[pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX
Fiona Ebner
f.ebner at proxmox.com
Wed Nov 12 15:48:03 CET 2025
Am 12.11.25 um 2:48 PM schrieb Fiona Ebner:
> I did not go ahead with applying the edk2 patches yet, because I got a
> question: Don't we want to enroll the Microsoft and distro keys for the
> image? Debian upstream added TDX support just a few days ago and they
> enroll the Microsoft and distro keys and even dropped the variant
> without pre-enrolled keys [1] that was part of the initial merge. The
> changes [0] include an "enroll_vendor" helper so we could use that and
> get an OVMF_TDX_4M.ms.fd image.
>
> What do you think?
My proposal to add on top:
> diff --git a/debian/pve-edk2-firmware-ovmf.install b/debian/pve-edk2-firmware-ovmf.install
> index 22186563bb..cd5313bb0d 100644
> --- a/debian/pve-edk2-firmware-ovmf.install
> +++ b/debian/pve-edk2-firmware-ovmf.install
> @@ -3,7 +3,7 @@ debian/ovmf-install/OVMF_VARS*.fd /usr/share/pve-edk2-firmware
> debian/ovmf-sev-install/OVMF_SEV_CODE*.fd /usr/share/pve-edk2-firmware
> debian/ovmf-sev-install/OVMF_SEV_VARS*.fd /usr/share/pve-edk2-firmware
> debian/ovmf-sev-install/OVMF_SEV_4M.fd /usr/share/pve-edk2-firmware
> -debian/ovmf-tdx-install/OVMF_TDX_4M.fd /usr/share/pve-edk2-firmware
> +debian/ovmf-tdx-install/OVMF_TDX_4M.ms.fd /usr/share/pve-edk2-firmware
> debian/ovmf32-install/OVMF32_CODE*.fd /usr/share/pve-edk2-firmware
> debian/ovmf32-install/OVMF32_VARS*.fd /usr/share/pve-edk2-firmware
> debian/PkKek-1-snakeoil.* /usr/share/pve-edk2-firmware
> diff --git a/debian/rules b/debian/rules
> index 9def34d267..044071cf90 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -95,8 +95,10 @@ OVMF_TDX_INSTALL_DIR = debian/ovmf-tdx-install
> OVMF_TDX_BUILD_ROOT = Build/IntelTdx
> OVMF_TDX_BUILD_DIR = $(OVMF_TDX_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
(Note that I already split the above to follow commit "16bb13da3d
debian/rules: Define *_BUILD_ROOT variables" that was picked up from
Debian).
> OVMF_TDX_SHELL = $(OVMF_TDX_BUILD_DIR)/X64/Shell.efi
> +OVMF_TDX_ENROLL = $(OVMF_TDX_BUILD_DIR)/X64/EnrollDefaultKeys.efi
> OVMF_TDX_BINARIES = $(OVMF_TDX_SHELL)
> OVMF_TDX_IMAGES := $(addprefix $(OVMF_TDX_INSTALL_DIR)/,OVMF_TDX_4M.fd)
> +OVMF_TDX_PREENROLLED_IMAGES := $(addprefix $(OVMF_TDX_INSTALL_DIR)/,OVMF_TDX_4M.ms.fd)
>
> QEMU_EFI_BUILD_ROOT = Build/ArmVirtQemu-$(EDK2_HOST_ARCH)
> QEMU_EFI_BUILD_DIR = $(QEMU_EFI_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
> @@ -145,7 +147,7 @@ $(OVMF_SEV_BINARIES) $(OVMF_SEV_IMAGES): debian/setup-build-stamp
> cp $(OVMF_SEV_BUILD_DIR)/FV/OVMF.fd \
> $(OVMF_SEV_INSTALL_DIR)/OVMF_SEV_4M.fd
>
> -build-ovmf-tdx: $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES)
> +build-ovmf-tdx: $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES) $(OVMF_TDX_PREENROLLED_IMAGES)
> $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES): debian/setup-build-stamp
> rm -rf $(OVMF_TDX_INSTALL_DIR)
> mkdir $(OVMF_TDX_INSTALL_DIR)
> @@ -215,6 +217,9 @@ enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
> %/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/PkKek-1-snakeoil.pem $(OVMF_ENROLL) $(OVMF_SHELL)
> $(call enroll_snakeoil,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@)
>
> +%/OVMF_TDX_4M.ms.fd: %/OVMF_TDX_4M.fd debian/PkKek-1-vendor.pem $(OVMF_TDX_ENROLL) $(OVMF_TDX_SHELL)
> + $(call enroll_vendor,$(OVMF_TDX_INSTALL_DIR)/OVMF_TDX_4M.fd,$@,amd64)
> +
> BaseTools/Bin/GccLto/liblto-aarch64.a: BaseTools/Bin/GccLto/liblto-aarch64.s
> $($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@
>
Let me know if this looks good to you or if you prefer something else :)
Best Regards,
Fiona
More information about the pve-devel
mailing list