** Description changed:

  [ Impact ]
  
- * On the Noble release, the launch of SNP QEMU VM with SNP measurement
- boot option fails due to the absence of OVMF amdsev file in the OVMF
- package
+ * On the Noble release, the launch of AMD SEV QEMU VM fails due to the
+ absence of OVMF amdsev file in the OVMF package
  
  * none of the firmware definition files contain "amd-sev-es" feature so
  libvirt fails to detect the appropriate firmware.
  
  * Noble OVMF package requires the integration of the AMD SEV firmware
  file "OVMF.amdsev.fd", to enable support for SEV-secured VM remote
  attestation and secret injection.
  
  * This upload fixes this by adopting the d/rules file according to the
  build instructions from bug #2106771
  
  [ Test Plan ]
  
-  * Use hardware that supports AMD SEV-ES features, e.g.: AMD EPYC 9654
+  * Use hardware that supports AMD SEV-ES features, e.g.: AMD EPYC 9654
  96-Core Processor
  
-   Jul 17 09:22:30 hoodin kernel: ccp 0000:01:00.5: sev enabled
-   Jul 17 09:22:36 hoodin kernel: ccp 0000:01:00.5: SEV API:1.55 build:40
-   Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV enabled (ASIDs 10 - 1006)
-   Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV-ES enabled (ASIDs 1 - 9)
+   Jul 17 09:22:30 hoodin kernel: ccp 0000:01:00.5: sev enabled
+   Jul 17 09:22:36 hoodin kernel: ccp 0000:01:00.5: SEV API:1.55 build:40
+   Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV enabled (ASIDs 10 - 1006)
+   Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV-ES enabled (ASIDs 1 - 9)
  
  * Launch a QEMU quest, using:
-   - image: 
https://cloud-images.ubuntu.com/releases/noble/release/ubuntu-24.04-server-cloudimg-amd64.img
-   - kernel: 6.14.0-23-generic 
(https://cloud-images.ubuntu.com/releases/noble/release/unpacked/ubuntu-24.04-server-cloudimg-amd64-vmlinuz-generic)
+   - image: 
https://cloud-images.ubuntu.com/releases/noble/release/ubuntu-24.04-server-cloudimg-amd64.img
+   - kernel: 6.14.0-23-generic 
(https://cloud-images.ubuntu.com/releases/noble/release/unpacked/ubuntu-24.04-server-cloudimg-amd64-vmlinuz-generic)
  
  sudo qemu-system-x86_64 \
-         -enable-kvm \
-         -nographic \
-         -cpu EPYC-v4 \
-         -machine q35 \
-         -smp 6 \
-         -m 6G \
-         -machine memory-encryption=sev0,vmport=off \
-         -object 
memory-backend-memfd,id=ram1,size=6G,share=true,prealloc=false \
-         -machine memory-backend=ram1 \
-         -object 
sev-snp-guest,id=sev0,policy=0x30000,cbitpos=51,reduced-phys-bits=5,kernel-hashes=on
 \
-         -kernel "$VMLINUZ" \
-         -append "root=/dev/vda1 console=ttyS0" \
-         -drive "if=virtio,format=qcow2,file=$IMAGE" \
-         -drive "if=virtio,format=raw,file=cloud-init.img" \
-         -bios /usr/share/ovmf/OVMF.amdsev.fd \
-         -net nic,model=e1000 -net user,hostfwd=tcp::2222-:22
+         -enable-kvm \
+         -nographic \
+         -cpu EPYC-v4 \
+         -machine q35 \
+         -smp 6 \
+         -m 6G \
+         -machine confidential-guest-support=sev0 \
+         -object 
memory-backend-memfd,id=ram1,size=6G,share=true,prealloc=false \
+         -machine memory-backend=ram1 \
+         -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 \
+         -kernel "$VMLINUZ" \
+         -append "root=/dev/vda1 console=ttyS0" \
+         -drive "if=virtio,format=qcow2,file=$IMAGE" \
+         -drive "if=virtio,format=raw,file=cloud-init.img" \
+         -bios /usr/share/ovmf/OVMF.amdsev.fd \
+         -net nic,model=e1000 -net user,hostfwd=tcp::2222-:22
  
  * Inside the guest, confirm we provide a OVMF image for sev-es:
  
-   $ grep -r amd-sev /usr/share/qemu/firmware/
+   $ grep -r amd-sev /usr/share/qemu/firmware/
  
  * Inside the guest, confirm AMD SEV-ES got activated and the character
  device created after inserting the "sev-guest" module:
  
-   Jul 17 10:09:21 ubuntu kernel: Memory Encryption Features active: AMD SEV 
SEV-ES
-   Jul 17 10:09:21 ubuntu kernel: SEV: Status: SEV SEV-ES
+   Jul 17 10:09:21 ubuntu kernel: Memory Encryption Features active: AMD SEV 
SEV-ES
+   Jul 17 10:09:21 ubuntu kernel: SEV: Status: SEV SEV-ES
  
-   ubuntu@ubuntu:~$ sudo modprobe sev-guest
-   ubuntu@ubuntu:~$ ls /dev/sev-guest
-   /dev/sev-guest
+   ubuntu@ubuntu:~$ sudo modprobe sev-guest
+   ubuntu@ubuntu:~$ ls /dev/sev-guest
+   /dev/sev-guest
  
  [ Where problems could occur ]
  
-  * we're modifying the d/rules Makefile, to create a new, independent
+  * we're modifying the d/rules Makefile, to create a new, independent
  "OVMF.amdsev.fd" UEFI rom.
  
-  * If anything goes wrong in d/rules, the package could FTBFS
+  * If anything goes wrong in d/rules, the package could FTBFS
  
-  * Besides that the new 60-edk2-x86_64-amdsev.json could provide wrong
+  * Besides that the new 60-edk2-x86_64-amdsev.json could provide wrong
  metadata which would make the new "OVMF.amdsev.fd" not be properly
  autodetected. Any issues inside the "OVMF.amdsev.fd" rom itself should
  be isolated to the specific AMD SEV usecase itself.
  
  [ Other Info ]
  
-  * This was enabled in Ubuntu Plucky and above in bug #2106771, which
+  * This was enabled in Ubuntu Plucky and above in bug #2106771, which
  included support for SEV-ES & SEV-SNP (as supported by QEMU 9.1),
  whereas on Noble we can only support SEV-ES (as supported by QEMU 6.0)
  
  --- original bug report ---
  libvirt has had the capability to select the appropriate UEFI firmware 
according to the features requested.
  Especially it introduced the selection logic for AMD SEV-ES in 7.2.0 which 
depends on the amd-sev-es feature contained in the firmware capability 
definitions, stored in /usr/share/qemu/firmware/ .
  
  
https://github.com/libvirt/libvirt/commit/f14ca48ef42e552d97cac096968e95680b3c75b4
  
  However none of the firmware definition files contain "amd-sev-es"
  feature so libvirt fails to detect the appropriate firmware.
  
  ---
  $ grep -r amd-sev /usr/share/qemu/firmware/
  /usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json:        
"amd-sev",
  /usr/share/qemu/firmware/60-edk2-x86_64.json:        "amd-sev",
  /usr/share/qemu/firmware/50-edk2-x86_64-secure.json:        "amd-sev",
  ---
  
  1)
  $ lsb_release -rd
  No LSB modules are available.
  Description:  Ubuntu 24.04 LTS
  Release:      24.04
  
  2)
  ---
  $ apt-cache policy ovmf
  ovmf:
    Installed: 2024.02-2ubuntu0.4
    Candidate: 2024.02-2ubuntu0.4
    Version table:
   *** 2024.02-2ubuntu0.4 500
          500 http://il.archive.ubuntu.com/ubuntu noble-updates/main amd64 
Packages
          100 /var/lib/dpkg/status
       2024.02-2ubuntu0.3 500
          500 http://security.ubuntu.com/ubuntu noble-security/main amd64 
Packages
       2024.02-2 500
          500 http://il.archive.ubuntu.com/ubuntu noble/main amd64 Packages
  ---
  
  3)
  At least one firmware definition file with "amd-sev-es" feature exists
  
  3)
  None of firmware definition files contain "amd-sev-es" feature
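Review bot: the replacement `-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1` line carries no `policy=` setting, although the expected guest output later in the test plan reads `SEV: Status: SEV SEV-ES`; the removed `sev-snp-guest` line did state its policy (`policy=0x30000`), so the SEV-ES test should state the guest policy it was run with (SEV-ES requires the ES bit set in the policy) to make the launch reproducible. The same rewrite turns `-machine memory-encryption=sev0,vmport=off` into `-machine confidential-guest-support=sev0` and silently drops `vmport=off`; if that option is still intended it should be kept on the new line.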

** Description changed:

  [ Impact ]
  
  * On the Noble release, the launch of AMD SEV QEMU VM fails due to the
  absence of OVMF amdsev file in the OVMF package
  
  * none of the firmware definition files contain "amd-sev-es" feature so
  libvirt fails to detect the appropriate firmware.
  
  * Noble OVMF package requires the integration of the AMD SEV firmware
  file "OVMF.amdsev.fd", to enable support for SEV-secured VM remote
  attestation and secret injection.
  
  * This upload fixes this by adopting the d/rules file according to the
  build instructions from bug #2106771
  
  [ Test Plan ]
  
   * Use hardware that supports AMD SEV-ES features, e.g.: AMD EPYC 9654
  96-Core Processor
  
    Jul 17 09:22:30 hoodin kernel: ccp 0000:01:00.5: sev enabled
    Jul 17 09:22:36 hoodin kernel: ccp 0000:01:00.5: SEV API:1.55 build:40
    Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV enabled (ASIDs 10 - 1006)
    Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV-ES enabled (ASIDs 1 - 9)
  
  * Launch a QEMU quest, using:
    - image: 
https://cloud-images.ubuntu.com/releases/noble/release/ubuntu-24.04-server-cloudimg-amd64.img
    - kernel: 6.14.0-23-generic 
(https://cloud-images.ubuntu.com/releases/noble/release/unpacked/ubuntu-24.04-server-cloudimg-amd64-vmlinuz-generic)
  
  sudo qemu-system-x86_64 \
          -enable-kvm \
          -nographic \
          -cpu EPYC-v4 \
          -machine q35 \
          -smp 6 \
          -m 6G \
-         -machine confidential-guest-support=sev0 \
+         -machine confidential-guest-support=sev0,vmport=off \
          -object 
memory-backend-memfd,id=ram1,size=6G,share=true,prealloc=false \
          -machine memory-backend=ram1 \
-         -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 \
+         -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 \
          -kernel "$VMLINUZ" \
          -append "root=/dev/vda1 console=ttyS0" \
          -drive "if=virtio,format=qcow2,file=$IMAGE" \
          -drive "if=virtio,format=raw,file=cloud-init.img" \
          -bios /usr/share/ovmf/OVMF.amdsev.fd \
          -net nic,model=e1000 -net user,hostfwd=tcp::2222-:22
  
  * Inside the guest, confirm we provide a OVMF image for sev-es:
  
    $ grep -r amd-sev /usr/share/qemu/firmware/
  
  * Inside the guest, confirm AMD SEV-ES got activated and the character
  device created after inserting the "sev-guest" module:
  
    Jul 17 10:09:21 ubuntu kernel: Memory Encryption Features active: AMD SEV 
SEV-ES
    Jul 17 10:09:21 ubuntu kernel: SEV: Status: SEV SEV-ES
  
    ubuntu@ubuntu:~$ sudo modprobe sev-guest
    ubuntu@ubuntu:~$ ls /dev/sev-guest
    /dev/sev-guest
  
  [ Where problems could occur ]
  
   * we're modifying the d/rules Makefile, to create a new, independent
  "OVMF.amdsev.fd" UEFI rom.
  
   * If anything goes wrong in d/rules, the package could FTBFS
  
   * Besides that the new 60-edk2-x86_64-amdsev.json could provide wrong
  metadata which would make the new "OVMF.amdsev.fd" not be properly
  autodetected. Any issues inside the "OVMF.amdsev.fd" rom itself should
  be isolated to the specific AMD SEV usecase itself.
  
  [ Other Info ]
  
   * This was enabled in Ubuntu Plucky and above in bug #2106771, which
  included support for SEV-ES & SEV-SNP (as supported by QEMU 9.1),
  whereas on Noble we can only support SEV-ES (as supported by QEMU 6.0)
+ 
+  * How to launch a AMD SEV VM:
+ https://www.qemu.org/docs/master/system/i386/amd-memory-
+ encryption.html#launching-sev-and-sev-es
  
  --- original bug report ---
  libvirt has had the capability to select the appropriate UEFI firmware 
according to the features requested.
  Especially it introduced the selection logic for AMD SEV-ES in 7.2.0 which 
depends on the amd-sev-es feature contained in the firmware capability 
definitions, stored in /usr/share/qemu/firmware/ .
  
  
https://github.com/libvirt/libvirt/commit/f14ca48ef42e552d97cac096968e95680b3c75b4
  
  However none of the firmware definition files contain "amd-sev-es"
  feature so libvirt fails to detect the appropriate firmware.
  
  ---
  $ grep -r amd-sev /usr/share/qemu/firmware/
  /usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json:        
"amd-sev",
  /usr/share/qemu/firmware/60-edk2-x86_64.json:        "amd-sev",
  /usr/share/qemu/firmware/50-edk2-x86_64-secure.json:        "amd-sev",
  ---
  
  1)
  $ lsb_release -rd
  No LSB modules are available.
  Description:  Ubuntu 24.04 LTS
  Release:      24.04
  
  2)
  ---
  $ apt-cache policy ovmf
  ovmf:
    Installed: 2024.02-2ubuntu0.4
    Candidate: 2024.02-2ubuntu0.4
    Version table:
   *** 2024.02-2ubuntu0.4 500
          500 http://il.archive.ubuntu.com/ubuntu noble-updates/main amd64 
Packages
          100 /var/lib/dpkg/status
       2024.02-2ubuntu0.3 500
          500 http://security.ubuntu.com/ubuntu noble-security/main amd64 
Packages
       2024.02-2 500
          500 http://il.archive.ubuntu.com/ubuntu noble/main amd64 Packages
  ---
  
  3)
  At least one firmware definition file with "amd-sev-es" feature exists
  
  3)
  None of firmware definition files contain "amd-sev-es" feature
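Review bot: the `-`/`+` pair for `-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1` is identical in content (a whitespace-only change) and only adds noise; the substantive change is `vmport=off` being restored on the `-machine confidential-guest-support=sev0` line. Separately, the unchanged step "Inside the guest, confirm we provide a OVMF image for sev-es" runs `grep -r amd-sev /usr/share/qemu/firmware/`, but the firmware descriptor this upload ships (the 60-edk2-x86_64-amdsev.json named under "Where problems could occur") is installed on the host, so the step should say host and should state the expected result, i.e. that the grep now returns a line containing "amd-sev-es" (the original report shows only "amd-sev" matches). The added QEMU documentation link is wrapped across two lines ("amd-memory-" / "encryption.html"); make sure the description stores it as one URL.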

https://bugs.launchpad.net/bugs/2122286

Title:
  firmware definitions lack "amd-sev-es" feature
