On 4/13/23 01:05, Gerd Hoffmann wrote:
Hi,
Specifying both OVMF_CODE.fd and OVMF_VARS.fd generates an ASSERT.
Both as pflash I assume? Which assert?
Yes, both as pflash. I've never attempted to run an SEV guest using the
-bios option.
The assert is:
ASSERT [PlatformPei] /root/kernels/ovmf-build-X64/OvmfPkg/Library/PlatformInitLib/Platform.c(930): ((BOOLEAN)(0==1))
Ok, so wrong encryption settings.
Specifying just OVMF.fd boots successfully
pflash or -bios or both?
Just pflash.
/me looks surprised. It should not make a difference whether you use
the separate OVMF_CODE.fd + OVMF_VARS.fd files or the combined OVMF.fd.
What are the exact qemu command lines for both cases?
For the OVMF_CODE.fd/OVMF_VARS.fd case:
qemu-system-x86_64 -enable-kvm -cpu EPYC,host-phys-bits=true -smp 1 \
  -machine type=q35,confidential-guest-support=sev0,vmport=off -m 1G \
  -object sev-guest,id=sev0,policy=0,cbitpos=51,reduced-phys-bits=1 \
  -drive if=pflash,format=raw,unit=0,file=/root/kernels/qemu-install/OVMF_CODE.fd,readonly=on \
  -drive if=pflash,format=raw,unit=1,file=./fedora.fd \
  -drive file=./fedora.img,if=none,id=disk0,format=raw \
  -device virtio-scsi-pci,id=scsi0,disable-legacy=on,iommu_platform=true \
  -device scsi-hd,drive=disk0 \
  -nographic -monitor pty -monitor unix:monitor,server,nowait \
  -gdb tcp::1234 -qmp tcp::4444,server,wait=off
In this case, only OVMF_CODE.fd will be encrypted.
The fedora.fd (OVMF_VARS.fd) will be unencrypted.
For the OVMF.fd case:
qemu-system-x86_64 -enable-kvm -cpu EPYC,host-phys-bits=true -smp 1 \
  -machine type=q35,confidential-guest-support=sev0,vmport=off -m 1G \
  -object sev-guest,id=sev0,policy=0,cbitpos=51,reduced-phys-bits=1 \
  -drive if=pflash,format=raw,unit=0,file=/root/kernels/qemu-install/OVMF.fd,readonly=on \
  -drive file=./fedora.img,if=none,id=disk0,format=raw \
  -device virtio-scsi-pci,id=scsi0,disable-legacy=on,iommu_platform=true \
  -device scsi-hd,drive=disk0 \
  -nographic -monitor pty -monitor unix:monitor,server,nowait \
  -gdb tcp::1234 -qmp tcp::4444,server,wait=off
In this case, OVMF.fd will be encrypted, which includes the now memory-backed
variable store.
I believe none of the mappings are set up properly at this point. I
think just eliminating the call for an SEV guest is fine.
Can AmdSevInitialize() set up the mappings?
Is there a way to tell when OVMF.fd vs OVMF_VARS.fd/OVMF_CODE.fd is used?
The reason is that the variable store of OVMF.fd must be accessed
encrypted since the whole binary was used in the LAUNCH_UPDATE. But with
the split mode, only the OVMF_CODE.fd was encrypted in the LAUNCH_UPDATE,
so the variable store must be accessed unencrypted.
If we can make that determination, then I think we can set up the mappings.
Thanks,
Tom
take care,
Gerd
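The rule Tom states above (memory that was part of the SEV LAUNCH_UPDATE must be mapped with the C-bit set, memory that was not must be mapped unencrypted) can be modelled in a few lines of C. The following is an added illustration written for this thread, not OVMF code and not a proposed patch: the region layout, the LAUNCH_UPDATE ranges for the two cases, and the helper names (`ClassifyRegion`, `PteAddress`, `FwRegion`) are all constructed for the example. The cbitpos of 51 comes from the qemu command lines in the thread.

```c
/* Added example, not OVMF code: decide whether a firmware region must be
 * mapped with the SEV C-bit, based on whether it was covered by LAUNCH_UPDATE.
 * Layout values and helper names are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
  const char *Name;
  uint64_t    Base;   /* guest-physical base of the region */
  uint64_t    Size;
} FwRegion;

typedef enum { MAP_ENCRYPTED, MAP_PLAIN, MAP_ERROR } MapMode;

/* Constructed 4 MiB firmware layout: varstore first, code after it. */
const FwRegion VarStore = { "varstore", 0xFFC00000ULL, 0x00084000ULL };
const FwRegion Code     = { "code",     0xFFC84000ULL, 0x0037C000ULL };

/* Constructed LAUNCH_UPDATE coverage for the two cases in the thread. */
const uint64_t CombinedLaunchBase = 0xFFC00000ULL, CombinedLaunchSize = 0x400000ULL; /* whole OVMF.fd */
const uint64_t SplitLaunchBase    = 0xFFC84000ULL, SplitLaunchSize    = 0x37C000ULL; /* OVMF_CODE.fd only */

/* True if [Base, Base+Size) lies entirely inside [LBase, LBase+LSize). */
static bool RangeWithin(uint64_t Base, uint64_t Size, uint64_t LBase, uint64_t LSize) {
  uint64_t End = Base + Size, LEnd = LBase + LSize;
  if (End < Base || LEnd < LBase) return false;   /* reject wrap-around */
  return Base >= LBase && End <= LEnd;
}

/* True if the two ranges share at least one byte. */
static bool RangeOverlaps(uint64_t Base, uint64_t Size, uint64_t LBase, uint64_t LSize) {
  uint64_t End = Base + Size, LEnd = LBase + LSize;
  if (End < Base || LEnd < LBase) return false;
  return Base < LEnd && LBase < End;
}

/* Encrypted if fully inside the launch-updated range, plain if fully outside.
 * A region that straddles the boundary cannot be mapped consistently, so it is
 * reported as an error rather than silently picking one mode. */
MapMode ClassifyRegion(const FwRegion *R, uint64_t LaunchBase, uint64_t LaunchSize) {
  if (RangeWithin(R->Base, R->Size, LaunchBase, LaunchSize)) return MAP_ENCRYPTED;
  if (RangeOverlaps(R->Base, R->Size, LaunchBase, LaunchSize)) return MAP_ERROR;
  return MAP_PLAIN;
}

/* Physical address as it must appear in the page-table entry: the C-bit
 * (bit position from the sev-guest cbitpos= option) is set only for
 * encrypted mappings. */
uint64_t PteAddress(uint64_t Pa, unsigned CBitPos, MapMode Mode) {
  return Mode == MAP_ENCRYPTED ? (Pa | (1ULL << CBitPos)) : Pa;
}

static const char *ModeName(MapMode M) {
  return M == MAP_ENCRYPTED ? "encrypted" : M == MAP_PLAIN ? "plain" : "ERROR";
}

static void Show(const char *Case, uint64_t LBase, uint64_t LSize) {
  const FwRegion *Regions[] = { &VarStore, &Code };
  printf("%s:\n", Case);
  for (unsigned i = 0; i < 2; i++) {
    MapMode M = ClassifyRegion(Regions[i], LBase, LSize);
    printf("  %-8s -> %-9s pte=0x%016llx\n", Regions[i]->Name, ModeName(M),
           (unsigned long long)PteAddress(Regions[i]->Base, 51, M));
  }
}

int main(void) {
  Show("combined OVMF.fd (whole image in LAUNCH_UPDATE)", CombinedLaunchBase, CombinedLaunchSize);
  Show("split OVMF_CODE.fd + OVMF_VARS.fd (code only in LAUNCH_UPDATE)", SplitLaunchBase, SplitLaunchSize);
  return 0;
}
```

Run as-is it prints both cases: in the combined layout both regions get the C-bit, in the split layout only the code region does and the varstore is mapped plain, which is exactly the distinction the assert in PlatformInitLib is tripping over. What the example does not answer is the open question in the thread, namely how the firmware learns which of the two LAUNCH_UPDATE ranges applies; here that range is simply passed in.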
View/Reply Online (#102950): https://edk2.groups.io/g/devel/message/102950