Starting SEV-SNP via virsh start. #253

Open
miloserdoff opened this issue Dec 6, 2024 · 5 comments

Comments

@miloserdoff

Hello everyone. I need to start a virtual machine using libvirt and qemu via virsh start.

I enabled SEV, SEV-ES, SEV-SNP support in the system.
```
root@vadm:~# dmesg | grep -i sev
[ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-6.11.0-rc3-snp-host-85ef1ac03941 root=/dev/mapper/ubuntu--vg-lv--2 ro kvm_amd.sev=1 quiet splash systemd.unified_cgroup_hierarchy=1 vt.handoff=1
[ 0.000000] SEV-SNP: RMP table physical range [0x0000007fcd100000 - 0x000000804d6fffff]
[ 0.003473] SEV-SNP: Reserving start/end of RMP table on a 2MB boundary [0x0000007fcd000000]
[ 0.003478] SEV-SNP: Reserving start/end of RMP table on a 2MB boundary [0x000000804d600000]
[ 0.364249] Kernel command line: BOOT_IMAGE=/vmlinuz-6.11.0-rc3-snp-host-85ef1ac03941 root=/dev/mapper/ubuntu--vg-lv--2 ro kvm_amd.sev=1 quiet splash systemd.unified_cgroup_hierarchy=1 vt.handoff=1
[ 9.138296] ccp 0000:05:00.5: sev enabled
[ 14.697860] ccp 0000:05:00.5: SEV API:1.55 build:24
[ 14.697866] ccp 0000:05:00.5: SEV-SNP API:1.55 build:24
[ 14.705531] kvm_amd: SEV enabled (ASIDs 253 - 1006)
[ 14.705533] kvm_amd: SEV-ES enabled (ASIDs 1 - 252)
[ 14.705534] kvm_amd: SEV-SNP enabled (ASIDs 1 - 252)
```

And to launch SEV and SEV-ES I use this in the domain XML block (the element tags were lost in the page extraction and are restored here from libvirt's launchSecurity schema):

```xml
<launchSecurity type='sev'>
  <cbitpos>51</cbitpos>
  <reducedPhysBits>1</reducedPhysBits>
  <policy>0x007f</policy>
</launchSecurity>
```

Test results:
```
root@UbuntuSevTest:~# snpguest ok
[PASS] - SEV: ENABLED
[PASS] - SEV-ES: ENABLED
[FAIL] - SNP: DISABLED
[PASS] - Optional Features statuses:
[PASS] - VTOM: DISABLED
[PASS] - ReflectVC: DISABLED
[PASS] - Restricted Injection: DISABLED
[PASS] - Alternate Injection: DISABLED
[PASS] - Debug Swap: DISABLED
[PASS] - Prevent Host IBS: DISABLED
[PASS] - SNP BTB Isolation: DISABLED
[PASS] - VMPL SSS: DISABLED
[PASS] - Secure TSE: DISABLED
[PASS] - VMG Exit Parameter: DISABLED
[ PASS ] - IBS Virtualization: DISABLED
[ PASS ] - VMSA Reg Prot: DISABLED
[ PASS ] - SMT Protection: DISABLED
ERROR: One or more tests in snpguest-ok reported a failure
Error: One or more tests in snpguest-ok reported a failure
```

To launch SEV-SNP I use the corresponding sev-snp type (tags restored as above):

```xml
<launchSecurity type='sev-snp'>
  <cbitpos>51</cbitpos>
  <reducedPhysBits>1</reducedPhysBits>
  <policy>0x007f</policy>
</launchSecurity>
```

And when I enter the virsh start command, an error appears:
```
root@vadm:~# virsh start i-2-323-VM
error: Failed to start domain 'i-2-323-VM'
error: internal error: process exited while connecting to monitor: 2024-12-06T11:38:36.268734Z qemu-system-x86_64: -accel kvm: sev_snp_launch_start: SNP_LAUNCH_START ret=-22 fw_error=0 ''
2024-12-06T11:38:36.268772Z qemu-system-x86_64: -accel kvm: sev_common_kvm_init: failed to create encryption context
2024-12-06T11:38:36.313032Z qemu-system-x86_64: -accel kvm: failed to initialize kvm: Operation not permitted
```

```
root@vadm:~# ls -la /dev/kvm
crw-rw---- 1 root kvm 10, 232 Dec 6 12:21 /dev/kvm
root@vadm:~# virsh --version
10.5.0
root@vadm:~# qemu-system-x86_64 --version
QEMU emulator version 9.1.0
Copyright (c) 2003-2024 Fabrice Bellard and the QEMU Project developers
```

The libvirtd and QEMU versions support sev, sev-es and snp.

@miloserdoff
Author

image
image

@tlendacky
Collaborator

Your policy is not correct for SNP. SNP uses a new format for the policy. See section 4.3 here:
https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf

At a minimum, you want a policy value of 0x30000.
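As an added illustration of the point above (not code from this thread or from the project), the helper below decodes an SNP guest policy using the bit layout from section 4.3 of the AMD SEV-SNP ABI spec (56860) and explains why the legacy-style value 0x007f is rejected while 0x30000 is accepted; the field names and the flag notes are this example's own wording.

```python
"""Decode and sanity-check an SEV-SNP guest policy value.

Bit layout per AMD 56860, section 4.3 "Guest Policy":
  7:0 ABI_MINOR   15:8 ABI_MAJOR   16 SMT   17 reserved, must be one
  18 MIGRATE_MA   19 DEBUG         20 SINGLE_SOCKET
Bits above 20 are reserved in older spec revisions and feature bits in
newer ones, so they are reported here but not rejected.
"""

RESERVED_MBO_BIT = 17  # firmware rejects any policy with this bit clear
FLAG_BITS = {"SMT": 16, "MIGRATE_MA": 18, "DEBUG": 19, "SINGLE_SOCKET": 20}


def decode_snp_policy(policy: int) -> dict:
    """Split a 64-bit SNP policy into its named fields."""
    fields = {
        "ABI_MINOR": policy & 0xFF,
        "ABI_MAJOR": (policy >> 8) & 0xFF,
        "RESERVED_MBO": bool((policy >> RESERVED_MBO_BIT) & 1),
    }
    for name, bit in FLAG_BITS.items():
        fields[name] = bool((policy >> bit) & 1)
    fields["UPPER_BITS"] = policy >> 21  # everything above the modelled bits
    return fields


def check_snp_policy(policy: int) -> tuple[bool, list[str]]:
    """Return (accepted_by_firmware, notes); notes also flag risky choices."""
    f = decode_snp_policy(policy)
    ok, notes = True, []
    if not f["RESERVED_MBO"]:
        ok = False  # 0x007f lands here: it is a legacy SEV policy, not SNP
        notes.append("bit 17 must be one: legacy SEV policy, SNP_LAUNCH_START fails")
    if f["DEBUG"]:
        notes.append("DEBUG set: the hypervisor can decrypt guest memory")
    if not f["SMT"]:
        notes.append("SMT clear: guest only launches on hosts with SMT disabled")
    if f["UPPER_BITS"]:
        notes.append(f"bits above 20 set (0x{f['UPPER_BITS']:x}): check spec revision")
    return ok, notes


def build_snp_policy(*, smt: bool = True, debug: bool = False,
                     abi_major: int = 0, abi_minor: int = 0) -> int:
    """Assemble an SNP policy; the must-be-one bit is always set."""
    policy = (abi_major & 0xFF) << 8 | (abi_minor & 0xFF) | 1 << RESERVED_MBO_BIT
    policy |= int(smt) << FLAG_BITS["SMT"]
    policy |= int(debug) << FLAG_BITS["DEBUG"]
    return policy


if __name__ == "__main__":
    for p in (0x007F, 0x30000):  # the two values used in this thread
        print(hex(p), check_snp_policy(p))
```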

@miloserdoff
Author

If I change the policy to the one you specified (0x30000), I get the error:
```
error: Failed to start domain 'i-2-323-VM'
error: internal error: QEMU unexpectedly closed the monitor (vm='i-2-323-VM'): SNP_LAUNCH_UPDATE ret=-5 fw_error=22 'Invalid parameter'
SEV-SNP: CPUID validation failed for function 0x8000001d, index: 0x3, provided: eax:0x00000163, ebx: 0x03c0003f, ecx: 0x00003fff, edx: 0x00000006, expected: eax:0x00000163, ebx: 0x03c0003f, ecx: 0x00003fff, edx: 0x00000002
SEV-SNP: failed update CPUID page
```

LaunchSecurity launch tag:
image

@miloserdoff
Author

@tlendacky Yes, your answer helped to solve the problem. However, when the virtual machine starts it goes into the paused state, and when I run virsh resume an error appears:

```
error: internal error: unable to execute QEMU command 'cont': Resetting the Virtual Machine is required
```

virsh destroy does not help.

@tlendacky
Collaborator

I would need to see the full XML. Virsh seems to be supplying a CPUID setting that isn't valid.

Also, your reduced phys bits value should be 1, not 6.
