[pve-devel] [PATCH edk2-firmware v3 2/5] Add OVMF targets for AMD SEV-ES and SEV-SNP
Philipp Giersfeld
philipp.giersfeld at canarybit.eu
Tue Mar 11 13:31:54 CET 2025
On 25/03/05 03:18PM, Fiona Ebner wrote:
> On 24.02.25 at 13:37, Philipp Giersfeld wrote:
> > AMD SEV-SNP boots with a single volatile firmware image OVMF.fd via the
> > -bios option.
> >
> > Currently, an SEV-enabled VM will not boot with an OVMF
> > firmware that was compiled with `SECURE_BOOT_ENABLE` [1].
> >
> > Furthermore, during testing, SEV-enabled machines did not boot with
> > `SMM_REQUIRE`.
> >
> > Therefore, introduce a new target build-ovmf-cvm that builds OVMF
> > firmware suitable for AMD SEV.
> >
> > [1] https://github.com/tianocore/edk2/pull/6285
> >
>
> This has been merged in edk2-stable202502, which is already out now. I'd
> prefer going directly for that tag. Can we avoid splitting out the
> SMM_REQUIRE flag then?
>
(Assuming you mean the SECURE_BOOT flag)

Yes, I also prefer going directly for edk2-stable202502. I already tested it
briefly and will prepare an updated version of the patch.

Splitting out SMM cannot be avoided since SEV-ES and SEV-SNP do not support it [1,2].

[1] https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
[2] https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf