public inbox for pve-devel@lists.proxmox.com
From: Fiona Ebner <f.ebner@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Anton Iacobaeus <anton.iacobaeus@canarybit.eu>
Subject: Re: [pve-devel] [PATCH edk2-firmware/manager/qemu-server v3 0/9] Add support for Intel TDX
Date: Wed, 12 Nov 2025 15:48:03 +0100
Message-ID: <56e09334-ea26-437a-960c-4ec257a5d432@proxmox.com>
In-Reply-To: <ea2fefd6-1cf6-43bb-9f58-a55636d7a574@proxmox.com>

On 12.11.25 at 2:48 PM, Fiona Ebner wrote:
> I did not go ahead with applying the edk2 patches yet, because I got a
> question: Don't we want to enroll the Microsoft and distro keys for the
> image? Debian upstream added TDX support just a few days ago and they
> enroll the Microsoft and distro keys and even dropped the variant
> without pre-enrolled keys [1] that was part of the initial merge. The
> changes [0] include an "enroll_vendor" helper so we could use that and
> get an OVMF_TDX_4M.ms.fd image.
> 
> What do you think?

My proposal to add on top:

> diff --git a/debian/pve-edk2-firmware-ovmf.install b/debian/pve-edk2-firmware-ovmf.install
> index 22186563bb..cd5313bb0d 100644
> --- a/debian/pve-edk2-firmware-ovmf.install
> +++ b/debian/pve-edk2-firmware-ovmf.install
> @@ -3,7 +3,7 @@ debian/ovmf-install/OVMF_VARS*.fd       /usr/share/pve-edk2-firmware
>  debian/ovmf-sev-install/OVMF_SEV_CODE*.fd      /usr/share/pve-edk2-firmware
>  debian/ovmf-sev-install/OVMF_SEV_VARS*.fd      /usr/share/pve-edk2-firmware
>  debian/ovmf-sev-install/OVMF_SEV_4M.fd /usr/share/pve-edk2-firmware
> -debian/ovmf-tdx-install/OVMF_TDX_4M.fd /usr/share/pve-edk2-firmware
> +debian/ovmf-tdx-install/OVMF_TDX_4M.ms.fd      /usr/share/pve-edk2-firmware
>  debian/ovmf32-install/OVMF32_CODE*.fd          /usr/share/pve-edk2-firmware
>  debian/ovmf32-install/OVMF32_VARS*.fd          /usr/share/pve-edk2-firmware
>  debian/PkKek-1-snakeoil.*                      /usr/share/pve-edk2-firmware
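Review bot: replacing the OVMF_TDX_4M.fd install line with OVMF_TDX_4M.ms.fd means the package stops shipping the variant without pre-enrolled keys, which is a user-visible path change; any consumer that references the old installed file (the qemu-server patches in this series are the obvious candidate) needs the matching rename, otherwise a TD guest would fail to start because the firmware file is no longer present. If keeping the unenrolled image around for users who manage their own keys is wanted, installing both files is the low-cost option; dropping it is consistent with what the quoted message says Debian did, so it is a deliberate choice either way and worth one sentence in the commit message.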
> diff --git a/debian/rules b/debian/rules
> index 9def34d267..044071cf90 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -95,8 +95,10 @@ OVMF_TDX_INSTALL_DIR = debian/ovmf-tdx-install
>  OVMF_TDX_BUILD_ROOT = Build/IntelTdx
>  OVMF_TDX_BUILD_DIR = $(OVMF_TDX_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)

(Note that I already split the above to follow commit "16bb13da3d
debian/rules: Define *_BUILD_ROOT variables" that was picked up from
Debian).

>  OVMF_TDX_SHELL = $(OVMF_TDX_BUILD_DIR)/X64/Shell.efi
> +OVMF_TDX_ENROLL = $(OVMF_TDX_BUILD_DIR)/X64/EnrollDefaultKeys.efi
>  OVMF_TDX_BINARIES = $(OVMF_TDX_SHELL)
>  OVMF_TDX_IMAGES  := $(addprefix $(OVMF_TDX_INSTALL_DIR)/,OVMF_TDX_4M.fd)
> +OVMF_TDX_PREENROLLED_IMAGES := $(addprefix $(OVMF_TDX_INSTALL_DIR)/,OVMF_TDX_4M.ms.fd)
>  
>  QEMU_EFI_BUILD_ROOT = Build/ArmVirtQemu-$(EDK2_HOST_ARCH)
>  QEMU_EFI_BUILD_DIR = $(QEMU_EFI_BUILD_ROOT)/$(BUILD_TYPE)_$(EDK2_TOOLCHAIN)
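Review bot: OVMF_TDX_ENROLL is defined in this hunk, but OVMF_TDX_BINARIES is left as just $(OVMF_TDX_SHELL), so EnrollDefaultKeys.efi is not a target of the `$(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES): debian/setup-build-stamp` rule even though the new pattern rule later in this patch lists $(OVMF_TDX_ENROLL) as a prerequisite. Unless the IntelTdx build already emits that binary as a side effect of producing Shell.efi, make has no rule to create it; changing the line to `OVMF_TDX_BINARIES = $(OVMF_TDX_SHELL) $(OVMF_TDX_ENROLL)` keeps the enroll tool under the same build rule as the shell.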
> @@ -145,7 +147,7 @@ $(OVMF_SEV_BINARIES) $(OVMF_SEV_IMAGES): debian/setup-build-stamp
>         cp $(OVMF_SEV_BUILD_DIR)/FV/OVMF.fd \
>                 $(OVMF_SEV_INSTALL_DIR)/OVMF_SEV_4M.fd
>  
> -build-ovmf-tdx: $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES)
> +build-ovmf-tdx: $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES) $(OVMF_TDX_PREENROLLED_IMAGES)
>  $(OVMF_TDX_BINARIES) $(OVMF_TDX_IMAGES): debian/setup-build-stamp
>         rm -rf $(OVMF_TDX_INSTALL_DIR)
>         mkdir $(OVMF_TDX_INSTALL_DIR)
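Review bot: the recipe starts with `rm -rf $(OVMF_TDX_INSTALL_DIR)` and the enrolled OVMF_TDX_4M.ms.fd is written into that same directory by the pattern rule added below, so correctness depends on the pattern rule's prerequisite on %/OVMF_TDX_4M.fd forcing this rule to run first. That ordering does hold, but a short comment above build-ovmf-tdx noting that the install directory is recreated here and the .ms.fd variant is derived from the plain image afterwards would spare the next reader from working it out.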
> @@ -215,6 +217,9 @@ enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
>  %/OVMF_VARS_4M.snakeoil.fd: %/OVMF_CODE_4M.fd %/OVMF_VARS_4M.fd debian/PkKek-1-snakeoil.pem $(OVMF_ENROLL) $(OVMF_SHELL)
>         $(call enroll_snakeoil,$(OVMF_INSTALL_DIR)/OVMF_VARS_4M.fd,$@)
>  
> +%/OVMF_TDX_4M.ms.fd: %/OVMF_TDX_4M.fd debian/PkKek-1-vendor.pem $(OVMF_TDX_ENROLL) $(OVMF_TDX_SHELL)
> +       $(call enroll_vendor,$(OVMF_TDX_INSTALL_DIR)/OVMF_TDX_4M.fd,$@,amd64)
> +
>  BaseTools/Bin/GccLto/liblto-aarch64.a: BaseTools/Bin/GccLto/liblto-aarch64.s
>         $($(EDK2_TOOLCHAIN)_AARCH64_PREFIX)gcc -c -fpic $< -o $@
>  
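Review bot: enroll_vendor is called with a third argument, amd64, while the enroll_snakeoil call directly above takes two and the definition of enroll_vendor is not part of this diff; a one-line comment saying what the architecture argument selects (presumably the distro key enrolled next to the Microsoft keys) and that the value is fixed because TDX exists only on x86-64 would make the hardcoded argument self-explanatory. As a style point, the recipe spells out $(OVMF_TDX_INSTALL_DIR)/OVMF_TDX_4M.fd instead of using `$<` for the first prerequisite; that mirrors the snakeoil rule above, but it lets the prerequisite and the path passed to virt-fw-vars drift apart if either is edited later.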

Let me know if this looks good to you or if you prefer something else :)

Best Regards,
Fiona