On Friday, February 21, 2025 7:29:24 AM Eastern Standard Time Teodor Pripoae wrote:
> Hello,
>
> I have been testing Alma Linux Kitten and libvirt is not properly detecting
> SEV capabilities. Is Libvirt/QEMU compiled without SEV support ?
>
> $ dmesg | grep -i sev
> [ 1.821468] ccp 0000:45:00.1: sev enabled
> [ 53.414679] kvm_amd: SEV enabled (ASIDs 250 - 509)
> [ 53.414701] kvm_amd: SEV-ES enabled (ASIDs 1 - 249)
> [ 53.414720] kvm_amd: SEV-SNP disabled (ASIDs 1 - 249)
>
> $ virsh domcapabilities | grep -i sev
> <sev supported='no'/>
>
> $ virt-host-validate
> QEMU: Checking for hardware virtualization : PASS
> QEMU: Checking if device '/dev/kvm' exists : PASS
> QEMU: Checking if device '/dev/kvm' is accessible : PASS
> QEMU: Checking if device '/dev/vhost-net' exists : PASS
> QEMU: Checking if device '/dev/net/tun' exists : PASS
> QEMU: Checking for cgroup 'cpu' controller support : PASS
> QEMU: Checking for cgroup 'cpuacct' controller support : PASS
> QEMU: Checking for cgroup 'cpuset' controller support : PASS
> QEMU: Checking for cgroup 'memory' controller support : PASS
> QEMU: Checking for cgroup 'devices' controller support : PASS
> QEMU: Checking for cgroup 'blkio' controller support : PASS
> QEMU: Checking for device assignment IOMMU support : PASS
> QEMU: Checking if IOMMU is enabled by kernel : PASS
> QEMU: Checking for secure guest support : PASS
> QEMU: Checking for AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES): PASS
> QEMU: Checking for AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP): PASS

I don't own a system to check this myself, but based on what I see in the qemu-kvm and libvirt package sources in CentOS Stream, I expect this feature to be available. According to the Red Hat Enterprise Linux 10.0 Beta release notes, it is available as a technology preview[1]. The following steps are required to enable SEV:

> # Enable SEV and memory encryption
> $ sudo grubby --update-kernel=ALL --args="mem_encrypt=on kvm_amd.sev=1"
>
> # Clean the capabilities cache
> $ sudo rm -f /var/cache/libvirt/qemu/capabilities/*
>
> # Reboot the system
> $ sudo systemctl reboot

This should get things working properly.

[1]: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html-single/10.0_beta_release_notes/index#Jira-RHELDOCS-16800

-- 
真実はいつも一つ!/ Always, there's only one truth!
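
An added example, not part of either message in this thread: a small shell check that compares what `kvm_amd` logs about SEV with what `virsh domcapabilities` reports, which is the mismatch shown in the quoted report. The function names are hypothetical, and the sample input is copied from the quoted message.

```bash
#!/usr/bin/env bash
# Added example: compare kvm_amd's view of SEV with libvirt's view.
# Function names are hypothetical; sample input is copied from the quoted report.

# kernel_sev_state <dmesg text> -> enabled | disabled | unknown
kernel_sev_state() (
    # Match the plain "SEV" line only, not "SEV-ES" or "SEV-SNP".
    line=$(printf '%s\n' "$1" | grep -E 'kvm_amd: SEV (enabled|disabled)' | tail -n 1)
    case "$line" in
        *"SEV enabled"*)  echo enabled ;;
        *"SEV disabled"*) echo disabled ;;
        *)                echo unknown ;;
    esac
)

# libvirt_sev_state <domcapabilities XML> -> yes | no | unknown
libvirt_sev_state() (
    val=$(printf '%s\n' "$1" | sed -n "s/.*<sev supported='\([a-z]*\)'.*/\1/p" | head -n 1)
    echo "${val:-unknown}"
)

# sev_diagnose <dmesg text> <domcapabilities XML> -> one-line verdict
sev_diagnose() (
    k=$(kernel_sev_state "$1")
    l=$(libvirt_sev_state "$2")
    case "$k/$l" in
        enabled/yes) echo "ok: kernel and libvirt both report SEV" ;;
        enabled/no)  echo "mismatch: kvm_amd reports SEV, libvirt does not; clear /var/cache/libvirt/qemu/capabilities/ and re-check" ;;
        disabled/*)  echo "kernel: kvm_amd reports SEV disabled; check the mem_encrypt=on and kvm_amd.sev=1 kernel arguments" ;;
        *)           echo "unknown: kernel=$k libvirt=$l" ;;
    esac
)

# Sample input taken from the quoted report.
sample_dmesg='[ 53.414679] kvm_amd: SEV enabled (ASIDs 250 - 509)
[ 53.414701] kvm_amd: SEV-ES enabled (ASIDs 1 - 249)
[ 53.414720] kvm_amd: SEV-SNP disabled (ASIDs 1 - 249)'
sample_xml="<sev supported='no'/>"

sev_diagnose "$sample_dmesg" "$sample_xml"
# On a live host: sev_diagnose "$(sudo dmesg)" "$(virsh domcapabilities)"
```
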
