Bug 1956837

Summary: Additional build of edk2 without SMM (dual build / sub-package) for SEV-ES
Product: Red Hat Enterprise Linux 8 Reporter: Ademar Reis <areis>
Component: edk2Assignee: Laszlo Ersek <lersek>
Status: CLOSED ERRATA QA Contact: zixchen
Severity: medium Docs Contact:
Priority: medium    
Version: 8.4CC: berrange, coli, jinzhao, juzhang, kraxel, leidwang, lersek, mrezanin, pbonzini, philmd, troels, virt-maint, xuwei, zixchen
Target Milestone: betaKeywords: FutureFeature, Triaged
Target Release: 8.5Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: edk2-20200602gitca407c7246bf-5.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 18:08:20 UTC Type: Feature Request
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1868079, 1938238    

Description Ademar Reis 2021-05-04 14:13:20 UTC 
We would like to evaluate the pros/cons and feasibility of having an extra build of edk2 streamlined for SEV-ES. A minimalistic binary is desired for a reduced footprint and attack surface, but it also might be required due to limitations in the implementation.

The idea here is to have multiple builds of edk2 generated from the same SRPM (as sub-packages).

Some upstream references:

[edk2-devel] [PATCH v3 0/5] SEV-ES TPM enablement fixes
https://edk2.groups.io/g/devel/message/74608 (Merged in commit range ab957f036f67..1e6b0394d6c0, via <https://github.com/tianocore/edk2/pull/1620>).

We're planning a rebase of edk2 in RHEL-8.5: Bug #1938238

(BTW, this bug is open to the public)
Comment 5 Laszlo Ersek 2021-05-10 10:44:58 UTC 
Virt-QE: for the time being, the new subpackage / binary should only be sanity checked; it should work equivalently to the usual edk2-ovmf package, except you should expect that the Secure Boot feature is not built into the binary. Actual SEV-ES support will come with bug 1868079. Thanks!
Comment 6 Laszlo Ersek 2021-05-10 11:01:33 UTC 
Virt-QE: comment 5 applies only to the raw QEMU command line. If you want to regression-test with libvirt, you'll have to wait until a libvirt RHBZ exists (and is fixed) for recognizing the "amd-sev-es" feature in the fw descriptor. The upstream libvirt ticket for that is <https://gitlab.com/libvirt/libvirt/-/issues/156>. Thanks.
Comment 7 Laszlo Ersek 2021-05-10 11:07:45 UTC 
(In reply to Laszlo Ersek from comment #5)
> Virt-QE: for the time being, the new subpackage / binary should only be
> sanity checked; it should work equivalently to the usual edk2-ovmf package,
> except you should expect that the Secure Boot feature is not built into the
> binary. [...]

(In reply to Laszlo Ersek from comment #6)
> Virt-QE: comment 5 applies only to the raw QEMU command line. [...]

Note that the QEMU command line is affected. The following option must be *removed*, relative to what you are used to:

  -global driver=cfi.pflash01,property=secure,value=on

Thanks.
Comment 11 Yanan Fu 2021-05-13 02:31:26 UTC 
Set Verified:Tested,SanityOnly as gating/tier1 test pass.
Comment 15 zixchen 2021-05-17 01:16:46 UTC 
Regression test passed.

version:
edk2-ovmf-20200602gitca407c7246bf-5.el8.noarch
kernel-4.18.0-305.1.el8.x86_64
qemu-kvm-6.0.0-16.module+el8.5.0+10848+2dccc46d.x86_64
Comment 18 errata-xmlrpc 2021-11-09 18:08:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: edk2 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4198