Re: [PATCH 9/9] docs/system: Add documentation on support for IGVM

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 9/9] docs/system: Add documentation on support for IGVM

From:	Daniel P . Berrangé
Subject:	Re: [PATCH 9/9] docs/system: Add documentation on support for IGVM
Date:	Fri, 1 Mar 2024 17:10:13 +0000
User-agent:	Mutt/2.2.12 (2023-09-09)

On Tue, Feb 27, 2024 at 02:50:15PM +0000, Roy Hopkins wrote:
> IGVM support has been implemented for Confidential Guests that support
> AMD SEV and AMD SEV-ES. Add some documentation that gives some
> background on the IGVM format and how to use it to configure a
> confidential guest.
> 
> Signed-off-by: Roy Hopkins <roy.hopkins@suse.com>
> ---
>  docs/system/igvm.rst  | 58 +++++++++++++++++++++++++++++++++++++++++++
>  docs/system/index.rst |  1 +
>  2 files changed, 59 insertions(+)
>  create mode 100644 docs/system/igvm.rst

> +Firmware Images with IGVM
> +-------------------------
> +
> +When an IGVM filename is specified for a Confidential Guest Support object it
> +overrides the default handling of system firmware: the firmware image, such 
> as
> +an OVMF binary should be contained as a payload of the IGVM file and not
> +provided as a flash drive. The default QEMU firmware is not automatically 
> mapped
> +into guest memory.

IIUC, in future the IGVM file could contain both the OVMF and SVSM
binaries ?

I'm also wondering if there can be dependancies between the IGVM
file and the broader QEMU configuration ?  eg if SVSM gains suupport
for data persistence, potentially we might need some pflash device
exposed as storage for SVSM to use. Would such a dependancy be
something expressed in the IGVM file, or would it be knowledge that
is out of band ?

Finally, if we think of the IGVM file as simply yet another firmware
file format, then it raises of question of integration into the
QEMU firmware descriptors.

Right now when defining a guest in libvirt if you can say 'type=bios'
or 'type=uefi', and libvirt consults the firmware descriptors to find
the binary to use.

If the OS distro provides IGVM files instead of traditional raw OVMF
binaries for SEV/TDX/etc, then from libvirt's POV I think having this
expressed in the firmware descriptors is highly desirable.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH 9/9] docs/system: Add documentation on support for IGVM, Daniel P . Berrangé <=
- Re: [PATCH 9/9] docs/system: Add documentation on support for IGVM, Roy Hopkins, 2024/03/18
  - Re: [PATCH 9/9] docs/system: Add documentation on support for IGVM, Daniel P . Berrangé, 2024/03/18
    - Re: [PATCH 9/9] docs/system: Add documentation on support for IGVM, Roy Hopkins, 2024/03/20
    - Re: [PATCH 9/9] docs/system: Add documentation on support for IGVM, Daniel P . Berrangé, 2024/03/20

Prev by Date: Re: [QEMU][PATCH v3 4/7] xen: let xen_ram_addr_from_mapcache() return -1 in case of not found entry
Next by Date: Re: [QEMU][PATCH v3 7/7] hw: arm: Add grant mapping.
Previous by thread: Re: [QEMU][PATCH v3 4/7] xen: let xen_ram_addr_from_mapcache() return -1 in case of not found entry
Next by thread: Re: [PATCH 9/9] docs/system: Add documentation on support for IGVM
Index(es):
- Date
- Thread