Re: firmware selection for SEV-ES

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: firmware selection for SEV-ES

From:	Laszlo Ersek
Subject:	Re: firmware selection for SEV-ES
Date:	Thu, 22 Apr 2021 16:16:11 +0200

On 04/21/21 17:25, Tom Lendacky wrote:
> On 4/21/21 4:54 AM, Laszlo Ersek wrote:
>> Hi Brijesh, Tom,
> 
> Hi Laszlo,
> 
>>
>> in QEMU's "docs/interop/firmware.json", the @FirmwareFeature enumeration
>> has a constant called @amd-sev. We should introduce an @amd-sev-es
>> constant as well, minimally for the following reason:
>>
>> AMD document #56421 ("SEV-ES Guest-Hypervisor Communication Block
>> Standardization") revision 1.40 says in "4.6 System Management Mode
>> (SMM)" that "SMM will not be supported in this version of the
>> specification". This is reflected in OVMF, so an OVMF binary that's
>> supposed to run in a SEV-ES guest must be built without "-D
>> SMM_REQUIRE". (As a consequence, such a binary should be built also
>> without "-D SECURE_BOOT_ENABLE".)
>>
>> At the level of "docs/interop/firmware.json", this means that management
>> applications should be enabled to look for the @amd-sev-es feature (and
>> it also means, for OS distributors, that any firmware descriptor
>> exposing @amd-sev-es will currently have to lack all three of:
>> @requires-smm, @secure-boot, @enrolled-keys).
>>
>> I have three questions:
>>
>>
>> (1) According to
>> <https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flibvirt.org%2Fformatdomain.html%23launch-security&amp;data=04%7C01%7Cthomas.lendacky%40amd.com%7Ca80df30ddbc54479df1008d904ab7ab8%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637545956815983695%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=aQ1yttPryxCjO%2B7cIPfxathftEPEKb0QYhdHI7WkWLU%3D&amp;reserved=0>,
>>  SEV-ES is
>> explicitly requested in the domain XML via setting bit#2 in the "policy"
>> element.
>>
>> Can this setting be used by libvirt to look for such a firmware
>> descriptor that exposes @amd-sev-es?
>>
>>
>> (2) "docs/interop/firmware.json" documents @amd-sev as follows:
>>
>> # @amd-sev: The firmware supports running under AMD Secure Encrypted
>> #           Virtualization, as specified in the AMD64 Architecture
>> #           Programmer's Manual. QEMU command line options related to
>> #           this feature are documented in
>> #           "docs/amd-memory-encryption.txt".
>>
>> Documenting the new @amd-sev-es enum constant with very slight
>> customizations for the same text should be possible, I reckon. However,
>> "docs/amd-memory-encryption.txt" (nor
>> "docs/confidential-guest-support.txt") seem to mention SEV-ES.
>>
>> Can you guys propose a patch for "docs/amd-memory-encryption.txt"?
> 
> Yes, I can submit a patch to update the documentation.

Thank you, I've made some comments there.

Laszlo

> 
>>
>> I guess that would be next to this snippet:
>>
>>> # ${QEMU} \
>>>    sev-guest,id=sev0,policy=0x1...\
>>
>>
>> (3) Is the "AMD64 Architecture Programmer's Manual" the specification
>> that we should reference under @amd-sev-es as well (i.e., same as with
>> @amd-sev), or is there a more specific document?
> 
> Yes, the same specification applies to SEV-ES.
> 
> Thanks,
> Tom
> 
>>
>> Thanks,
>> Laszlo
>>
>

[Prev in Thread]

Current Thread

[Next in Thread]

firmware selection for SEV-ES, Laszlo Ersek, 2021/04/21
- Re: firmware selection for SEV-ES, Pavel Hrdina, 2021/04/21
  - Re: firmware selection for SEV-ES, Laszlo Ersek, 2021/04/22
- Re: firmware selection for SEV-ES, Tom Lendacky, 2021/04/21
  - Re: firmware selection for SEV-ES, Laszlo Ersek <=

Prev by Date: Re: firmware selection for SEV-ES
Next by Date: Re: Resetting non-qdev children in a 3-phase reset device
Previous by thread: Re: firmware selection for SEV-ES
Next by thread: [PATCH v2 0/5] mptcp support
Index(es):
- Date
- Thread