qemu: Using -bios for firmware does not work with OVMF firmware #1231
Comments
Some additional digging led me to believe that the
and I got the kernel to boot reasonably far. This is not with secure boot enabled, though, so this may not work as intended if what you are looking for is SecureBoot. But at least,
Setting "low priority" label since this seems to work somewhat OK with the current
I was wrong about what the code generates. There seems to be a difference between 1.x and 2.0. According to a discussion with Sandeep Gupta on kata-dev, we have a
But a partially correct
It's not very clear where that comes from in the govmm code:
I see nothing there that could produce the
/cc @devimc, @sboeuf, @markdryan.
See thread discussing the topic. Answer from Laszlo Ersek:
So pretty clear that we need to change the qemu command-line if we want to support safeboot and SEV.
Ah, so I hit this problem in my SEV patches and worked around it in the following way: In Not the most elegant, but it works with few code changes. But, no support for
Do we have any progress on this? Isn't this a requirement for confidential containers to load OVMF firmware? The other features that rely on this working are secure boot or measured boot. Running with the latest kata code the
From code inspection, this applies to both the 1.x and 2.0 branches equally.
Description of problem
When using the firmware configuration option, the runtime translates that into a -bios command-line option for qemu. This will not work with an OVMF firmware, which also needs separate OVMF_CODE.fd for the read-only portion of the firmware and OVMF_VARS.fd for the associated variables.
Expected result
For an OVMF firmware, you'd expect the qemu command line to contain two entries, one for the read-only section of the firmware (OVMF_CODE.fd) and one for the read-write portion (OVMF_VARS.fd). This is typically done using:
See fuller story here, for example: https://wiki.debian.org/SecureBoot/VirtualMachine
Actual result
The current code generates the simpler -bios option that looks like:
In that case, qemu will most likely not know how to find the related OVMF_VARS.fd. This may or may not be important.
Further information
Example of command-line option with an OVMF firmware:
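An added example, not part of the original issue and not kata-containers or govmm code: a hypothetical Go helper, firmwareArgs, that emits the two pflash -drive entries the description expects when a variable store is configured, and falls back to -bios otherwise. The function names and sample paths are assumptions; commas in paths are doubled because QEMU splits -drive values on commas.

```go
package main

import (
	"fmt"
	"strings"
)

// pflashDrive builds one -drive value for a UEFI flash device.
// QEMU splits -drive values on commas, so a comma inside the path is
// doubled to keep a configured path from injecting extra drive options.
func pflashDrive(unit int, path string, readOnly bool) string {
	opts := []string{"if=pflash", "format=raw", fmt.Sprintf("unit=%d", unit)}
	if readOnly {
		opts = append(opts, "readonly=on")
	}
	opts = append(opts, "file="+strings.ReplaceAll(path, ",", ",,"))
	return strings.Join(opts, ",")
}

// firmwareArgs is a hypothetical helper (not kata-containers or govmm code).
// code is the read-only firmware image; vars is the per-VM writable
// variable store, empty when the firmware is a single image.
func firmwareArgs(code, vars string) ([]string, error) {
	switch {
	case code == "" && vars != "":
		return nil, fmt.Errorf("variable store %q given without firmware code", vars)
	case code == "":
		return nil, nil
	case vars == "":
		// Single-image firmware: the -bios form the issue describes.
		return []string{"-bios", code}, nil
	}
	return []string{
		"-drive", pflashDrive(0, code, true), // OVMF_CODE.fd, read-only
		"-drive", pflashDrive(1, vars, false), // OVMF_VARS.fd, read-write
	}, nil
}

func main() {
	// Constructed sample paths, for illustration only.
	args, err := firmwareArgs("/usr/share/OVMF/OVMF_CODE.fd", "/run/vm/sandbox1/OVMF_VARS.fd")
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(args, " "))
}
```

The variable store is writable, so each VM should get its own copy of OVMF_VARS.fd rather than sharing the distribution template.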