Source: edk2
Severity: wishlist
X-Debbugs-Cc: sl...@ubuntu.com, da...@debian.org

Dear Maintainer,

The launch of an SNP QEMU VM with the SNP measured boot option fails due to the absence of the OVMF amdsev file in the OVMF package. The OVMF package requires the integration of the AMD SEV firmware file, OVMF.amdsev.fd, to enable support for SEV-secured VM remote attestation and secret injection. Currently, the SEV firmware necessary to support SEV Virtual Machine Remote Attestation is not available within the OVMF binary package (but part of the necessary code is part of the source package already).

We attempted to execute an SNP QEMU measured boot using the OVMF file, but this endeavor was unsuccessful due to the provision of an invalid OVMF file within the OVMF package.

Error message that I see using OVMF.fd (/usr/share/ovmf/OVMF.fd) as guest BIOS is as follows:

  qemu-system-x86_64: SEV: guest firmware hashes table area is invalid (base=0x0 size=0x0)

QEMU command line used for my SNP guest test launch is as follows:

  qemu-system-x86_64 \
    -enable-kvm \
    -cpu EPYC-v4 \
    -m 2048 \
    -nographic \
    -netdev user,hostfwd=tcp::10030-:22,id=vmnic \
    -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \
    -device virtio-scsi-pci,id=scsi0 \
    -device scsi-hd,drive=disk0 \
    -drive if=none,id=disk0,format=qcow2,file=/home/amd/os-guest-test/os-guest-test-guest.qcow2 \
    -machine memory-encryption=sev0,vmport=off \
    -object memory-backend-memfd,id=ram1,size=2048M,share=true,prealloc=false \
    -machine memory-backend=ram1 \
    -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,kernel-hashes=on \
    -bios /usr/share/ovmf/OVMF.fd \
    -kernel /home/amd/os-guest-test/guest_kernel_initrd/vmlinuz-6.13.9-200.fc41.x86_64 \
    -initrd /home/amd/os-guest-test/guest_kernel_initrd/initramfs-6.13.9-200.fc41.x86_64.img \
    -append "console=tty1 console=ttyS0,115200n8 root=LABEL=fedora ro rootflags=subvol=root"

This feature request was forwarded from Ubuntu/Launchpad:
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2106771

Cheers,
Lukas

-- System Information:
Debian Release: trixie/sid
  APT prefers noble-updates
  APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500, 'noble'), (100, 'noble-proposed'), (100, 'noble-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 6.8.0-55-generic (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE:en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
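The error quoted in the report is the one QEMU emits when the firmware's GUIDed table does contain the SEV hashes-table descriptor but its base and size are both zero; a firmware with no such entry at all produces a different message ("has no hashes table GUID"). The script below is an added example, not code from the report, from edk2/OVMF or from QEMU. It reimplements QEMU's walk of the OVMF table at the end of the flash image so that an OVMF.fd can be checked before launching a kernel-hashes=on guest. The table layout, the footer GUID 96b582de-1fb2-45f7-baea-a366c55a082d and the hashes-table GUID 7255371f-3a3b-4b04-927b-1da6efa8d454 are taken from QEMU's hw/i386/pc_sysfw_ovmf.c and target/i386/sev.c and should be treated as assumptions to verify against the QEMU version in use; the sample images, the UNRELATED_GUID entry and the base/size values in them are constructed for the example only.

```python
#!/usr/bin/env python3
"""Probe an OVMF flash image for the SEV hashes-table descriptor that QEMU
needs when a sev-*-guest object is launched with kernel-hashes=on.

Added example; not code from the bug report, edk2 or QEMU. Layout and GUIDs
follow QEMU's OVMF table walk and are assumptions to verify against your
QEMU source:
  * a GUIDed table ends 32 bytes before EOF; its footer GUID occupies the
    16 bytes starting 48 bytes before EOF, preceded by a little-endian u16
    holding the total table length (entries + footer header);
  * each entry is <data><u16 entry length incl. this field and GUID><GUID>,
    walked backwards from the footer; GUIDs are stored in EFI byte order;
  * the hashes entry's data is two little-endian u32: base and size of the
    area the firmware reserves for the kernel/initrd/cmdline hash table.
"""
import struct
import sys
import uuid

OVMF_TABLE_FOOTER_GUID = uuid.UUID("96b582de-1fb2-45f7-baea-a366c55a082d")
SEV_HASH_TABLE_RV_GUID = uuid.UUID("7255371f-3a3b-4b04-927b-1da6efa8d454")
TABLE_FOOTER_GUID_OFFSET = 48   # footer GUID starts this many bytes before EOF
ENTRY_HDR = 2 + 16              # u16 length + 16-byte GUID


def parse_ovmf_table(flash: bytes) -> dict:
    """Return {uuid.UUID: data bytes} for every entry, or {} if no footer."""
    if len(flash) < TABLE_FOOTER_GUID_OFFSET + 2:
        return {}
    footer = len(flash) - TABLE_FOOTER_GUID_OFFSET
    if flash[footer:footer + 16] != OVMF_TABLE_FOOTER_GUID.bytes_le:
        return {}                       # not an OVMF image, or footer damaged
    (tot_len,) = struct.unpack_from("<H", flash, footer - 2)
    remaining = tot_len - ENTRY_HDR     # the footer's own header is not an entry
    ptr = footer - 2                    # foot of the entry table
    entries = {}
    while remaining >= ENTRY_HDR:
        guid = uuid.UUID(bytes_le=flash[ptr - 16:ptr])
        (length,) = struct.unpack_from("<H", flash, ptr - ENTRY_HDR)
        if length < ENTRY_HDR or length > remaining:
            break                       # corrupt length: stop, do not run off the table
        ptr -= length
        remaining -= length
        entries[guid] = flash[ptr:ptr + length - ENTRY_HDR]
    return entries


def sev_hashes_area(flash: bytes):
    """(base, size) from the SEV hashes descriptor, or None if the entry is absent."""
    data = parse_ovmf_table(flash).get(SEV_HASH_TABLE_RV_GUID)
    if data is None or len(data) < 8:
        return None
    return struct.unpack_from("<II", data)


def kernel_hashes_status(flash: bytes) -> str:
    """Mirror the two failure modes QEMU reports for kernel-hashes=on.
    QEMU also insists that size covers the hash table it writes; only the
    zero base/size case shown in the report is reproduced here."""
    area = sev_hashes_area(flash)
    if area is None:
        return "no-hashes-table-guid"
    base, size = area
    if base == 0 or size == 0:
        return "hashes-table-area-invalid"
    return "ok"


def hash_descriptor(base: int, size: int) -> bytes:
    return struct.pack("<II", base, size)


def build_image(entries: dict, flash_size: int = 0x1000) -> bytes:
    """Constructed test image: 0xff filler, entry table, footer, 32-byte tail.
    Synthetic only; real OVMF.fd files are megabytes and carry more entries."""
    body = b"".join(data + struct.pack("<H", len(data) + ENTRY_HDR) + guid.bytes_le
                    for guid, data in entries.items())
    table = body + struct.pack("<H", len(body) + ENTRY_HDR) + OVMF_TABLE_FOOTER_GUID.bytes_le
    tail = table + b"\x00" * 32
    return b"\xff" * (flash_size - len(tail)) + tail


# Constructed samples; GUID and base/size values are arbitrary, not from any real build.
UNRELATED_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_OK = build_image({UNRELATED_GUID: b"\x01\x02\x03",
                         SEV_HASH_TABLE_RV_GUID: hash_descriptor(0x00FEF000, 0x1000)})
SAMPLE_ZERO_AREA = build_image({SEV_HASH_TABLE_RV_GUID: hash_descriptor(0, 0)})
SAMPLE_NO_ENTRY = build_image({UNRELATED_GUID: b"\x01\x02\x03"})
SAMPLE_NOT_OVMF = b"\xff" * 0x1000

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/ovmf/OVMF.fd"
    with open(path, "rb") as f:
        image = f.read()
    area = sev_hashes_area(image)
    print(f"{path}: {kernel_hashes_status(image)}"
          + (f" (base=0x{area[0]:x} size=0x{area[1]:x})" if area else ""))
```

Run it as `python3 ovmf_hashes_check.py /usr/share/ovmf/OVMF.fd` (the file name is the example's own); a result of hashes-table-area-invalid with base=0x0 size=0x0 is the firmware-side counterpart of the QEMU error in the report, whereas an image built with the hash-table area reserved reports ok together with a non-zero base and size.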