** Description changed:

+ [ Impact ]
+ 
+  * On the Noble release, the launch of SNP QEMU VM with SNP measurement
+ boot option fails due to the absence of OVMF amdsev file in the OVMF
+ package
+ 
+  * none of the firmware definition files contain "amd-sev-es" feature so
+ libvirt fails to detect the appropriate firmware.
+ 
+  * Noble OVMF package requires the integration of the AMD SEV firmware
+ file "OVMF.amdsev.fd", to enable support for SEV-secured VM remote
+ attestation and secret injection.
+ 
+  * This upload fixes this by adapting the d/rules file according to the
+ build instructions from bug #2106771
+ 
+ [ Test Plan ]
+ 
+  * Use hardware that supports AMD SEV-ES features, e.g.: AMD EPYC 9654
+ 96-Core Processor
+ 
+ Jul 17 09:22:30 hoodin kernel: ccp 0000:01:00.5: sev enabled
+ Jul 17 09:22:36 hoodin kernel: ccp 0000:01:00.5: SEV API:1.55 build:40
+ Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV enabled (ASIDs 10 - 1006)
+ Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV-ES enabled (ASIDs 1 - 9)
+ 
+  * Launch a QEMU guest, using:
+    - image: https://cloud-images.ubuntu.com/releases/noble/release/ubuntu-24.04-server-cloudimg-amd64.img
+    - kernel: 6.14.0-23-generic (https://cloud-images.ubuntu.com/releases/noble/release/unpacked/ubuntu-24.04-server-cloudimg-amd64-vmlinuz-generic)
+ 
+ sudo qemu-system-x86_64 \
+   -enable-kvm \
+   -nographic \
+   -cpu EPYC-v4 \
+   -machine q35 \
+   -smp 6 \
+   -m 6G \
+   -machine memory-encryption=sev0,vmport=off \
+   -object memory-backend-memfd,id=ram1,size=6G,share=true,prealloc=false \
+   -machine memory-backend=ram1 \
+   -object sev-snp-guest,id=sev0,policy=0x30000,cbitpos=51,reduced-phys-bits=5,kernel-hashes=on \
+   -kernel "$VMLINUZ" \
+   -append "root=/dev/vda1 console=ttyS0" \
+   -drive "if=virtio,format=qcow2,file=$IMAGE" \
+   -drive "if=virtio,format=raw,file=cloud-init.img" \
+   -bios /usr/share/ovmf/OVMF.amdsev.fd \
+   -net nic,model=e1000 -net user,hostfwd=tcp::2222-:22
+ 
+  * Inside the guest, confirm we provide an OVMF image for sev-es:
+ 
+ $ grep -r amd-sev /usr/share/qemu/firmware/
+ 
+  * Inside the guest, confirm AMD SEV-ES got activated and the character
+ device created after inserting the "sev-guest" module:
+ 
+ Jul 17 10:09:21 ubuntu kernel: Memory Encryption Features active: AMD SEV SEV-ES
+ Jul 17 10:09:21 ubuntu kernel: SEV: Status: SEV SEV-ES
+ 
+ ubuntu@ubuntu:~$ sudo modprobe sev-guest
+ ubuntu@ubuntu:~$ ls /dev/sev-guest
+ /dev/sev-guest
+ 
+ [ Where problems could occur ]
+ 
+  * we're modifying the d/rules Makefile, to create a new, independent
+ "OVMF.amdsev.fd" UEFI rom.
+ 
+  * If anything goes wrong in d/rules, the package could FTBFS
+ 
+  * Besides that the new 60-edk2-x86_64-amdsev.json could provide wrong
+ metadata which would make the new "OVMF.amdsev.fd" not be properly
+ autodetected. Any issues inside the "OVMF.amdsev.fd" rom itself should
+ be isolated to the specific AMD SEV usecase itself.
+ 
+ [ Other Info ]
+ 
+  * This was enabled in Ubuntu Plucky and above in bug #2106771, which
+ included support for SEV-ES & SEV-SNP (as supported by QEMU 9.1),
+ whereas on Noble we can only support SEV-ES (as supported by QEMU 6.0)
+ 
+ --- original bug report ---
  
  libvirt has had the capability to select the appropriate UEFI firmware
  according to the features requested. Especially it introduced the
  selection logic for AMD SEV-ES in 7.2.0 which depends on the amd-sev-es
  feature contained in the firmware capability definitions, stored in
  /usr/share/qemu/firmware/ .
  https://github.com/libvirt/libvirt/commit/f14ca48ef42e552d97cac096968e95680b3c75b4
  
  However none of the firmware definition files contain "amd-sev-es"
  feature so libvirt fails to detect the appropriate firmware.
  
  ---
  $ grep -r amd-sev /usr/share/qemu/firmware/
  /usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json:    "amd-sev",
  /usr/share/qemu/firmware/60-edk2-x86_64.json:    "amd-sev",
  /usr/share/qemu/firmware/50-edk2-x86_64-secure.json:    "amd-sev",
  
  ---
  1)
  $ lsb_release -rd
  No LSB modules are available.
  Description:    Ubuntu 24.04 LTS
  Release:        24.04
  
  2)
  ---
  $ apt-cache policy ovmf
  ovmf:
- Installed: 2024.02-2ubuntu0.4
- Candidate: 2024.02-2ubuntu0.4
- Version table:
- *** 2024.02-2ubuntu0.4 500
- 500 http://il.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
- 100 /var/lib/dpkg/status
- 2024.02-2ubuntu0.3 500
- 500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
- 2024.02-2 500
- 500 http://il.archive.ubuntu.com/ubuntu noble/main amd64 Packages
+   Installed: 2024.02-2ubuntu0.4
+   Candidate: 2024.02-2ubuntu0.4
+   Version table:
+  *** 2024.02-2ubuntu0.4 500
+         500 http://il.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
+         100 /var/lib/dpkg/status
+      2024.02-2ubuntu0.3 500
+         500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
+      2024.02-2 500
+         500 http://il.archive.ubuntu.com/ubuntu noble/main amd64 Packages
  
  ---
  3) At least one firmware definition file with "amd-sev-es" feature exists
- 3) None of firmware definition files contain "amd-sev-es" feature
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2122286

Title:
  firmware definitions lack "amd-sev-es" feature

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2122286/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
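The bug above turns on one mechanism: libvirt picks a UEFI image by reading the JSON descriptors in /usr/share/qemu/firmware/ in filename order and taking the first whose "features" list covers everything the domain asked for, so a missing "amd-sev-es" entry means no firmware is ever selected for a SEV-ES guest. The script below is an added example (not code from the bug report, from libvirt or from the edk2/ovmf package) that reproduces that selection over three constructed descriptors shaped like the files the reporter grepped, then shows a fourth descriptor for the unified image the SRU adds flipping the result. The executable and NVRAM paths, the machine type and the contents of 60-edk2-x86_64-amdsev.json are assumptions; the matching itself is a simplified model of libvirt's (interface type, target architecture and machine glob, required features) and omits its secure-boot, SMM and NVRAM checks.

```python
"""Firmware descriptor matching, modelled on how libvirt walks
/usr/share/qemu/firmware/*.json.  Added example with constructed samples;
not the package's or libvirt's own code.
"""
import fnmatch
import json
import os


def _desc(exe, features, device="flash", nvram=None):
    """Build one descriptor in the docs/interop/firmware.json shape.
    The description/targets values are constructed placeholders."""
    mapping = {"device": device, "executable": {"filename": exe, "format": "raw"}}
    if nvram:
        mapping["nvram-template"] = {"filename": nvram, "format": "raw"}
    return json.dumps({
        "description": "constructed sample descriptor",
        "interface-types": ["uefi"],
        "mapping": mapping,
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": features,
        "tags": [],
    })


# Constructed stand-ins for the three files the bug's grep found on Noble:
# each advertises "amd-sev" but none advertises "amd-sev-es".  Paths are
# assumptions about the ovmf package layout.
BEFORE_FIX = {
    "40-edk2-x86_64-secure-enrolled.json": _desc(
        "/usr/share/OVMF/OVMF_CODE_4M.ms.fd",
        ["acpi-s3", "amd-sev", "enrolled-keys", "requires-smm", "secure-boot", "verbose-dynamic"],
        nvram="/usr/share/OVMF/OVMF_VARS_4M.ms.fd"),
    "50-edk2-x86_64-secure.json": _desc(
        "/usr/share/OVMF/OVMF_CODE_4M.secboot.fd",
        ["acpi-s3", "amd-sev", "requires-smm", "secure-boot", "verbose-dynamic"],
        nvram="/usr/share/OVMF/OVMF_VARS_4M.fd"),
    "60-edk2-x86_64.json": _desc(
        "/usr/share/OVMF/OVMF_CODE_4M.fd",
        ["acpi-s3", "amd-sev", "verbose-dynamic"],
        nvram="/usr/share/OVMF/OVMF_VARS_4M.fd"),
}

# Constructed descriptor for the unified image the SRU adds.  A single
# -bios image is described with the "memory" mapping and no NVRAM template;
# the feature list is limited to what the bug says Noble can support.
AMDSEV = {
    "60-edk2-x86_64-amdsev.json": _desc(
        "/usr/share/ovmf/OVMF.amdsev.fd",
        ["amd-sev", "amd-sev-es", "verbose-dynamic"], device="memory"),
}
AFTER_FIX = {**BEFORE_FIX, **AMDSEV}


def _matches(desc, arch, machine, interface, required):
    """Simplified per-descriptor check: interface type, a target whose
    architecture matches and whose machine globs cover `machine`, and every
    required feature present in the descriptor's feature list."""
    if interface not in desc.get("interface-types", []):
        return False
    on_target = any(
        t.get("architecture") == arch
        and any(fnmatch.fnmatch(machine, pat) for pat in t.get("machines", []))
        for t in desc.get("targets", [])
    )
    return on_target and set(required) <= set(desc.get("features", []))


def select_firmware(descriptors, required, arch="x86_64",
                    machine="pc-q35-8.2", interface="uefi"):
    """Return (descriptor name, executable path) of the highest-priority
    descriptor satisfying `required`, or None.  Priority is lexicographic
    filename order, lower numbers first, as the firmware.json spec defines."""
    for name in sorted(descriptors):
        desc = json.loads(descriptors[name])
        if _matches(desc, arch, machine, interface, required):
            return name, desc["mapping"]["executable"]["filename"]
    return None


def descriptors_with_feature(descriptors, feature):
    """Structured equivalent of `grep -r amd-sev-es /usr/share/qemu/firmware/`."""
    return sorted(n for n, text in descriptors.items()
                  if feature in json.loads(text).get("features", []))


def load_directory(path):
    """Read real descriptors from a firmware directory into the same
    {filename: json_text} shape used above, for checking an actual host."""
    out = {}
    for name in os.listdir(path):
        if name.endswith(".json"):
            with open(os.path.join(path, name)) as f:
                out[name] = f.read()
    return out


if __name__ == "__main__":
    print("before fix, amd-sev-es:", select_firmware(BEFORE_FIX, {"amd-sev-es"}))
    print("after fix,  amd-sev-es:", select_firmware(AFTER_FIX, {"amd-sev-es"}))
    print("advertising amd-sev-es:", descriptors_with_feature(AFTER_FIX, "amd-sev-es"))
```

On a real Noble host, `select_firmware(load_directory("/usr/share/qemu/firmware"), {"amd-sev-es"})` returning None is the same condition the bug reports; after the fixed ovmf package is installed it should name the amdsev descriptor. Note that the new file sorts ahead of 60-edk2-x86_64.json (a hyphen collates before a dot), which is why the descriptor's metadata has to be right: a wrong machine glob or interface type silently drops it from consideration rather than producing an error.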
