On Thu, Mar 31, 2022 at 04:51:27PM +0800, Xiaoyao Li wrote:
On 3/22/2022 5:27 PM, Daniel P. Berrangé wrote:
...
IMHO the AmdSev build for OVMF gets this right by entirely disabling
the split OVMF_CODE.fd vs OVMF_VARS.fd, and just having a single
OVMF.fd file that is exposed read-only to the guest.
This is further represented in $QEMU.git/docs/interop/firmware.json
by marking the firmware as 'stateless', which apps like libvirt will
use to figure out what QEMU command line to pick.
Hi Daniel,
I don't play with AMD SEV and I'm not sure if AMD SEV requires only single
OVMF.fd. But IIUC, from edk2
commit 437eb3f7a8db ("OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Bypass flash
detection with SEV-ES")
, AMD SEV(-ES) does support NVRAM via proactive VMGEXIT MMIO
QemuFlashWrite(). If so, AMD SEV seems to be able to support split OVMF,
right?
Note that while the traditional OvmfPkg build can be used with
SEV/SEV-ES, this is not viable for measured boot, as it uses
the NVRAM whose content is not measured.
I was specifically referring to the OvmfPkg/AmdSev build which
doesn't use seprate NVRAM, and has no variables persistence.