On Wed, Apr 21, 2021 at 11:54:24AM +0200, Laszlo Ersek wrote:
> Hi Brijesh, Tom,
>
> in QEMU's "docs/interop/firmware.json", the @FirmwareFeature enumeration
> has a constant called @amd-sev. We should introduce an @amd-sev-es
> constant as well, minimally for the following reason:
>
> AMD document #56421 ("SEV-ES Guest-Hypervisor Communication Block
> Standardization") revision 1.40 says in "4.6 System Management Mode
> (SMM)" that "SMM will not be supported in this version of the
> specification". This is reflected in OVMF, so an OVMF binary that's
> supposed to run in a SEV-ES guest must be built without "-D
> SMM_REQUIRE". (As a consequence, such a binary should be built also
> without "-D SECURE_BOOT_ENABLE".)
>
> At the level of "docs/interop/firmware.json", this means that management
> applications should be enabled to look for the @amd-sev-es feature (and
> it also means, for OS distributors, that any firmware descriptor
> exposing @amd-sev-es will currently have to lack all three of:
> @requires-smm, @secure-boot, @enrolled-keys).
>
> I have three questions:
>
>
> (1) According to
> <https://libvirt.org/formatdomain.html#launch-security>, SEV-ES is
> explicitly requested in the domain XML via setting bit#2 in the "policy"
> element.
>
> Can this setting be used by libvirt to look for such a firmware
> descriptor that exposes @amd-sev-es?

Hi Laszlo and all,

Currently we use only <launchSecurity type='sev'> when selecting
firmware to make sure that it supports @amd-sev. Since we already have a
place in the VM XML where users can configure amd-sev-es, we can use that
information when selecting the correct firmware that should be used for
the VM.

Pavel

> (2) "docs/interop/firmware.json" documents @amd-sev as follows:
>
> # @amd-sev: The firmware supports running under AMD Secure Encrypted
> #           Virtualization, as specified in the AMD64 Architecture
> #           Programmer's Manual. QEMU command line options related to
> #           this feature are documented in
> #           "docs/amd-memory-encryption.txt".
>
> Documenting the new @amd-sev-es enum constant with very slight
> customizations for the same text should be possible, I reckon. However,
> "docs/amd-memory-encryption.txt" (nor
> "docs/confidential-guest-support.txt") seem to mention SEV-ES.
>
> Can you guys propose a patch for "docs/amd-memory-encryption.txt"?
>
> I guess that would be next to this snippet:
>
> > # ${QEMU} \
> > sev-guest,id=sev0,policy=0x1...\
>
>
> (3) Is the "AMD64 Architecture Programmer's Manual" the specification
> that we should reference under @amd-sev-es as well (i.e., same as with
> @amd-sev), or is there a more specific document?
>
> Thanks,
> Laszlo
>
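The selection discussed in this thread, as an added example that is not part of the original messages and is not libvirt's or QEMU's code: it maps bit#2 of the domain's "policy" element to the proposed @amd-sev-es feature and skips any descriptor that exposes @amd-sev-es together with @requires-smm, @secure-boot or @enrolled-keys. The function names, the descriptors (reduced to the "description" and "features" keys) and the domain XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SEV_POLICY_ES = 1 << 2  # bit#2 of the <policy> element requests SEV-ES
# Features the thread says an @amd-sev-es descriptor must currently lack.
SMM_DEPENDENT = {"requires-smm", "secure-boot", "enrolled-keys"}

def required_feature(domain_xml):
    """Return the firmware feature the domain needs, or None without SEV."""
    ls = ET.fromstring(domain_xml).find("launchSecurity")
    if ls is None or ls.get("type") != "sev":
        return None
    # Assumption: the policy value is written as a hex string, e.g. 0x0005.
    policy = int(ls.findtext("policy", default="0").strip(), 16)
    return "amd-sev-es" if policy & SEV_POLICY_ES else "amd-sev"

def descriptor_problems(desc):
    """SEV-ES firmware is built without SMM, so report conflicting features."""
    feats = set(desc["features"])
    if "amd-sev-es" not in feats:
        return set()
    return feats & SMM_DEPENDENT

def select_firmware(domain_xml, descriptors):
    """Pick the first consistent descriptor that exposes the needed feature."""
    need = required_feature(domain_xml)
    for desc in descriptors:
        if descriptor_problems(desc):
            continue  # mislabelled descriptor, never offer it
        if need is None or need in desc["features"]:
            return desc["description"]
    return None

# Constructed sample data (not real descriptor files).
DESCRIPTORS = [
    {"description": "OVMF with SMM and Secure Boot",
     "features": ["requires-smm", "secure-boot", "enrolled-keys"]},
    {"description": "OVMF for SEV", "features": ["amd-sev"]},
    {"description": "mislabelled", "features": ["amd-sev-es", "requires-smm"]},
    {"description": "OVMF for SEV-ES", "features": ["amd-sev", "amd-sev-es"]},
]
DOMAIN_SEV = ("<domain><launchSecurity type='sev'>"
              "<policy>0x0001</policy></launchSecurity></domain>")
DOMAIN_SEV_ES = ("<domain><launchSecurity type='sev'>"
                 "<policy>0x0005</policy></launchSecurity></domain>")

if __name__ == "__main__":
    print(select_firmware(DOMAIN_SEV, DESCRIPTORS))
    print(select_firmware(DOMAIN_SEV_ES, DESCRIPTORS))
```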