qemu_firmware: Pick the right firmware for SEV-SNP guests

The firmware descriptors have 'amd-sev-snp` feature which
describes whether firmware is suitable for SEV-SNP guests.
Provide necessary implementation to detect the feature and pick
the right firmware if guest is SEV-SNP enabled.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 262eeecc5c39955fe3f17b14bfac42d7f86d8928..424b0b3217787e47a4912132ce7c554e30481ccc 100644 (file)
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -148,6 +148,7 @@ typedef enum {
     QEMU_FIRMWARE_FEATURE_ACPI_S4,
     QEMU_FIRMWARE_FEATURE_AMD_SEV,
     QEMU_FIRMWARE_FEATURE_AMD_SEV_ES,
+    QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP,
     QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS,
     QEMU_FIRMWARE_FEATURE_REQUIRES_SMM,
     QEMU_FIRMWARE_FEATURE_SECURE_BOOT,
@@ -165,6 +166,7 @@ VIR_ENUM_IMPL(qemuFirmwareFeature,
               "acpi-s4",
               "amd-sev",
               "amd-sev-es",
+              "amd-sev-snp",
               "enrolled-keys",
               "requires-smm",
               "secure-boot",
@@ -1148,6 +1150,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
     bool requiresSMM = false;
     bool supportsSEV = false;
     bool supportsSEVES = false;
+    bool supportsSEVSNP = false;
     bool supportsSecureBoot = false;
     bool hasEnrolledKeys = false;
     int reqSecureBoot;
@@ -1195,6 +1198,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
             supportsSEVES = true;
             break;
 
+        case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
+            supportsSEVSNP = true;
+            break;
+
         case QEMU_FIRMWARE_FEATURE_REQUIRES_SMM:
             requiresSMM = true;
             break;
@@ -1340,6 +1347,11 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
             break;
 
         case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+            if (!supportsSEVSNP) {
+                VIR_DEBUG("Domain requires SEV-SNP firmware '%s' doesn't support it",
+                          path);
+                return false;
+            }
             break;
         case VIR_DOMAIN_LAUNCH_SECURITY_PV:
             break;
@@ -1451,6 +1463,7 @@ qemuFirmwareEnableFeaturesModern(virDomainDef *def,
         case QEMU_FIRMWARE_FEATURE_ACPI_S4:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
+        case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
         case QEMU_FIRMWARE_FEATURE_NONE:
@@ -1501,6 +1514,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
         case QEMU_FIRMWARE_FEATURE_ACPI_S4:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
+        case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
         case QEMU_FIRMWARE_FEATURE_LAST:
@@ -1935,6 +1949,7 @@ qemuFirmwareGetSupported(const char *machine,
             case QEMU_FIRMWARE_FEATURE_ACPI_S4:
             case QEMU_FIRMWARE_FEATURE_AMD_SEV:
             case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
+            case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
             case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
             case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
             case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:

diff --git a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
index 2d3b821acbb6fe05eca23f564c1b8784346acb6f..d83d394ba77f81798fd77c805d8846219bf5974e 100644 (file)
--- a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
+++ b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
@@ -21,6 +21,7 @@
     "features": [
         "amd-sev",
         "amd-sev-es",
+        "amd-sev-snp",
         "verbose-dynamic"
     ]
 }