Merge pull request #13106 from fidencio/topic/runtime-rs-ensure-bios-is-passed-to-qemu-on-non-CC-cases

runtime-rs: qemu: pass -bios for non-confidential guests
Fabiano Fidêncio
2026-05-25 09:56:11 +02:00
committed by GitHub
2 changed files with 19 additions and 2 deletions


@@ -65,13 +65,13 @@ kernel_verity_params = "@KERNELVERITYPARAMS_NV@"
# Path to the firmware.
# If you want that qemu uses the default firmware leave this option empty
firmware = "@FIRMWAREPATH@"
firmware = "@FIRMWAREPATH_NV@"
# Path to the firmware volume.
# firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
# as configuration) and FIRMWARE_CODE.fd (UEFI program image). UEFI variables
# can be customized per each user while UEFI code is kept same.
firmware_volume = "@FIRMWAREVOLUMEPATH@"
firmware_volume = "@FIRMWAREVOLUMEPATH_NV@"
# Machine accelerators
# comma-separated list of machine accelerators to pass to the hypervisor.


@@ -2603,9 +2603,26 @@ impl<'a> QemuCmdLine<'a> {
{
qemu_cmd_line.add_seccomp_sandbox(seccomp_sandbox);
}
// For confidential guests (SEV/SEV-SNP/TDX), `-bios` is appended later
// by `add_{sev,sev_snp,tdx}_protection_device()` via the
// ProtectionDevice handling in QemuInner::start_vm(), using the
// firmware copied into the ProtectionDeviceConfig. For non-CC guests
// there is no such code path, so wire `boot_info.firmware` directly
// here. Otherwise the firmware configured in the TOML (e.g. OVMF.fd
// for the nvidia-gpu profile) would silently never reach qemu's
// command line.
if !config.security_info.confidential_guest && !config.boot_info.firmware.is_empty() {
qemu_cmd_line.add_bios(&config.boot_info.firmware);
}
Ok(qemu_cmd_line)
}
fn add_bios(&mut self, firmware: &str) {
self.devices.push(Box::new(Bios::new(firmware.to_owned())));
}
/// Takes ownership of the CCW subchannel, leaving `None` in its place.
/// Used to transfer boot-time CCW state to Qmp for hotplug allocation.
pub fn take_ccw_subchannel(&mut self) -> Option<CcwSubChannel> {
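Review bot: The new guard at `if !config.security_info.confidential_guest && !config.boot_info.firmware.is_empty()` wires only `boot_info.firmware`; the TOML template changed in the same PR also carries `firmware_volume` (the split CODE/VARS layout its comment describes), and nothing in this hunk passes that to qemu for non-CC guests, so a split-firmware configuration would presumably still be dropped silently — either handle it here or say in the comment block that only the single-file firmware is supported on this path. `add_bios` also has no doc comment while its neighbour `take_ccw_subchannel` does; suggest `/// Appends a -bios entry for the given firmware path; used for non-confidential guests only.` The enclosing constructor that builds `qemu_cmd_line` starts outside the hunk, so it cannot be seen whether `boot_info.firmware` is validated (exists, is a regular file, is absolute) before reaching this point; if it is not, a bad path only surfaces later as a qemu start failure, which is worth noting in the comment.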