On 4/21/21 4:54 AM, Laszlo Ersek wrote:
> Hi Brijesh, Tom,
Hi Laszlo,
>
> in QEMU's "docs/interop/firmware.json", the @FirmwareFeature enumeration
> has a constant called @amd-sev. We should introduce an @amd-sev-es
> constant as well, minimally for the following reason:
>
> AMD document #56421 ("SEV-ES Guest-Hypervisor Communication Block
> Standardization") revision 1.40 says in "4.6 System Management Mode
> (SMM)" that "SMM will not be supported in this version of the
> specification". This is reflected in OVMF, so an OVMF binary that's
> supposed to run in a SEV-ES guest must be built without "-D
> SMM_REQUIRE". (As a consequence, such a binary should be built also
> without "-D SECURE_BOOT_ENABLE".)
>
> At the level of "docs/interop/firmware.json", this means that management
> applications should be enabled to look for the @amd-sev-es feature (and
> it also means, for OS distributors, that any firmware descriptor
> exposing @amd-sev-es will currently have to lack all three of:
> @requires-smm, @secure-boot, @enrolled-keys).
>
> I have three questions:
>
>
> (1) According to
> <https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flibvirt.org%2Fformatdomain.html%23launch-security&data=04%7C01%7Cthomas.lendacky%40amd.com%7Ca80df30ddbc54479df1008d904ab7ab8%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637545956815983695%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=aQ1yttPryxCjO%2B7cIPfxathftEPEKb0QYhdHI7WkWLU%3D&reserved=0>,
> SEV-ES is
> explicitly requested in the domain XML via setting bit#2 in the "policy"
> element.
>
> Can this setting be used by libvirt to look for such a firmware
> descriptor that exposes @amd-sev-es?
>
>
> (2) "docs/interop/firmware.json" documents @amd-sev as follows:
>
> # @amd-sev: The firmware supports running under AMD Secure Encrypted
> # Virtualization, as specified in the AMD64 Architecture
> # Programmer's Manual. QEMU command line options related to
> # this feature are documented in
> # "docs/amd-memory-encryption.txt".
>
> Documenting the new @amd-sev-es enum constant with very slight
> customizations for the same text should be possible, I reckon. However,
> "docs/amd-memory-encryption.txt" (nor
> "docs/confidential-guest-support.txt") seem to mention SEV-ES.
>
> Can you guys propose a patch for "docs/amd-memory-encryption.txt"?
Yes, I can submit a patch to update the documentation.
>
> I guess that would be next to this snippet:
>
>> # ${QEMU} \
>> sev-guest,id=sev0,policy=0x1...\
>
>
> (3) Is the "AMD64 Architecture Programmer's Manual" the specification
> that we should reference under @amd-sev-es as well (i.e., same as with
> @amd-sev), or is there a more specific document?
Yes, the same specification applies to SEV-ES.
Thanks,
Tom
>
> Thanks,
> Laszlo
>
