From: Michal Privoznik <mprivozn@redhat.com>
To: Laszlo Ersek <lersek@redhat.com>, Pavel Hrdina <phrdina@redhat.com>
Cc: "Tom Lendacky" <thomas.lendacky@amd.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Brijesh Singh" <brijesh.singh@amd.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"qemu devel list" <qemu-devel@nongnu.org>
Subject: Re: firmware selection for SEV-ES
Date: Fri, 23 Apr 2021 10:16:24 +0200
Message-ID: <0cf69e7e-d159-6b68-0046-5449b0241634@redhat.com>
In-Reply-To: <0b5d799c-6290-5585-599e-4c4f37af6202@redhat.com>
On 4/22/21 4:13 PM, Laszlo Ersek wrote:
> On 04/21/21 13:51, Pavel Hrdina wrote:
>> On Wed, Apr 21, 2021 at 11:54:24AM +0200, Laszlo Ersek wrote:
>>> Hi Brijesh, Tom,
>>>
>>> in QEMU's "docs/interop/firmware.json", the @FirmwareFeature enumeration
>>> has a constant called @amd-sev. We should introduce an @amd-sev-es
>>> constant as well, minimally for the following reason:
>>>
>>> AMD document #56421 ("SEV-ES Guest-Hypervisor Communication Block
>>> Standardization") revision 1.40 says in "4.6 System Management Mode
>>> (SMM)" that "SMM will not be supported in this version of the
>>> specification". This is reflected in OVMF, so an OVMF binary that's
>>> supposed to run in a SEV-ES guest must be built without "-D
>>> SMM_REQUIRE". (As a consequence, such a binary should be built also
>>> without "-D SECURE_BOOT_ENABLE".)
>>>
>>> At the level of "docs/interop/firmware.json", this means that management
>>> applications should be enabled to look for the @amd-sev-es feature (and
>>> it also means, for OS distributors, that any firmware descriptor
>>> exposing @amd-sev-es will currently have to lack all three of:
>>> @requires-smm, @secure-boot, @enrolled-keys).
>>>
>>> I have three questions:
>>>
>>>
>>> (1) According to
>>> <https://libvirt.org/formatdomain.html#launch-security>, SEV-ES is
>>> explicitly requested in the domain XML via setting bit#2 in the "policy"
>>> element.
>>>
>>> Can this setting be used by libvirt to look for such a firmware
>>> descriptor that exposes @amd-sev-es?
>>
>> Hi Laszlo and all,
>>
>> Currently we use only <launchSecurity type='sev'> when selecting
>> firmware to make sure that it supports @amd-sev. Since we already have a
>> place in the VM XML where users can configure amd-sev-es, we can use that
>> information when selecting the correct firmware that should be used for the
>> VM.
>
> Thanks!
>
> Should we file a libvirtd Feature Request (where?) for recognizing the
> @amd-sev-es feature flag?
Yes, we should. We can use Red Hat Bugzilla for that. Laszlo - do you
want to do it yourself or shall I help you with that?
Michal
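As an added example (not code from this thread, QEMU or libvirt): a small Python selector that applies the rule discussed above. It maps a domain's <launchSecurity> policy to the firmware.json features the guest needs (bit#2 of "policy" adds @amd-sev-es) and rejects any descriptor that pairs @amd-sev-es with @requires-smm, @secure-boot or @enrolled-keys. The descriptors, file paths and XML fragments are constructed samples, not real distro files.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors in the docs/interop/firmware.json shape (sample data,
# not real distro files); only the keys the selector looks at are filled in.
DESCRIPTORS = [
    {"description": "OVMF with SMM and Secure Boot",
     "mapping": {"device": "flash", "executable": {
         "filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd", "format": "raw"}},
     "features": ["amd-sev", "requires-smm", "secure-boot", "enrolled-keys"]},
    {"description": "OVMF built without SMM_REQUIRE, SEV-ES capable",
     "mapping": {"device": "flash", "executable": {
         "filename": "/usr/share/OVMF/OVMF_CODE.sev-es.fd", "format": "raw"}},
     "features": ["amd-sev", "amd-sev-es"]},
    {"description": "Inconsistent descriptor: SEV-ES together with SMM",
     "mapping": {"device": "flash", "executable": {
         "filename": "/usr/share/OVMF/OVMF_CODE.bad.fd", "format": "raw"}},
     "features": ["amd-sev", "amd-sev-es", "requires-smm", "secure-boot"]},
]

SEV_ES_POLICY_BIT = 1 << 2  # bit#2 of <launchSecurity><policy> requests SEV-ES
# Features a descriptor must not expose alongside amd-sev-es (no SMM in SEV-ES).
EXCLUDED_BY_SEV_ES = frozenset({"requires-smm", "secure-boot", "enrolled-keys"})


def required_features(domain_xml):
    """Map the <launchSecurity> element of a domain XML to needed firmware features."""
    ls = ET.fromstring(domain_xml).find("launchSecurity")
    if ls is None or ls.get("type") != "sev":
        return frozenset()
    policy = int(ls.findtext("policy", default="0"), 0)  # accepts "0x0007" or "7"
    needed = {"amd-sev"}
    if policy & SEV_ES_POLICY_BIT:
        needed.add("amd-sev-es")
    return frozenset(needed)


def descriptor_conflicts(desc):
    """Features a SEV-ES descriptor exposes but must not (empty when consistent)."""
    feats = set(desc.get("features", []))
    if "amd-sev-es" not in feats:
        return frozenset()
    return frozenset(feats & EXCLUDED_BY_SEV_ES)


def select_firmware(descriptors, domain_xml):
    """Executable paths of consistent descriptors that cover every needed feature."""
    needed = required_features(domain_xml)
    return [d["mapping"]["executable"]["filename"] for d in descriptors
            if needed <= set(d.get("features", [])) and not descriptor_conflicts(d)]
```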