On Tue, Aug 12, 2025 at 05:26:19PM -0600, Jim Fehlig wrote:
> On 7/31/25 09:45, Andrea Bolognani via Devel wrote:
> > This test case demonstrates how firmware autoselection doesn't
> > currently work correctly for domains using SEV-SNP: the
> > descriptor for a suitable firmware exists, and yet it doesn't
> > get picked up.
>
> On my test system, autoselection for SEV-SNP guests does work after making
> the firmware descriptor changes suggested by Gerd
>
> https://src.fedoraproject.org/fork/kraxel/rpms/edk2/c/5146a0c3e9bf821d045e0cc3600ad715aca14588
>
> It fails for SEV and SEV-ES guests. As a first step, I tried "importing" the
> descriptor changes to tests/qemufirmwaredata/, but as always I'm fighting
> with fixing up the tests :-/.

Patch importing the changes attached.

Can you be more specific about the issue you're experiencing for
SEV(-ES) guests? Based on the patch, the behavior doesn't seem to
change at all there. Are you able to successfully start those guests
when you use unmodified libvirt and edk2?

Then again, the existing SEV tests look... Questionable. They all use
the i440fx machine type and default (BIOS) firmware, whereas
according to the documentation[1] you really want q35 and UEFI. So at
best our test coverage is lacking.

Stressing again the fact that I know very little about SEV and its
variants, my impression is that generally speaking stateless firmware
is preferred for the use case; however in Fedora the descriptors for
"regular" edk2 builds with no Secure Boot[2] advertise support for
the "amd-sev" and "amd-sev-es" firmware features, and since they sort
before the SEV-specific builds[3] libvirt will pick them up unless
you specifically ask for the firmware to be stateless.

Not sure if the best way to get out of this situation is to shuffle
the descriptors around, drop the SEV-specific features from other
descriptors, or tweak the libvirt algorithm so that it will prefer
stateless firmware for SEV unless told otherwise.

Very much interested in hearing everyone's thoughts on the topic.


[1] https://libvirt.org/kbase/launch_security_sev.html
[2] /usr/share/qemu/firmware/5*-edk2-ovmf-*-x64-nosb.json
[3] /usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev*.json
-- 
Andrea Bolognani / Red Hat / Virtualization
From 9fa2cf19ea8fa659d3b7fd5a1dafa510a04612f4 Mon Sep 17 00:00:00 2001
From: Andrea Bolognani <abolo...@redhat.com>
Date: Wed, 13 Aug 2025 11:10:32 +0200
Subject: [PATCH] DONOTMERGE update firmware descriptors

---
 .../qemu/firmware/60-edk2-ovmf-x64-amdsev.json     |  1 -
 .../qemu/firmware/60-edk2-ovmf-x64-amdsev.json     |  3 +--
 .../qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json} | 14 ++++++--------
 tests/qemufirmwaretest.c                           |  2 ++
 ...ware-auto-efi-sev-snp.x86_64-latest+amdsev.args |  5 ++---
 ...mware-auto-efi-sev-snp.x86_64-latest+amdsev.xml |  2 +-
 ...unch-security-sev-snp.x86_64-latest+amdsev.args |  5 ++---
 ...aunch-security-sev-snp.x86_64-latest+amdsev.xml |  2 +-
 .../launch-security-sev-snp.x86_64-latest.args     |  5 ++---
 .../launch-security-sev-snp.x86_64-latest.xml      |  2 +-
 10 files changed, 18 insertions(+), 23 deletions(-)
 copy 
tests/qemufirmwaredata/{out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
 => usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json} (57%)

diff --git 
a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
 
b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
index d83d394ba7..2d3b821acb 100644
--- 
a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
+++ 
b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
@@ -21,7 +21,6 @@
     "features": [
         "amd-sev",
         "amd-sev-es",
-        "amd-sev-snp",
         "verbose-dynamic"
     ]
 }
diff --git 
a/tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json 
b/tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
index 9a561bc7eb..ca88ef9176 100644
--- 
a/tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
+++ 
b/tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
@@ -1,5 +1,5 @@
 {
-    "description": "OVMF with SEV-ES support",
+    "description": "OVMF with SEV + SEV-ES support",
     "interface-types": [
         "uefi"
     ],
@@ -22,7 +22,6 @@
     "features": [
         "amd-sev",
         "amd-sev-es",
-        "amd-sev-snp",
         "verbose-dynamic"
     ],
     "tags": [
diff --git 
a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
 
b/tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json
similarity index 57%
copy from 
tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
copy to 
tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json
index d83d394ba7..99e51c3d00 100644
--- 
a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
+++ 
b/tests/qemufirmwaredata/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json
@@ -1,14 +1,11 @@
 {
+    "description": "OVMF with SEV-SNP support",
     "interface-types": [
         "uefi"
     ],
     "mapping": {
-        "device": "flash",
-        "mode": "stateless",
-        "executable": {
-            "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd",
-            "format": "raw"
-        }
+        "device": "memory",
+        "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd"
     },
     "targets": [
         {
@@ -19,9 +16,10 @@
         }
     ],
     "features": [
-        "amd-sev",
-        "amd-sev-es",
         "amd-sev-snp",
         "verbose-dynamic"
+    ],
+    "tags": [
+
     ]
 }
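Review bot: The new descriptor ends with a `"tags"` array whose only content is a blank line (the bare `+` just before the closing `]`), which reads as unfinished rather than as a deliberate empty list. Either collapse it to `"tags": []` or carry over the tags that the sibling input descriptor 60-edk2-ovmf-x64-amdsev.json has (its `"tags": [` line is visible as context in the previous hunk). Note also that the copy source is the out/ variant of the amdsev descriptor, which has no tags, so the empty array may simply be an artefact of where the file was copied from.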
diff --git a/tests/qemufirmwaretest.c b/tests/qemufirmwaretest.c
index a4fb5c9b9c..c18ee85c0a 100644
--- a/tests/qemufirmwaretest.c
+++ b/tests/qemufirmwaretest.c
@@ -100,6 +100,7 @@ testFWPrecedence(const void *opaque G_GNUC_UNUSED)
         PREFIX "/share/qemu/firmware/53-edk2-aarch64-verbose-raw.json",
         SYSCONFDIR "/qemu/firmware/59-combined.json",
         PREFIX "/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json",
+        PREFIX "/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json",
         PREFIX "/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json",
         PREFIX "/share/qemu/firmware/90-combined.json",
         PREFIX "/share/qemu/firmware/91-bios.json",
@@ -279,6 +280,7 @@ mymain(void)
     
DO_PARSE_TEST("usr/share/qemu/firmware/52-edk2-aarch64-verbose-qcow2.json");
     DO_PARSE_TEST("usr/share/qemu/firmware/53-edk2-aarch64-verbose-raw.json");
     DO_PARSE_TEST("usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json");
+    DO_PARSE_TEST("usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json");
     DO_PARSE_TEST("usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json");
     DO_PARSE_TEST("usr/share/qemu/firmware/90-combined.json");
     DO_PARSE_TEST("usr/share/qemu/firmware/91-bios.json");
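Review bot: The added `DO_PARSE_TEST("usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsevsnp.json");` has no companion file under tests/qemufirmwaredata/out/ in the diffstat, while the other descriptors in this list do have out/ counterparts. If the parse test compares the formatted result against out/<path> and the formatter drops or reorders fields (the out/ amdsev descriptor, for instance, carries no `"tags"`), the new case will fail or will need an out/ file added; worth confirming which behaviour the test has. mymain() starts outside the hunk, and the precedence list in testFWPrecedence in the previous hunk is also extended with the new path, in the same sorted position.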
diff --git 
a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args 
b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args
index 99350f600c..624039d1a2 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.args
@@ -10,11 +10,10 @@ 
XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \
 -name guest=guest,debug-threads=on \
 -S \
 -object 
'{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-guest/master-key.aes"}'
 \
--blockdev 
'{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}'
 \
--blockdev 
'{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}'
 \
--machine 
pc-q35-10.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on
 \
+-machine 
pc-q35-10.0,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=on
 \
 -accel kvm \
 -cpu qemu64 \
+-bios /usr/share/edk2/ovmf/OVMF.amdsev.fd \
 -m size=1048576k \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \
 -overcommit mem-lock=off \
diff --git 
a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml 
b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml
index 6ea58f3361..10a1a3a22d 100644
--- a/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml
+++ b/tests/qemuxmlconfdata/firmware-auto-efi-sev-snp.x86_64-latest+amdsev.xml
@@ -10,7 +10,7 @@
       <feature enabled='no' name='enrolled-keys'/>
       <feature enabled='no' name='secure-boot'/>
     </firmware>
-    <loader readonly='yes' type='pflash' stateless='yes' 
format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader>
+    <loader type='rom' 
format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader>
     <boot dev='hd'/>
   </os>
   <features>
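Review bot: The new expected `<loader type='rom' format='raw'>` here drops `stateless='yes'`, whereas the same pflash-to-rom change in launch-security-sev-snp.x86_64-latest+amdsev.xml and launch-security-sev-snp.x86_64-latest.xml keeps `stateless='yes'` next to `type='rom'`. If the attribute is only echoed from the input XML (present in the launch-security inputs, absent in the firmware-auto one) that is fine, but the two expectations then encode different contracts for a ROM loader picked by autoselection, and the descriptor this case now resolves to no longer declares `"mode": "stateless"`. Worth a one-line comment in the commit message stating which behaviour is intended so the fixtures do not silently diverge.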
diff --git 
a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.args 
b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.args
index b3bc7fcf04..c191b62070 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.args
+++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.args
@@ -10,11 +10,10 @@ 
XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -name guest=QEMUGuest1,debug-threads=on \
 -S \
 -object 
'{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}'
 \
--blockdev 
'{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}'
 \
--blockdev 
'{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}'
 \
--machine 
pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on
 \
+-machine 
pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=on
 \
 -accel kvm \
 -cpu qemu64 \
+-bios /usr/share/edk2/ovmf/OVMF.amdsev.fd \
 -m size=219136k \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \
 -overcommit mem-lock=off \
diff --git 
a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml 
b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml
index d9bf146993..f356fb798a 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml
+++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest+amdsev.xml
@@ -10,7 +10,7 @@
       <feature enabled='no' name='enrolled-keys'/>
       <feature enabled='no' name='secure-boot'/>
     </firmware>
-    <loader readonly='yes' type='pflash' stateless='yes' 
format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader>
+    <loader type='rom' stateless='yes' 
format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader>
     <boot dev='hd'/>
   </os>
   <features>
diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args 
b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args
index b3bc7fcf04..c191b62070 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args
@@ -10,11 +10,10 @@ 
XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -name guest=QEMUGuest1,debug-threads=on \
 -S \
 -object 
'{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}'
 \
--blockdev 
'{"driver":"file","filename":"/usr/share/edk2/ovmf/OVMF.amdsev.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"}'
 \
--blockdev 
'{"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"}'
 \
--machine 
pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,pflash0=libvirt-pflash0-format,acpi=on
 \
+-machine 
pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,confidential-guest-support=lsec0,acpi=on
 \
 -accel kvm \
 -cpu qemu64 \
+-bios /usr/share/edk2/ovmf/OVMF.amdsev.fd \
 -m size=219136k \
 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \
 -overcommit mem-lock=off \
diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml 
b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml
index d9bf146993..f356fb798a 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml
+++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml
@@ -10,7 +10,7 @@
       <feature enabled='no' name='enrolled-keys'/>
       <feature enabled='no' name='secure-boot'/>
     </firmware>
-    <loader readonly='yes' type='pflash' stateless='yes' 
format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader>
+    <loader type='rom' stateless='yes' 
format='raw'>/usr/share/edk2/ovmf/OVMF.amdsev.fd</loader>
     <boot dev='hd'/>
   </os>
   <features>
-- 
2.50.1
