Public bug reported:

When using the VIRTIO driver, starting a VM with SEV enabled on
SEV-enabled hardware fails. The situation may be tested with the following
commands:

$ dd if=/dev/urandom of=/tmp/sev_key.aes bs=8 count=4
$ cp /usr/share/OVMF/OVMF_CODE.fd /tmp
$ cp /usr/share/OVMF/OVMF_VARS.fd /tmp
$ qemu-system-x86_64 -name real-qemu \
    -machine pc-q35-3.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off,memory-encryption=sev0 \
    -display none \
    -monitor none \
    -nographic \
    -nodefaults \
    -m 16384.0M \
    -serial mon:stdio \
    -smp 2 \
    -cpu host \
    -device sga \
    -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
    -netdev user,id=net0,net=192.168.100.0/24,dhcpstart=192.168.100.1 \
    -device virtio-net-pci,netdev=net0,id=net0,mac=52:54:00:cc:56:90,bus=pci.1,addr=0x0,romfile=,iommu_platform=on \
    -drive if=pflash,format=raw,readonly,file=/tmp/OVMF_CODE.fd \
    -drive if=pflash,format=raw,file=/tmp/OVMF_VARS.fd \
    -drive file=/var/lib/libvirt/images/real-qemu.qcow2,if=virtio,id=disk0 \
    -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x3 \
    -object secret,id=masterKey0,format=raw,file=/tmp/sev_key.aes

The output when starting the VM shows:
qemu-system-x86_64: Guest says index 53230 is available

When running the same script using the 'ide' driver instead of the
'virtio' driver, the VM starts correctly:

root@ubuntu:~# dmesg | grep -i sev
[    0.243361] AMD Secure Encrypted Virtualization (SEV) active


There is a mention in the libvirt knowledge base documentation about the
requirement to use IOMMU to make virtio work
(https://libvirt.org/kbase/launch_security_sev.html#virtio), so another test was
to enable IOMMU:

$ qemu-system-x86_64 -name real-qemu \
  -machine pc-q35-3.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off,memory-encryption=sev0 \
  -display none \
  -monitor none \
  -nographic \
  -nodefaults \
  -m 16384.0M \
  -serial mon:stdio \
  -smp 2 \
  -cpu host \
  -device sga \
  -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
  -netdev user,id=net0,net=192.168.100.0/24,dhcpstart=192.168.100.1 \
  -device virtio-net-pci,netdev=net0,id=net0,mac=52:54:00:cc:56:90,bus=pci.1,addr=0x0,romfile=,iommu_platform=on \
  -drive if=pflash,format=raw,readonly,file=/tmp/OVMF_CODE.fd \
  -drive if=pflash,format=raw,file=/tmp/OVMF_VARS.fd \
  -device virtio-blk-pci,drive=drive0,id=virblk0,num-queues=4,iommu_platform=on \
  -drive file=/var/lib/libvirt/images/real-qemu.qcow2,if=none,id=drive0 \
  -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x3 \
  -object secret,id=masterKey0,format=raw,file=/tmp/sev_key.aes

This also fails and issues the following error message:
qemu-system-x86_64: -device virtio-blk-pci,drive=drive0,id=virblk0,num-queues=4,iommu_platform=on: VIRTIO_F_IOMMU_PLATFORM was supported by neither legacy nor transitional device

Is it possible to use SEV in conjunction with the VIRTIO driver?

** Affects: qemu (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1915509

Title:
  QEMU 1:4.2-3ubuntu6.12 : Unable to start SEV enabled VM using virtio
  driver


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
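The two failures in the report come from the same QEMU rule, so an added example follows (it is not part of the bug report and not QEMU's or libvirt's code). Under SEV the device model cannot read guest RAM, so a virtio device only works when the guest bounces its vrings and buffers through unencrypted memory; Linux does that only if the device offers VIRTIO_F_IOMMU_PLATFORM, which is what `iommu_platform=on` enables. A transitional (legacy-capable) virtio-pci device may not offer that feature, and QEMU refuses the combination with exactly the error quoted above; QEMU only defaults a device to modern-only (`disable-legacy=on`) when it is plugged behind a pcie-root-port such as `pci.1`, not on `pcie.0`. The first attempt's `-drive ...,if=virtio` shortcut builds a virtio-blk-pci with default options, so it has neither setting and reads the encrypted ring, which is what the "Guest says index ... is available" message reflects. The script below is a pre-flight lint over `-device`/`-drive` option strings that encodes those rules; the device specs are copied from the report, `FIXED_BLK` is the corrected one, and the assumption that any non-root `bus=` is a pcie-root-port is stated in the code.

```shell
#!/bin/sh
# Added example (not from the bug report, QEMU or libvirt): a pre-flight lint
# for the virtio device options of a SEV guest launch.
#
# Rules encoded here (QEMU behaviour):
#  - every virtio-*-pci device needs iommu_platform=on under SEV, otherwise
#    the device reads the encrypted vring and sees garbage;
#  - a transitional device cannot offer VIRTIO_F_IOMMU_PLATFORM, so a device
#    on the root bus (pcie.0, or no bus= at all) also needs disable-legacy=on;
#    behind a pcie-root-port QEMU already defaults to modern-only;
#  - "-drive ...,if=virtio" creates a default virtio-blk-pci with neither.

# has_opt SPEC KEY VALUE: true if ",KEY=VALUE," occurs in the comma list SPEC
has_opt() {
    case ",$1," in
        *",$2=$3,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# sev_virtio_lint SPEC...: each SPEC is the argument of one -device or -drive
# option. Prints one finding per line; returns 1 if anything was found.
# Assumption: any bus other than pcie.0/pci.0 is a pcie-root-port (true for
# the reporter's command; a pci-bridge would need disable-legacy=on as well).
sev_virtio_lint() {
    rc=0
    for spec in "$@"; do
        model=${spec%%,*}
        case "$model" in
        virtio-*-pci)
            if ! has_opt "$spec" iommu_platform on; then
                echo "FAIL $model: no iommu_platform=on; device would DMA to encrypted guest memory"
                rc=1
            fi
            on_root_port=0
            case ",$spec," in
                *",bus=pcie.0,"*|*",bus=pci.0,"*) ;;
                *",bus="*) on_root_port=1 ;;
            esac
            if [ "$on_root_port" -eq 0 ] && ! has_opt "$spec" disable-legacy on; then
                echo "FAIL $model: transitional device on the root bus cannot offer VIRTIO_F_IOMMU_PLATFORM; add disable-legacy=on"
                rc=1
            fi
            ;;
        *)
            if has_opt "$spec" if virtio; then
                echo "FAIL drive: if=virtio builds a default virtio-blk-pci; use if=none plus -device virtio-blk-pci,...,disable-legacy=on,iommu_platform=on"
                rc=1
            fi
            ;;
        esac
    done
    return $rc
}

# Specs copied from the report (constructed input), plus a corrected virtio-blk spec.
REPORT_DISK='file=/var/lib/libvirt/images/real-qemu.qcow2,if=virtio,id=disk0'
REPORT_NET='virtio-net-pci,netdev=net0,id=net0,mac=52:54:00:cc:56:90,bus=pci.1,addr=0x0,romfile=,iommu_platform=on'
REPORT_BLK='virtio-blk-pci,drive=drive0,id=virblk0,num-queues=4,iommu_platform=on'
FIXED_BLK='virtio-blk-pci,drive=drive0,id=virblk0,num-queues=4,disable-legacy=on,iommu_platform=on'

echo "== first attempt (if=virtio) =="
sev_virtio_lint "$REPORT_NET" "$REPORT_DISK" || echo "-> guest would not boot"
echo "== second attempt =="
sev_virtio_lint "$REPORT_NET" "$REPORT_BLK" || echo "-> QEMU refuses the device"
echo "== with disable-legacy=on =="
sev_virtio_lint "$REPORT_NET" "$FIXED_BLK" && echo "-> OK"
```

The net device passes in every run because `bus=pci.1` places it behind the root port, which matches the report: only the block device produced the error. Placing the block device behind the root port too (`bus=pci.1,addr=0x1`, with `multifunction=on` already set on the port) is an alternative to `disable-legacy=on`; either way, `-drive ...,if=virtio` must be replaced by `if=none` and an explicit `-device`.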
