Support for SEV-SNP in guest VMs

Hi @piers, regarding your previous question about Secure Boot—I haven't set it up myself, but I believe it's doable. The main caveat is that Secure Boot must be configured offline since OVMF.fd is volatile.
 
pipo said:
In any case, I opted to proceed with 202411, which allowed me to run SNP VMs—provided that OVMF was compiled without SECURE_BOOT_ENABLE and SMM_REQUIRE. The same applied when running SEV-ES VMs.
Click to expand...
Oh thanks, that's good to know. If this is correct, I think we would need to build a separate firmware without SECURE_BOOT_ENABLE and SMM_REQUIRE to enable SEV-ES and SEV-SNP. That is, use this separate firmware with the `-bios` parameter only when SEV-ES and SEV-SNP are enabled.
 
Last edited:
I have a Ryzen 7 3700X - which seems to say it supports SEV:

Code: 
flags           : ..... sev sev_es

Code: 
$ cat /run/qemu-server/host-hw-capabilities.json
{ "amd-sev": { "cbitpos": 47, "reduced-phys-bits": 5, "sev-support": true, "sev-support-es": true, "sev-support-snp": false } }

When I try to enable it in a VM however, I get:
Code: 
vm: sev_common_kvm_init: Failed to open /dev/sev 'No such file or directory'
kvm: failed to initialize kvm: Operation not permitted
kvm: falling back to tcg
kvm: warning: TCG doesn't support requested feature: CPUID[eax=07h,ecx=00h].EBX.avx512f [bit 16]
kvm: warning: TCG doesn't support requested feature: CPUID[eax=07h,ecx=00h].EBX.avx512dq [bit 17]
kvm: warning: TCG doesn't support requested feature: CPUID[eax=07h,ecx=00h].EBX.avx512cd [bit 28]
kvm: warning: TCG doesn't support requested feature: CPUID[eax=07h,ecx=00h].EBX.avx512bw [bit 30]
kvm: warning: TCG doesn't support requested feature: CPUID[eax=07h,ecx=00h].EBX.avx512vl [bit 31]
kvm: TCG doesn't support requested features
TASK ERROR: start failed: QEMU exited with code 1

I added the kernel config options:
Code: 
$ cat /proc/cmdline
initrd=\EFI\proxmox\6.17.2-1-pve\initrd.img-6.17.2-1-pve root=/dev/mapper/pve-root ro quiet amd_pstate=active mem_encrypt=on kvm_amd.sev=1

however:
Code: 
$ cat /sys/module/kvm_amd/parameters/sev
N

Am I missing something?
 
CRCinAU said:
I have a Ryzen 7 3700X - which seems to say it supports SEV:
Click to expand...
AMD SEV only works with AMD EPYC CPUs [1] and it needs to be enabled in BIOS.
You will probably not find an AMD SEV setting in your BIOS.
I do not know why the CPU flags indicate that it supports AMD SEV.
Perhaps AMD SEV was planned for desktop hardware at some point.

This sev flag is not present in the current generation of AMD Ryzen desktop CPUs, and all support-sev flags in the host-hw-capabilities.json file should be false.

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#qm_memory_encryption_sev
 
MarkusF said:
AMD SEV only works with AMD EPYC CPUs [1] and it needs to be enabled in BIOS.
You will probably not find an AMD SEV setting in your BIOS.
I do not know why the CPU flags indicate that it supports AMD SEV.
Perhaps AMD SEV was planned for desktop hardware at some point.

This sev flag is not present in the current generation of AMD Ryzen desktop CPUs, and all support-sev flags in the host-hw-capabilities.json file should be false.

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#qm_memory_encryption_sev
Click to expand...
@MarkusF is it expected that a VM cannot boot when both TPM and SEV-SNP are enabled? Without TPM, the VM boots normally, but when TPM is enabled, KVM exits right after the boot progress bar completes.
 
You must log in or register to reply here.
Top Bottom