[pve-devel] [PATCH edk2-firmware v3 2/5] Add OVMF targets for AMD SEV-ES and SEV-SNP

Philipp Giersfeld philipp.giersfeld at canarybit.eu
Tue Mar 11 13:31:54 CET 2025


On 25/03/05 03:18PM, Fiona Ebner wrote:
> On 24.02.25 at 13:37, Philipp Giersfeld wrote:
> > AMD SEV-SNP boots with a single volatile firmware image OVMF.fd via the
> > -bios option.
> > 
> > Currently, an SEV-enabled VM will not boot with an OVMF
> > firmware that was compiled with `SECURE_BOOT_ENABLE` [1].
> > 
> > Furthermore, during testing, SEV-enabled machines did not boot with
> > `SMM_REQUIRE`.
> > 
> > Therefore, introduce a new target build-ovmf-cvm that builds OVMF
> > firmware suitable for AMD SEV.
> > 
> > [1] https://github.com/tianocore/edk2/pull/6285
> > 
> 
> This has been merged in edk2-stable202502, which is already out now. I'd
> prefer going directly for that tag. Can we avoid splitting out the
> SMM_REQUIRE flag then?
> 
(Assuming you mean the SECURE_BOOT flag)
Yes, I also prefer going directly for edk2-stable202502. I already tested it
briefly and will prepare an updated version of the patch.

Splitting out SMM cannot be avoided since SEV-ES and SEV-SNP do not support it [1,2].

[1] https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
[2] https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf


