qemu_firmware: Pick the right firmware for SEV-SNP guests

The firmware descriptors have 'amd-sev-snp` feature which describes whether firmware is suitable for SEV-SNP guests. Provide necessary implementation to detect the feature and pick the right firmware if guest is SEV-SNP enabled. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2025-01-20 11:35:19 +00:00 · 2024-06-13 14:35:57 +02:00 · 2024-06-13 14:35:57 +02:00 · 58b5219961
commit 58b5219961
parent a1d850b300
2 changed files with 16 additions and 0 deletions
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@ -148,6 +148,7 @@ typedef enum {
    QEMU_FIRMWARE_FEATURE_ACPI_S4,
    QEMU_FIRMWARE_FEATURE_AMD_SEV,
    QEMU_FIRMWARE_FEATURE_AMD_SEV_ES,
    QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP,
    QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS,
    QEMU_FIRMWARE_FEATURE_REQUIRES_SMM,
    QEMU_FIRMWARE_FEATURE_SECURE_BOOT,
@ -165,6 +166,7 @@ VIR_ENUM_IMPL(qemuFirmwareFeature,
              "acpi-s4",
              "amd-sev",
              "amd-sev-es",
              "amd-sev-snp",
              "enrolled-keys",
              "requires-smm",
              "secure-boot",
@ -1148,6 +1150,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
    bool requiresSMM = false;
    bool supportsSEV = false;
    bool supportsSEVES = false;
    bool supportsSEVSNP = false;
    bool supportsSecureBoot = false;
    bool hasEnrolledKeys = false;
    int reqSecureBoot;
@ -1195,6 +1198,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
            supportsSEVES = true;
            break;
        case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
            supportsSEVSNP = true;
            break;
        case QEMU_FIRMWARE_FEATURE_REQUIRES_SMM:
            requiresSMM = true;
            break;
@ -1340,6 +1347,11 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
            break;
        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
            if (!supportsSEVSNP) {
                VIR_DEBUG("Domain requires SEV-SNP firmware '%s' doesn't support it",
                          path);
                return false;
            }
            break;
        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
            break;
@ -1451,6 +1463,7 @@ qemuFirmwareEnableFeaturesModern(virDomainDef *def,
        case QEMU_FIRMWARE_FEATURE_ACPI_S4:
        case QEMU_FIRMWARE_FEATURE_AMD_SEV:
        case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
        case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
        case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
        case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
        case QEMU_FIRMWARE_FEATURE_NONE:
@ -1501,6 +1514,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
        case QEMU_FIRMWARE_FEATURE_ACPI_S4:
        case QEMU_FIRMWARE_FEATURE_AMD_SEV:
        case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
        case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
        case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
        case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
        case QEMU_FIRMWARE_FEATURE_LAST:
@ -1935,6 +1949,7 @@ qemuFirmwareGetSupported(const char *machine,
            case QEMU_FIRMWARE_FEATURE_ACPI_S4:
            case QEMU_FIRMWARE_FEATURE_AMD_SEV:
            case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
            case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
            case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
            case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
            case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
--- a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
+++ b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
@ -21,6 +21,7 @@
    "features": [
        "amd-sev",
        "amd-sev-es",
        "amd-sev-snp",
        "verbose-dynamic"
    ]
 }