On Tue, Aug 05, 2025 at 01:18:12AM -0700, Andrea Bolognani wrote:
> On Tue, Aug 05, 2025 at 08:08:14AM +0100, Daniel P. Berrangé wrote:
> > On Mon, Aug 04, 2025 at 02:15:01PM -0600, Jim Fehlig wrote:
> > > On 8/4/25 05:31, Andrea Bolognani wrote:
> > > > On Fri, Aug 01, 2025 at 11:39:45AM -0600, Jim Fehlig via Devel wrote:
> > > > > With this addition, the correct firmware is detected, but it's not
> > > > > properly provided to qemu
> > > > >
> > > > > internal error: QEMU unexpectedly closed the monitor (vm='sles15sp7-snp'):
> > > > > 2025-08-01T17:11:20.589614Z qemu-system-x86_64: pflash with kvm requires KVM readonly memory support
> > > > >
> > > > > The pertinent command line pieces being
> > > > >
> > > > > -blockdev '{"driver":"file","filename":"/usr/share/qemu/ovmf-x86_64-sev.bin","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}'
> > > > > -blockdev '{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}'
> > > > >
> > > > > But for SNP, it needs to be provided as bios, e.g.
> > > > >
> > > > > -bios /usr/share/qemu/ovmf-x86_64-sev.bin
> > > > >
> > > > > Are we correctly identifying this firmware in the descriptor file? It's
> > > > > advertised as a "flash" device, although I'm not sure if any of the other
> > > > > "FirmwareDevice" options [1] are appropriate. Perhaps the
> > > > > "FirmwareOSInterface" should be 'bios'?
> > > >
> > > > Adding Michal and Daniel to the conversation so that they can provide
> > > > some insights. I have zero experience with SEV and no easy access to
> > > > the relevant hardware.
> > >
> > > I don't follow qemu development close enough to know if pflash is now
> > > supported with SNP guests. AFAIK, only '-bios' was supported when the
> > > initial SNP enablement was merged.
> >
> > TDX/SNP are strictly -bios only and will remain that way.
> 
> Got it.
> 
> The TDX descriptor is using device=memory already so it should work
> correctly today.
> 
> Do you have any objections to the idea of separate descriptors for
> SEV(-ES) (device=flash) and SEV-SNP (device=memory) pointing to the
> same file? If not, I'll get the edk2 maintainer involved and make it
> happen.

Possibly we could just switch the existing descriptor, as with newer
QEMU IIUC SEV/ES can use either device 


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
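
The descriptor mismatch discussed in this thread, as an added example that is not part of the original messages and is not libvirt or QEMU code: a small check that flags a descriptor advertising a `-bios`-only guest type on a flash mapping, then selects a loader from the proposed split descriptors. The descriptors are constructed and reduced to the fields used; the field and feature names (`amd-sev`, `amd-sev-es`, `amd-sev-snp`, `intel-tdx`) are assumed to follow QEMU's firmware descriptor schema, and `lint`/`select` are hypothetical helpers.

```python
# Firmware path quoted in the thread; everything else below is constructed.
FW = "/usr/share/qemu/ovmf-x86_64-sev.bin"

# Guest types that only boot with -bios, per the thread (TDX/SNP).
BIOS_ONLY = {"amd-sev-snp", "intel-tdx"}

# Modelled on the reported situation: SNP advertised on a flash mapping.
REPORTED = {
    "mapping": {"device": "flash",
                "executable": {"filename": FW, "format": "raw"}},
    "features": ["amd-sev", "amd-sev-es", "amd-sev-snp"],
}

# Modelled on the proposal: two descriptors pointing at the same file.
SPLIT = [
    {"mapping": {"device": "flash",
                 "executable": {"filename": FW, "format": "raw"}},
     "features": ["amd-sev", "amd-sev-es"]},
    {"mapping": {"device": "memory", "filename": FW},
     "features": ["amd-sev-snp"]},
]


def lint(desc):
    """Return features the descriptor advertises but its mapping cannot serve."""
    if desc["mapping"]["device"] == "memory":
        return set()
    return BIOS_ONLY & set(desc["features"])


def select(descriptors, wanted):
    """Pick the first descriptor that offers every wanted feature through a
    usable mapping. Returns (loader, path), loader being "-bios" or "pflash",
    or None when no descriptor fits."""
    wanted = set(wanted)
    for desc in descriptors:
        if not wanted <= set(desc["features"]):
            continue
        mapping = desc["mapping"]
        if mapping["device"] == "memory":
            return ("-bios", mapping["filename"])
        if mapping["device"] == "flash" and not (wanted & BIOS_ONLY):
            return ("pflash", mapping["executable"]["filename"])
    return None


if __name__ == "__main__":
    print("reported descriptor problems:", lint(REPORTED))
    print("SNP guest, split descriptors:", select(SPLIT, ["amd-sev-snp"]))
    print("SEV-ES guest, split descriptors:", select(SPLIT, ["amd-sev-es"]))
```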
