[pve-devel] [PATCH qemu-server v2 1/3] Adapt AMD SEV code for compatibility with other platforms

Tue Oct 7 17:24:54 CEST 2025

I plan to continue with the review tomorrow, looking good so far :)!

Am 04.10.25 um 3:24 PM schrieb Anton Iacobaeus:
> From: Philipp Giersfeld <philipp.giersfeld at canarybit.eu>
> 
> Change variable and function names that are specific to AMD SEV to
> reflect this. Also, change name of general CC functions and variable
> names to be used in conjunction with other platforms.
> 
> Signed-off-by: Philipp Giersfeld <philipp.giersfeld at canarybit.eu>
> Signed-off-by: Anton Iacobaeus <anton.iacobaeus at canarybit.eu>

Reviewed-by: Fiona Ebner <f.ebner at proxmox.com>

> ---

Note for applying: needs a depends and build-depends on new
pve-edk2-firmware-ovmf

> @@ -49,19 +49,19 @@ my $OVMF = {
>  };
>  
>  my sub get_ovmf_files($$$$) {
> -    my ($arch, $efidisk, $smm, $amd_sev_type) = @_;
> +    my ($arch, $efidisk, $smm, $cvm_type) = @_;
>  
>      my $types = $OVMF->{$arch}
>          or die "no OVMF images known for architecture '$arch'\n";
>  
>      my $type = 'default';
>      if ($arch eq 'x86_64') {
> -        if ($amd_sev_type && $amd_sev_type eq 'snp') {
> +        if ($cvm_type && $cvm_type eq 'snp') {
>              $type = "4m-snp";
>              my ($ovmf) = $types->{$type}->@*;
>              die "EFI base image '$ovmf' not found\n" if !-f $ovmf;
>              return ($ovmf);
> -        } elsif ($amd_sev_type) {
> +        } elsif ($cvm_type && ($cvm_type eq 'std' || $cvm_type eq 'es')) {
>              $type = "4m-sev";

Nit and this is pre-existing, but it would be nice to detect an unknown
type here for future-proofing/robustness (Perl's lack of type system
makes this hard to enforce up-front). Something like

} elsif ($cmv_type) {
die "unknown CMV type $cmv_type\n";

But this should be a separate patch and can also be done as a follow-up
after adding the branch for the Intel one.

>          } elsif (defined($efidisk->{efitype}) && $efidisk->{efitype} eq '4m') {
>              $type = $smm ? "4m" : "4m-no-smm";

> @@ -203,16 +203,16 @@ my sub generate_ovmf_blockdev {
>  sub print_ovmf_commandline {
>      my ($conf, $storecfg, $vmid, $hw_info, $version_guard, $readonly) = @_;
>  
> -    my $amd_sev_type = $hw_info->{'amd-sev-type'};
> +    my $cvm_type = $hw_info->{'cvm-type'};
>  
>      my $cmd = [];
>      my $machine_flags = [];
>  
> -    if ($amd_sev_type && $amd_sev_type eq 'snp') {
> +    if ($cvm_type && $cvm_type eq 'snp') {
>          if (defined($conf->{efidisk0})) {
> -            log_warn("EFI disks are not supported with SEV-SNP and will be ignored");
> +            log_warn("EFI disks are not supported with Confidential Virtual Machines and will be ignored");

Style nit: line longer than 100 characters

>          }
> -        push $cmd->@*, '-bios', get_ovmf_files($hw_info->{arch}, undef, undef, $amd_sev_type);
> +        push $cmd->@*, '-bios', get_ovmf_files($hw_info->{arch}, undef, undef, $cvm_type);
>      } else {
>          if ($version_guard->(10, 0, 0)) { # for the switch to -blockdev
>              my ($code_blockdev, $vars_blockdev, $throttle_group) =