When IGVM is not being used by the confidential guest, the guest firmware has to be reloaded explictly again into memory. This is because, the memory into which the firmware was loaded before reset was encrypted and is thus lost upon reset. When IGVM is used, it is expected that the IGVM will contain the guest firmware and the execution of the IGVM directives will set up the guest firmware memory.
Signed-off-by: Ani Sinha <[email protected]> --- target/i386/kvm/kvm.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c index e27ccff7a6..38193ea845 100644 --- a/target/i386/kvm/kvm.c +++ b/target/i386/kvm/kvm.c @@ -3282,7 +3282,14 @@ int kvm_arch_on_vmfd_change(MachineState *ms, KVMState *s) if (object_dynamic_cast(OBJECT(ms), TYPE_X86_MACHINE)) { X86MachineState *x86ms = X86_MACHINE(ms); - + /* + * For confidential guests, reload bios ROM if IGVM is not specified. + * If an IGVM file is specified then the firmware must be provided + * in the IGVM file. + */ + if (ms->cgs && !x86ms->igvm) { + x86_bios_rom_reload(x86ms); + } if (x86_machine_is_smm_enabled(x86ms)) { memory_listener_register(&smram_listener.listener, &smram_address_space); -- 2.42.0
