Support for SEV-SNP in guest VMs

Hi @piers, regarding your previous question about Secure Boot—I haven't set it up myself, but I believe it's doable. The main caveat is that Secure Boot must be configured offline since OVMF.fd is volatile.
 
In any case, I opted to proceed with 202411, which allowed me to run SNP VMs—provided that OVMF was compiled without SECURE_BOOT_ENABLE and SMM_REQUIRE. The same applied when running SEV-ES VMs.
Oh thanks, that's good to know. If this is correct, I think we would need to build a separate firmware without SECURE_BOOT_ENABLE and SMM_REQUIRE to enable SEV-ES and SEV-SNP. That is, use this separate firmware with the `-bios` parameter only when SEV-ES and SEV-SNP are enabled.
 
I have a Ryzen 7 3700X - which seems to say it supports SEV:

Code:
flags           : ..... sev sev_es

Code:
$ cat /run/qemu-server/host-hw-capabilities.json
{ "amd-sev": { "cbitpos": 47, "reduced-phys-bits": 5, "sev-support": true, "sev-support-es": true, "sev-support-snp": false } }

When I try to enable it in a VM however, I get:
Code:
vm: sev_common_kvm_init: Failed to open /dev/sev 'No such file or directory'
kvm: failed to initialize kvm: Operation not permitted
kvm: falling back to tcg
kvm: warning: TCG doesn't support requested feature: CPUID[eax=07h,ecx=00h].EBX.avx512f [bit 16]
kvm: warning: TCG doesn't support requested feature: CPUID[eax=07h,ecx=00h].EBX.avx512dq [bit 17]
kvm: warning: TCG doesn't support requested feature: CPUID[eax=07h,ecx=00h].EBX.avx512cd [bit 28]
kvm: warning: TCG doesn't support requested feature: CPUID[eax=07h,ecx=00h].EBX.avx512bw [bit 30]
kvm: warning: TCG doesn't support requested feature: CPUID[eax=07h,ecx=00h].EBX.avx512vl [bit 31]
kvm: TCG doesn't support requested features
TASK ERROR: start failed: QEMU exited with code 1

I added the kernel config options:
Code:
$ cat /proc/cmdline
initrd=\EFI\proxmox\6.17.2-1-pve\initrd.img-6.17.2-1-pve root=/dev/mapper/pve-root ro quiet amd_pstate=active mem_encrypt=on kvm_amd.sev=1

however:
Code:
$ cat /sys/module/kvm_amd/parameters/sev
N

Am I missing something?
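The checks in this post, folded into one script as an added example (constructed here, not Proxmox's or the poster's code): it takes the cpuinfo flags line, the kvm_amd sev parameter, whether /dev/sev exists and the host-hw-capabilities.json text, and reports the first thing that rules SEV out. The sample values are the ones quoted in this thread; the function names and verdict tokens are assumptions chosen for the example.

```shell
#!/bin/sh
# Constructed host-side SEV readiness check (not Proxmox code). Each check takes its
# input as an argument, so it runs against captured output as well as the live host.

# $1 = the "flags :" line from /proc/cpuinfo, $2 = feature name (sev, sev_es, sev_snp)
has_cpu_flag() {
    case " ${1#*:} " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}
# Pull one boolean out of host-hw-capabilities.json without jq.
# $1 = JSON text, $2 = key (e.g. sev-support-snp); prints true, false or unknown.
json_bool() {
    rest=${1#*\"$2\":}
    [ "$rest" = "$1" ] && { echo unknown; return 0; }   # key not present
    rest=${rest# }
    case "$rest" in
        true*)  echo true ;;
        false*) echo false ;;
        *)      echo unknown ;;
    esac
}
# Combine the evidence gathered in the thread, checked in the order that localises the fault.
# $1 = flags line, $2 = /sys/module/kvm_amd/parameters/sev (Y or N), $3 = 1 if /dev/sev
# exists else 0, $4 = level wanted (sev, sev_es or sev_snp; default sev).
# Prints one verdict token; returns 0 only when QEMU could actually start such a guest.
sev_verdict() {
    flags=$1; kvm_sev=$2; dev_sev=$3; want=${4:-sev}
    has_cpu_flag "$flags" sev     || { echo cpu-no-sev;       return 1; }
    has_cpu_flag "$flags" "$want" || { echo "cpu-no-$want";   return 1; }
    # No /dev/sev: the PSP (ccp) driver found no SEV-capable platform firmware, which is
    # what the desktop Ryzen host in the thread hits before KVM gets involved.
    [ "$dev_sev" = 1 ]            || { echo no-dev-sev;       return 1; }
    # kvm_amd reads back sev=N when its SEV setup failed at load time, kvm_amd.sev=1 or not.
    [ "$kvm_sev" = Y ]            || { echo kvm-sev-disabled; return 1; }
    echo ready
}
# Gather the same three inputs from the running host; $1 = level wanted.
live_check() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null || echo 'flags :')
    kvm_sev=$(cat /sys/module/kvm_amd/parameters/sev 2>/dev/null || echo N)
    if [ -c /dev/sev ]; then dev_sev=1; else dev_sev=0; fi
    sev_verdict "$flags" "$kvm_sev" "$dev_sev" "${1:-sev}"
}
# Constructed sample mirroring the thread's host: flags advertise sev/sev_es, no /dev/sev.
FLAGS_3700X='flags           : fpu vme de pse ... sev sev_es'
HOSTCAP_JSON='{ "amd-sev": { "cbitpos": 47, "reduced-phys-bits": 5, "sev-support": true, "sev-support-es": true, "sev-support-snp": false } }'
if [ "${1:-}" = --live ]; then live_check "${2:-sev}"; fi
```

Run it with `--live sev_snp` on the host to get the verdict for SNP; on the host in this thread it stops at no-dev-sev, which is why kvm_amd's sev parameter reads N despite the cmdline.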
 
I have a Ryzen 7 3700X - which seems to say it supports SEV:
AMD SEV only works with AMD EPYC CPUs [1] and it needs to be enabled in BIOS.
You will probably not find an AMD SEV setting in your BIOS.
I do not know why the CPU flags indicate that it supports AMD SEV.
Perhaps AMD SEV was planned for desktop hardware at some point.

This sev flag is not present in the current generation of AMD Ryzen desktop CPUs, and all support-sev flags in the host-hw-capabilities.json file should be false.

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#qm_memory_encryption_sev