** Description changed:

- On Noble 24.04
+ [ Impact ]
- When I try to run AMD-SEV ES VM on supported hardware: AMD CPU EPYC
+ * We cannot run AMD-SEV VMs with libvirt because of a missing Apparmor rule on
+ /dev/sev
+ This fix will add this rule to the dynamic VM profile when AMD-SEV is
+ requested.
- with this domain definition:
+ [ Test Plan ]
+
+ * On appropriate hardware (AMD EPYC) with AMD-SEV support.
+ * Create a domain definition file sev.xml:
  <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
    <name>sev</name>
    <memory unit='GiB'>16</memory>
    <memoryBacking>
      <locked/>
    </memoryBacking>
    <vcpu placement="static">32</vcpu>
    <os>
      <type arch='x86_64' machine='q35'>hvm</type>
      <loader type='rom' readonly='yes'>/usr/share/qemu/OVMF.fd</loader>
      <boot dev='hd'/>
    </os>
    <cpu mode='host-model' check='partial'>
      <model fallback='allow'/>
    </cpu>
    <devices>
      <emulator>/usr/bin/qemu-system-x86_64</emulator>
      <disk type="file" device="disk">
        <driver name="qemu" type="qcow2"/>
        <source file="/tmp/ubuntu-24.04-server-cloudimg-amd64.img"/>
        <target dev="vda" bus="virtio"/>
      </disk>
    </devices>
    <allowReboot value='no'/>
    <launchSecurity type='sev'>
      <policy>0x5</policy>
    </launchSecurity>
  </domain>
  NB: you might want to adapt /tmp/ubuntu-24.04-server-cloudimg-amd64.img to another Ubuntu cloud image.
- I run into this error:
+ * Run the VM with virsh:
+ $ virsh define sev.xml
+ $ virsh start sev
+
+ * Without the fix, there will be an error:
  error: Failed to start domain 'sev'
  error: internal error: process exited while connecting to monitor: 2025-10-10T15:21:49.413092Z qemu-system-x86_64: -accel kvm: sev_kvm_init: Failed to open /dev/sev 'Permission denied'
  2025-10-10T15:21:49.432040Z qemu-system-x86_64: -accel kvm: failed to initialize kvm: Operation not permitted
+ * With the fix, the VM should be started successfully
- If I add:
+ [ Where problems could occur ]
- /dev/sev rw,
+ * Since the change adds a rule to the VM profile ONLY when AMD-SEV is
+ requested.
+ I do not see potential risk of regression on other features, VMs types nor
+ on AMD-SEV VM.
- in the libvirt-qemu abstraction (/etc/apparmor.d/abstractions/libvirt-qemu) and restart libvirtd, the VM can be run fine.
+ [ Other Info ]
+
+ * None
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2127492

Title:
  permission denied for /dev/sev when run AMD-SEV ES VM

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2127492/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
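The conditional rule described in the report, as an added illustration that is not libvirt's own virt-aa-helper code: it inspects a domain definition for `<launchSecurity type='sev'>`, adds the `/dev/sev rw,` rule to a simulated per-VM profile only in that case, and checks the resulting profile text for the rule. The profile name, the base rule list and both domain XMLs are constructed stand-ins, and the rule checker handles literal paths only.

```python
import xml.etree.ElementTree as ET

# AppArmor file rule the bug report adds for AMD SEV guests.
SEV_RULE = "  /dev/sev rw,"

# Stand-in for the base rules of abstractions/libvirt-qemu (constructed).
BASE_RULES = [
    "  /usr/bin/qemu-system-x86_64 rmix,",
    "  /usr/share/qemu/OVMF.fd rk,",
]

# Constructed domain XMLs: one trimmed from the report's sev.xml, one without SEV.
SEV_DOMAIN = """<domain type='kvm'>
  <name>sev</name>
  <launchSecurity type='sev'><policy>0x5</policy></launchSecurity>
</domain>"""
PLAIN_DOMAIN = "<domain type='kvm'><name>plain</name></domain>"


def requests_sev(domain_xml: str) -> bool:
    """True when the domain definition asks for AMD SEV launch security."""
    ls = ET.fromstring(domain_xml).find("launchSecurity")
    return ls is not None and ls.get("type") == "sev"


def extra_rules(domain_xml: str) -> list:
    """Rules the per-VM profile needs on top of the base abstraction."""
    return [SEV_RULE] if requests_sev(domain_xml) else []


def render_profile(name: str, domain_xml: str) -> str:
    """Simulate the dynamic per-VM profile libvirt generates (hypothetical name)."""
    lines = ["profile libvirt-%s {" % name] + BASE_RULES + extra_rules(domain_xml) + ["}"]
    return "\n".join(lines) + "\n"


def profile_allows(profile_text: str, path: str, perms: str = "rw") -> bool:
    """Literal-path check: does some rule grant all of `perms` on `path`?
    Globs, variables and 'owner'/'deny' qualifiers are out of scope here."""
    for raw in profile_text.splitlines():
        parts = raw.strip().rstrip(",").split()
        if len(parts) == 2 and parts[0] == path:
            return all(p in parts[1] for p in perms)
    return False


if __name__ == "__main__":
    for name, xml in (("sev", SEV_DOMAIN), ("plain", PLAIN_DOMAIN)):
        prof = render_profile(name, xml)
        print(name, "/dev/sev allowed:", profile_allows(prof, "/dev/sev"))
```

Running it shows the SEV domain's profile granting `/dev/sev rw` while the plain domain's profile does not, which is the "only when AMD-SEV is requested" property the regression analysis relies on.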
