containers / libkrun

A dynamic library providing Virtualization-based process isolation capabilities


Building the microVM failed: SecureVirtPrepare(SnpSecVirtPrepare

blenessy opened this issue · comments

I am testing the launch-tee example on a Dell R6515 equipped with AMD 7313P.

I manage to run the sev-config-no-attest.json example up to the point where the LUKS tries to unlock the protected partition. However, the snp-config-no-attest.json does not get that far but fails with:

# RUST_LOG=debug ~/libkrun/examples/launch-tee ~/disk-fedora.raw snp-config-noattest.json 
[2022-11-27T20:21:32Z INFO  vmm::linux::vstate] Guest memory starts at 0x7f24e7400000
[2022-11-27T20:21:32Z INFO  vmm::linux::vstate] Guest memory starts at 0x7f2569b0f000
[2022-11-27T20:21:32Z ERROR krun] Building the microVM failed: SecureVirtPrepare(SnpSecVirtPrepare(CreateLauncher(Custom { kind: Other, error: IoError(Os { code: 22, kind: InvalidInput, message: "Invalid argument" }) })))
Error creating the microVM: Invalid argument

Some more context

  • Updated to Latest BIOS (2.8.5)
  • Ubuntu 22.10 running Linux 5.19
  • sevctl is happy (everything is PASS)
  • sev=1 is enabled in amd_kvm driver

These are the relevant lines from dmesg:

[    4.531915] ccp 0000:46:00.1: no command queues available
[    4.532609] ccp 0000:46:00.1: sev enabled
[    4.532611] ccp 0000:46:00.1: psp enabled
[    4.582819] ccp 0000:46:00.1: SEV API:1.52 build:4
[    4.633884] kvm: Nested Virtualization enabled
[    4.633885] SVM: kvm: Nested Paging enabled
[    4.633888] SEV supported: 410 ASIDs
[    4.633889] SEV-ES supported: 99 ASIDs

Hi @blenessy, are you using the latest version of libkrunfw?

https://github.com/containers/libkrunfw

Yes @tylerfanelli I started off with a clean machine on Nov. 27, and installed the latest of everything (Incl. Ubuntu 22.10).

libkrunfw:

git rev-parse HEAD
481975e688e5161bc00ebe090ff02c8ccde62a7a

libkrun:

git rev-parse HEAD
5973a3e168fa658121f08a8903a4547121b3cbdb

sevctl:

git rev-parse HEAD
16a2435a06ba5d34fb0e7f6dff0f2ad2e122de50

[    4.531915] ccp 0000:46:00.1: no command queues available
[    4.532609] ccp 0000:46:00.1: sev enabled
[    4.532611] ccp 0000:46:00.1: psp enabled
[    4.582819] ccp 0000:46:00.1: SEV API:1.52 build:4
[    4.633884] kvm: Nested Virtualization enabled
[    4.633885] SVM: kvm: Nested Paging enabled
[    4.633888] SEV supported: 410 ASIDs
[    4.633889] SEV-ES supported: 99 ASIDs

From this output I'd say that machine (or kernel, as SNP support is not yet upstream) supports SEV and SEV-ES, but not SEV-SNP. I'm pretty sure that's the reason why running with the snp-config-no-attest.json config fails.

@blenessy I would say that Ubuntu 22.10 does not yet support SEV-SNP, as the SEV-SNP host patches are not even available in the upstream kernel yet.

sevctl does not really concern itself with the firmware, kernel, etc. It only tests that the hardware (mainly CPU) is SEV-capable.
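The diagnosis above rests on reading the host's capability lines rather than trusting sevctl: the kernel reported SEV and SEV-ES ASID pools but nothing for SEV-SNP, so the snp config had nothing to launch on. The following POSIX shell script is an added pre-flight check, not code from the issue or from libkrun, that turns that reasoning into something you can run before launch-tee. It parses dmesg-style lines into a capability list and refuses an SNP config on a host that only reports SEV or SEV-ES. The sample dmesg text is constructed from the lines quoted in the issue; the "SEV-SNP enabled/supported" wording and the kvm_amd sysfs parameter names used by host_caps are assumptions about SNP-capable kernels, not something this thread shows.

```shell
#!/bin/sh
# Added example (not part of the issue or libkrun): classify the SEV
# capabilities the host kernel reports and check a launch-tee config
# against them before trying to build the microVM.

# Constructed sample: the capability lines quoted in the issue. Note the
# absence of any SEV-SNP line, which is the whole point of the diagnosis.
SAMPLE_DMESG='[    4.532609] ccp 0000:46:00.1: sev enabled
[    4.633888] SEV supported: 410 ASIDs
[    4.633889] SEV-ES supported: 99 ASIDs'

# Read dmesg-style text from stdin and print a space-separated list of
# capabilities: any of "sev", "es", "snp". The 5.19-era kernel in the issue
# prints "SEV-ES supported: N ASIDs"; the "enabled" variants are an assumed
# wording for SNP-capable kernels. Patterns are case-sensitive on purpose so
# the lowercase ccp driver line ("sev enabled") is not mistaken for KVM's.
sev_caps() {
    caps=""
    while IFS= read -r line; do
        case "$line" in
            *"SEV-SNP supported"*|*"SEV-SNP enabled"*) caps="$caps snp" ;;
            *"SEV-ES supported"*|*"SEV-ES enabled"*)   caps="$caps es" ;;
            *"SEV supported"*|*"SEV enabled"*)         caps="$caps sev" ;;
        esac
    done
    printf '%s\n' "${caps# }"
}

# Capability list of the running host. Prefers the kvm_amd module parameters
# (assumed names: sev, sev_es, sev_snp; "Y" when enabled) and falls back to
# dmesg. Never called by the demo below so the script runs offline.
host_caps() {
    p=/sys/module/kvm_amd/parameters
    if [ -r "$p/sev" ]; then
        caps=""
        [ "$(cat "$p/sev_snp" 2>/dev/null)" = "Y" ] && caps="$caps snp"
        [ "$(cat "$p/sev_es" 2>/dev/null)" = "Y" ]  && caps="$caps es"
        [ "$(cat "$p/sev" 2>/dev/null)" = "Y" ]     && caps="$caps sev"
        printf '%s\n' "${caps# }"
    else
        dmesg 2>/dev/null | sev_caps
    fi
}

# Map a launch-tee config file name to the capability it needs, following
# the naming used by the examples in the issue (snp-*.json vs sev-*.json).
required_cap() {
    case "$(basename "$1")" in
        snp-*) echo snp ;;
        sev-*) echo sev ;;
        *)     echo unknown ;;
    esac
}

# Succeed only if the capability list ($2) contains what config $1 needs.
check_config() {
    need=$(required_cap "$1")
    case " $2 " in
        *" $need "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Demo against the constructed sample: sev config passes, snp config does not.
demo_caps=$(printf '%s\n' "$SAMPLE_DMESG" | sev_caps)
echo "host reports: $demo_caps"
for cfg in sev-config-no-attest.json snp-config-no-attest.json; do
    if check_config "$cfg" "$demo_caps"; then
        echo "$cfg: ok to launch"
    else
        echo "$cfg: host lacks $(required_cap "$cfg"); expect SecureVirtPrepare to fail"
    fi
done
```

On a real host, replace the demo's sample with `caps=$(host_caps)` and gate the launch-tee invocation on `check_config "$cfg" "$caps"`; a missing "snp" entry on a stock distribution kernel is the expected result until the SEV-SNP host patches are in the kernel you boot.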

Got it, thanks @slp and @tylerfanelli! So what kernel do you guys recommend I use to test SNP out on at this point?
(I'm guessing it's one of the branches here: https://github.com/AMDESE/linux ).

Got it to work @tylerfanelli! Thanks for pointing me in the right direction - to both of you.

FWIW, I created a gist for other AMD SEV-SNP newbies that might come this way:

https://gist.github.com/blenessy/415e30d341bc115edec5b3704d4f4fe9

Feel free to close this issue guys.

@blenessy Glad we could help. Thanks for posting that gist, it looks like it could be of use to others looking to try out SNP.
Closing this issue.