From 63a0103df3cca5bcc34d767a4cb7c38b4825b3fd Mon Sep 17 00:00:00 2001
From: =?utf8?q?Daniel=20P=2E=20Berrang=C3=A9?=
Date: Thu, 31 Jul 2025 19:31:16 +0100
Subject: [PATCH] qemu: don't warn about missing SMM for CVM firmware
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Neither Intel TDX / AMD SEV(SNP) allow use of SMM, but the EDK2 firmware none the less supports secureboot. Libvirt currently issues bogus warnings about Fedora firmware warning : qemuFirmwareSanityCheck:1575 : Firmware description '/usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json' has invalid set of features: requires-smm = 0, secure-boot = 1, enrolled-keys = 1 This removes the warning if the firmware descriptor indicates use of any confidential VM technology.
Reviewed-by: Andrea Bolognani
Signed-off-by: Daniel P. Berrangé
---
 src/qemu/qemu_firmware.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index f10137144e..c5f42af3ce 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1540,6 +1540,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
 bool requiresSMM = false;
 bool supportsSecureBoot = false;
 bool hasEnrolledKeys = false;
+ bool isConfidential = false;
 
 for (i = 0; i < fw->nfeatures; i++) {
 switch (fw->features[i]) {
@@ -1552,13 +1553,15 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
 case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
 hasEnrolledKeys = true;
 break;
- case QEMU_FIRMWARE_FEATURE_NONE:
- case QEMU_FIRMWARE_FEATURE_ACPI_S3:
- case QEMU_FIRMWARE_FEATURE_ACPI_S4:
 case QEMU_FIRMWARE_FEATURE_AMD_SEV:
 case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
 case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
 case QEMU_FIRMWARE_FEATURE_INTEL_TDX:
+ isConfidential = true;
+ break;
+ case QEMU_FIRMWARE_FEATURE_NONE:
+ case QEMU_FIRMWARE_FEATURE_ACPI_S3:
+ case QEMU_FIRMWARE_FEATURE_ACPI_S4:
 case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
 case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
 case QEMU_FIRMWARE_FEATURE_LAST:
@@ -1566,7 +1569,15 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
 }
 }
 
- if ((supportsSecureBoot != requiresSMM) ||
+ /*
+ * NB, SMM is normally required to protect EFI variables from
+ * unauthorized guest modifications, but confidential VMs don't
+ * support SMM. This is OK, because EFI binaries for confidential
+ * VMs also don't support EFI variable storage in NVRAM, instead
+ * the secureboot state is hardcoded to enabled.
+ */
+ if ((!isConfidential &&
+ (supportsSecureBoot != requiresSMM)) ||
 (hasEnrolledKeys && !supportsSecureBoot)) {
 VIR_WARN("Firmware description '%s' has invalid set of features: "
 "%s = %d, %s = %d, %s = %d",
-- 
2.47.2
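Review bot: The new `isConfidential = true` arm also covers `QEMU_FIRMWARE_FEATURE_AMD_SEV` and `QEMU_FIRMWARE_FEATURE_AMD_SEV_ES`, while the commit message argues only for TDX and SEV(SNP). The flag is derived from what the descriptor advertises, so a build that lists plain SEV but is also usable for ordinary guests would lose the secure-boot-without-SMM warning too; whether such descriptors exist should be confirmed. If the no-NVRAM argument holds for all four features, a one-line comment on the arm would record that, e.g. `/* these builds have no NVRAM varstore, so SMM is not needed */`; otherwise narrow the arm to the features where it does hold. The switch statement opens before this hunk and closes after it.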
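Review bot: When `isConfidential` is set the first clause of the condition is skipped in both directions, so a descriptor that lists a confidential feature together with `requires-smm` is now accepted silently, although the added comment says confidential VMs do not support SMM. Keeping a check for that contradictory combination preserves the value of the sanity check: `if ((isConfidential ? requiresSMM : (supportsSecureBoot != requiresSMM)) ||`. The `VIR_WARN` call and the rest of the function continue past the end of the hunk, so what happens after the warning is not visible here.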