** Description changed:

  [ Impact ]

  * We cannot run AMD-SEV VMs with libvirt because of a missing AppArmor rule on /dev/sev.
    This fix adds this rule to the dynamic VM profile when AMD-SEV is requested.

  [ Test Plan ]

  * On appropriate hardware (AMD EPYC) with AMD-SEV support.
  * Create a domain definition file sev.xml:

    <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
      <name>sev</name>
      <memory unit='GiB'>16</memory>
      <memoryBacking>
        <locked/>
      </memoryBacking>
      <vcpu placement="static">32</vcpu>
      <os>
        <type arch='x86_64' machine='q35'>hvm</type>
        <loader type='rom' readonly='yes'>/usr/share/qemu/OVMF.fd</loader>
        <boot dev='hd'/>
      </os>
      <cpu mode='host-model' check='partial'>
        <model fallback='allow'/>
      </cpu>
      <devices>
        <emulator>/usr/bin/qemu-system-x86_64</emulator>
        <disk type="file" device="disk">
          <driver name="qemu" type="qcow2"/>
          <source file="/tmp/ubuntu-24.04-server-cloudimg-amd64.img"/>
          <target dev="vda" bus="virtio"/>
        </disk>
      </devices>
      <allowReboot value='no'/>
      <launchSecurity type='sev'>
        <policy>0x5</policy>
      </launchSecurity>
    </domain>

    NB: you might want to adapt /tmp/ubuntu-24.04-server-cloudimg-amd64.img to another Ubuntu cloud image.

  * Run the VM with virsh:

    $ virsh define sev.xml
    $ virsh start sev

  * Without the fix, there will be an error:

    error: Failed to start domain 'sev'
    error: internal error: process exited while connecting to monitor: 2025-10-10T15:21:49.413092Z qemu-system-x86_64: -accel kvm: sev_kvm_init: Failed to open /dev/sev 'Permission denied'
    2025-10-10T15:21:49.432040Z qemu-system-x86_64: -accel kvm: failed to initialize kvm: Operation not permitted

  * With the fix, the VM should be started successfully.

  [ Where problems could occur ]

- * Since the change adds a rule to the VM profile ONLY when AMD-SEV is
-   requested.
-   I do not see potential risk of regression on other features, VM types nor
-   on AMD-SEV VM.
+ * This change adds a rule to the VM dynamic profile. I see 2 problems that could
+   potentially happen:
+   - The rule is not well-formatted and this makes the profile fail to be
+     loaded by AppArmor.
+   - The rule might be added for other VMs than AMD-SEV and this will grant the
+     permission to /dev/sev to all VMs.
+   However, since the patch is simple and reviewed and merged upstream, I see
+   the risk of these problems happening as very low.

  [ Other Info ]

  * Applied upstream since 11.9.0: https://gitlab.com/libvirt/libvirt/-/commit/b90cf0c916cb114ae4cefa082311c05fc5e00193

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2127492

Title:
  permission denied for /dev/sev when run AMD-SEV ES VM

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2127492/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
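As an added illustration (not code from the bug report, from libvirt, or from the upstream commit), the following Python models the two conditions the "Where problems could occur" section depends on: a /dev/sev rule is emitted only when the domain XML carries <launchSecurity type='sev'>, and a malformed rule is rejected before it could reach the per-VM profile. The rule text and the rule-syntax regex are assumptions for this example, not libvirt's implementation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the sev.xml from the test plan above.
SEV_DOMAIN_XML = """<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>sev</name>
  <launchSecurity type='sev'>
    <policy>0x5</policy>
  </launchSecurity>
</domain>"""

# Constructed sample: the same domain with <launchSecurity> removed.
PLAIN_DOMAIN_XML = """<domain type='kvm'>
  <name>plain</name>
</domain>"""

# Assumed rule text; the exact rule libvirt emits is in the upstream commit.
SEV_RULE = '  "/dev/sev" rw,'

# AppArmor file-rule shape: path (bare or quoted), permission letters, trailing comma.
FILE_RULE_RE = re.compile(r'^\s*(?:"[^"]+"|/\S+)\s+[rwamklix]+,\s*$')


def requests_sev(domain_xml: str) -> bool:
    """True only when the domain asks for SEV via <launchSecurity type='sev'>."""
    root = ET.fromstring(domain_xml)
    sec = root.find("launchSecurity")
    return sec is not None and sec.get("type") == "sev"


def is_well_formed_file_rule(rule: str) -> bool:
    """Guard against the first risk: a rule apparmor_parser would reject."""
    return FILE_RULE_RE.match(rule) is not None


def sev_profile_rules(domain_xml: str) -> list[str]:
    """Rules to append to the per-VM profile: empty unless SEV is requested."""
    if not requests_sev(domain_xml):
        return []  # second risk: never grant /dev/sev to non-SEV guests
    if not is_well_formed_file_rule(SEV_RULE):
        raise ValueError(f"malformed AppArmor rule: {SEV_RULE!r}")
    return [SEV_RULE]


if __name__ == "__main__":
    for name, xml in (("sev", SEV_DOMAIN_XML), ("plain", PLAIN_DOMAIN_XML)):
        print(name, sev_profile_rules(xml))
```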
