qemu-devel

Re: Adjusting the default ROM option for SEV guests


From: Claudio Fontana
Subject: Re: Adjusting the default ROM option for SEV guests
Date: Wed, 6 Jul 2022 16:57:40 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.4.0

Hello all,

Any comment on this one? It seems it would make sense to disable option ROMs
for SEV by default in QEMU. Any feedback, anyone?

Thanks,

Claudio

On 5/11/22 13:30, Vasily Ulyanov wrote:
> Hello QEMU devs,
> 
> Currently, to launch an SEV guest there are certain requirements for the VM
> configuration. One such is that the ROM option needs to be disabled for virtio-net
> devices [1]. Tools like virt-install or libvirt rely on the QEMU defaults if
> the ROM value is not provided (the default for virtio-net is set to
> romfile=efi-virtio.rom). Eventually this leads to an unbootable guest and poor user
> experience as it is now mandatory to explicitly disable the ROM option.
> 
> There is a similar situation with iommu_platform, though that seems to be
> addressed already in [2] and QEMU adjusts the defaults depending on whether it
> is a confidential guest or not.
> 
> Wouldn't it make sense to also handle the romfile like that in QEMU? I.e. in the
> case when an SEV guest is run and no romfile is explicitly specified, set it to
> an empty value? This will also be useful when running an SEV VM directly with QEMU.
> 
> Are there any objections or concerns? I could work on the patches but wanted to
> ping the community first and get some feedback. Would QEMU be the proper place
> to handle that? Any thoughts?
> 
> [1] https://libvirt.org/kbase/launch_security_sev.html#virtio-net
> [2] https://gitlab.com/qemu-project/qemu/-/commit/9f88a7a3df
> 
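
An added example, not part of the thread and not QEMU or libvirt code: a small Python check that flags the configuration described in the quoted message, an SEV guest whose virtio-net device still has an option ROM because `romfile` was left at its default or set to a file. The function names and the sample command lines are constructed for illustration; the check assumes SEV is requested with `-object sev-guest` and only looks at `virtio-net-pci*` devices.

```python
import shlex

def parse_opts(value):
    """Split 'driver,key=val,...' into (driver, {key: val}); ',,' escapes are not handled."""
    opts, head = {}, ""
    for i, item in enumerate(value.split(",")):
        key, sep, val = item.partition("=")
        if i == 0 and not sep:
            head = key            # positional type/driver name
        else:
            opts[key] = val
    return head or opts.get("qom-type") or opts.get("driver", ""), opts

def sev_rom_findings(cmdline):
    """List virtio-net-pci devices that still carry an option ROM in an SEV guest."""
    argv = shlex.split(cmdline)
    pairs = list(zip(argv, argv[1:]))
    if not any(f == "-object" and parse_opts(v)[0] == "sev-guest" for f, v in pairs):
        return []                 # not an SEV guest: the default ROM is fine
    findings = []
    for flag, value in pairs:
        if flag != "-device":
            continue
        driver, opts = parse_opts(value)
        if not driver.startswith("virtio-net-pci"):
            continue
        rom = opts.get("romfile")
        if rom is None:
            findings.append((opts.get("id", driver), "romfile unset, QEMU default applies"))
        elif rom != "":
            findings.append((opts.get("id", driver), "romfile=" + rom))
    return findings

# Constructed command lines (not taken from the thread).
SEV = ("qemu-system-x86_64 -machine q35,confidential-guest-support=sev0 "
       "-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 -netdev user,id=n0 ")
DEFAULT_ROM = SEV + "-device virtio-net-pci,netdev=n0,id=net0"
ROM_DISABLED = SEV + "-device virtio-net-pci,netdev=n0,id=net0,romfile="
NOT_SEV = "qemu-system-x86_64 -netdev user,id=n0 -device virtio-net-pci,netdev=n0,id=net0"

if __name__ == "__main__":
    for name in ("DEFAULT_ROM", "ROM_DISABLED", "NOT_SEV"):
        print(name, sev_rom_findings(globals()[name]))
```

Only the `ROM_DISABLED` form, with an explicitly empty `romfile=`, passes for an SEV guest; the same device line is accepted unchanged when no `sev-guest` object is present.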



