Merge pull request #9151 from niteeshkd/nd_snp_kernel_hashes

runtime: enable kernel-hashes for SNP confidential container
2026-01-29 21:39:23 +00:00 · 2024-06-07 18:19:51 -05:00
parent 03bcc167a4 1dbf5208ac
commit 84280115f6
3 changed files with 11 additions and 4 deletions
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -149,7 +149,7 @@ FIRMWARETDVFPATH := PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT
 FIRMWARETDVFVOLUMEPATH :=

 FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
-FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
+FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd

 ROOTMEASURECONFIG ?= ""
 KERNELPARAMS += $(ROOTMEASURECONFIG)
--- a/src/runtime/pkg/govmm/qemu/qemu.go
+++ b/src/runtime/pkg/govmm/qemu/qemu.go
@@ -375,12 +375,19 @@ func (object Object) QemuParams(config *Config) []string {
 		objectParams = append(objectParams, prepareObjectWithTdxQgs(object))
 		config.Bios = object.File
 	case SEVGuest:
-		fallthrough
+		objectParams = append(objectParams, string(object.Type))
+		objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID))
+		objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos))
+		objectParams = append(objectParams, fmt.Sprintf("reduced-phys-bits=%d", object.ReducedPhysBits))
+
+		driveParams = append(driveParams, "if=pflash,format=raw,readonly=on")
+		driveParams = append(driveParams, fmt.Sprintf("file=%s", object.File))
 	case SNPGuest:
 		objectParams = append(objectParams, string(object.Type))
 		objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID))
 		objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos))
 		objectParams = append(objectParams, fmt.Sprintf("reduced-phys-bits=%d", object.ReducedPhysBits))
+		objectParams = append(objectParams, "kernel-hashes=on")

 		driveParams = append(driveParams, "if=pflash,format=raw,readonly=on")
 		driveParams = append(driveParams, fmt.Sprintf("file=%s", object.File))
--- a/versions.yaml
+++ b/versions.yaml
@@ -324,12 +324,12 @@ externals:
    url: "https://github.com/tianocore/edk2"
    x86_64:
      description: "Vanilla firmware build"
-      version: "edk2-stable202202"
+      version: "edk2-stable202402"
      package: "OvmfPkg/OvmfPkgX64.dsc"
      package_output_dir: "OvmfX64"
    sev:
      description: "AmdSev build needed for SEV measured direct boot."
-      version: "edk2-stable202302"
+      version: "edk2-stable202402"
      package: "OvmfPkg/AmdSev/AmdSevX64.dsc"
      package_output_dir: "AmdSev"