From: Laszlo Ersek <lersek@redhat.com>
To: Michal Privoznik <mprivozn@redhat.com>,
	Pavel Hrdina <phrdina@redhat.com>
Cc: "Tom Lendacky" <thomas.lendacky@amd.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	"Brijesh Singh" <brijesh.singh@amd.com>,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	"qemu devel list" <qemu-devel@nongnu.org>
Subject: Re: firmware selection for SEV-ES
Date: Fri, 23 Apr 2021 12:31:02 +0200	[thread overview]
Message-ID: <d7b3d128-dc67-5162-2541-eff53be4cb84@redhat.com> (raw)
In-Reply-To: <0cf69e7e-d159-6b68-0046-5449b0241634@redhat.com>

On 04/23/21 10:16, Michal Privoznik wrote:
> On 4/22/21 4:13 PM, Laszlo Ersek wrote:
>> On 04/21/21 13:51, Pavel Hrdina wrote:
>>> On Wed, Apr 21, 2021 at 11:54:24AM +0200, Laszlo Ersek wrote:
>>>> Hi Brijesh, Tom,
>>>>
>>>> in QEMU's "docs/interop/firmware.json", the @FirmwareFeature
>>>> enumeration has a constant called @amd-sev. We should introduce an
>>>> @amd-sev-es constant as well, minimally for the following reason:
>>>>
>>>> AMD document #56421 ("SEV-ES Guest-Hypervisor Communication Block
>>>> Standardization") revision 1.40 says in "4.6 System Management Mode
>>>> (SMM)" that "SMM will not be supported in this version of the
>>>> specification". This is reflected in OVMF, so an OVMF binary that's
>>>> supposed to run in a SEV-ES guest must be built without "-D
>>>> SMM_REQUIRE". (As a consequence, such a binary should be built also
>>>> without "-D SECURE_BOOT_ENABLE".)
>>>>
>>>> At the level of "docs/interop/firmware.json", this means that
>>>> management applications should be enabled to look for the @amd-sev-es
>>>> feature (and it also means, for OS distributors, that any firmware
>>>> descriptor exposing @amd-sev-es will currently have to lack all three
>>>> of: @requires-smm, @secure-boot, @enrolled-keys).
>>>>
>>>> I have three questions:
>>>>
>>>>
>>>> (1) According to
>>>> <https://libvirt.org/formatdomain.html#launch-security>, SEV-ES is
>>>> explicitly requested in the domain XML via setting bit#2 in the
>>>> "policy" element.
>>>>
>>>> Can this setting be used by libvirt to look for such a firmware
>>>> descriptor that exposes @amd-sev-es?
>>>
>>> Hi Laszlo and all,
>>>
>>> Currently we use only <launchSecurity type='sev'> when selecting
>>> firmware to make sure that it supports @amd-sev. Since we already have a
>>> place in the VM XML where users can configure amd-sev-es we can use that
>>> information when selecting the correct firmware that should be used for
>>> the VM.
>>
>> Thanks!
>>
>> Should we file a libvirtd Feature Request (where?) for recognizing the
>> @amd-sev-es feature flag?
> 
> Yes, we should. We can use RedHat bugzilla for that. Laszlo - do you
> want to do it yourself or shall I help you with that?

Please go ahead, I appreciate your help! :)

Thanks!
Laszlo
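The selection rule discussed in this thread, written out as an added example (not code from QEMU, libvirt or any distribution): a descriptor is chosen only if it serves the requested architecture and interface, exposes every feature the guest needs, and is internally consistent, where "consistent" means that a descriptor exposing `amd-sev-es` does not also claim `requires-smm`, `secure-boot` or `enrolled-keys`. The descriptor layout follows QEMU's `docs/interop/firmware.json` (`interface-types`, `mapping`, `targets`, `features`); the three descriptors, their file names and the `policy`-to-feature mapping are assumptions constructed for this example, with bit 2 of the libvirt SEV policy read as the SEV-ES request the thread cites.

```python
"""Pick a firmware descriptor by required @FirmwareFeature names and reject
descriptors whose feature set contradicts their own amd-sev-es claim.

Added example, not QEMU's or libvirt's code. Descriptor shape follows
docs/interop/firmware.json; all sample data below is constructed."""

# SMM is unsupported under SEV-ES (AMD #56421 rev 1.40, section 4.6), and
# OVMF Secure Boot depends on SMM, so these three cannot accompany amd-sev-es.
SEV_ES_INCOMPATIBLE = frozenset({"requires-smm", "secure-boot", "enrolled-keys"})


def _descriptor(description, code, vars_, features):
    """Build one descriptor in the firmware.json layout (constructed paths)."""
    return {
        "description": description,
        "interface-types": ["uefi"],
        "mapping": {
            "device": "flash",
            "executable": {"filename": code, "format": "raw"},
            "nvram-template": {"filename": vars_, "format": "raw"},
        },
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": sorted(features),
        "tags": [],
    }


# Constructed sample descriptors (file names are placeholders, not real files).
SAMPLE_DESCRIPTORS = [
    _descriptor("OVMF with Secure Boot and SMM (sample)",
                "/usr/share/SAMPLE/OVMF_CODE.secboot.fd",
                "/usr/share/SAMPLE/OVMF_VARS.secboot.fd",
                {"acpi-s3", "amd-sev", "enrolled-keys", "requires-smm",
                 "secure-boot", "verbose-dynamic"}),
    _descriptor("OVMF for SEV-ES guests, no SMM (sample)",
                "/usr/share/SAMPLE/OVMF_CODE.sev-es.fd",
                "/usr/share/SAMPLE/OVMF_VARS.sev-es.fd",
                {"amd-sev", "amd-sev-es", "verbose-dynamic"}),
    # Deliberately inconsistent: claims SEV-ES together with Secure Boot.
    _descriptor("Broken descriptor: SEV-ES plus Secure Boot (sample)",
                "/usr/share/SAMPLE/OVMF_CODE.broken.fd",
                "/usr/share/SAMPLE/OVMF_VARS.broken.fd",
                {"amd-sev", "amd-sev-es", "secure-boot"}),
]


def validate_descriptor(desc):
    """Return the feature names that contradict the descriptor's amd-sev-es
    claim (empty list means the descriptor is consistent)."""
    features = set(desc.get("features", []))
    if "amd-sev-es" not in features:
        return []
    return sorted(features & SEV_ES_INCOMPATIBLE)


def features_for_launch_security(policy):
    """Map a libvirt <launchSecurity type='sev'> policy value to the firmware
    features the guest needs. Assumption for this example: the presence of
    <launchSecurity type='sev'> requires amd-sev, and policy bit 2 (the
    SEV-ES bit per the libvirt docs cited in the thread) adds amd-sev-es."""
    required = {"amd-sev"}
    if policy & (1 << 2):
        required.add("amd-sev-es")
    return required


def select_firmware(descriptors, required, architecture="x86_64",
                    interface="uefi"):
    """Return the descriptions of all descriptors, in list order, that serve
    the architecture and interface, expose every required feature, and pass
    validate_descriptor(). Inconsistent descriptors are skipped rather than
    offered, so a mislabelled build is never picked for a SEV-ES guest."""
    required = set(required)
    chosen = []
    for desc in descriptors:
        if interface not in desc.get("interface-types", []):
            continue
        if not any(t.get("architecture") == architecture
                   for t in desc.get("targets", [])):
            continue
        if not required <= set(desc.get("features", [])):
            continue
        if validate_descriptor(desc):
            continue
        chosen.append(desc["description"])
    return chosen


if __name__ == "__main__":
    # Policy 0x7 = NODBG | NOKS | ES in this example's reading of the bits.
    needed = features_for_launch_security(0x7)
    print("required features:", sorted(needed))
    print("candidates:", select_firmware(SAMPLE_DESCRIPTORS, needed))
    for d in SAMPLE_DESCRIPTORS:
        bad = validate_descriptor(d)
        if bad:
            print("rejecting", d["description"], "because of", bad)
```

Running the block prints the SEV-ES descriptor as the only candidate for policy 0x7 and reports the broken sample's `secure-boot` conflict; a plain SEV policy (bit 2 clear) matches both the Secure Boot build and the SEV-ES build, which is the behaviour a management application gets once it keys the search on the feature list rather than on file names.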



Thread overview: 13+ messages
2021-04-21  9:54 firmware selection for SEV-ES Laszlo Ersek
2021-04-21 11:51 ` Pavel Hrdina
2021-04-22 14:13   ` Laszlo Ersek
2021-04-23  8:16     ` Michal Privoznik
2021-04-23 10:31       ` Laszlo Ersek [this message]
2021-04-23 10:31       ` Pavel Hrdina
2021-04-23 12:34         ` Laszlo Ersek
2021-04-23 13:01           ` Pavel Hrdina
2021-04-23 13:06             ` Laszlo Ersek
2021-04-23 17:36               ` Pavel Hrdina
2021-04-26 11:01                 ` Laszlo Ersek
2021-04-21 15:25 ` Tom Lendacky
2021-04-22 14:16   ` Laszlo Ersek