Provide AMD SEV to guests

Hi.

We are running AMD Epyc CPUs on our servers and we would like to use SEV in a nested KVM setup of our guests.
I checked:
  • /proc/cpuinfo on Proxmox shows the sev extension
  • /sys/module/kvm_amd/parameters/nested is set to 1
  • Guest VM has CPU type set to host
This is what I expect to be done in order to use SEV within the guests, but /proc/cpuinfo on the guests doesn't show the sev extension.
Didn't find any documentation regarding this feature.
 
Hm, I could not find any references to running SEV in a nested environment at all. Do you have a precedent for this working?

It might be as simple as specifying the 'sev' flag to the guest, it might not be implemented at all. You can certainly try doing the former, e.g. create a custom CPU model with the 'sev' flag specified:

Code:
# /etc/pve/virtual-guest/cpu-models.conf
cpu-model: nested-sev
    reported-model host
    flags +sev

And then select CPU model "nested-sev" for your VM. See also 'man cpu-models.conf'.
 
I'm interested in this as well.

https://github.com/AMDESE/AMDSEV#faq-1

mentions that you can use the following command to check if SEV is supported:

Code:
virsh domcapabilities
However, this depends on libvirt - which is obviously not present in Proxmox. Is it possible to install the libvirt tools within Proxmox to check this, or is that still not supported?

Do you know if there's another way to get the equivalent of domcapabilities within Proxmox?
 
Enabling SEV for nested guests is not supported AFAIK, but using SEV itself on L1 VMs should be possible.

Enable SEV for the kvm_amd module on the host (make sure SME (but not TSME) is enabled in BIOS before) by adding the following line to your kernel commandline:
Code:
mem_encrypt=on kvm_amd.sev=1

Then check if SEV was enabled:
Code:
cat /sys/module/kvm_amd/parameters/sev
# should print 1

Lastly, here's a little script asking QEMU if it knows about SEV (somewhat equivalent to 'virsh domcapabilities' for SEV):
Code:
#!/bin/bash
# Start a bare QEMU (no disk, no guest) that only exposes a QMP control socket.
qemu-system-x86_64 -enable-kvm \
    -chardev 'socket,id=qmp,path=/tmp/qmp.socket,server,nowait' \
    -mon 'chardev=qmp,mode=control,pretty=on' &

sleep 0.5
# QMP insists on qmp_capabilities first; then ask about SEV and tell QEMU to quit.
echo '{ "execute": "qmp_capabilities" }
      { "execute": "query-sev-capabilities" }
      { "execute": "quit" }' \
    | socat - /tmp/qmp.socket
sleep 0.5

# Clean up in case 'quit' did not terminate the process.
pkill qemu-system-x86

The third response (in { } braces) should contain information about SEV support.

If this reports success, you should be able to enable SEV by adding the following to your VM config (/etc/pve/qemu-server/<vmid>.conf):
Code:
args: -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 -machine memory-encryption=sev0
(make sure 'cbitpos' and 'reduced-phys-bits' correspond to the output from the script above)

Now, that's as far as the theory goes. In practice, I have tried the above steps myself and was unable to progress past the second, since the 'sev' module parameter always stayed 0, even if specified manually on a 'modprobe'. This is a bit unexpected, as my workstation should in theory support it, but it seems like somewhere along the line something doesn't. Could be that the 5.4 kernel shipping with PVE is not new enough to get this to work...

TL;DR: We currently don't support SEV, but in *theory* it's possible to use for L1 guests. In practice, maybe not so much.
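To make the "make sure 'cbitpos' and 'reduced-phys-bits' correspond to the output from the script above" step less error-prone, here is an added example (not from this thread, and not Proxmox or QEMU code) that parses the socat output of the probe script, pulls the values out of the query-sev-capabilities reply, and either builds the matching args: line or checks an existing one against it. The QMP transcripts embedded below are constructed to look like QEMU's pretty=on output; the field names cbitpos and reduced-phys-bits are the ones QEMU returns, while the PDH, cert-chain and error-description strings are placeholders.

```python
#!/usr/bin/env python3
"""Derive or verify the Proxmox 'args:' line for SEV from the QMP replies
printed by the probe script (qemu -> socat). Added example, not project code."""
import json
import re

# Constructed sample of the socat output with 'pretty=on': QMP greeting,
# reply to qmp_capabilities, reply to query-sev-capabilities, reply to quit.
SAMPLE_QMP_OUTPUT = """\
{
    "QMP": {
        "version": {"qemu": {"micro": 0, "minor": 1, "major": 5}, "package": ""},
        "capabilities": ["oob"]
    }
}
{
    "return": {
    }
}
{
    "return": {
        "pdh": "PLACEHOLDER-PDH-BASE64",
        "cert-chain": "PLACEHOLDER-CERT-CHAIN-BASE64",
        "cbitpos": 47,
        "reduced-phys-bits": 1
    }
}
{
    "return": {
    }
}
"""

# Constructed sample for a host where kvm_amd's 'sev' parameter stayed 0:
# QEMU answers query-sev-capabilities with an error object instead.
SAMPLE_QMP_OUTPUT_NO_SEV = """\
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 1, "major": 5}, "package": ""}, "capabilities": []}}
{"return": {}}
{"error": {"class": "GenericError", "desc": "SEV not available (constructed placeholder text)"}}
{"return": {}}
"""


def parse_qmp_stream(text):
    """Split concatenated JSON documents into a list of dicts.
    With pretty=on each reply spans several lines and there is no separator,
    so line-wise json.loads() fails; JSONDecoder.raw_decode handles it."""
    decoder = json.JSONDecoder()
    pos, messages = 0, []
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return messages
        obj, pos = decoder.raw_decode(text, pos)
        messages.append(obj)


def sev_capabilities(text):
    """Return the query-sev-capabilities result dict, or None if QEMU
    answered that command with an error. Command replies arrive in order
    (qmp_capabilities, query-sev-capabilities, quit); the greeting and any
    events carry neither 'return' nor 'error' and are skipped."""
    replies = [m for m in parse_qmp_stream(text) if "return" in m or "error" in m]
    if len(replies) < 2:
        raise ValueError("fewer than two command replies in QMP output")
    sev_reply = replies[1]
    if "error" in sev_reply:
        return None
    caps = sev_reply["return"]
    for key in ("cbitpos", "reduced-phys-bits"):
        if not isinstance(caps.get(key), int):
            raise ValueError(f"query-sev-capabilities reply lacks integer '{key}'")
    return caps


def pve_sev_args(caps, obj_id="sev0"):
    """Build the 'args:' line for /etc/pve/qemu-server/<vmid>.conf."""
    return (f"args: -object sev-guest,id={obj_id},cbitpos={caps['cbitpos']},"
            f"reduced-phys-bits={caps['reduced-phys-bits']} "
            f"-machine memory-encryption={obj_id}")


def _int_option(args_line, key):
    """Extract an integer 'key=N' option from a QEMU option string."""
    m = re.search(rf"(?:^|[,\s]){re.escape(key)}=(\d+)(?=[,\s]|$)", args_line)
    return int(m.group(1)) if m else None


def args_match_capabilities(args_line, caps):
    """True when an existing 'args:' line carries exactly the cbitpos and
    reduced-phys-bits that this host's QEMU reported."""
    return (_int_option(args_line, "cbitpos") == caps["cbitpos"]
            and _int_option(args_line, "reduced-phys-bits") == caps["reduced-phys-bits"])


if __name__ == "__main__":
    caps = sev_capabilities(SAMPLE_QMP_OUTPUT)
    print(pve_sev_args(caps))
    print("SEV reported by second sample:", sev_capabilities(SAMPLE_QMP_OUTPUT_NO_SEV) is not None)
```

On a real host you would feed the captured socat output into sev_capabilities() instead of the embedded samples; a None result is the same condition the thread describes (the module parameter stayed 0, so QEMU reports no SEV), and a mismatch from args_match_capabilities() means the VM config was copied from a different CPU and QEMU will fail to start the SEV guest.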
 
