mkimage: add bios-sev field to metadata.json for SEV firmware#70
Merged
Conversation
When the AMD SEV firmware (ovmf-sev.fd) is present, emit a "bios-sev" field in metadata.json alongside the existing TDX "bios": "ovmf.fd". This lets a VMM pick the right firmware per platform (ovmf.fd on TDX, ovmf-sev.fd on AMD SEV-SNP) instead of hardcoding the TDX firmware. The field is only emitted when the SEV firmware was built/shipped, so non-SEV builds keep the original metadata.json. metadata.json is part of sha256sum.txt, so digest.txt now reflects the bios-sev reference; this does not change any TDX hardware measurement (MRTD comes from ovmf.fd, RTMRs from kernel/cmdline/rootfs), only dstack's image-bundle digest. Verified: metadata.json is valid JSON with .['bios-sev'] = 'ovmf-sev.fd'; the field is omitted (still valid JSON) when no SEV firmware is present.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the image bundle metadata emitted by mkimage.sh so that when AMD SEV firmware (ovmf-sev.fd) is present, it is referenced in metadata.json via a new bios-sev field, enabling consumers (e.g., a VMM) to select firmware per platform without hardcoding.
Changes:
- Conditionally copy
ovmf-sev.fdinto the output bundle when present. - Conditionally emit
"bios-sev": "ovmf-sev.fd"inmetadata.jsononly when the SEV firmware artifact exists. - Update the in-script comment to clarify that while
ovmf-sev.fdis not hashed directly,metadata.jsonis hashed and therefore the overall bundle digest changes when the reference is present.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Emit a
bios-sevfield inmetadata.jsonpointing atovmf-sev.fdwhen the AMD SEV firmware is present, alongside the existing TDX"bios": "ovmf.fd":{ "bios": "ovmf.fd", "bios-sev": "ovmf-sev.fd", "kernel": "bzImage", ... }This lets a VMM select the right firmware per platform (
ovmf.fdon Intel TDX,ovmf-sev.fdon AMD SEV-SNP) from the image metadata instead of hardcoding the TDX firmware. Follow-up to #69 (which built/shippedovmf-sev.fdbut left it unreferenced in metadata).Behaviour
ovmf-sev.fdwas built/shipped (OVMF_BUILD_SEV), so non-SEV builds keep the originalmetadata.json.jq).Measurement note
metadata.jsonis hashed intosha256sum.txt, sodigest.txt(dstack's image-bundle digest) now reflects thebios-sevreference. This does not change any TDX hardware measurement: MRTD is measured fromovmf.fdand the RTMRs from kernel/cmdline/rootfs — none depend onmetadata.json. Only the bundle digest changes, which is expected for a new image build.Not included
The VMM-side logic that reads
bios-sevand selects it based on the detected platform lives in the dstack repo (overlaps the in-progress SEV-SNP work, PR #703) and is out of scope here.