[pve-devel] [PATCH qemu-server 1/3] Adapt AMD SEV code for compatibility with other platforms

From: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
To: pve-devel@lists.proxmox.com
Cc: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>,
	Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
Subject: [pve-devel] [PATCH qemu-server 1/3] Adapt AMD SEV code for compatibility with other platforms
Date: Tue, 16 Sep 2025 09:52:51 +0200	[thread overview]
Message-ID: <20250916075406.33084-9-anton.iacobaeus@canarybit.eu> (raw)
In-Reply-To: <20250916075406.33084-2-anton.iacobaeus@canarybit.eu>

From: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>

Change variable and function names that are specific to AMD SEV to
reflect this. Also, change name of general CC functions and variable
names to be used in conjunction with other platforms.

Signed-off-by: Philipp Giersfeld <philipp.giersfeld@canarybit.eu>
Signed-off-by: Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
---
 src/PVE/API2/Qemu.pm              |  6 ++---
 src/PVE/QemuServer.pm             |  8 +++----
 src/PVE/QemuServer/CPUConfig.pm   | 15 ++++++------
 src/PVE/QemuServer/OVMF.pm        | 40 +++++++++++++++----------------
 src/test/cfg2cmd/sev-es.conf.cmd  |  2 +-
 src/test/cfg2cmd/sev-snp.conf.cmd |  2 +-
 src/test/cfg2cmd/sev-std.conf.cmd |  2 +-
 7 files changed, 38 insertions(+), 37 deletions(-)

diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm
index 34f615d8..8639065d 100644
--- a/src/PVE/API2/Qemu.pm
+++ b/src/PVE/API2/Qemu.pm
@@ -618,13 +618,13 @@ my sub create_disks : prototype($$$$$$$$$$$) {
                 if ($ds eq 'efidisk0') {
                     my $smm = PVE::QemuServer::Machine::machine_type_is_q35($conf);
 
-                    my $amd_sev_type = PVE::QemuServer::CPUConfig::get_amd_sev_type($conf);
+                    my $cvm_type = PVE::QemuServer::CPUConfig::get_cvm_type($conf);
                     die
                         "SEV-SNP uses consolidated read-only firmware and does not require an EFI disk\n"
-                        if $amd_sev_type && $amd_sev_type eq 'snp';
+                        if $cvm_type && $cvm_type eq 'snp';
 
                     ($volid, $size) = PVE::QemuServer::OVMF::create_efidisk(
-                        $storecfg, $storeid, $vmid, $fmt, $arch, $disk, $smm, $amd_sev_type,
+                        $storecfg, $storeid, $vmid, $fmt, $arch, $disk, $smm, $cvm_type,
                     );
                 } elsif ($ds eq 'tpmstate0') {
                     # swtpm can only use raw volumes, and uses a fixed size
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index cbcad749..eb2a8c7e 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -61,7 +61,7 @@ use PVE::QemuServer::Helpers
 use PVE::QemuServer::Cloudinit;
 use PVE::QemuServer::CGroup;
 use PVE::QemuServer::CPUConfig
-    qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch get_amd_sev_object get_amd_sev_type);
+    qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch get_amd_sev_object get_cvm_type);
 use PVE::QemuServer::Drive qw(
     is_valid_drivename
     checked_volume_format
@@ -3417,7 +3417,7 @@ sub config_to_command {
             if !$forcecpu && get_cpu_bitness($conf->{cpu}, $arch) == 32;
 
         my $hw_info = {
-            'amd-sev-type' => get_amd_sev_type($conf),
+            'cvm-type' => get_cvm_type($conf),
             arch => $arch,
             'machine-version' => $machine_version,
             q35 => $q35,
@@ -8106,9 +8106,9 @@ sub get_efivars_size {
     my $arch = PVE::QemuServer::Helpers::get_vm_arch($conf);
     $efidisk //= $conf->{efidisk0} ? parse_drive('efidisk0', $conf->{efidisk0}) : undef;
     my $smm = PVE::QemuServer::Machine::machine_type_is_q35($conf);
-    my $amd_sev_type = get_amd_sev_type($conf);
+    my $cvm_type = get_cvm_type($conf);
 
-    return PVE::QemuServer::OVMF::get_efivars_size($arch, $efidisk, $smm, $amd_sev_type);
+    return PVE::QemuServer::OVMF::get_efivars_size($arch, $efidisk, $smm, $cvm_type);
 }
 
 sub update_efidisk_size {
diff --git a/src/PVE/QemuServer/CPUConfig.pm b/src/PVE/QemuServer/CPUConfig.pm
index 786a99d8..65a7b565 100644
--- a/src/PVE/QemuServer/CPUConfig.pm
+++ b/src/PVE/QemuServer/CPUConfig.pm
@@ -18,7 +18,7 @@ our @EXPORT_OK = qw(
     get_cpu_bitness
     is_native_arch
     get_amd_sev_object
-    get_amd_sev_type
+    get_cvm_type
 );
 
 # under certain race-conditions, this module might be loaded before pve-cluster
@@ -881,14 +881,15 @@ sub get_hw_capabilities {
     return $hw_capabilities;
 }
 
-sub get_amd_sev_type {
+sub get_cvm_type {
     my ($conf) = @_;
 
-    return undef if !$conf->{'amd-sev'};
-
-    my $sev = PVE::JSONSchema::parse_property_string($sev_fmt, $conf->{'amd-sev'});
-
-    return $sev->{type};
+    if ($conf->{'amd-sev'}) {
+        my $sev = PVE::JSONSchema::parse_property_string($sev_fmt, $conf->{'amd-sev'});
+        return $sev->{type};
+    } else {
+        return undef;
+    }
 }
 
 sub get_amd_sev_object {
diff --git a/src/PVE/QemuServer/OVMF.pm b/src/PVE/QemuServer/OVMF.pm
index 08134e30..df44d3f1 100644
--- a/src/PVE/QemuServer/OVMF.pm
+++ b/src/PVE/QemuServer/OVMF.pm
@@ -29,10 +29,10 @@ my $OVMF = {
             "$EDK2_FW_BASE/OVMF_CODE_4M.secboot.fd", "$EDK2_FW_BASE/OVMF_VARS_4M.ms.fd",
         ],
         '4m-sev' => [
-            "$EDK2_FW_BASE/OVMF_CVM_CODE_4M.fd", "$EDK2_FW_BASE/OVMF_CVM_VARS_4M.fd",
+            "$EDK2_FW_BASE/OVMF_SEV_CODE_4M.fd", "$EDK2_FW_BASE/OVMF_SEV_VARS_4M.fd",
         ],
         '4m-snp' => [
-            "$EDK2_FW_BASE/OVMF_CVM_4M.fd",
+            "$EDK2_FW_BASE/OVMF_SEV_4M.fd",
         ],
         # FIXME: These are legacy 2MB-sized images that modern OVMF doesn't supports to build
         # anymore. how can we deperacate this sanely without breaking existing instances, or using
@@ -49,19 +49,19 @@ my $OVMF = {
 };
 
 my sub get_ovmf_files($$$$) {
-    my ($arch, $efidisk, $smm, $amd_sev_type) = @_;
+    my ($arch, $efidisk, $smm, $cvm_type) = @_;
 
     my $types = $OVMF->{$arch}
         or die "no OVMF images known for architecture '$arch'\n";
 
     my $type = 'default';
     if ($arch eq 'x86_64') {
-        if ($amd_sev_type && $amd_sev_type eq 'snp') {
+        if ($cvm_type && $cvm_type eq 'snp') {
             $type = "4m-snp";
             my ($ovmf) = $types->{$type}->@*;
             die "EFI base image '$ovmf' not found\n" if !-f $ovmf;
             return ($ovmf);
-        } elsif ($amd_sev_type) {
+        } elsif ($cvm_type && ($cvm_type eq 'std' || $cvm_type eq 'es')) {
             $type = "4m-sev";
         } elsif (defined($efidisk->{efitype}) && $efidisk->{efitype} eq '4m') {
             $type = $smm ? "4m" : "4m-no-smm";
@@ -81,14 +81,14 @@ my sub get_ovmf_files($$$$) {
 my sub print_ovmf_drive_commandlines {
     my ($conf, $storecfg, $vmid, $hw_info, $version_guard, $readonly) = @_;
 
-    my ($amd_sev_type, $arch, $q35) = $hw_info->@{qw(amd-sev-type arch q35)};
+    my ($cvm_type, $arch, $q35) = $hw_info->@{qw(cvm-type arch q35)};
 
     my $d = $conf->{efidisk0} ? parse_drive('efidisk0', $conf->{efidisk0}) : undef;
 
     die "Attempting to configure SEV-SNP with pflash devices instead of using `-bios`\n"
-        if $amd_sev_type && $amd_sev_type eq 'snp';
+        if $cvm_type && $cvm_type eq 'snp';
 
-    my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $d, $q35, $amd_sev_type);
+    my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $d, $q35, $cvm_type);
 
     my $var_drive_str = "if=pflash,unit=1,id=drive-efidisk0";
     if ($d) {
@@ -122,16 +122,16 @@ my sub print_ovmf_drive_commandlines {
 }
 
 sub get_efivars_size {
-    my ($arch, $efidisk, $smm, $amd_sev_type) = @_;
+    my ($arch, $efidisk, $smm, $cvm_type) = @_;
 
-    my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm, $amd_sev_type);
+    my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm, $cvm_type);
     return -s $ovmf_vars;
 }
 
 sub create_efidisk($$$$$$$$) {
-    my ($storecfg, $storeid, $vmid, $fmt, $arch, $efidisk, $smm, $amd_sev_type) = @_;
+    my ($storecfg, $storeid, $vmid, $fmt, $arch, $efidisk, $smm, $cvm_type) = @_;
 
-    my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm, $amd_sev_type);
+    my (undef, $ovmf_vars) = get_ovmf_files($arch, $efidisk, $smm, $cvm_type);
 
     my $vars_size_b = -s $ovmf_vars;
     my $vars_size = PVE::Tools::convert_size($vars_size_b, 'b' => 'kb');
@@ -147,15 +147,15 @@ sub create_efidisk($$$$$$$$) {
 my sub generate_ovmf_blockdev {
     my ($conf, $storecfg, $vmid, $hw_info, $readonly) = @_;
 
-    my ($amd_sev_type, $arch, $machine_version, $q35) =
-        $hw_info->@{qw(amd-sev-type arch machine-version q35)};
+    my ($cvm_type, $arch, $machine_version, $q35) =
+        $hw_info->@{qw(cvm-type arch machine-version q35)};
 
     my $drive = $conf->{efidisk0} ? parse_drive('efidisk0', $conf->{efidisk0}) : undef;
 
     die "Attempting to configure SEV-SNP with pflash devices instead of using `-bios`\n"
-        if $amd_sev_type && $amd_sev_type eq 'snp';
+        if $cvm_type && $cvm_type eq 'snp';
 
-    my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $drive, $q35, $amd_sev_type);
+    my ($ovmf_code, $ovmf_vars) = get_ovmf_files($arch, $drive, $q35, $cvm_type);
 
     my $ovmf_code_blockdev = {
         driver => 'raw',
@@ -203,16 +203,16 @@ my sub generate_ovmf_blockdev {
 sub print_ovmf_commandline {
     my ($conf, $storecfg, $vmid, $hw_info, $version_guard, $readonly) = @_;
 
-    my $amd_sev_type = $hw_info->{'amd-sev-type'};
+    my $cvm_type = $hw_info->{'cvm-type'};
 
     my $cmd = [];
     my $machine_flags = [];
 
-    if ($amd_sev_type && $amd_sev_type eq 'snp') {
+    if ($cvm_type && $cvm_type eq 'snp') {
         if (defined($conf->{efidisk0})) {
-            log_warn("EFI disks are not supported with SEV-SNP and will be ignored");
+            log_warn("EFI disks are not supported with Confidential Virtual Machines and will be ignored");
         }
-        push $cmd->@*, '-bios', get_ovmf_files($hw_info->{arch}, undef, undef, $amd_sev_type);
+        push $cmd->@*, '-bios', get_ovmf_files($hw_info->{arch}, undef, undef, $cvm_type);
     } else {
         if ($version_guard->(10, 0, 0)) { # for the switch to -blockdev
             my ($code_blockdev, $vars_blockdev, $throttle_group) =
diff --git a/src/test/cfg2cmd/sev-es.conf.cmd b/src/test/cfg2cmd/sev-es.conf.cmd
index 3cc2dbc6..f61a72c6 100644
--- a/src/test/cfg2cmd/sev-es.conf.cmd
+++ b/src/test/cfg2cmd/sev-es.conf.cmd
@@ -10,7 +10,7 @@
   -daemonize \
   -smbios 'type=1,uuid=7b10d7af-b932-4c66-b2c3-3996152ec465' \
   -object '{"id":"throttle-drive-efidisk0","limits":{},"qom-type":"throttle-group"}' \
-  -blockdev '{"driver":"raw","file":{"driver":"file","filename":"/usr/share/pve-edk2-firmware//OVMF_CVM_CODE_4M.fd"},"node-name":"pflash0","read-only":true}' \
+  -blockdev '{"driver":"raw","file":{"driver":"file","filename":"/usr/share/pve-edk2-firmware//OVMF_SEV_CODE_4M.fd"},"node-name":"pflash0","read-only":true}' \
   -blockdev '{"detect-zeroes":"on","discard":"ignore","driver":"throttle","file":{"cache":{"direct":false,"no-flush":false},"detect-zeroes":"on","discard":"ignore","driver":"raw","file":{"aio":"io_uring","cache":{"direct":false,"no-flush":false},"detect-zeroes":"on","discard":"ignore","driver":"file","filename":"/var/lib/vz/images/100/vm-100-disk-0.raw","node-name":"e1175f2a490414e7c53337589fde17a","read-only":false},"node-name":"f1175f2a490414e7c53337589fde17a","read-only":false,"size":540672},"node-name":"drive-efidisk0","read-only":false,"throttle-group":"throttle-drive-efidisk0"}' \
   -smp '1,sockets=1,cores=1,maxcpus=1' \
   -nodefaults \
diff --git a/src/test/cfg2cmd/sev-snp.conf.cmd b/src/test/cfg2cmd/sev-snp.conf.cmd
index 3308e86e..14b55d3e 100644
--- a/src/test/cfg2cmd/sev-snp.conf.cmd
+++ b/src/test/cfg2cmd/sev-snp.conf.cmd
@@ -9,7 +9,7 @@
   -pidfile /var/run/qemu-server/8006.pid \
   -daemonize \
   -smbios 'type=1,uuid=7b10d7af-b932-4c66-b2c3-3996152ec465' \
-  -bios /usr/share/pve-edk2-firmware//OVMF_CVM_4M.fd \
+  -bios /usr/share/pve-edk2-firmware//OVMF_SEV_4M.fd \
   -smp '1,sockets=1,cores=1,maxcpus=1' \
   -nodefaults \
   -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \
diff --git a/src/test/cfg2cmd/sev-std.conf.cmd b/src/test/cfg2cmd/sev-std.conf.cmd
index 6291a302..c23fe6d2 100644
--- a/src/test/cfg2cmd/sev-std.conf.cmd
+++ b/src/test/cfg2cmd/sev-std.conf.cmd
@@ -10,7 +10,7 @@
   -daemonize \
   -smbios 'type=1,uuid=7b10d7af-b932-4c66-b2c3-3996152ec465' \
   -object '{"id":"throttle-drive-efidisk0","limits":{},"qom-type":"throttle-group"}' \
-  -blockdev '{"driver":"raw","file":{"driver":"file","filename":"/usr/share/pve-edk2-firmware//OVMF_CVM_CODE_4M.fd"},"node-name":"pflash0","read-only":true}' \
+  -blockdev '{"driver":"raw","file":{"driver":"file","filename":"/usr/share/pve-edk2-firmware//OVMF_SEV_CODE_4M.fd"},"node-name":"pflash0","read-only":true}' \
   -blockdev '{"detect-zeroes":"on","discard":"ignore","driver":"throttle","file":{"cache":{"direct":false,"no-flush":false},"detect-zeroes":"on","discard":"ignore","driver":"raw","file":{"aio":"io_uring","cache":{"direct":false,"no-flush":false},"detect-zeroes":"on","discard":"ignore","driver":"file","filename":"/var/lib/vz/images/100/vm-100-disk-0.raw","node-name":"e1175f2a490414e7c53337589fde17a","read-only":false},"node-name":"f1175f2a490414e7c53337589fde17a","read-only":false,"size":540672},"node-name":"drive-efidisk0","read-only":false,"throttle-group":"throttle-drive-efidisk0"}' \
   -smp '1,sockets=1,cores=1,maxcpus=1' \
   -nodefaults \
-- 
2.43.0


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

