On 04/21/21 13:51, Pavel Hrdina wrote:
> On Wed, Apr 21, 2021 at 11:54:24AM +0200, Laszlo Ersek wrote:
>> Hi Brijesh, Tom,
>>
>> in QEMU's "docs/interop/firmware.json", the @FirmwareFeature enumeration
>> has a constant called @amd-sev. We should introduce an @amd-sev-es
>> constant as well, minimally for the following reason:
>>
>> AMD document #56421 ("SEV-ES Guest-Hypervisor Communication Block
>> Standardization") revision 1.40 says in "4.6 System Management Mode
>> (SMM)" that "SMM will not be supported in this version of the
>> specification". This is reflected in OVMF, so an OVMF binary that's
>> supposed to run in a SEV-ES guest must be built without "-D
>> SMM_REQUIRE". (As a consequence, such a binary should be built also
>> without "-D SECURE_BOOT_ENABLE".)
>>
>> At the level of "docs/interop/firmware.json", this means that management
>> applications should be enabled to look for the @amd-sev-es feature (and
>> it also means, for OS distributors, that any firmware descriptor
>> exposing @amd-sev-es will currently have to lack all three of:
>> @requires-smm, @secure-boot, @enrolled-keys).
>>
>> I have three questions:
>>
>>
>> (1) According to
>> <https://libvirt.org/formatdomain.html#launch-security>, SEV-ES is
>> explicitly requested in the domain XML via setting bit#2 in the "policy"
>> element.
>>
>> Can this setting be used by libvirt to look for such a firmware
>> descriptor that exposes @amd-sev-es?
>
> Hi Laszlo and all,
>
> Currently we use only <launchSecurity type='sev'> when selecting
> firmware to make sure that it supports @amd-sev. Since we already have a
> place in the VM XML where users can configure amd-sev-as we can use that
> information when selecting correct firmware that should be used for the
> VM.
Thanks!
Should we file a libvirtd Feature Request (where?) for recognizing the
@amd-sev-es feature flag?
Cheers
Laszlo
>
> Pavel
>
>> (2) "docs/interop/firmware.json" documents @amd-sev as follows:
>>
>> # @amd-sev: The firmware supports running under AMD Secure Encrypted
>> # Virtualization, as specified in the AMD64 Architecture
>> # Programmer's Manual. QEMU command line options related to
>> # this feature are documented in
>> # "docs/amd-memory-encryption.txt".
>>
>> Documenting the new @amd-sev-es enum constant with very slight
>> customizations for the same text should be possible, I reckon. However,
>> "docs/amd-memory-encryption.txt" (nor
>> "docs/confidential-guest-support.txt") seem to mention SEV-ES.
>>
>> Can you guys propose a patch for "docs/amd-memory-encryption.txt"?
>>
>> I guess that would be next to this snippet:
>>
>>> # ${QEMU} \
>>> sev-guest,id=sev0,policy=0x1...\
>>
>>
>> (3) Is the "AMD64 Architecture Programmer's Manual" the specification
>> that we should reference under @amd-sev-es as well (i.e., same as with
>> @amd-sev), or is there a more specific document?
>>
>> Thanks,
>> Laszlo
>>
