From: Daniel P. Berrangé Date: Thu, 31 Jul 2025 18:31:16 +0000 (+0100) Subject: qemu: don't warn about missing SMM for CVM firmware X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=63a0103df3cca5bcc34d767a4cb7c38b4825b3fd;p=thirdparty%2Flibvirt.git qemu: don't warn about missing SMM for CVM firmware Neither Intel TDX / AMD SEV(SNP) allow use of SMM, but the EDK2 firmware none the less supports secureboot. Libvirt currently issues bogus warnings about Fedora firmware warning : qemuFirmwareSanityCheck:1575 : Firmware description '/usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json' has invalid set of features: requires-smm = 0, secure-boot = 1, enrolled-keys = 1 This removes the warning if the firmware descriptor indicates use of any confidential VM technology. Reviewed-by: Andrea Bolognani Signed-off-by: Daniel P. Berrangé
---
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index f10137144e..c5f42af3ce 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1540,6 +1540,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
 bool requiresSMM = false;
 bool supportsSecureBoot = false;
 bool hasEnrolledKeys = false;
+ bool isConfidential = false;

 for (i = 0; i < fw->nfeatures; i++) {
 switch (fw->features[i]) {
@@ -1552,13 +1553,15 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
 case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
 hasEnrolledKeys = true;
 break;
- case QEMU_FIRMWARE_FEATURE_NONE:
- case QEMU_FIRMWARE_FEATURE_ACPI_S3:
- case QEMU_FIRMWARE_FEATURE_ACPI_S4:
 case QEMU_FIRMWARE_FEATURE_AMD_SEV:
 case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
 case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
 case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+ isConfidential = true;
+ break;
+ case QEMU_FIRMWARE_FEATURE_NONE:
+ case QEMU_FIRMWARE_FEATURE_ACPI_S3:
+ case QEMU_FIRMWARE_FEATURE_ACPI_S4:
 case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
 case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
 case QEMU_FIRMWARE_FEATURE_LAST:
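Review bot: `isConfidential` is set by all four feature cases alike, including plain `QEMU_FIRMWARE_FEATURE_AMD_SEV` and `QEMU_FIRMWARE_FEATURE_AMD_SEV_ES`, and it records only that the descriptor lists the feature, not that the guest will actually be launched as a confidential VM. If a general-purpose firmware build also lists one of these features (not visible here), a descriptor with secure-boot but without requires-smm would no longer be flagged even when it is used for an ordinary guest, where the variable store would be unprotected. I would say so at the assignment, e.g. `/* set from the descriptor's feature list only; does not mean the guest uses SEV/TDX */`, or narrow the set to the technologies the commit message names. The switch starts and ends outside this hunk.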
@@ -1566,7 +1569,15 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
 }
 }

- if ((supportsSecureBoot != requiresSMM) ||
+ /*
+ * NB, SMM is normally required to protect EFI variables from
+ * unauthorized guest modifications, but confidential VMs don't
+ * support SMM. This is OK, because EFI binaries for confidential
+ * VMs also don't support EFI variable storage in NVRAM, instead
+ * the secureboot state is hardcoded to enabled.
+ */
+ if ((!isConfidential &&
+ (supportsSecureBoot != requiresSMM)) ||
 (hasEnrolledKeys && !supportsSecureBoot)) {
 VIR_WARN("Firmware description '%s' has invalid set of features: "
 "%s = %d, %s = %d, %s = %d",
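Review bot: The new comment justifies skipping the `supportsSecureBoot != requiresSMM` check by saying confidential-VM firmware keeps no EFI variables in NVRAM, but nothing in the condition checks that; the exemption rests on the feature list alone. Since this warning is the only diagnostic visible here for a secure-boot build without SMM protection, I would extend the comment with `* Note: this trusts the descriptor's feature list; the absence of an NVRAM store is not verified here.` or, better, suppress the warning only when the descriptor also describes stateless firmware. The `hasEnrolledKeys && !supportsSecureBoot` test still applies to these descriptors, which looks intended. The function body continues past the end of the hunk.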