On Tue, Aug 05, 2025 at 12:56:56PM +0200, Gerd Hoffmann wrote:
> > Assuming that
> >
> > * the need to use -bios for SEV-SNP is intended;
>
> Yes. SEV-SNP (and TDX too) are by design incompatible with pflash
> emulation. Both do not allow the host to change the guest memory layout
> after launch, and pflash needs to do that to switch between reading
> mode and programming mode.
Thanks for providing the additional insight.
> > * pflash still needs to be used for SEV (-ES?);
>
> You can use pflash with SEV + SEV-ES. It makes sense to do that if
> you want to use a persistent variable store in pflash. Otherwise it
> doesn't make much of a difference whether you use -bios or read-only
> pflash for the firmware.
The current descriptor uses mode=stateless so there is not going to
be a persistent variable store.
> > then I think that we need to have the edk2 package ship two separate
> > descriptors pointing to the same file, one containing
> >
> > {
> >   "mapping": {
> >     "device": "flash",
> >     "mode": "stateless",
> >     "executable": {
> >       "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd",
> >       "format": "raw"
> >     }
> >   },
> >   "features": [
> >     "amd-sev",
> >     "amd-sev-es"
> >   ]
> > }
> >
> > for SEV(-ES) and one containing
> >
> > {
> >   "mapping": {
> >     "device": "memory",
> >     "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd"
> >   },
> >   "features": [
> >     "amd-sev-snp"
> >   ]
> > }
> >
> > for SEV-SNP.
>
> That should work. Using device=memory for all three amd-sev* variants
> should work too, I think.
Daniel suggested that elsewhere in the thread and of course it's an
appealing proposition, as it would keep complexity down and unify
handling across CVM use cases.
However I wonder if changing things would break migration for
existing SEV(-ES) guests. I think it would be fine since the current
pflash-based configuration would be transmitted as part of the
migration XML, so they will simply keep using that.
If I'm right about the above, then I agree that we should just switch
the existing SEV descriptor to device=memory.
--
Andrea Bolognani / Red Hat / Virtualization
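The thread above turns on how a management layer picks one firmware descriptor over another by its "features" list and then turns the "mapping" into QEMU arguments. The following is an added example, not libvirt or QEMU code: it parses descriptors with the same content as the two quoted in the message, selects the first one whose features cover what the guest needs, and renders device=memory as -bios and stateless device=flash as a read-only pflash drive. A third, constructed descriptor shows the unified alternative discussed in the thread (one memory-mapped descriptor advertising all three amd-sev* features). The selection is deliberately reduced to feature matching; real libvirt also checks interface type, machine type and other fields, and the exact -drive syntax is an assumption for illustration.

```python
"""Feature-based firmware descriptor selection (added example, not libvirt code)."""
import json

# Constructed descriptors, same content as the two quoted in the thread.
SEV_DESCRIPTOR_JSON = """
{
  "mapping": {
    "device": "flash",
    "mode": "stateless",
    "executable": {
      "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd",
      "format": "raw"
    }
  },
  "features": ["amd-sev", "amd-sev-es"]
}
"""

SNP_DESCRIPTOR_JSON = """
{
  "mapping": {
    "device": "memory",
    "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd"
  },
  "features": ["amd-sev-snp"]
}
"""

# Constructed: the single device=memory descriptor suggested in the thread.
UNIFIED_DESCRIPTOR_JSON = """
{
  "mapping": {
    "device": "memory",
    "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd"
  },
  "features": ["amd-sev", "amd-sev-es", "amd-sev-snp"]
}
"""


def parse_descriptor(text):
    """Parse one descriptor and check the mapping fields this example relies on."""
    desc = json.loads(text)
    mapping = desc["mapping"]
    device = mapping["device"]
    if device == "memory":
        if "filename" not in mapping:
            raise ValueError("memory mapping needs a filename")
    elif device == "flash":
        mode = mapping.get("mode", "split")  # "split" is the format's default
        if "executable" not in mapping:
            raise ValueError("flash mapping needs an executable")
        # A stateless build has no variable store, so no NVRAM template belongs here.
        if mode == "stateless" and "nvram-template" in mapping:
            raise ValueError("stateless flash must not carry an nvram-template")
        if mode == "split" and "nvram-template" not in mapping:
            raise ValueError("split flash needs an nvram-template")
    else:
        raise ValueError(f"unsupported device {device!r}")
    desc["features"] = set(desc.get("features", []))
    return desc


def select_firmware(descriptors, required_features):
    """Return the first descriptor whose feature set covers the request, else None."""
    required = set(required_features)
    for desc in descriptors:
        if required <= desc["features"]:
            return desc
    return None


def qemu_args(desc):
    """Render the QEMU command-line fragment the mapping implies (simplified)."""
    mapping = desc["mapping"]
    if mapping["device"] == "memory":
        return ["-bios", mapping["filename"]]
    if mapping.get("mode", "split") != "stateless":
        raise ValueError("only stateless flash is handled in this example")
    exe = mapping["executable"]
    return ["-drive", f"if=pflash,format={exe['format']},readonly=on,file={exe['filename']}"]


def firmware_for(descriptor_texts, required_features):
    """Parse, select and render; None when no descriptor matches."""
    parsed = [parse_descriptor(t) for t in descriptor_texts]
    chosen = select_firmware(parsed, required_features)
    return None if chosen is None else qemu_args(chosen)


if __name__ == "__main__":
    two = [SEV_DESCRIPTOR_JSON, SNP_DESCRIPTOR_JSON]
    for feats in (["amd-sev"], ["amd-sev-es"], ["amd-sev-snp"], ["amd-sev", "amd-sev-snp"]):
        print(feats, "->", firmware_for(two, feats))
    print("unified, SEV-ES ->", firmware_for([UNIFIED_DESCRIPTOR_JSON], ["amd-sev-es"]))
```

With the two separate descriptors, a guest asking for amd-sev-es gets the read-only pflash drive and one asking for amd-sev-snp gets -bios, while a request naming both finds nothing; the unified descriptor satisfies any of the three with -bios, which is the simplification the thread is weighing against migration of existing pflash-based guests.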