
RFE: select correct UEFI firmware with AMD SEV-ES enabled

Goal

Libvirt already supports AMD SEV, and users can set the SEV policy through the launchSecurity element, where the SEV-ES bit controls whether SEV-ES is required or not. This setting must also affect UEFI firmware auto-selection.

Technical details

QEMU will add a new feature flag, amd-sev-es, to the UEFI firmware JSON descriptor files, which will allow libvirt to select the correct firmware when SEV-ES is requested and firmware auto-selection is used. It is already possible to describe this configuration in libvirt XML, so we need to add code that handles the firmware auto-selection correctly.

SMM is not supported with AMD SEV-ES, but libvirt can currently pick a firmware build that requires SMM, which will not work for an SEV-ES guest.
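As an added illustration of the selection rule described above (not libvirt's or QEMU's own code), the following Python sketch walks a set of constructed descriptors in QEMU's firmware.json format and rejects any build that lacks the amd-sev-es feature or requires SMM when SEV-ES is requested; the file names, firmware paths and feature lists are sample values.

```python
import fnmatch
import json

# Constructed sample descriptors in QEMU's firmware.json format (sample values,
# not the files a distribution actually ships).  The first build needs SMM, the
# second advertises the new amd-sev-es feature flag and does not need SMM.
SAMPLE_DESCRIPTORS = {
    "40-edk2-x86_64-secure-enrolled.json": json.dumps({
        "description": "x86_64 UEFI firmware with Secure Boot (needs SMM)",
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
                    "executable": {"filename": "/usr/share/edk2/OVMF_CODE.secboot.fd", "format": "raw"},
                    "nvram-template": {"filename": "/usr/share/edk2/OVMF_VARS.secboot.fd", "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["acpi-s3", "amd-sev", "requires-smm", "secure-boot", "verbose-dynamic"],
    }),
    "50-edk2-x86_64-sev.json": json.dumps({
        "description": "x86_64 UEFI firmware for AMD SEV and SEV-ES guests",
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
                    "executable": {"filename": "/usr/share/edk2/OVMF_CODE.sev.fd", "format": "raw"},
                    "nvram-template": {"filename": "/usr/share/edk2/OVMF_VARS.sev.fd", "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["acpi-s3", "amd-sev", "amd-sev-es", "verbose-dynamic"],
    }),
}


def select_firmware(descriptors, arch="x86_64", machine="pc-q35-6.0",
                    sev=False, sev_es=False):
    """Return the first usable descriptor name in lexicographic order (the
    precedence QEMU documents for firmware.json), or None if nothing fits."""
    for name in sorted(descriptors):
        desc = json.loads(descriptors[name])
        feats = set(desc.get("features", []))
        if "uefi" not in desc.get("interface-types", []):
            continue
        if not any(t["architecture"] == arch and
                   any(fnmatch.fnmatch(machine, m) for m in t["machines"])
                   for t in desc.get("targets", [])):
            continue
        # SEV-ES is a policy bit on top of SEV, so both imply plain SEV support.
        if (sev or sev_es) and "amd-sev" not in feats:
            continue
        # SEV-ES needs the explicit flag, and SMM is unsupported under SEV-ES,
        # so a build that requires SMM must be rejected rather than picked.
        if sev_es and ("amd-sev-es" not in feats or "requires-smm" in feats):
            continue
        return name
    return None
```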

Additional information

QEMU patch documenting the amd-sev-es feature flag: https://lists.nongnu.org/archive/html/qemu-devel/2021-04/msg04156.html
