** Description changed:

  [ Impact ]

-  * We cannot run AMD-SEV VMs with libvirt because of a missing Apparmor rule on
-    /dev/sev
-    This fix will add this rule to the dynamic VM profile when AMD-SEV is
-    requested.
+  * We cannot run AMD-SEV VMs with libvirt because of a missing Apparmor rule on
+    /dev/sev
+    This fix will add this rule to the dynamic VM profile when AMD-SEV is
+    requested.

  [ Test Plan ]

-  * On appropriate hardware (AMD EPYC) with AMD-SEV support.
-  * Create a domain definition file sev.xml:
+  * On appropriate hardware (AMD EPYC) with AMD-SEV support.
+  * Create a domain definition file sev.xml:

    <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
      <name>sev</name>
      <memory unit='GiB'>16</memory>
      <memoryBacking>
        <locked/>
      </memoryBacking>
      <vcpu placement="static">32</vcpu>
      <os>
        <type arch='x86_64' machine='q35'>hvm</type>
        <loader type='rom' readonly='yes'>/usr/share/qemu/OVMF.fd</loader>
        <boot dev='hd'/>
      </os>
      <cpu mode='host-model' check='partial'>
        <model fallback='allow'/>
      </cpu>
      <devices>
        <emulator>/usr/bin/qemu-system-x86_64</emulator>
        <disk type="file" device="disk">
          <driver name="qemu" type="qcow2"/>
          <source file="/tmp/ubuntu-24.04-server-cloudimg-amd64.img"/>
          <target dev="vda" bus="virtio"/>
        </disk>
      </devices>
      <allowReboot value='no'/>
      <launchSecurity type='sev'>
        <policy>0x5</policy>
      </launchSecurity>
    </domain>

    NB: you might want to adapt /tmp/ubuntu-24.04-server-cloudimg-amd64.img to
    another Ubuntu cloud image.

-  * Run the VM with virsh:
-    $ virsh define sev.xml
-    $ virsh start sev
+  * Run the VM with virsh:
+    $ virsh define sev.xml
+    $ virsh start sev

-  * Without the fix, there will be an error:
+  * Without the fix, there will be an error:

    error: Failed to start domain 'sev'
    error: internal error: process exited while connecting to monitor: 2025-10-10T15:21:49.413092Z qemu-system-x86_64: -accel kvm: sev_kvm_init: Failed to open /dev/sev 'Permission denied'
    2025-10-10T15:21:49.432040Z qemu-system-x86_64: -accel kvm: failed to initialize kvm: Operation not permitted

-  * With the fix, the VM should be started successfully
+  * With the fix, the VM should be started successfully

  [ Where problems could occur ]

-  * Since the change adds a rule to the VM profile ONLY when AMD-SEV is
-    requested.
-    I do not see potential risk of regression on other features, VM types nor
-    on AMD-SEV VM.
+  * Since the change adds a rule to the VM profile ONLY when AMD-SEV is
+    requested.
+    I do not see potential risk of regression on other features, VM types nor
+    on AMD-SEV VM.

  [ Other Info ]

-  * None
+  * Applied upstream since 11.9.0:
+    https://gitlab.com/libvirt/libvirt/-/commit/b90cf0c916cb114ae4cefa082311c05fc5e00193
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2127492

Title:
  permission denied for /dev/sev when run AMD-SEV ES VM

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2127492/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
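As an added example (not part of the bug report or of libvirt's own code), a small POSIX shell helper for verifying the test plan above on a host: it checks whether a domain's dynamic AppArmor profile carries a /dev/sev rule and counts the matching AppArmor "DENIED" records in a kernel log. It assumes libvirt's per-domain profile files live at /etc/apparmor.d/libvirt/libvirt-<UUID>.files (the Ubuntu default) and that the rule has the form `/dev/sev rw,`; the sample data in demo() is constructed so the script also runs offline.

```shell
#!/bin/sh
# Added example, not from the bug report or libvirt. Assumption: libvirt's
# dynamic per-domain AppArmor profiles are written to
# /etc/apparmor.d/libvirt/libvirt-<UUID>.files on Ubuntu hosts.

# Return 0 if the given profile file grants access to /dev/sev
# (e.g. "/dev/sev rw," with optional "owner" qualifier).
profile_has_sev_rule() {
    grep -Eq '^[[:space:]]*(owner[[:space:]]+)?/dev/sev[[:space:]]+[rwkm]+,' "$1"
}

# Count AppArmor DENIED records that name /dev/sev in a kernel/audit log.
# Zero denials after the fix is the signal that the profile now allows it.
count_sev_denials() {
    grep -Ec 'apparmor="DENIED".*name="/dev/sev"' "$1"
}

# Build the expected profile path for a domain by asking virsh for its UUID
# (only meaningful on a libvirt host; prints the path on stdout).
domain_profile_path() {
    uuid=$(virsh domuuid "$1" 2>/dev/null) || return 1
    printf '/etc/apparmor.d/libvirt/libvirt-%s.files\n' "$uuid"
}

# Offline demonstration using constructed sample files.
demo() {
    tmp=$(mktemp -d)
    # Constructed profile without the rule (pre-fix state).
    printf '  /dev/kvm rw,\n  /dev/net/tun rw,\n' > "$tmp/before.files"
    # Constructed profile with the rule added for a SEV domain (post-fix).
    printf '  /dev/kvm rw,\n  /dev/sev rw,\n' > "$tmp/after.files"
    # Constructed kernel-log line in AppArmor's audit format.
    printf 'audit: type=1400 audit(1.0:1): apparmor="DENIED" operation="open" profile="libvirt-UUID" name="/dev/sev" pid=1 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw"\n' > "$tmp/kern.log"

    if profile_has_sev_rule "$tmp/before.files"; then
        echo "before: rule present"
    else
        echo "before: /dev/sev rule missing, qemu open() will be denied"
    fi
    profile_has_sev_rule "$tmp/after.files" && echo "after: /dev/sev rule present"
    echo "denials logged: $(count_sev_denials "$tmp/kern.log")"
    rm -rf "$tmp"
}

demo
```

On a real host, run `profile_has_sev_rule "$(domain_profile_path sev)"` after `virsh start sev` and `count_sev_denials /var/log/kern.log` to confirm the denial has stopped.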
