diff --git a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-runtime-rs.toml.in
index 8c056f3b09..0edc10ba5e 100644
--- a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-runtime-rs.toml.in
@@ -65,13 +65,13 @@ kernel_verity_params = "@KERNELVERITYPARAMS_NV@"
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWAREPATH@"
+firmware = "@FIRMWAREPATH_NV@"
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
 # as configuration) and FIRMWARE_CODE.fd (UEFI program image). UEFI variables
 # can be customized per each user while UEFI code is kept same.
-firmware_volume = "@FIRMWAREVOLUMEPATH@"
+firmware_volume = "@FIRMWAREVOLUMEPATH_NV@"
 # Machine accelerators
 # comma-separated list of machine accelerators to pass to the hypervisor.
diff --git a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
index ef6326e030..e7d59ea317 100644
--- a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
+++ b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
@@ -2603,9 +2603,26 @@ impl<'a> QemuCmdLine<'a> {
 {
 qemu_cmd_line.add_seccomp_sandbox(seccomp_sandbox);
 }
+
+ // For confidential guests (SEV/SEV-SNP/TDX), `-bios` is appended later
+ // by `add_{sev,sev_snp,tdx}_protection_device()` via the
+ // ProtectionDevice handling in QemuInner::start_vm(), using the
+ // firmware copied into the ProtectionDeviceConfig. For non-CC guests
+ // there is no such code path, so wire `boot_info.firmware` directly
+ // here. Otherwise the firmware configured in the TOML (e.g. OVMF.fd
+ // for the nvidia-gpu profile) would silently never reach qemu's
+ // command line.
+ if !config.security_info.confidential_guest && !config.boot_info.firmware.is_empty() {
+ qemu_cmd_line.add_bios(&config.boot_info.firmware);
+ }
+
 Ok(qemu_cmd_line)
 }
+ fn add_bios(&mut self, firmware: &str) {
+ self.devices.push(Box::new(Bios::new(firmware.to_owned())));
+ }
+
 /// Takes ownership of the CCW subchannel, leaving `None` in its place.
 /// Used to transfer boot-time CCW state to Qmp for hotplug allocation.
 pub fn take_ccw_subchannel(&mut self) -> Option {
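Review bot: The new `add_bios` helper has no `///` doc comment while its neighbour `take_ccw_subchannel` does; suggest `/// Appends a `-bios` firmware entry to the device list. Only used on the non-confidential boot path; CC guests get their firmware via the ProtectionDevice handling instead.` so the split between the two firmware paths is visible at the helper rather than only in the call-site comment. A second point: the TOML hunk in this commit also renames the `firmware_volume` placeholder, but this hunk wires only `config.boot_info.firmware`; if `firmware_volume` is not consumed on some other path I cannot see here, a split OVMF_CODE/VARS configuration still silently never reaches qemu, which is exactly the failure mode the added comment describes, so either wire it or state the limitation in that comment. The builder function that ends at `Ok(qemu_cmd_line)` starts outside the hunk, so I cannot confirm whether `config` is validated (e.g. that the firmware path exists) before this point.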