config: Use standard OVMF with SEV
The AmdSev firmware package should be used with
measured direct boot. If the expected hashes are not
injected into the firmware binary by the VMM, the
guest will not boot. This is required for security.

Currently the main branch does not have the extended
shim support for SEV, which tells the VMM to inject
the expected hashes.

We ship the standard OVMF package to use with SNP,
so let's switch SEV to that for now. This will need
to be changed back when shim support for SEV(-ES)
is added to main.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
fitzthum authored and fidencio committed May 17, 2023
1 parent 724437e commit cbb9fe8
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/runtime/Makefile
Expand Up @@ -130,7 +130,7 @@ FIRMWAREVOLUMEPATH :=
FIRMWARETDVFPATH := $(PREFIXDEPS)/share/tdvf/OVMF.fd
FIRMWARETDVFVOLUMEPATH :=

FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd

# Name of default configuration file the runtime will use.
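Review bot: The new `FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd` assignment carries no comment marking it as temporary, although the commit message says it has to be changed back once shim support for SEV(-ES) is added to main. The message also describes the AmdSev package's refusal to boot without injected hashes as required for security, so the Makefile itself should record the intent, for example with `# TODO: switch back to AMDSEV.fd once shim support for SEV(-ES) is in main` above the assignment, so the default does not silently stay on the standard OVMF build. A short note that SEV and SNP intentionally share the same firmware path for now would also help, since the two identical assignments otherwise read like a copy-paste error.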