Add support for QEMU AMD SNP VM Measured linux boot with the addition of new AMDSEV OVMF.fd

Bug #2106771 reported by Harika Nittala
This bug affects 1 person
Affects            Status        Importance   Assigned to     Milestone
edk2 (Debian)      New           Unknown
edk2 (Ubuntu)      Status tracked in Questing
  Plucky           New           Undecided    Unassigned
  Questing         In Progress   Wishlist     Lukas Märdian

Bug Description

On the Plucky release, the launch of an SNP QEMU VM with the SNP measurement boot option fails due to the absence of the OVMF amdsev file in the OVMF Plucky Ubuntu package.

The Plucky OVMF package requires the integration of the AMD SEV firmware file, OVMF.amdsev.fd, to enable support for SEV-secured VM remote attestation and secret injection.

Currently, the SEV firmware necessary to support SEV Virtual Machine Remote Attestation is not available within the Ubuntu OVMF package.

I attempted to execute an SNP QEMU measured boot using the OVMF file packaged with Ubuntu, but this endeavor was unsuccessful due to the provision of an invalid OVMF file within the Ubuntu OVMF package.

The error message that I see using the Ubuntu OVMF.fd (/usr/share/ovmf/OVMF.fd) as guest BIOS is as follows:
qemu-system-x86_64: SEV: guest firmware hashes table area is invalid (base=0x0 size=0x0)

The QEMU command line used for my SNP guest test launch on the Plucky release is as follows:

qemu-system-x86_64 \
 -enable-kvm \
 -cpu EPYC-v4 \
 -m 2048 \
 -nographic \
 -netdev user,hostfwd=tcp::10030-:22,id=vmnic \
 -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \
 -device virtio-scsi-pci,id=scsi0 \
 -device scsi-hd,drive=disk0 \
 -drive if=none,id=disk0,format=qcow2,file=/home/amd/os-guest-test/os-guest-test-guest.qcow2 \
 -machine memory-encryption=sev0,vmport=off \
 -object memory-backend-memfd,id=ram1,size=2048M,share=true,prealloc=false \
 -machine memory-backend=ram1 \
 -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,kernel-hashes=on \
 -bios /usr/share/ovmf/OVMF.fd \
 -kernel /home/amd/os-guest-test/guest_kernel_initrd/vmlinuz-6.13.9-200.fc41.x86_64 \
 -initrd /home/amd/os-guest-test/guest_kernel_initrd/initramfs-6.13.9-200.fc41.x86_64.img \
 -append "console=tty1 console=ttyS0,115200n8 root=LABEL=fedora ro rootflags=subvol=root"

ProblemType: Bug
DistroRelease: Ubuntu 25.04
Package: ovmf 2025.02-3ubuntu2
ProcVersionSignature: Ubuntu 6.14.0-13.13-generic 6.14.0
Uname: Linux 6.14.0-13-generic x86_64
ApportVersion: 2.32.0-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
Date: Tue Apr 8 05:43:04 2025
Dependencies:

InstallationDate: Installed on 2025-04-08 (0 days ago)
InstallationMedia: Ubuntu-Server 25.04 "Plucky Puffin" - Daily amd64 (20250407)
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=tmux-256color
 XDG_RUNTIME_DIR=<set>
SourcePackage: edk2
UpgradeStatus: No upgrade log present (probably fresh install)

Harika Nittala (harikanittala2021) wrote :

As a workaround fix, I used the built AMDSEV OVMF.fd from the OVMF source code extracted from the Ubuntu Plucky Package.

I built the AMDSEV-SNP VM OVMF from the OVMF plucky ubuntu package using the following steps:

Step 1: Get OVMF Source code from the Ubuntu Plucky Package
        apt-get source ovmf

Step 2: Build AMD-SNP OVMF for SNP VM measured direct boot based on the below link:
        https://github.com/tianocore/tianocore.github.io/wiki/Common-instructions

        a) Pre-Install OVMF Dependencies to setup EDK2 Build Environment

            sudo apt install build-essential uuid-dev iasl git nasm python-is-python3

        b) Compile build tools

            $ cd edk2-2025.02/
            $ make -C BaseTools
            $ export EDK_TOOLS_PATH=$HOME/edk2-2025.02/BaseTools
            $ ./edksetup.sh

          When the above steps are done, we can work in the edk2 directory for code development.

        c) Build the EDK II BaseTools

            $ make -C edk2/BaseTools

        d) Setup build shell environment

           $ cd edk2-2025.02/
           $ export EDK_TOOLS_PATH=$HOME/src/edk2/BaseTools

            # Below command populates edk2/Conf directory with the default configuration files
           $ . edksetup.sh BaseTools

        e) Modify Conf files to build AMDSEV OVMF.fd firmware for SNP remote attestation and secret injection purposes.

           # Create GRUB file under AmdSev to build AmdSev firmware without error
           $ touch OvmfPkg/AmdSev/Grub/grub.efi

           # Modify Conf/target.txt to build AMDSEV Firmware
           # In the Conf/target.txt,
             # Set the build platform, target architecture, tool chain, and multi-threading options as follows:

           ACTIVE_PLATFORM = OvmfPkg/AmdSev/AmdSevX64.dsc
           TARGET_ARCH = X64
           TOOL_CHAIN_TAG = GCC5

           # Build AMDSEV OVMF Firmware
            build

           # After build, OVMF firmware for SNP VM measured boot is located at Build/AmdSev/DEBUG_GCC5/FV/OVMF.fd inside edk2 source directory
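
A pre-flight check for the failure quoted in the bug description, which can be run against both /usr/share/ovmf/OVMF.fd and the firmware built in the steps above. This is an added example, not code from the report, QEMU or edk2; it assumes the GUIDed footer-table layout and the two GUIDs that QEMU's OVMF flash parser looks for, and the function names and sample base/size values are constructed for illustration.

```python
import struct
import sys
import uuid

# On-disk (little-endian) GUIDs, as used by QEMU's OVMF footer-table parser.
FOOTER_GUID = uuid.UUID("96b582de-1fb2-45f7-baea-a366c55a082d").bytes_le
SEV_HASH_TABLE_GUID = uuid.UUID("7255371f-3a3b-4b04-927b-1da6efa8d454").bytes_le
ENTRY_TAIL = 18  # each entry ends with a uint16 length and a 16-byte GUID


def find_sev_hash_table(image: bytes):
    """Return (base, size) of the SEV hash table entry, or None if absent."""
    end = len(image) - 32  # footer GUID ends 32 bytes before the end of file
    if end < ENTRY_TAIL or image[end - 16:end] != FOOTER_GUID:
        return None  # not an OVMF image with a GUIDed footer table
    pos = end - ENTRY_TAIL  # foot of the entry list; walk backwards from here
    remaining = struct.unpack_from("<H", image, pos)[0] - ENTRY_TAIL
    while ENTRY_TAIL <= remaining <= pos:
        length = struct.unpack_from("<H", image, pos - ENTRY_TAIL)[0]
        if length < ENTRY_TAIL or length > remaining:
            return None  # corrupt entry length
        data = image[pos - length:pos - ENTRY_TAIL]
        if image[pos - 16:pos] == SEV_HASH_TABLE_GUID and len(data) >= 8:
            return struct.unpack_from("<II", data)  # (base, size)
        pos -= length
        remaining -= length
    return None


def kernel_hashes_status(image: bytes) -> str:
    entry = find_sev_hash_table(image)
    if entry is None:
        return "no SEV hash table entry"
    area = "(base={:#x} size={:#x})".format(*entry)
    return ("invalid" if 0 in entry else "valid") + " hash table area " + area


def constructed_image(base: int, size: int) -> bytes:
    """Constructed sample, not real firmware: one SEV entry plus the footer."""
    entry = struct.pack("<IIH", base, size, 8 + ENTRY_TAIL) + SEV_HASH_TABLE_GUID
    footer = struct.pack("<H", len(entry) + ENTRY_TAIL) + FOOTER_GUID
    return bytes(4096) + entry + footer + bytes(32)


if __name__ == "__main__":
    print("constructed:", kernel_hashes_status(constructed_image(0, 0)))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "->", kernel_hashes_status(fh.read()))
```

Pass one or more firmware paths as arguments; an image that reports a zero base or size is one that kernel-hashes=on cannot use.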

Lena Voytek (lvoytek)
tags: added: server-triage-discuss
John Chittum (jchittum)
tags: removed: server-triage-discuss
Lukas Märdian (slyon) wrote :

Thank you very much for this report, Harika!

Can you confirm that this never worked on Ubuntu before (e.g. didn't work on 24.04 LTS)?
It sounds like this is a feature request and should be tracked at "Wishlist" priority.

From your report, I can see that it doesn't seem to work on Ubuntu 25.04, due to the missing OVMF.amdsev.fd (or Build/AmdSev/DEBUG_GCC5/FV/OVMF.fd). But I cannot find such a file on any other version of Ubuntu either.

IIUC your comment #2, the edk2 source package in Ubuntu provides everything we need, but the build flags/config need to be adapted in order to produce this file, e.g.:

        e) Modify Conf files to build AMDSEV OVMF.fd firmware for SNP remote attestation and secret injection purposes.

           # Create GRUB file under AmdSev to build AmdSev firmware without error
           $ touch OvmfPkg/AmdSev/Grub/grub.efi

           # Modify Conf/target.txt to build AMDSEV Firmware
           # In the Conf/target.txt,
             # Set the build platform, target architecture, tool chain, and multi-threading options as follows:

           ACTIVE_PLATFORM = OvmfPkg/AmdSev/AmdSevX64.dsc
           TARGET_ARCH = X64
           TOOL_CHAIN_TAG = GCC5

Ubuntu 25.04 is currently in Final Freeze and we cannot at this time enable any new features, but we can track it as a feature request for the next Ubuntu release.

Changed in edk2 (Ubuntu):
importance: Undecided → Wishlist
status: New → Incomplete
Harika Nittala (harikanittala2021) wrote :

Hi Lukas,
  >> Can you confirm that this never worked on Ubuntu before (e.g. didn't work on 24.04 LTS)?
     Yes, the Ubuntu OVMF.fd file did not work on Ubuntu 24.04, and I could not find an AMDSEV OVMF.fd file in the Ubuntu OVMF package that supports QEMU AMD SNP VM measured Linux boot.

Bryce Harrington (bryce)
Changed in edk2 (Ubuntu):
status: Incomplete → Confirmed
Christian Ehrhardt (paelzer) wrote :

Subscribing also DannF to it as he looks after this in Debian.
While Debian is in freeze and not expected to move soon, they and he in particular should know about it.

We are also forwarding the bug to align where we can in resolving this.

Christian Ehrhardt (paelzer) wrote :

FYI - all these special boot types seem to need one extra file, out of TDX work there is the similar [1].
We might want to ensure that eventually all of them flow in build and files in a similar way.
Therefore when implementing this for snp, let us try to use the same pattern.

[1]: https://git.launchpad.net/~kobuk-team/ubuntu/+source/edk2/commit/?id=cbc824d254e5b98073411b3f74a12dbbcbb20380

Lukas Märdian (slyon) wrote :
Changed in edk2 (Debian):
status: Unknown → New
Lukas Märdian (slyon)
Changed in edk2 (Ubuntu Questing):
assignee: nobody → Lukas Märdian (slyon)
status: Confirmed → In Progress