Recommended update for ovmf

Announcement ID: SUSE-RU-2025:0113-1
Release Date: 2025-01-15T03:34:36Z
Rating: moderate
References:
Affected Products:
  • openSUSE Leap 15.6
  • Server Applications Module 15-SP6
  • SUSE Linux Enterprise Desktop 15 SP6
  • SUSE Linux Enterprise Real Time 15 SP6
  • SUSE Linux Enterprise Server 15 SP6
  • SUSE Linux Enterprise Server for SAP Applications 15 SP6
  • SUSE Package Hub 15 15-SP6

An update that has one fix can now be installed.

Description:

This update for ovmf fixes the following issues:

  • Added ovmf-x86_64-sev flavor to X64 against AMD SEV (bsc#1232762):

    • Moved "-D SECURE_BOOT_ENABLE" from OVMF_FLAGS to EXTRA_FLAGS_X64, BUILD_OPTIONS_AA64 and BUILD_OPTIONS_RV64 because SEV can NOT work with secure boot.
    • Add "-D SECURE_BOOT_ENABLE" to BUILD_OPTIONS_X86 because the building option be removed from OVMF_FLAGS.
    • The ovmf-x86_64-sev-code.bin, ovmf-x86_64-sev-vars.bin and a unified image ovmf-x86_64-sev.bin can be used.

  • Added 50-ovmf-x86_64-sev.json and 60-ovmf-x86_64-sev.json to descriptors.tar.xz for SEV flavor:

    • Removed features tag:

    • "acpi-s4", "acpi-s3", "requires-smm", "secure-boot", "enrolled-keys"

    • Added features tag:

    • "amd-sev", "amd-sev-es", "amd-sev-snp"

    • The 50-ovmf-x86_64-sev.json is for the ovmf-x86_64-sev.bin unified image which is stateless mode.

    • The 60-ovmf-x86_64-sev.json is for the ovmf-x86_64-sev-code/vars.bin. Please note that the -vars storage is non-secure because SEV does NOT support SMM (requires-smm).

  • Removed "amd-sev" and "amd-sev-es" from descriptors/60-ovmf-x86_64.json and descriptors/60-ovmf-x86_64-2m.json.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.6
    zypper in -t patch SUSE-2025-113=1 openSUSE-SLE-15.6-2025-113=1
  • SUSE Package Hub 15 15-SP6
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-113=1
  • Server Applications Module 15-SP6
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP6-2025-113=1

Package List:

  • openSUSE Leap 15.6 (aarch64 x86_64)
    • ovmf-tools-202308-150600.5.6.1
    • ovmf-202308-150600.5.6.1
  • openSUSE Leap 15.6 (noarch)
    • qemu-uefi-aarch32-202308-150600.5.6.1
    • qemu-ovmf-ia32-202308-150600.5.6.1
    • qemu-uefi-aarch64-202308-150600.5.6.1
    • qemu-ovmf-x86_64-202308-150600.5.6.1
  • openSUSE Leap 15.6 (x86_64)
    • qemu-ovmf-x86_64-debug-202308-150600.5.6.1
  • SUSE Package Hub 15 15-SP6 (noarch)
    • qemu-uefi-aarch32-202308-150600.5.6.1
    • qemu-uefi-aarch64-202308-150600.5.6.1
    • qemu-ovmf-x86_64-202308-150600.5.6.1
  • SUSE Package Hub 15 15-SP6 (x86_64)
    • qemu-ovmf-x86_64-debug-202308-150600.5.6.1
  • Server Applications Module 15-SP6 (aarch64 x86_64)
    • ovmf-tools-202308-150600.5.6.1
    • ovmf-202308-150600.5.6.1
  • Server Applications Module 15-SP6 (noarch)
    • qemu-uefi-aarch64-202308-150600.5.6.1
    • qemu-ovmf-x86_64-202308-150600.5.6.1

References: