From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id E88701FF17A for ; Tue, 28 Oct 2025 13:56:27 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 754B01AF75; Tue, 28 Oct 2025 13:56:13 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1761656131; x=1762260931; d=canarybit.eu; s=rsa1; h=content-transfer-encoding:mime-version:references:in-reply-to:message-id:date: subject:cc:to:from:from; bh=STdKipb7q0y9re7Xziv76Pj1fbLo4fK3jY/w/XNu+74=; b=DBc/Aw/jkXm+P3GdudNg+XB5LFLPHrYLtZ5Lqkue5G4TkXCdDRgxMrzgbPI6zBGhkX8AEWT2Vjm31 5D9DmO9HT0wC7PtxTH4NnI7WssZWhJXxK0U+IrkurDxC+GOv7XTsmYgYbq6ayqvBV9KhRREDo1a6b+ 0UhkGsjRfUHg75Ijr9wWWnj4zVY0s5WfAB+Hv5vrGfwG3iS6w5OS5sTC1Y065qF4Jz1KJuvMjVlSlT k68MNWWXFB8bLA/q09k3rLosNw2CC9pIsmoUpHRpR4pDDsSHQ/FsPZiN+R9VjIy2sIO3D9EVOWDMGZ Vjs9jepSJ6jkzPh90mwkZmqPGM3lqgQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; t=1761656131; x=1762260931; d=canarybit.eu; s=ed1; h=content-transfer-encoding:mime-version:references:in-reply-to:message-id:date: subject:cc:to:from:from; bh=STdKipb7q0y9re7Xziv76Pj1fbLo4fK3jY/w/XNu+74=; b=uXlpYyPaLw1VqD0dHUWdBTFfNVe36mlFt+s34V4FVTd2g6IiuQyqhSjq7pk7i1ZplkXiWIXzzVZTP Lx8f3KnBA== X-HalOne-ID: 615fe09a-b3fd-11f0-ada5-d510462faafc From: Anton Iacobaeus To: pve-devel@lists.proxmox.com Date: Tue, 28 Oct 2025 13:54:28 +0100 Message-ID: <20251028125459.287308-7-anton.iacobaeus@canarybit.eu> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251028125459.287308-1-anton.iacobaeus@canarybit.eu> References: <20251028125459.287308-1-anton.iacobaeus@canarybit.eu> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.495 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain DMARC_MISSING 0.1 Missing DMARC policy MIME_BASE64_TEXT 1.741 Message text disguised using base64 encoding RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust SPF_HELO_PASS -0.001 SPF: HELO matches SPF record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH qemu-server v3 1/4] Adapt AMD SEV code for compatibility with other platforms X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Philipp Giersfeld Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" From: Philipp Giersfeld Change variable and function names that are specific to AMD SEV to reflect this. Also, change name of general CC functions and variable names to be used in conjunction with other platforms. Signed-off-by: Philipp Giersfeld Signed-off-by: Anton Iacobaeus --- src/PVE/API2/Qemu.pm | 6 ++--- src/PVE/QemuServer.pm | 8 +++--- src/PVE/QemuServer/CPUConfig.pm | 15 +++++------ src/PVE/QemuServer/OVMF.pm | 42 ++++++++++++++++--------------- src/test/cfg2cmd/sev-es.conf.cmd | 2 +- src/test/cfg2cmd/sev-snp.conf.cmd | 2 +- src/test/cfg2cmd/sev-std.conf.cmd | 2 +- 7 files changed, 40 insertions(+), 37 deletions(-) diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm index 71bedc1e..29b4f1b2 100644 --- a/src/PVE/API2/Qemu.pm +++ b/src/PVE/API2/Qemu.pm 
@@ -618,13 +618,13 @@ my sub create_disks : prototype($$$$$$$$$$$) { if ($ds eq 'efidisk0') { my $smm = PVE::QemuServer::Machine::machine_type_is_q35($conf); - my $amd_sev_type = PVE::QemuServer::CPUConfig::get_amd_sev_type($conf); + my $cvm_type = PVE::QemuServer::CPUConfig::get_cvm_type($conf); die "SEV-SNP uses consolidated read-only firmware and does not require an EFI disk\n" - if $amd_sev_type && $amd_sev_type eq 'snp'; + if $cvm_type && $cvm_type eq 'snp'; ($volid, $size) = PVE::QemuServer::OVMF::create_efidisk( - $storecfg, $storeid, $vmid, $fmt, $arch, $disk, $smm, $amd_sev_type, + $storecfg, $storeid, $vmid, $fmt, $arch, $disk, $smm, $cvm_type, ); } elsif ($ds eq 'tpmstate0') { # swtpm can only use raw volumes, and uses a fixed size diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm index df2476aa..9e2cef3a 100644 --- a/src/PVE/QemuServer.pm +++ b/src/PVE/QemuServer.pm @@ -62,7 +62,7 @@ use PVE::QemuServer::Helpers use PVE::QemuServer::Cloudinit; use PVE::QemuServer::CGroup; use PVE::QemuServer::CPUConfig - qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch get_amd_sev_object get_amd_sev_type); + qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch get_amd_sev_object get_cvm_type); use PVE::QemuServer::Drive qw( is_valid_drivename checked_volume_format @@ -3226,7 +3226,7 @@ sub config_to_command { if !$forcecpu && get_cpu_bitness($conf->{cpu}, $arch) == 32; my $hw_info = { - 'amd-sev-type' => get_amd_sev_type($conf), + 'cvm-type' => get_cvm_type($conf), arch => $arch, 'machine-version' => $machine_version, q35 => $q35, 
@@ -7922,9 +7922,9 @@ sub get_efivars_size { my $arch = PVE::QemuServer::Helpers::get_vm_arch($conf); $efidisk //= $conf->{efidisk0} ? parse_drive('efidisk0', $conf->{efidisk0}) : undef; my $smm = PVE::QemuServer::Machine::machine_type_is_q35($conf); - my $amd_sev_type = get_amd_sev_type($conf); + my $cvm_type = get_cvm_type($conf); - return PVE::QemuServer::OVMF::get_efivars_size($arch, $efidisk, $smm, $amd_sev_type); + return PVE::QemuServer::OVMF::get_efivars_size($arch, $efidisk, $smm, $cvm_type); } sub update_efidisk_size { diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm index 786a99d8..65a7b565 100644 --- a/src/PVE/QemuServer/CPUConfig.pm +++ b/src/PVE/QemuServer/CPUConfig.pm @@ -18,7 +18,7 @@ our @EXPORT_OK = qw( get_cpu_bitness is_native_arch get_amd_sev_object - get_amd_sev_type + get_cvm_type ); # under certain race-conditions, this module might be loaded before pve-cluster @@ -881,14 +881,15 @@ sub get_hw_capabilities { return $hw_capabilities; } -sub get_amd_sev_type { +sub get_cvm_type { my ($conf) = @_; - return undef if !$conf->{'amd-sev'}; - - my $sev = PVE::JSONSchema::parse_property_string($sev_fmt, $conf->{'amd-sev'}); - - return $sev->{type}; + if ($conf->{'amd-sev'}) { + my $sev = PVE::JSONSchema::parse_property_string($sev_fmt, $conf->{'amd-sev'}); + return $sev->{type}; + } else { + return undef; + } } sub get_amd_sev_object { diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm index 08134e30..8b02d089 100644 --- a/src/PVE/QemuServer/OVMF.pm +++ b/src/PVE/QemuServer/OVMF.pm 
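Review bot: The get_cvm_type body in the CPUConfig.pm hunk trades the guard clause `return undef if !$conf->{'amd-sev'};` for an if/else that nests the property-string parsing, which turns a rename into a restructuring for no gain and makes adding further platform branches later more awkward than another guard would. Keeping the original two statements after the `my ($conf) = @_;` line gives the same result with a smaller diff. The explicit `undef` is needed either way: config_to_command puts the call inside a hash constructor (`'cvm-type' => get_cvm_type($conf)`), where a bare `return;` would yield an empty list and shift the remaining keys. Since the sub now carries a platform-neutral name while still reading only `amd-sev`, a one-line header comment such as `# Returns the confidential-VM type ('std', 'es' or 'snp') from the amd-sev property, undef if none is configured` would tell the next reader what it currently covers.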
@@ -29,10 +29,10 @@ my $OVMF = { "$EDK2_FW_BASE/OVMF_CODE_4M.secboot.fd", "$EDK2_FW_BASE/OVMF_VARS_4M.ms.fd", ], '4m-sev' => [ - "$EDK2_FW_BASE/OVMF_CVM_CODE_4M.fd", "$EDK2_FW_BASE/OVMF_CVM_VARS_4M.fd", + "$EDK2_FW_BASE/OVMF_SEV_CODE_4M.fd", "$EDK2_FW_BASE/OVMF_SEV_VARS_4M.fd", ], '4m-snp' => [ - "$EDK2_FW_BASE/OVMF_CVM_4M.fd", + "$EDK2_FW_BASE/OVMF_SEV_4M.fd", ], # FIXME: These are legacy 2MB-sized images that modern OVMF doesn't supports to build # anymore. how can we deperacate this sanely without breaking existing instances, or using @@ -49,19 +49,19 @@ my $OVMF = { }; my sub get_ovmf_files($$$$) { - my ($arch, $efidisk, $smm, $amd_sev_type) = @_; + my ($arch, $efidisk, $smm, $cvm_type) = @_; my $types = $OVMF->{$arch} or die "no OVMF images known for architecture '$arch'\n"; my $type = 'default'; if ($arch eq 'x86_64') { - if ($amd_sev_type && $amd_sev_type eq 'snp') { + if ($cvm_type && $cvm_type eq 'snp') { $type = "4m-snp"; my ($ovmf) = $types->{$type}->@*; die "EFI base image '$ovmf' not found\n" if !-f $ovmf; return ($ovmf); - } elsif ($amd_sev_type) { + } elsif ($cvm_type && ($cvm_type eq 'std' || $cvm_type eq 'es')) { $type = "4m-sev"; } elsif (defined($efidisk->{efitype}) && $efidisk->{efitype} eq '4m') { $type = $smm ? "4m" : "4m-no-smm"; 
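Review bot: The '4m-sev' and '4m-snp' entries now point at OVMF_SEV_CODE_4M.fd, OVMF_SEV_VARS_4M.fd and OVMF_SEV_4M.fd instead of the OVMF_CVM_* names, which is a hard dependency on the installed firmware package shipping images under the new names. If pve-edk2-firmware is not updated in lockstep, every existing SEV VM stops at the `die "EFI base image '$ovmf' not found\n"` check on its next start, so the packaging dependency presumably needs a matching version bump; that is not visible in this patch. A short comment next to the entries naming the firmware package version that introduced the SEV-named files would make the coupling explicit.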
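Review bot: In get_ovmf_files the new `elsif ($cvm_type && ($cvm_type eq 'std' || $cvm_type eq 'es'))` narrows the old "any truthy type selects 4m-sev" rule, so a `$cvm_type` that is neither 'snp', 'std' nor 'es' now falls through to the efitype/default branches and the VM is started with the ordinary, non-confidential OVMF images. For a confidential VM that is the wrong direction to fail in; an unrecognised type should abort instead, e.g. `} elsif ($cvm_type) { die "no OVMF image known for confidential VM type '$cvm_type'\n";` inserted before the `defined($efidisk->{efitype})` branch. The body of get_ovmf_files continues past the end of this hunk.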
@@ -81,14 +81,14 @@ my sub get_ovmf_files($$$$) { my sub print_ovmf_drive_commandlines { my ($conf, $storecfg, $vmid, $hw_info, $version_guard, $readonly) = @_; - my ($amd_sev_type, $arch, $q35) = $hw_info->@{qw(amd-sev-type arch q35)}; + my ($cvm_type, $arch, $q35) = $hw_info->@{qw(cvm-type arch q35)}; my $d = $conf->{efidisk0} ? parse_drive('efidisk0', $conf->{efidisk0}) : undef; die "Attempting to configure SEV-SNP with pflash devices instead of using `-bios`\n" - if $amd_sev_type && $amd_sev_type eq 'snp'; + if $cvm_type && $cvm_type eq 'snp'; - my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $d, $q35, $amd_sev_type); + my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $d, $q35, $cvm_type); my $var_drive_str = "if=pflash,unit=1,id=drive-efidisk0"; if ($d) { @@ -122,16 +122,16 @@ my sub print_ovmf_drive_commandlines { } sub get_efivars_size { - my ($arch, $efidisk, $smm, $amd_sev_type) = @_; + my ($arch, $efidisk, $smm, $cvm_type) = @_; - my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm, $amd_sev_type); + my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm, $cvm_type); return -s $ovmf_vars; } sub create_efidisk($$$$$$$$) { - my ($storecfg, $storeid, $vmid, $fmt, $arch, $efidisk, $smm, $amd_sev_type) = @_; + my ($storecfg, $storeid, $vmid, $fmt, $arch, $efidisk, $smm, $cvm_type) = @_; - my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm, $amd_sev_type); + my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm, $cvm_type); my $vars_size_b = -s $ovmf_vars; my $vars_size = PVE::Tools::convert_size($vars_size_b, 'b' => 'kb'); 
@@ -147,15 +147,15 @@ sub create_efidisk($$$$$$$$) { my sub generate_ovmf_blockdev { my ($conf, $storecfg, $vmid, $hw_info, $readonly) = @_; - my ($amd_sev_type, $arch, $machine_version, $q35) = - $hw_info->@{qw(amd-sev-type arch machine-version q35)}; + my ($cvm_type, $arch, $machine_version, $q35) = + $hw_info->@{qw(cvm-type arch machine-version q35)}; my $drive = $conf->{efidisk0} ? parse_drive('efidisk0', $conf->{efidisk0}) : undef; die "Attempting to configure SEV-SNP with pflash devices instead of using `-bios`\n" - if $amd_sev_type && $amd_sev_type eq 'snp'; + if $cvm_type && $cvm_type eq 'snp'; - my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $drive, $q35, $amd_sev_type); + my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $drive, $q35, $cvm_type); my $ovmf_code_blockdev = { driver => 'raw', @@ -203,16 +203,18 @@ my sub generate_ovmf_blockdev { sub print_ovmf_commandline { my ($conf, $storecfg, $vmid, $hw_info, $version_guard, $readonly) = @_; - my $amd_sev_type = $hw_info->{'amd-sev-type'}; + my $cvm_type = $hw_info->{'cvm-type'}; my $cmd = []; my $machine_flags = []; - if ($amd_sev_type && $amd_sev_type eq 'snp') { + if ($cvm_type && $cvm_type eq 'snp') { if (defined($conf->{efidisk0})) { - log_warn("EFI disks are not supported with SEV-SNP and will be ignored"); + log_warn( + "EFI disks are not supported with Confidential Virtual Machines and will be ignored" + ); } - push $cmd->@*, '-bios', get_ovmf_files($hw_info->{arch}, undef, undef, $amd_sev_type); + push $cmd->@*, '-bios', get_ovmf_files($hw_info->{arch}, undef, undef, $cvm_type); } else { if ($version_guard->(10, 0, 0)) { # for the switch to -blockdev my ($code_blockdev, $vars_blockdev, $throttle_group) = diff --git a/src/test/cfg2cmd/sev-es.conf.cmd b/src/test/cfg2cmd/sev-es.conf.cmd index 3cc2dbc6..f61a72c6 100644 --- a/src/test/cfg2cmd/sev-es.conf.cmd +++ b/src/test/cfg2cmd/sev-es.conf.cmd 
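Review bot: The reworded log_warn in print_ovmf_commandline now claims EFI disks are unsupported with "Confidential Virtual Machines" in general, but the enclosing branch is still `if ($cvm_type && $cvm_type eq 'snp')`, and the sev-es and sev-std test expectations in this same patch still carry a drive-efidisk0 blockdev, so the statement is wrong for the other two types. Either keep the original text, `log_warn("EFI disks are not supported with SEV-SNP and will be ignored");`, or derive it from the value that triggered it, `log_warn("EFI disks are not supported with confidential VM type '$cvm_type' and will be ignored");`, which stays accurate when more types reach this branch. The rest of print_ovmf_commandline lies outside the hunk.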
@@ -10,7 +10,7 @@ -daemonize \ -smbios 'type=1,uuid=7b10d7af-b932-4c66-b2c3-3996152ec465' \ -object '{"id":"throttle-drive-efidisk0","limits":{},"qom-type":"throttle-group"}' \ - -blockdev '{"driver":"raw","file":{"driver":"file","filename":"/usr/share/pve-edk2-firmware//OVMF_CVM_CODE_4M.fd"},"node-name":"pflash0","read-only":true}' \ + -blockdev '{"driver":"raw","file":{"driver":"file","filename":"/usr/share/pve-edk2-firmware//OVMF_SEV_CODE_4M.fd"},"node-name":"pflash0","read-only":true}' \ -blockdev '{"detect-zeroes":"on","discard":"ignore","driver":"throttle","file":{"cache":{"direct":false,"no-flush":false},"detect-zeroes":"on","discard":"ignore","driver":"raw","file":{"aio":"io_uring","cache":{"direct":false,"no-flush":false},"detect-zeroes":"on","discard":"ignore","driver":"file","filename":"/var/lib/vz/images/100/vm-100-disk-0.raw","node-name":"e1175f2a490414e7c53337589fde17a","read-only":false},"node-name":"f1175f2a490414e7c53337589fde17a","read-only":false,"size":540672},"node-name":"drive-efidisk0","read-only":false,"throttle-group":"throttle-drive-efidisk0"}' \ -smp '1,sockets=1,cores=1,maxcpus=1' \ -nodefaults \ diff --git a/src/test/cfg2cmd/sev-snp.conf.cmd b/src/test/cfg2cmd/sev-snp.conf.cmd index 3308e86e..14b55d3e 100644 --- a/src/test/cfg2cmd/sev-snp.conf.cmd +++ b/src/test/cfg2cmd/sev-snp.conf.cmd @@ -9,7 +9,7 @@ -pidfile /var/run/qemu-server/8006.pid \ -daemonize \ -smbios 'type=1,uuid=7b10d7af-b932-4c66-b2c3-3996152ec465' \ - -bios /usr/share/pve-edk2-firmware//OVMF_CVM_4M.fd \ + -bios /usr/share/pve-edk2-firmware//OVMF_SEV_4M.fd \ -smp '1,sockets=1,cores=1,maxcpus=1' \ -nodefaults \ -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \ diff --git a/src/test/cfg2cmd/sev-std.conf.cmd b/src/test/cfg2cmd/sev-std.conf.cmd index 6291a302..c23fe6d2 100644 --- a/src/test/cfg2cmd/sev-std.conf.cmd +++ b/src/test/cfg2cmd/sev-std.conf.cmd 
@@ -10,7 +10,7 @@ -daemonize \ -smbios 'type=1,uuid=7b10d7af-b932-4c66-b2c3-3996152ec465' \ -object '{"id":"throttle-drive-efidisk0","limits":{},"qom-type":"throttle-group"}' \ - -blockdev '{"driver":"raw","file":{"driver":"file","filename":"/usr/share/pve-edk2-firmware//OVMF_CVM_CODE_4M.fd"},"node-name":"pflash0","read-only":true}' \ + -blockdev '{"driver":"raw","file":{"driver":"file","filename":"/usr/share/pve-edk2-firmware//OVMF_SEV_CODE_4M.fd"},"node-name":"pflash0","read-only":true}' \ -blockdev '{"detect-zeroes":"on","discard":"ignore","driver":"throttle","file":{"cache":{"direct":false,"no-flush":false},"detect-zeroes":"on","discard":"ignore","driver":"raw","file":{"aio":"io_uring","cache":{"direct":false,"no-flush":false},"detect-zeroes":"on","discard":"ignore","driver":"file","filename":"/var/lib/vz/images/100/vm-100-disk-0.raw","node-name":"e1175f2a490414e7c53337589fde17a","read-only":false},"node-name":"f1175f2a490414e7c53337589fde17a","read-only":false,"size":540672},"node-name":"drive-efidisk0","read-only":false,"throttle-group":"throttle-drive-efidisk0"}' \ -smp '1,sockets=1,cores=1,maxcpus=1' \ -nodefaults \ -- 2.43.0 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel