exact' check='none'> <model fallback='forbid'>qemu64</model> </cpu> @@ -18,10 +26,14 @@ <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> <controller type='usb' index='0' model='none'/> - <controller type='pci' index='0' model='pci-root'/> + <controller type='sata' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pcie-root'/> <input type='mouse' bus='ps2'/> <input type='keyboard' bus='ps2'/> <audio id='1' type='none'/> + <watchdog model='itco' action='reset'/> <memballoon model='none'/> </devices> <launchSecurity type='sev'> diff --git a/tests/qemuxmlconfdata/launch-security-sev.xml b/tests/qemuxmlconfdata/launch-security-sev.xml index 3c4cbe4344..39859fd126 100644 --- a/tests/qemuxmlconfdata/launch-security-sev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev.xml 
@@ -3,9 +3,13 @@ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> <memory unit='KiB'>219100</memory> <vcpu placement='static'>1</vcpu> - <os> - <type arch='x86_64' machine='pc'>hvm</type> + <os firmware='efi'> + <type arch='x86_64' machine='pc-q35-8.2'>hvm</type> + <loader stateless='yes'/> </os> + <features> + <acpi/> + </features> <devices> <emulator>/usr/bin/qemu-system-x86_64</emulator> <controller type='usb' model='none'/> -- 2.51.0
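Review bot: In the two launch-security-sev-direct .args hunks the machine type is switched to pc-q35-8.2 while the same line keeps `acpi=off`, and the launch-security-sev-direct.xml hunk adds no `<features><acpi/></features>`, whereas the launch-security-sev-missing-platform-info and launch-security-sev hunks move to `acpi=on` and add `<acpi/>`; since the commit message only says SEV guests should use q35 and UEFI, it should also state whether the direct-boot tests are intentionally left without ACPI (they also keep `-kernel`/`-shim` rather than gaining `firmware='efi'`) or whether they should receive the same `<acpi/>` feature for consistency.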
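Review bot: The three input XML hunks (launch-security-sev-direct.xml, launch-security-sev-missing-platform-info.xml, launch-security-sev.xml) pin `machine='pc-q35-8.2'`, while the other new tests in this series use pc-q35-10.0; mixing pinned machine versions across the SEV tests makes the expected .args/.xml harder to keep in sync when capabilities data is refreshed, so consider picking one version (or the unversioned `q35` alias, if the harness canonicalises it) and mentioning the choice in the commit message.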

One of the new test cases demonstrates how firmware autoselection doesn't currently work correctly for domains using SEV-SNP: the descriptor for a suitable firmware exists, and yet it doesn't get picked up. The other test case shows that, while firmware autoselection succeeds for non-SNP SEV domains, the results are not the expected ones: the generic (stateful) edk2 build is used instead of the SEV-specific (stateless) one. Signed-off-by: Andrea Bolognani <abologna@redhat.com> --- ...-auto-efi-sev-snp.x86_64-latest+amdsev.err | 1 + ...-auto-efi-sev-snp.x86_64-latest+amdsev.xml | 38 ++++++++++++++++ .../firmware-auto-efi-sev-snp.xml | 20 +++++++++ ...are-auto-efi-sev.x86_64-latest+amdsev.args | 37 ++++++++++++++++ ...ware-auto-efi-sev.x86_64-latest+amdsev.xml | 43 +++++++++++++++++++ .../qemuxmlconfdata/firmware-auto-efi-sev.xml | 20 +++++++++ tests/qemuxmlconftest.c | 8 ++++ 7 files changed, 167 insertions(+) create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.err create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.xml create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.xml create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev.xml diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.err b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.err new file mode 100644 index 0000000000..3edb2b3451 --- /dev/null +++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.err @@ -0,0 +1 @@ +operation failed: Unable to find 'efi' firmware that is compatible with the current configuration 
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml new file mode 100644 index 0000000000..81ac7888ea --- /dev/null +++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml @@ -0,0 +1,38 @@ +<domain type='kvm'> + <name>guest</name> + <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid> + <memory unit='KiB'>1048576</memory> + <currentMemory unit='KiB'>1048576</currentMemory> + <vcpu placement='static'>1</vcpu> + <os firmware='efi'> + <type arch='x86_64' machine='pc-q35-10.0'>hvm</type> + <loader format='raw'/> + <boot dev='hd'/> + </os> + <features> + <acpi/> + </features> + <cpu mode='custom' match='exact' check='none'> + <model fallback='forbid'>qemu64</model> + </cpu> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <controller type='usb' index='0' model='none'/> + <controller type='sata' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pcie-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <audio id='1' type='none'/> + <watchdog model='itco' action='reset'/> + <memballoon model='none'/> + </devices> + <launchSecurity type='sev-snp'> + <policy>0x00030000</policy> + </launchSecurity> +</domain> diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.xml b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.xml new file mode 100644 index 0000000000..4bb363d07a --- /dev/null +++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.xml 
@@ -0,0 +1,20 @@ +<domain type='kvm'> + <name>guest</name> + <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid> + <memory unit='KiB'>1048576</memory> + <vcpu placement='static'>1</vcpu> + <os firmware='efi'> + <type arch='x86_64' machine='pc-q35-10.0'>hvm</type> + </os> + <features> + <acpi/> + </features> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <controller type='usb' model='none'/> + <memballoon model='none'/> + </devices> + <launchSecurity type='sev-snp'> + <policy>0x30000</policy> + </launchSecurity> +</domain> diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args new file mode 100644 index 0000000000..550ac52b8a --- /dev/null +++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args 
@@ -0,0 +1,37 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/var/lib/libvirt/qemu/domain--1-guest \ +USER=test \ +LOGNAME=test \ +XDG_DATA_HOME=/var/lib/libvirt/qemu/domain--1-guest/.local/share \ +XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain--1-guest/.cache \ +XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \ +/usr/bin/qemu-system-x86_64 \ +-name guest=guest,debug-threads=on \ +-S \ +-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \ +-blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF_CODE.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \ +-blockdev '{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/guest_VARS.fd","node-name":"libvirt-pflash1-storage","read-only":false}' \ +-machine pc-q35-10.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-storage,acpi=on \ +-accel kvm \ +-cpu qemu64 \ +-m size=1048576k \ +-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \ +-overcommit mem-lock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-boot strict=on \ +-audiodev '{"id":"audio1","driver":"none"}' \ +-global ICH9-LPC.noreboot=off \ +-watchdog-action reset \ +-object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":51,"reduced-phys-bits":1,"policy":196608}' \ +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ +-msg timestamp=on 
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.xml new file mode 100644 index 0000000000..cbfdcdeee3 --- /dev/null +++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.xml @@ -0,0 +1,43 @@ +<domain type='kvm'> + <name>guest</name> + <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid> + <memory unit='KiB'>1048576</memory> + <currentMemory unit='KiB'>1048576</currentMemory> + <vcpu placement='static'>1</vcpu> + <os firmware='efi'> + <type arch='x86_64' machine='pc-q35-10.0'>hvm</type> + <firmware> + <feature enabled='no' name='enrolled-keys'/> + <feature enabled='no' name='secure-boot'/> + </firmware> + <loader readonly='yes' type='pflash' format='raw'>/usr/share/edk2/ovmf/OVMF_CODE.fd</loader> + <nvram template='/usr/share/edk2/ovmf/OVMF_VARS.fd' templateFormat='raw' format='raw'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram> + <boot dev='hd'/> + </os> + <features> + <acpi/> + </features> + <cpu mode='custom' match='exact' check='none'> + <model fallback='forbid'>qemu64</model> + </cpu> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <controller type='usb' index='0' model='none'/> + <controller type='sata' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pcie-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <audio id='1' type='none'/> + <watchdog model='itco' action='reset'/> + <memballoon model='none'/> + </devices> + <launchSecurity type='sev'> + <policy>0x30000</policy> + </launchSecurity> +</domain> diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev.xml b/tests/qemuxmlconfdata/firmware-auto-efi-sev.xml new file mode 100644 index 0000000000..69e0c2bd51 --- /dev/null 
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev.xml @@ -0,0 +1,20 @@ +<domain type='kvm'> + <name>guest</name> + <uuid>63840878-0deb-4095-97e6-fc444d9bc9fa</uuid> + <memory unit='KiB'>1048576</memory> + <vcpu placement='static'>1</vcpu> + <os firmware='efi'> + <type arch='x86_64' machine='pc-q35-10.0'>hvm</type> + </os> + <features> + <acpi/> + </features> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <controller type='usb' model='none'/> + <memballoon model='none'/> + </devices> + <launchSecurity type='sev'> + <policy>0x30000</policy> + </launchSecurity> +</domain> diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c index 079f20ddf4..c17bb168f6 100644 --- a/tests/qemuxmlconftest.c +++ b/tests/qemuxmlconftest.c @@ -1477,6 +1477,14 @@ mymain(void) DO_TEST_CAPS_ARCH_LATEST_ABI_UPDATE("firmware-auto-efi-format-loader-raw", "aarch64"); DO_TEST_CAPS_LATEST("firmware-auto-efi-format-mismatch"); + DO_TEST_CAPS_ARCH_LATEST_FULL("firmware-auto-efi-sev", "x86_64", + ARG_CAPS_VARIANT, "+amdsev", + ARG_END); + DO_TEST_CAPS_ARCH_LATEST_FULL("firmware-auto-efi-sev-snp", "x86_64", + ARG_FLAGS, FLAG_EXPECT_FAILURE, + ARG_CAPS_VARIANT, "+amdsev", + ARG_END); + DO_TEST_CAPS_LATEST("clock-utc"); DO_TEST_CAPS_LATEST("clock-localtime"); DO_TEST_CAPS_LATEST("clock-localtime-basis-localtime"); -- 2.51.0
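Review bot: The new expected files deliberately encode the behaviour the commit message calls wrong (the sev-snp .err "Unable to find 'efi' firmware ..." and, for the non-SNP sev case, OVMF_CODE.fd plus a writable guest_VARS.fd as pflash1 next to the sev-guest object), but nothing in the qemuxmlconftest.c hunk says so; a one-line comment above the two DO_TEST_CAPS_ARCH_LATEST_FULL calls noting that FLAG_EXPECT_FAILURE and the stateful pflash output are a baseline that later patches in the series flip would stop a reader of the test data from taking these .args as the intended command line.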

On 8/25/25 10:19, Andrea Bolognani via Devel wrote:
One of the new test cases demonstrates how firmware autoselection doesn't currently work correctly for domains using SEV-SNP: the descriptor for a suitable firmware exists, and yet it doesn't get picked up.
But the descriptor is incorrect. Autoselection using current git master works fine with a proper descriptor for SNP. IMO, we need to fix the descriptors (patches 8 and 9) before adding more tests with invalid config.
The other test case shows that, while firmware autoselection succeeds for non-SNP SEV domains, the results are not the expected ones: the generic (stateful) edk2 build is used instead of the SEV-specific (stateless) one.
We need patch 9 to prevent selection of the stateful firmware, but then we'd hit the problem fixed by patch 5 :-). ...
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args new file mode 100644 index 0000000000..550ac52b8a --- /dev/null +++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args @@ -0,0 +1,37 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/var/lib/libvirt/qemu/domain--1-guest \ +USER=test \ +LOGNAME=test \ +XDG_DATA_HOME=/var/lib/libvirt/qemu/domain--1-guest/.local/share \ +XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain--1-guest/.cache \ +XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \ +/usr/bin/qemu-system-x86_64 \ +-name guest=guest,debug-threads=on \ +-S \ +-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \ +-blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF_CODE.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \ +-blockdev '{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/guest_VARS.fd","node-name":"libvirt-pflash1-storage","read-only":false}' \
Writable pflash is not compatible with SEV(-ES) guests. Regards, Jim

On Mon, Aug 25, 2025 at 05:12:57PM -0600, Jim Fehlig wrote:
On 8/25/25 10:19, Andrea Bolognani via Devel wrote:
One of the new test cases demonstrates how firmware autoselection doesn't currently work correctly for domains using SEV-SNP: the descriptor for a suitable firmware exists, and yet it doesn't get picked up.
But the descriptor is incorrect. Autoselection using current git master works fine with a proper descriptor for SNP.
It's true, the current descriptor for SEV-SNP is incorrect as it causes libvirt to use pflash instead of rom. But the fact that libvirt will ignore the current descriptor unless <loader stateless='yes'/> is present in the domain configuration, as demonstrated by the test case that I'm adding in this patch, is a problem of its own, and indeed the one that you reported in the first place ;) So yes, we need to fix both issues, the one in libvirt and the one in the descriptors. Solving the latter first would merely sweep the former under the carpet, not make it go away.
IMO, we need to fix the descriptors (patches 8 and 9) before adding more tests with invalid config.
I'm doing things in this order deliberately. Adding a failing test establishes the current baseline for the functionality, so that when the fix is applied you can see the improvement reflected directly in the test suite, confirming its effectiveness. Adding tests after the fact only demonstrates that the feature now works, not that it was broken beforehand.
+-blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF_CODE.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \ +-blockdev '{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/guest_VARS.fd","node-name":"libvirt-pflash1-storage","read-only":false}' \
Writable pflash is not compatible with SEV(-ES) guests.
Is that so? According to https://libvirt.org/kbase/launch_security_sev.html a stateless firmware is only a requirement if boot measurements are desired, which IIUC is not necessarily always the case. In fact, the full XML example at the bottom of that document is using stateful firmware. To be clear, I'm tentatively in favor of moving towards a world in which stateless firmware is used consistently across the board for SEV guests, but we need to ensure that we don't cause disruption for existing users in the process. -- Andrea Bolognani / Red Hat / Virtualization

On 8/26/25 09:30, Andrea Bolognani wrote:
On Mon, Aug 25, 2025 at 05:12:57PM -0600, Jim Fehlig wrote:
On 8/25/25 10:19, Andrea Bolognani via Devel wrote:
One of the new test cases demonstrates how firmware autoselection doesn't currently work correctly for domains using SEV-SNP: the descriptor for a suitable firmware exists, and yet it doesn't get picked up.
But the descriptor is incorrect. Autoselection using current git master works fine with a proper descriptor for SNP.
It's true, the current descriptor for SEV-SNP is incorrect as it causes libvirt to use pflash instead of rom. But the fact that libvirt will ignore the current descriptor unless
<loader stateless='yes'/>
is present in the domain configuration, as demonstrated by the test case that I'm adding in this patch, is a problem of its own, and indeed the one that you reported in the first place ;)
Yep, no arguing that point.
So yes, we need to fix both issues, the one in libvirt and the one in the descriptors. Solving the latter first would merely sweep the former under the carpet, not make it go away.
I think the same could be said by fixing libvirt first.
IMO, we need to fix the descriptors (patches 8 and 9) before adding more tests with invalid config.
I'm doing things in this order deliberately. Adding a failing test establishes the current baseline for the functionality, so that when the fix is applied you can see the improvement reflected directly in the test suite, confirming its effectiveness. Adding tests after the fact only demonstrates that the feature now works, not that it was broken beforehand.
+-blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF_CODE.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \ +-blockdev '{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/guest_VARS.fd","node-name":"libvirt-pflash1-storage","read-only":false}' \
Writable pflash is not compatible with SEV(-ES) guests.
Is that so? According to
https://libvirt.org/kbase/launch_security_sev.html
a stateless firmware is only a requirement if boot measurements are desired, which IIUC is not necessarily always the case.
Dammit, you're right. I need to remember some of the SNP/TDX restrictions do not apply to SEV(-ES). Too bad we're stuck supporting that transitional technology.
In fact, the full XML example at the bottom of that document is using stateful firmware.
To be clear, I'm tentatively in favor of moving towards a world in which stateless firmware is used consistently across the board for SEV guests, but we need to ensure that we don't cause disruption for existing users in the process.
Agreed. Changing the actual edk2 descriptors per patch 9 may cause disruptions for users wanting a persistent variable store in pflash for their SEV(-ES) guests. Regards, Jim

On Tue, Aug 26, 2025 at 10:39:30AM -0600, Jim Fehlig wrote:
On 8/26/25 09:30, Andrea Bolognani wrote:
On Mon, Aug 25, 2025 at 05:12:57PM -0600, Jim Fehlig wrote:
On 8/25/25 10:19, Andrea Bolognani via Devel wrote:
One of the new test cases demonstrates how firmware autoselection doesn't currently work correctly for domains using SEV-SNP: the descriptor for a suitable firmware exists, and yet it doesn't get picked up.
But the descriptor is incorrect. Autoselection using current git master works fine with a proper descriptor for SNP.
It's true, the current descriptor for SEV-SNP is incorrect as it causes libvirt to use pflash instead of rom. But the fact that libvirt will ignore the current descriptor unless
<loader stateless='yes'/>
is present in the domain configuration, as demonstrated by the test case that I'm adding in this patch, is a problem of its own, and indeed the one that you reported in the first place ;)
Yep, no arguing that point.
So yes, we need to fix both issues, the one in libvirt and the one in the descriptors. Solving the latter first would merely sweep the former under the carpet, not make it go away.
I think the same could be said by fixing libvirt first.
Not really, because after you've fixed libvirt (patch 05/10) the test case lands in an "intermediate" state where autoselection succeeds, but you still get the wrong mode being used (pflash instead of ROM). Only after you fix the descriptors too (patch 08/10) you end up with the desired state. Doing things in this order gives you the full progression of the fix clearly visible in the git log.
To be clear, I'm tentatively in favor of moving towards a world in which stateless firmware is used consistently across the board for SEV guests, but we need to ensure that we don't cause disruption for existing users in the process.
Agreed. Changing the actual edk2 descriptors per patch 9 may cause disruptions for users wanting a persistent variable store in pflash for their SEV(-ES) guests.
Maybe we can cater to that use case by adding a low-priority descriptor that is identical to the regular edk2 one but advertises amd-sev and amd-sev-es features, and by asking users that want a persistent variable store to ask for <loader stateless='no'/> instead? Assuming people looking to stateful SEV are a small minority, this sounds like it might be feasible. And then we could use the ROM loader for everyone else. We wouldn't even need separate descriptors for SEV-SNP and SEV(-ES), just for stateless SEV and stateful SEV.

-- 
Andrea Bolognani / Red Hat / Virtualization
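The matching behaviour argued over in the exchange above (libvirt ignoring the current SEV descriptor unless stateless='yes' is requested, the "intermediate" pflash state after the libvirt fix, ROM only once the descriptors are split, and the stateful-SEV disruption Jim raises), as an added Python model that is not libvirt's code: it re-implements only the feature/stateless/read-only checks of qemuFirmwareMatchDomain() before and after patches 05/10 and 06/10, over constructed descriptors shaped like the series' test data, and ignores secure-boot, SMM, machine-type and the other match criteria.

```python
# Constructed descriptors modelled on this series' test data, in priority (file name) order.
CURRENT_DESCRIPTORS = [
    {"name": "50-edk2-ovmf-4m-qcow2-x64-nosb.json",
     "mapping": {"device": "flash", "mode": "split",
                 "executable": "/usr/share/edk2/ovmf/OVMF_CODE.fd"},
     "features": ["acpi-s3", "amd-sev", "amd-sev-es", "verbose-dynamic"]},
    # Current SEV descriptor: stateless flash that also claims SEV-SNP.
    {"name": "60-edk2-ovmf-x64-amdsev.json",
     "mapping": {"device": "flash", "mode": "stateless",
                 "executable": "/usr/share/edk2/ovmf/OVMF.amdsev.fd"},
     "features": ["amd-sev", "amd-sev-es", "amd-sev-snp", "verbose-dynamic"]},
    {"name": "90-combined.json",
     "mapping": {"device": "flash", "mode": "combined",
                 "executable": "/usr/share/edk2/ovmf/OVMF.combined.fd"},
     "features": ["acpi-s3", "amd-sev", "enrolled-keys", "secure-boot"]},
]
SNP_ROM_DESCRIPTOR = {  # patch 08/10: SEV-SNP gets its own ROM descriptor
    "name": "60-edk2-ovmf-x64-amdsevsnp.json",
    "mapping": {"device": "memory",
                "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd"},
    "features": ["amd-sev-snp", "verbose-dynamic"]}


def proposed_descriptors(drop_generic_sev=False):
    """After patch 08/10; with drop_generic_sev also after patch 09/10."""
    out = []
    for desc in CURRENT_DESCRIPTORS:
        feats = list(desc["features"])
        if desc["name"] == "60-edk2-ovmf-x64-amdsev.json":
            feats.remove("amd-sev-snp")
        elif drop_generic_sev:  # strip amd-sev* from non-SEV-specific files
            feats = [f for f in feats if not f.startswith("amd-sev")]
        out.append({**desc, "features": feats})
        if desc["name"] == "60-edk2-ovmf-x64-amdsev.json":
            out.append(SNP_ROM_DESCRIPTOR)  # sorts right after amdsev.json
    return out


def make_domain(required=(), stateless=None, readonly=None):
    """Domain requirements; None mirrors VIR_TRISTATE_BOOL_ABSENT."""
    return {"features": frozenset(required),
            "loader": {"stateless": stateless, "readonly": readonly}}


def matches(desc, dom, fixed):
    """fixed=False: pre-series checks; fixed=True: after patches 05 and 06."""
    if not dom["features"] <= set(desc["features"]):
        return False
    st, ro = dom["loader"]["stateless"], dom["loader"]["readonly"]
    mapping = desc["mapping"]
    if mapping["device"] == "memory":
        # ROM is inherently stateless and read-only; patch 05/10 adds the
        # stateless=no rejection beside the pre-existing readonly=no one.
        if fixed and st is False:
            return False
        return ro is not False
    mode = mapping["mode"]
    if not fixed:
        # Before: stateless only when explicitly requested, else split only.
        if mode != ("stateless" if st is True else "split"):
            return False
    else:
        # After: honour explicit preferences, accept any mode if unspecified.
        if st is False and mode == "stateless":
            return False
        if st is True and mode != "stateless":
            return False
        if ro is True and mode == "combined":  # added by patch 06/10
            return False
    # Pre-existing in both versions: read/write requires a combined image.
    return not (ro is False and mode != "combined")


def select(descriptors, dom, fixed):
    """First match and the <loader> it yields (patch 05/10's enable hunk)."""
    for desc in descriptors:
        if not matches(desc, dom, fixed):
            continue
        mapping = desc["mapping"]
        if mapping["device"] == "memory":
            return desc["name"], {"type": "rom", "path": mapping["filename"]}
        loader = {"type": "pflash", "path": mapping["executable"],
                  "readonly": mapping["mode"] != "combined"}
        if mapping["mode"] == "stateless":
            loader["stateless"] = True
        return desc["name"], loader
    return None  # autoselection fails: "Unable to find 'efi' firmware ..."


def demo():
    """Thread scenarios, keyed domain/descriptor-set/code-version."""
    snp = make_domain(required=["amd-sev-snp"])
    rw = make_domain(readonly=False)
    stateful = make_domain(required=["amd-sev"], stateless=False)
    cur, p08 = CURRENT_DESCRIPTORS, proposed_descriptors()
    p09 = proposed_descriptors(drop_generic_sev=True)
    return {"snp/current/before": select(cur, snp, False),
            "snp/current/after": select(cur, snp, True),
            "snp/patch08/before": select(p08, snp, False),
            "snp/patch08/after": select(p08, snp, True),
            "rw/current/before": select(cur, rw, False),
            "rw/current/after": select(cur, rw, True),
            "stateful-sev/current/after": select(cur, stateful, True),
            "stateful-sev/patch09/after": select(p09, stateful, True)}
```

`demo()` reproduces the thread's positions: the SEV-SNP domain fails on current code and descriptors, lands on pflash+stateless after the libvirt fix alone, and on ROM with the split descriptors (with or without the libvirt fix), while a stateless='no' SEV domain matches today but has nothing left to match once patch 09/10 drops amd-sev from the generic descriptors.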

The current code assumes that a stateless firmware has to be explicitly requested by the user, and should never be picked otherwise. This means that, for example, domains configured to use SEV-SNP are forced to explicitly request for the firmware to be stateless. Additionally, we assume that only split firmware is suitable for the stateful use case, whereas a combined firmware image would also do the job. As a result of these changes, the failing SEV-SNP test case that was added recently passes, and so do the test cases requesting read/write firmware. Signed-off-by: Andrea Bolognani <abologna@redhat.com> --- src/qemu/qemu_firmware.c | 40 ++++++++++++++----- ...ware-auto-efi-rw-pflash.x86_64-latest.args | 36 +++++++++++++++++ ...mware-auto-efi-rw-pflash.x86_64-latest.err | 1 - ...mware-auto-efi-rw-pflash.x86_64-latest.xml | 6 ++- .../firmware-auto-efi-rw.x86_64-latest.args | 36 +++++++++++++++++ .../firmware-auto-efi-rw.x86_64-latest.err | 1 - .../firmware-auto-efi-rw.x86_64-latest.xml | 6 ++- ...auto-efi-sev-snp.x86_64-latest+amdsev.args | 36 +++++++++++++++++ ...-auto-efi-sev-snp.x86_64-latest+amdsev.err | 1 - ...-auto-efi-sev-snp.x86_64-latest+amdsev.xml | 6 ++- tests/qemuxmlconftest.c | 5 +-- 11 files changed, 154 insertions(+), 20 deletions(-) create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.args delete mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.err create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.args delete mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.err create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args delete mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.err diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c index f0b5592f07..6ead61d59c 100644 --- a/src/qemu/qemu_firmware.c +++ b/src/qemu/qemu_firmware.c 
@@ -1301,16 +1301,21 @@ qemuFirmwareMatchDomain(const virDomainDef *def, return false; } - if (loader && loader->stateless == VIR_TRISTATE_BOOL_YES) { - if (flash->mode != QEMU_FIRMWARE_FLASH_MODE_STATELESS) { - VIR_DEBUG("Discarding loader without stateless flash"); - return false; - } - } else { - if (flash->mode != QEMU_FIRMWARE_FLASH_MODE_SPLIT) { - VIR_DEBUG("Discarding loader without split flash"); - return false; - } + /* Explicit requests for either a stateless or stateful + * firmware should be fulfilled, but if no preference is + * provided either one is fine as long as the other match + * criteria are satisfied */ + if (loader && + loader->stateless == VIR_TRISTATE_BOOL_NO && + flash->mode == QEMU_FIRMWARE_FLASH_MODE_STATELESS) { + VIR_DEBUG("Discarding stateless loader"); + return false; + } + if (loader && + loader->stateless == VIR_TRISTATE_BOOL_YES && + flash->mode != QEMU_FIRMWARE_FLASH_MODE_STATELESS) { + VIR_DEBUG("Discarding non-stateless loader"); + return false; } if (loader && @@ -1348,6 +1353,11 @@ qemuFirmwareMatchDomain(const virDomainDef *def, return false; } + if (loader && loader->stateless == VIR_TRISTATE_BOOL_NO) { + VIR_DEBUG("Discarding stateless loader"); + return false; + } + if (loader && loader->readonly == VIR_TRISTATE_BOOL_NO) { VIR_DEBUG("Discarding readonly loader"); return false; @@ -1425,9 +1435,17 @@ qemuFirmwareEnableFeaturesModern(virDomainDef *def, loader = def->os.loader; loader->type = VIR_DOMAIN_LOADER_TYPE_PFLASH; - loader->readonly = VIR_TRISTATE_BOOL_YES; loader->format = format; + /* Combined mode implies read/write, other modes imply read-only */ + if (flash->mode == QEMU_FIRMWARE_FLASH_MODE_COMBINED) + loader->readonly = VIR_TRISTATE_BOOL_NO; + else + loader->readonly = VIR_TRISTATE_BOOL_YES; + + if (flash->mode == QEMU_FIRMWARE_FLASH_MODE_STATELESS) + loader->stateless = VIR_TRISTATE_BOOL_YES; + VIR_FREE(loader->path); loader->path = g_strdup(flash->executable.filename); 
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.args b/tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.args new file mode 100644 index 0000000000..d06de24db8 --- /dev/null +++ b/tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.args @@ -0,0 +1,36 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/var/lib/libvirt/qemu/domain--1-guest \ +USER=test \ +LOGNAME=test \ +XDG_DATA_HOME=/var/lib/libvirt/qemu/domain--1-guest/.local/share \ +XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain--1-guest/.cache \ +XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \ +/usr/bin/qemu-system-x86_64 \ +-name guest=guest,debug-threads=on \ +-S \ +-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \ +-blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.combined.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-pflash0-format","read-only":false,"driver":"raw","file":"libvirt-pflash0-storage"}' \ +-machine pc-q35-10.0,usb=off,smm=on,dump-guest-core=off,memory-backend=pc.ram,pflash0=libvirt-pflash0-format,acpi=on \ +-accel kvm \ +-cpu qemu64 \ +-global driver=cfi.pflash01,property=secure,value=on \ +-m size=1048576k \ +-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \ +-overcommit mem-lock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-boot strict=on \ +-audiodev '{"id":"audio1","driver":"none"}' \ +-global ICH9-LPC.noreboot=off \ +-watchdog-action reset \ +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ +-msg timestamp=on 
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.err b/tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.err deleted file mode 100644 index 3edb2b3451..0000000000 --- a/tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.err +++ /dev/null @@ -1 +0,0 @@ -operation failed: Unable to find 'efi' firmware that is compatible with the current configuration diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.xml b/tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.xml index 217c1f4b94..7b79738d98 100644 --- a/tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.xml +++ b/tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.xml @@ -6,11 +6,15 @@ <vcpu placement='static'>1</vcpu> <os firmware='efi'> <type arch='x86_64' machine='pc-q35-10.0'>hvm</type> - <loader readonly='no' type='pflash' format='raw'/> + <firmware> + <feature enabled='yes' name='secure-boot'/> + </firmware> + <loader readonly='no' secure='yes' type='pflash' format='raw'>/usr/share/edk2/ovmf/OVMF.combined.fd</loader> <boot dev='hd'/> </os> <features> <acpi/> + <smm state='on'/> </features> <cpu mode='custom' match='exact' check='none'> <model fallback='forbid'>qemu64</model> diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.args b/tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.args new file mode 100644 index 0000000000..d06de24db8 --- /dev/null +++ b/tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.args 
@@ -0,0 +1,36 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/var/lib/libvirt/qemu/domain--1-guest \ +USER=test \ +LOGNAME=test \ +XDG_DATA_HOME=/var/lib/libvirt/qemu/domain--1-guest/.local/share \ +XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain--1-guest/.cache \ +XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \ +/usr/bin/qemu-system-x86_64 \ +-name guest=guest,debug-threads=on \ +-S \ +-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \ +-blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.combined.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-pflash0-format","read-only":false,"driver":"raw","file":"libvirt-pflash0-storage"}' \ +-machine pc-q35-10.0,usb=off,smm=on,dump-guest-core=off,memory-backend=pc.ram,pflash0=libvirt-pflash0-format,acpi=on \ +-accel kvm \ +-cpu qemu64 \ +-global driver=cfi.pflash01,property=secure,value=on \ +-m size=1048576k \ +-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \ +-overcommit mem-lock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-boot strict=on \ +-audiodev '{"id":"audio1","driver":"none"}' \ +-global ICH9-LPC.noreboot=off \ +-watchdog-action reset \ +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ +-msg timestamp=on diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.err b/tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.err deleted file mode 100644 index 3edb2b3451..0000000000 --- a/tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.err +++ /dev/null 
@@ -1 +0,0 @@ -operation failed: Unable to find 'efi' firmware that is compatible with the current configuration diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.xml b/tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.xml index 0f6b965067..7b79738d98 100644 --- a/tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.xml +++ b/tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.xml @@ -6,11 +6,15 @@ <vcpu placement='static'>1</vcpu> <os firmware='efi'> <type arch='x86_64' machine='pc-q35-10.0'>hvm</type> - <loader readonly='no' format='raw'/> + <firmware> + <feature enabled='yes' name='secure-boot'/> + </firmware> + <loader readonly='no' secure='yes' type='pflash' format='raw'>/usr/share/edk2/ovmf/OVMF.combined.fd</loader> <boot dev='hd'/> </os> <features> <acpi/> + <smm state='on'/> </features> <cpu mode='custom' match='exact' check='none'> <model fallback='forbid'>qemu64</model> diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args new file mode 100644 index 0000000000..99350f600c --- /dev/null +++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args 
@@ -0,0 +1,36 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/var/lib/libvirt/qemu/domain--1-guest \ +USER=test \ +LOGNAME=test \ +XDG_DATA_HOME=/var/lib/libvirt/qemu/domain--1-guest/.local/share \ +XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain--1-guest/.cache \ +XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \ +/usr/bin/qemu-system-x86_64 \ +-name guest=guest,debug-threads=on \ +-S \ +-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \ +-blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \ +-machine pc-q35-10.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on \ +-accel kvm \ +-cpu qemu64 \ +-m size=1048576k \ +-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \ +-overcommit mem-lock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid 63840878-0deb-4095-97e6-fc444d9bc9fa \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-boot strict=on \ +-audiodev '{"id":"audio1","driver":"none"}' \ +-global ICH9-LPC.noreboot=off \ +-watchdog-action reset \ +-object '{"qom-type":"sev-snp-guest","id":"lsec0","cbitpos":51,"reduced-phys-bits":1,"policy":196608}' \ +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ +-msg timestamp=on diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.err b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.err deleted file mode 100644 index 3edb2b3451..0000000000 
--- a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.err +++ /dev/null @@ -1 +0,0 @@ -operation failed: Unable to find 'efi' firmware that is compatible with the current configuration diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml index 81ac7888ea..6ea58f3361 100644 --- a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml @@ -6,7 +6,11 @@ <vcpu placement='static'>1</vcpu> <os firmware='efi'> <type arch='x86_64' machine='pc-q35-10.0'>hvm</type> - <loader format='raw'/> + <firmware> + <feature enabled='no' name='enrolled-keys'/> + <feature enabled='no' name='secure-boot'/> + </firmware> + <loader readonly='yes' type='pflash' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> <boot dev='hd'/> </os> <features> diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c index c17bb168f6..d2c04855a0 100644 --- a/tests/qemuxmlconftest.c +++ b/tests/qemuxmlconftest.c @@ -1443,8 +1443,8 @@ mymain(void) DO_TEST_CAPS_LATEST("firmware-auto-efi"); DO_TEST_CAPS_LATEST_ABI_UPDATE("firmware-auto-efi"); DO_TEST_CAPS_LATEST("firmware-auto-efi-stateless"); - DO_TEST_CAPS_LATEST_FAILURE("firmware-auto-efi-rw"); - DO_TEST_CAPS_LATEST_FAILURE("firmware-auto-efi-rw-pflash"); + DO_TEST_CAPS_LATEST("firmware-auto-efi-rw"); + DO_TEST_CAPS_LATEST("firmware-auto-efi-rw-pflash"); DO_TEST_CAPS_LATEST("firmware-auto-efi-loader-secure"); DO_TEST_CAPS_LATEST_ABI_UPDATE("firmware-auto-efi-loader-secure"); DO_TEST_CAPS_LATEST("firmware-auto-efi-loader-insecure"); @@ -1481,7 +1481,6 @@ mymain(void) ARG_CAPS_VARIANT, "+amdsev", ARG_END); DO_TEST_CAPS_ARCH_LATEST_FULL("firmware-auto-efi-sev-snp", "x86_64", - ARG_FLAGS, FLAG_EXPECT_FAILURE, ARG_CAPS_VARIANT, "+amdsev", ARG_END); -- 2.51.0
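Review bot: in the first qemuFirmwareMatchDomain() hunk, an explicit readonly='yes' request is no longer kept away from a QEMU_FIRMWARE_FLASH_MODE_COMBINED descriptor (the old code excluded it indirectly by demanding split mode whenever stateless was not requested), and the qemuFirmwareEnableFeaturesModern() hunk then overwrites the user's choice with `loader->readonly = VIR_TRISTATE_BOOL_NO` for combined images. A check mirroring the existing readonly==NO one, i.e. discard when `loader->readonly == VIR_TRISTATE_BOOL_YES && flash->mode == QEMU_FIRMWARE_FLASH_MODE_COMBINED`, would stop explicit read-only requests from being silently downgraded; the next patch in the series adds exactly that, so consider folding it into this one so that no intermediate commit carries the regression.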
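Review bot: the second hunk's `VIR_DEBUG("Discarding stateless loader")` reuses the message emitted in the first hunk for the flash case, so a debug log no longer tells which branch rejected the descriptor; mentioning the device type, e.g. "Discarding memory-mapped loader (stateless not allowed)", keeps the two distinguishable when debugging autoselection failures.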

On 8/25/25 10:19, Andrea Bolognani via Devel wrote:
The current code assumes that a stateless firmware has to be explicitly requested by the user, and should never be picked otherwise. This means that, for example, domains configured to use SEV-SNP are forced to explicitly request for the firmware to be stateless.
With proper firmware descriptors, I'd replace 'SEV-SNP' with 'SEV(-ES)'.
Additionally, we assume that only split firmware is suitable for the stateful use case, whereas a combined firmware image would also do the job.
As a result of these changes, the failing SEV-SNP test case that was added recently passes, and so do the test cases requesting read/write firmware.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> --- src/qemu/qemu_firmware.c | 40 ++++++++++++++-----
The code changes are fine IMO, and work in my testing.
...ware-auto-efi-rw-pflash.x86_64-latest.args | 36 +++++++++++++++++ ...mware-auto-efi-rw-pflash.x86_64-latest.err | 1 - ...mware-auto-efi-rw-pflash.x86_64-latest.xml | 6 ++- .../firmware-auto-efi-rw.x86_64-latest.args | 36 +++++++++++++++++ .../firmware-auto-efi-rw.x86_64-latest.err | 1 - .../firmware-auto-efi-rw.x86_64-latest.xml | 6 ++- ...auto-efi-sev-snp.x86_64-latest+amdsev.args | 36 +++++++++++++++++ ...-auto-efi-sev-snp.x86_64-latest+amdsev.err | 1 - ...-auto-efi-sev-snp.x86_64-latest+amdsev.xml | 6 ++- tests/qemuxmlconftest.c | 5 +-- 11 files changed, 154 insertions(+), 20 deletions(-) create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.args delete mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-rw-pflash.x86_64-latest.err create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.args delete mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-rw.x86_64-latest.err create mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args delete mode 100644 tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.err
IMO, we should first agree on the firmware descriptor changes before tweaking/adding tests.

Regards, Jim

We currently always pick a read-only firmware unless we are explicitly asked for a read/write one, which is probably what most people expect anyway but doesn't really make sense otherwise: if no specific requirement has been provided by the user, both read-only and read/write firmwares should be allowed to match. This won't result in any change in practice, since distros are not shipping read/write builds of edk2 anyway. If they started doing that, it would be their responsibility to ensure that they are ordered after the read-only builds. Signed-off-by: Andrea Bolognani <abologna@redhat.com> --- src/qemu/qemu_firmware.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c index 6ead61d59c..5bd34ea87f 100644 --- a/src/qemu/qemu_firmware.c +++ b/src/qemu/qemu_firmware.c @@ -1318,6 +1318,13 @@ qemuFirmwareMatchDomain(const virDomainDef *def, return false; } + /* Same for read-only status */ + if (loader && + loader->readonly == VIR_TRISTATE_BOOL_YES && + flash->mode == QEMU_FIRMWARE_FLASH_MODE_COMBINED) { + VIR_DEBUG("Discarding read/write loader"); + return false; + } if (loader && loader->readonly == VIR_TRISTATE_BOOL_NO && flash->mode != QEMU_FIRMWARE_FLASH_MODE_COMBINED) { -- 2.51.0
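Review bot: the comment `/* Same for read-only status */` only reads correctly with the stateless block above it in view; in isolation the hunk does not say what "same" refers to, so spell it out, e.g. "Explicit read-only/read-write requests must be honoured; with no preference either is fine". It would also help to state in the message that, together with the existing readonly==NO check, this means an explicit `<loader readonly='yes'/>` can never land on a combined image, which is what makes the previous patch's `loader->readonly = VIR_TRISTATE_BOOL_NO` assignment for combined mode safe.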

Signed-off-by: Andrea Bolognani <abologna@redhat.com> --- NEWS.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index e6a74ad699..0a003d5b67 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -26,6 +26,11 @@ v11.7.0 (unreleased) * **Bug fixes** + * qemu: Fix selection of stateless/combined firmware + + A stateless firmware will now be correctly chosen when appropriate, + e.g. for domains configured to use SEV-SNP. + v11.6.0 (2025-08-01) ==================== -- 2.51.0
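Review bot: the NEWS entry covers only the stateless/combined selection fix; the read/write matching change from the previous patch (explicit readonly='yes' or 'no' is now honoured, and with no preference either kind may match) is user-visible too and belongs in the same entry, e.g. a second sentence such as "Explicit read-only and read/write requests are now also honoured when selecting firmware."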

Based on proposed changes in the Fedora edk2 package. The SEV(-ES) and SEV-SNP descriptors are now separate, which allows libvirt to pick the correct firmware loading mechanism (flash vs ROM) automatically. --- .../qemu/firmware/60-edk2-ovmf-x64-amdsev.json | 1 - .../qemu/firmware/60-edk2-ovmf-x64-amdsev.json | 3 +-- .../qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json} | 14 ++++++-------- tests/qemufirmwaretest.c | 2 ++ ...ware-auto-efi-sev-snp.x86_64-latest+amdsev.args | 5 ++--- ...mware-auto-efi-sev-snp.x86_64-latest+amdsev.xml | 2 +- ...unch-security-sev-snp.x86_64-latest+amdsev.args | 5 ++--- ...aunch-security-sev-snp.x86_64-latest+amdsev.xml | 2 +- .../launch-security-sev-snp.x86_64-latest.args | 5 ++--- .../launch-security-sev-snp.x86_64-latest.xml | 2 +- 10 files changed, 18 insertions(+), 23 deletions(-) copy tests/qemufirmwaredata/{out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json => usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json} (57%) diff --git a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json index d83d394ba7..2d3b821acb 100644 --- a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json +++ b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json @@ -21,7 +21,6 @@ "features": [ "amd-sev", "amd-sev-es", - "amd-sev-snp", "verbose-dynamic" ] } diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json b/tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json index 9a561bc7eb..ca88ef9176 100644 --- a/tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json +++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json @@ -1,5 +1,5 @@ { - "description": "OVMF with SEV-ES support", + "description": "OVMF with SEV + SEV-ES support", "interface-types": [ "uefi" ], 
@@ -22,7 +22,6 @@ "features": [ "amd-sev", "amd-sev-es", - "amd-sev-snp", "verbose-dynamic" ], "tags": [ diff --git a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json b/tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json similarity index 57% copy from tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json copy to tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json index d83d394ba7..99e51c3d00 100644 --- a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json +++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json @@ -1,14 +1,11 @@ { + "description": "OVMF with SEV-SNP support", "interface-types": [ "uefi" ], "mapping": { - "device": "flash", - "mode": "stateless", - "executable": { - "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd", - "format": "raw" - } + "device": "memory", + "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd" }, "targets": [ { @@ -19,9 +16,10 @@ } ], "features": [ - "amd-sev", - "amd-sev-es", "amd-sev-snp", "verbose-dynamic" + ], + "tags": [ + ] } diff --git a/tests/qemufirmwaretest.c b/tests/qemufirmwaretest.c index a4fb5c9b9c..c18ee85c0a 100644 --- a/tests/qemufirmwaretest.c +++ b/tests/qemufirmwaretest.c @@ -100,6 +100,7 @@ testFWPrecedence(const void *opaque G_GNUC_UNUSED) PREFIX "/share/qemu/firmware/53-edk2-aarch64-verbose-raw.json", SYSCONFDIR "/qemu/firmware/59-combined.json", PREFIX "/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json", + PREFIX "/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json", PREFIX "/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json", PREFIX "/share/qemu/firmware/90-combined.json", PREFIX "/share/qemu/firmware/91-bios.json", 
@@ -279,6 +280,7 @@ mymain(void) DO_PARSE_TEST("usr/share/qemu/firmware/52-edk2-aarch64-verbose-qcow2.json"); DO_PARSE_TEST("usr/share/qemu/firmware/53-edk2-aarch64-verbose-raw.json"); DO_PARSE_TEST("usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json"); + DO_PARSE_TEST("usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json"); DO_PARSE_TEST("usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json"); DO_PARSE_TEST("usr/share/qemu/firmware/90-combined.json"); DO_PARSE_TEST("usr/share/qemu/firmware/91-bios.json"); diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args index 99350f600c..624039d1a2 100644 --- a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args +++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args @@ -10,11 +10,10 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \ -name guest=guest,debug-threads=on \ -S \ -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \ --blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ --blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \ --machine pc-q35-10.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on \ +-machine pc-q35-10.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=on \ -accel kvm \ -cpu qemu64 \ +-bios /usr/share/edk2/ovmf/OVMF.amdsev.fd \ -m size=1048576k \ -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \ -overcommit mem-lock=off \ 
diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml index 6ea58f3361..10a1a3a22d 100644 --- a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml @@ -10,7 +10,7 @@ <feature enabled='no' name='enrolled-keys'/> <feature enabled='no' name='secure-boot'/> </firmware> - <loader readonly='yes' type='pflash' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> + <loader type='rom' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> <boot dev='hd'/> </os> <features> diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.args index d849eb88e0..f8bc8a71fe 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.args +++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.args 
@@ -10,11 +10,10 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -name guest=QEMUGuest1,debug-threads=on \ -S \ -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \ --blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ --blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \ --machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on \ +-machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=on \ -accel kvm \ -cpu qemu64 \ +-bios /usr/share/edk2/ovmf/OVMF.amdsev.fd \ -m size=219136k \ -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \ -overcommit mem-lock=off \ diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml index a0487b021e..f57f3f2b68 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml @@ -10,7 +10,7 @@ <feature enabled='no' name='enrolled-keys'/> <feature enabled='no' name='secure-boot'/> </firmware> - <loader readonly='yes' type='pflash' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> + <loader type='rom' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> <boot dev='hd'/> </os> <features> diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args index d849eb88e0..f8bc8a71fe 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args 
+++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args @@ -10,11 +10,10 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -name guest=QEMUGuest1,debug-threads=on \ -S \ -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \ --blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ --blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \ --machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on \ +-machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=on \ -accel kvm \ -cpu qemu64 \ +-bios /usr/share/edk2/ovmf/OVMF.amdsev.fd \ -m size=219136k \ -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \ -overcommit mem-lock=off \ diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml index a0487b021e..f57f3f2b68 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml @@ -10,7 +10,7 @@ <feature enabled='no' name='enrolled-keys'/> <feature enabled='no' name='secure-boot'/> </firmware> - <loader readonly='yes' type='pflash' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> + <loader type='rom' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> <boot dev='hd'/> </os> <features> -- 2.51.0
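Review bot: the new 60-edk2-ovmf-x64-amdsevsnp.json hunk ends with an empty `"tags": [ ]` array that the `out/` amdsev.json it was copied from does not carry; either drop it or keep the shape consistent with the sibling descriptor so the parse/format test exercises one canonical form. The hunk also leaves "description" as the only thing distinguishing the two OVMF.amdsev.fd descriptors besides the mapping, which is fine, but worth a sentence in the commit message since both point at the same binary.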
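Review bot: the qemufirmwaretest.c hunks add the amdsevsnp descriptor to testFWPrecedence and to DO_PARSE_TEST, but the diffstat shows the file only under `usr/` while 60-edk2-ovmf-x64-amdsev.json exists in both `usr/` and `out/`; please confirm whether DO_PARSE_TEST needs an `out/` expected-output counterpart for the new file as it has for the amdsev one.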

On 8/25/25 10:19, Andrea Bolognani via Devel wrote:
Based on proposed changes in the Fedora edk2 package.
The SEV(-ES) and SEV-SNP descriptors are now separate, which allows libvirt to pick the correct firmware loading mechanism (flash vs ROM) automatically. --- .../qemu/firmware/60-edk2-ovmf-x64-amdsev.json | 1 - .../qemu/firmware/60-edk2-ovmf-x64-amdsev.json | 3 +-- .../qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json} | 14 ++++++--------
As said before, with these changes on top of git master, autoselection for SNP guests should work fine.
tests/qemufirmwaretest.c | 2 ++ ...ware-auto-efi-sev-snp.x86_64-latest+amdsev.args | 5 ++--- ...mware-auto-efi-sev-snp.x86_64-latest+amdsev.xml | 2 +- ...unch-security-sev-snp.x86_64-latest+amdsev.args | 5 ++--- ...aunch-security-sev-snp.x86_64-latest+amdsev.xml | 2 +- .../launch-security-sev-snp.x86_64-latest.args | 5 ++--- .../launch-security-sev-snp.x86_64-latest.xml | 2 +-
Along with improving the SEV-related tests, I now recall another change in the series I assembled: forcibly rebasing this patch on git master https://gitlab.com/jfehlig/libvirt/-/commit/894f3602ec279bc0eeaa723ca6e94859... No need to repeat my preference of first reaching closure on patches 8 and 9, before proceeding with the rest (sans patch 1). Oops...

Regards, Jim

These changes are not in the Fedora edk2 packages, not even in tentative form, and are just a suggestion of how we could potentially move things forward. The idea is to stop advertising SEV(-ES) support in the descriptors for regular edk2 builds, thus forcing the SEV-specific stateless build to be used. This arguably makes more sense, but it's unclear whether removing the combination could have negative impact on certain use cases. --- .../share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json | 2 -- .../share/qemu/firmware/51-edk2-ovmf-2m-raw-x64-nosb.json | 2 -- .../usr/share/qemu/firmware/90-combined.json | 1 - .../firmware-auto-efi-sev.x86_64-latest+amdsev.args | 5 ++--- .../firmware-auto-efi-sev.x86_64-latest+amdsev.xml | 3 +-- 5 files changed, 3 insertions(+), 10 deletions(-) diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json b/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json index d64735f477..bb11f5febd 100644 --- a/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json +++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-ovmf-4m-qcow2-x64-nosb.json @@ -26,8 +26,6 @@ ], "features": [ "acpi-s3", - "amd-sev", - "amd-sev-es", "verbose-dynamic" ], "tags": [ diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/51-edk2-ovmf-2m-raw-x64-nosb.json b/tests/qemufirmwaredata/usr/share/qemu/firmware/51-edk2-ovmf-2m-raw-x64-nosb.json index 050853e2b8..bb8ea4c07a 100644 --- a/tests/qemufirmwaredata/usr/share/qemu/firmware/51-edk2-ovmf-2m-raw-x64-nosb.json +++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/51-edk2-ovmf-2m-raw-x64-nosb.json @@ -26,8 +26,6 @@ ], "features": [ "acpi-s3", - "amd-sev", - "amd-sev-es", "verbose-dynamic" ], "tags": [ diff --git a/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json b/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json index 8ecac440b4..a788a3fc40 100644 
--- a/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json +++ b/tests/qemufirmwaredata/usr/share/qemu/firmware/90-combined.json @@ -21,7 +21,6 @@ ], "features": [ "acpi-s3", - "amd-sev", "enrolled-keys", "requires-smm", "secure-boot", diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args index 550ac52b8a..a0ede6ca92 100644 --- a/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args +++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.args @@ -10,10 +10,9 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \ -name guest=guest,debug-threads=on \ -S \ -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}' \ --blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF_CODE.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}' \ -blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}' \ --blockdev '{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/guest_VARS.fd","node-name":"libvirt-pflash1-storage","read-only":false}' \ --machine pc-q35-10.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-storage,acpi=on \ +-machine pc-q35-10.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on \ -accel kvm \ -cpu qemu64 \ -m size=1048576k \ diff --git a/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.xml index cbfdcdeee3..35db3dc7c3 100644 
--- a/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev.x86_64-latest+amdsev.xml @@ -10,8 +10,7 @@ <feature enabled='no' name='enrolled-keys'/> <feature enabled='no' name='secure-boot'/> </firmware> - <loader readonly='yes' type='pflash' format='raw'>/usr/share/edk2/ovmf/OVMF_CODE.fd</loader> - <nvram template='/usr/share/edk2/ovmf/OVMF_VARS.fd' templateFormat='raw' format='raw'>/var/lib/libvirt/qemu/nvram/guest_VARS.fd</nvram> + <loader readonly='yes' type='pflash' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> <boot dev='hd'/> </os> <features> -- 2.51.0
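Review bot: the 90-combined.json hunk drops only "amd-sev", whereas the two nosb descriptor hunks (50-edk2-ovmf-4m-qcow2-x64-nosb.json and 51-edk2-ovmf-2m-raw-x64-nosb.json) drop both "amd-sev" and "amd-sev-es"; that is only consistent with the stated goal (no regular build advertises SEV support) if the combined descriptor never listed "amd-sev-es", which is not visible in the hunk, so please confirm it rather than leaving the asymmetry unexplained. The updated firmware-auto-efi-sev expected output does match the intent: the loader becomes /usr/share/edk2/ovmf/OVMF.amdsev.fd with stateless='yes', and both the libvirt-pflash1-storage blockdev and the pflash1= machine property disappear from the .args, so no NVRAM file is created for the SEV guest.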

Thanks to the recent changes in the firmware autoselection algorithm as well as the descriptors being tweaked, the correct firmware gets picked up automatically without having to provide this hint. --- .../launch-security-sev-missing-platform-info.xml | 1 - .../launch-security-sev-snp.x86_64-latest+amdsev.xml | 2 +- tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml | 2 +- tests/qemuxmlconfdata/launch-security-sev-snp.xml | 1 - tests/qemuxmlconfdata/launch-security-sev.xml | 1 - 5 files changed, 2 insertions(+), 5 deletions(-) diff --git a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml index 513d704f93..475769e143 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-missing-platform-info.xml @@ -5,7 +5,6 @@ <vcpu placement='static'>1</vcpu> <os firmware='efi'> <type arch='x86_64' machine='pc-q35-8.2'>hvm</type> - <loader stateless='yes'/> </os> <features> <acpi/> diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml index f57f3f2b68..8153e13dca 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml @@ -10,7 +10,7 @@ <feature enabled='no' name='enrolled-keys'/> <feature enabled='no' name='secure-boot'/> </firmware> - <loader type='rom' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> + <loader type='rom' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> <boot dev='hd'/> </os> <features> diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml index f57f3f2b68..8153e13dca 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml 
+++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml @@ -10,7 +10,7 @@ <feature enabled='no' name='enrolled-keys'/> <feature enabled='no' name='secure-boot'/> </firmware> - <loader type='rom' stateless='yes' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> + <loader type='rom' format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader> <boot dev='hd'/> </os> <features> diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.xml b/tests/qemuxmlconfdata/launch-security-sev-snp.xml index d62ed0d05d..c7ef80edff 100644 --- a/tests/qemuxmlconfdata/launch-security-sev-snp.xml +++ b/tests/qemuxmlconfdata/launch-security-sev-snp.xml @@ -5,7 +5,6 @@ <vcpu placement='static'>1</vcpu> <os firmware='efi'> <type arch='x86_64' machine='pc-q35-8.2'>hvm</type> - <loader stateless='yes'/> </os> <features> <acpi/> diff --git a/tests/qemuxmlconfdata/launch-security-sev.xml b/tests/qemuxmlconfdata/launch-security-sev.xml index 39859fd126..7a582d83fb 100644 --- a/tests/qemuxmlconfdata/launch-security-sev.xml +++ b/tests/qemuxmlconfdata/launch-security-sev.xml @@ -5,7 +5,6 @@ <vcpu placement='static'>1</vcpu> <os firmware='efi'> <type arch='x86_64' machine='pc-q35-8.2'>hvm</type> - <loader stateless='yes'/> </os> <features> <acpi/> -- 2.51.0
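Review bot: the diffstat touches only .xml files, so the generated command lines for launch-security-sev, launch-security-sev-snp and the missing-platform-info variant must be byte-identical with and without the <loader stateless='yes'/> hint; that is the whole justification for the commit, and the commit message should state explicitly that the .args outputs were verified unchanged. Also, the input files launch-security-sev.xml and launch-security-sev-missing-platform-info.xml lose the hint but have no corresponding expected-output change here, while both launch-security-sev-snp outputs drop stateless='yes' from the type='rom' loader (the two outputs share the index line f57f3f2b68..8153e13dca, so they remain identical); it would help to say whether the non-SNP outputs already rendered the loader without stateless='yes' or were adjusted in an earlier patch of the series.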