qemu-devel

firmware selection for SEV-ES


From: Laszlo Ersek
Subject: firmware selection for SEV-ES
Date: Wed, 21 Apr 2021 11:54:24 +0200

Hi Brijesh, Tom,

in QEMU's "docs/interop/firmware.json", the @FirmwareFeature enumeration
has a constant called @amd-sev. We should introduce an @amd-sev-es
constant as well, minimally for the following reason:

AMD document #56421 ("SEV-ES Guest-Hypervisor Communication Block
Standardization") revision 1.40 says in "4.6 System Management Mode
(SMM)" that "SMM will not be supported in this version of the
specification". This is reflected in OVMF, so an OVMF binary that's
supposed to run in a SEV-ES guest must be built without "-D
SMM_REQUIRE". (As a consequence, such a binary should be built also
without "-D SECURE_BOOT_ENABLE".)

At the level of "docs/interop/firmware.json", this means that management
applications should be enabled to look for the @amd-sev-es feature (and
it also means, for OS distributors, that any firmware descriptor
exposing @amd-sev-es will currently have to lack all three of:
@requires-smm, @secure-boot, @enrolled-keys).

I have three questions:


(1) According to
<https://libvirt.org/formatdomain.html#launch-security>, SEV-ES is
explicitly requested in the domain XML via setting bit#2 in the "policy"
element.

Can this setting be used by libvirt to look for such a firmware
descriptor that exposes @amd-sev-es?


(2) "docs/interop/firmware.json" documents @amd-sev as follows:

# @amd-sev: The firmware supports running under AMD Secure Encrypted
#           Virtualization, as specified in the AMD64 Architecture
#           Programmer's Manual. QEMU command line options related to
#           this feature are documented in
#           "docs/amd-memory-encryption.txt".

Documenting the new @amd-sev-es enum constant with very slight
customizations for the same text should be possible, I reckon. However,
neither "docs/amd-memory-encryption.txt" nor
"docs/confidential-guest-support.txt" seems to mention SEV-ES.

Can you guys propose a patch for "docs/amd-memory-encryption.txt"?

I guess that would be next to this snippet:

> # ${QEMU} \
>    sev-guest,id=sev0,policy=0x1...\


(3) Is the "AMD64 Architecture Programmer's Manual" the specification
that we should reference under @amd-sev-es as well (i.e., same as with
@amd-sev), or is there a more specific document?

Thanks,
Laszlo
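As an added illustration of the constraint the mail describes (this is example code written for this page, not code from QEMU, libvirt, or the mail's author): a small checker that applies the rule that a firmware descriptor exposing @amd-sev-es must lack @requires-smm, @secure-boot and @enrolled-keys, and that reads the SEV-ES request from bit 2 of the launch-security policy value as the linked libvirt documentation describes. It models only the "features" list of a docs/interop/firmware.json descriptor (an assumption for brevity); the sample descriptors are constructed and are not real distribution files.

```python
"""Added example, not part of QEMU, libvirt, or the original mail.

Models the SEV-ES firmware-descriptor rule from the mail: a descriptor that
advertises "amd-sev-es" cannot also advertise "requires-smm", "secure-boot"
or "enrolled-keys", because SEV-ES firmware is built without SMM support.
Only the "features" list of a descriptor is modelled here (assumption).
"""

# SEV policy bit 2 (value 0x4) requests SEV-ES, per the libvirt
# launch-security documentation referenced in the mail.
SEV_POLICY_ES_BIT = 1 << 2

# Features that cannot coexist with "amd-sev-es" according to the mail.
INCOMPATIBLE_WITH_SEV_ES = frozenset({"requires-smm", "secure-boot", "enrolled-keys"})

# Constructed sample descriptors (not real distro files), in the shape of
# the "features" list used by docs/interop/firmware.json.
SAMPLE_DESCRIPTORS = [
    {"description": "OVMF with SMM + Secure Boot (SEV only)",
     "features": ["amd-sev", "requires-smm", "secure-boot", "enrolled-keys"]},
    {"description": "OVMF built without SMM_REQUIRE (SEV and SEV-ES)",
     "features": ["amd-sev", "amd-sev-es"]},
    {"description": "Mislabelled descriptor: claims SEV-ES and SMM",
     "features": ["amd-sev", "amd-sev-es", "requires-smm"]},
]


def policy_requests_sev_es(policy: int) -> bool:
    """True when the launch-security policy value has bit 2 set."""
    return bool(policy & SEV_POLICY_ES_BIT)


def descriptor_problems(descriptor: dict) -> list:
    """Return the feature names that contradict "amd-sev-es" in a descriptor.

    An empty list means the descriptor is consistent with the SMM constraint
    (or does not claim SEV-ES at all).
    """
    features = set(descriptor.get("features", []))
    if "amd-sev-es" not in features:
        return []
    return sorted(features & INCOMPATIBLE_WITH_SEV_ES)


def select_firmware(descriptors: list, policy: int) -> list:
    """Pick descriptors usable for the given policy value.

    If the policy requests SEV-ES, only descriptors that expose "amd-sev-es"
    and pass the consistency check are returned; otherwise any descriptor
    exposing "amd-sev" qualifies.
    """
    wanted = "amd-sev-es" if policy_requests_sev_es(policy) else "amd-sev"
    chosen = []
    for desc in descriptors:
        features = set(desc.get("features", []))
        if wanted not in features:
            continue
        # An inconsistent descriptor is skipped rather than trusted: its
        # feature list cannot be correct if it claims SEV-ES and SMM at once.
        if wanted == "amd-sev-es" and descriptor_problems(desc):
            continue
        chosen.append(desc)
    return chosen


if __name__ == "__main__":
    for policy in (0x1, 0x5):  # 0x5 = 0x1 with the SEV-ES bit (0x4) added
        print(f"policy=0x{policy:x} SEV-ES requested: {policy_requests_sev_es(policy)}")
        for desc in select_firmware(SAMPLE_DESCRIPTORS, policy):
            print("  usable:", desc["description"])
    for desc in SAMPLE_DESCRIPTORS:
        problems = descriptor_problems(desc)
        if problems:
            print("inconsistent:", desc["description"], "->", problems)
```

The mislabelled third descriptor is the case a management application would want to catch: it advertises @amd-sev-es together with @requires-smm, which the mail explains cannot both be true for one OVMF build.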