  Hi,

> Assuming that
>
> * the need to use -bios for SEV-SNP is intended;

Yes.  SEV-SNP (and TDX too) are by design incompatible with pflash
emulation.  Both do not allow the host to change the guest memory
layout after launch, and pflash needs to do that to switch between
reading mode and programming mode.

> * pflash still needs to be used for SEV (-ES?);

You can use pflash with SEV + SEV-ES.  It makes sense to do that if you
want to use a persistent variable store in pflash.  Otherwise it doesn't
make much of a difference whether you use -bios or read-only pflash for
the firmware.

> then I think that we need to have the edk2 package ship two separate
> descriptors pointing to the same file, one containing
>
>   {
>     "mapping": {
>       "device": "flash",
>       "mode": "stateless",
>       "executable": {
>         "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd",
>         "format": "raw"
>       }
>     },
>     "features": [
>       "amd-sev",
>       "amd-sev-es"
>     ]
>   }
>
> for SEV(-ES) and one containing
>
>   {
>     "mapping": {
>       "device": "memory",
>       "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd"
>     },
>     "features": [
>       "amd-sev-snp"
>     ]
>   }
>
> for SEV-SNP.

That should work.  Using device=memory for all three amd-sev* variants
should work too I think.

take care,
  Gerd
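
The constraint discussed in this message, as an added example that is not part of the original e-mail or of any project's code: a Python check that rejects a firmware descriptor advertising amd-sev-snp on a flash mapping and selects a usable descriptor per feature. The names lint, pick and NO_PFLASH are hypothetical, and the third descriptor is constructed as a deliberately wrong variant.

```python
import json

# Constructed input: the two descriptors proposed in the quoted text, plus one
# deliberately wrong variant (flash mapping advertised for SEV-SNP).
DESCRIPTORS = json.loads("""
[
  {"mapping": {"device": "flash", "mode": "stateless",
               "executable": {"filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd",
                              "format": "raw"}},
   "features": ["amd-sev", "amd-sev-es"]},
  {"mapping": {"device": "memory",
               "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd"},
   "features": ["amd-sev-snp"]},
  {"mapping": {"device": "flash", "mode": "stateless",
               "executable": {"filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd",
                              "format": "raw"}},
   "features": ["amd-sev", "amd-sev-snp"]}
]
""")

# Features that cannot be combined with pflash emulation, per the reply above
# (hypothetical name; only the feature string comes from the message).
NO_PFLASH = {"amd-sev-snp"}


def lint(desc):
    """Return a list of problems found in one firmware descriptor."""
    problems = []
    mapping = desc.get("mapping", {})
    device = mapping.get("device")
    clash = sorted(NO_PFLASH & set(desc.get("features", [])))
    if device == "flash" and clash:
        problems.append(f"flash mapping advertised for {', '.join(clash)}")
    if device == "flash" and "filename" not in mapping.get("executable", {}):
        problems.append("flash mapping without executable.filename")
    if device == "memory" and "filename" not in mapping:
        problems.append("memory mapping without filename")
    return problems


def pick(descs, feature):
    """Return the first lint-clean descriptor offering `feature`, else None."""
    for desc in descs:
        if feature in desc.get("features", []) and not lint(desc):
            return desc
    return None


if __name__ == "__main__":
    for i, d in enumerate(DESCRIPTORS):
        print(i, d["mapping"]["device"], d["features"], lint(d) or "ok")
```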