Reviewed:  https://review.opendev.org/c/openstack/nova/+/843254
Committed: https://opendev.org/openstack/nova/commit/ab51a5dd25b8d4c66562148b43b1022eb5ceed7e
Submitter: "Zuul (22348)"
Branch:    master

commit ab51a5dd25b8d4c66562148b43b1022eb5ceed7e
Author: Balazs Gibizer <[email protected]>
Date:   Wed May 25 12:02:09 2022 +0200

    Accept both 1 and Y as AMD SEV KVM kernel param value
    
    The libvirt virt driver checks the AMD KVM kernel module parameter SEV
    to see if that feature is enabled. However it seems that the
    /sys/module/kvm_amd/parameters/sev file can either contain "1\n" or
    "Y\n" to indicate that the feature is enabled. Nova only checked for
    "1\n" so far making the feature disabled on compute nodes with "Y\n"
    value. Now the logic is extended to accept both.
    
    Closes-Bug: #1975686
    Change-Id: I737e1d73242430b6756178eb0bf9bd6ec5c94160


** Changed in: nova
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1975686

Title:
  MEM_ENCRYPTION_CONTEXT trait is missing from the compute RP even if
  AMD SEV is enabled on the compute node

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Compute nodes with amd-sev enabled are reporting that support is
  available but MEM_ENCRYPTION_CONTEXT is not present in the placement
  traits for the compute nodes.

  # Domain capabilities report support
  [heat-admin@computeamdsev-1 log]$ sudo podman exec -it -u root nova_virtqemud virsh domcapabilities | grep -A 12 features
    <features>
      <gic supported='no'/>
      <vmcoreinfo supported='yes'/>
      <genid supported='yes'/>
      <backingStoreInput supported='yes'/>
      <backup supported='yes'/>
      <sev supported='yes'>
        <cbitpos>47</cbitpos>
        <reducedPhysBits>1</reducedPhysBits>
        <maxGuests>509</maxGuests>
        <maxESGuests>0</maxESGuests>
      </sev>
    </features>
  </domainCapabilities>

  # It is active as well in /sys/module/kvm_amd
  [heat-admin@computeamdsev-1 log]$ cat /sys/module/kvm_amd/parameters/sev
  Y
  [heat-admin@computeamdsev-1 log]$

  # I do not see any errors with sev during startup
  [heat-admin@computeamdsev-1 log]$ sudo dmesg | grep -i sev
  [    0.000000] Command line: BOOT_IMAGE=(lvmid/nZkWaZ-f6bk-Bfto-h9OG-k1Sc-Y6RB-1Q3yZV/t77pr1-3H2Y-ml4l-MMJh-bp3H-zk2j-6z4W6w)/boot/vmlinuz-5.14.0-70.5.1.el9_0.x86_64 root=LABEL=img-rootfs ro console=ttyS0 console=ttyS0,115200n81 no_timer_check crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M hugepagesz=1GB hugepages=32 default_hugepagesz=1GB mem_encrypt=on kvm_amd.sev=1 console=tty0 console=ttyS0,115200 no_timer_check nofb nomodeset vga=normal console=tty0 console=ttyS0,115200 audit=1 nousb
  [    0.000000] Kernel command line: BOOT_IMAGE=(lvmid/nZkWaZ-f6bk-Bfto-h9OG-k1Sc-Y6RB-1Q3yZV/t77pr1-3H2Y-ml4l-MMJh-bp3H-zk2j-6z4W6w)/boot/vmlinuz-5.14.0-70.5.1.el9_0.x86_64 root=LABEL=img-rootfs ro console=ttyS0 console=ttyS0,115200n81 no_timer_check crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M hugepagesz=1GB hugepages=32 default_hugepagesz=1GB mem_encrypt=on kvm_amd.sev=1 console=tty0 console=ttyS0,115200 no_timer_check nofb nomodeset vga=normal console=tty0 console=ttyS0,115200 audit=1 nousb
  [    0.000000] Any video related functionality will be severely degraded, and you may not even be able to suspend the system properly
  [  101.753478] ccp 0000:24:00.1: sev enabled
  [  101.769894] ccp 0000:24:00.1: SEV firmware update successful
  [  102.058746] ccp 0000:24:00.1: SEV API:0.24 build:14
  [  120.398153] systemd[1]: Hostname set to <computeamdsev-1>.
  [  149.487548] SEV supported: 509 ASIDs

  # MEM_ENCRYPTION_CONTEXT is not present
  (overcloud) [stack@undercloud-0 ~]$ !21
  openstack  --os-placement-api-version 1.17 resource provider trait list ba3bccf9-c283-4cb5-a14d-35ae7ba88533
  /usr/lib/python3.9/site-packages/ansible/_vendor/__init__.py:42: UserWarning: One or more Python packages bundled by this ansible-core distribution were already loaded (pyparsing). This may result in undefined behavior.
    warnings.warn('One or more Python packages bundled by this ansible-core distribution were already '
  +---------------------------------------+
  | name                                  |
  +---------------------------------------+
  | COMPUTE_GRAPHICS_MODEL_NONE           |
  | COMPUTE_ACCELERATORS                  |
  | COMPUTE_NET_VIF_MODEL_VMXNET3         |
  | COMPUTE_STORAGE_BUS_VIRTIO            |
  | COMPUTE_NET_VIF_MODEL_E1000E          |
  | COMPUTE_VOLUME_ATTACH_WITH_TAG        |
  | COMPUTE_NET_ATTACH_INTERFACE          |
  | HW_CPU_X86_BMI2                       |
  | COMPUTE_VOLUME_EXTEND                 |
  | HW_CPU_X86_SSE                        |
  | COMPUTE_NET_VIF_MODEL_RTL8139         |
  | COMPUTE_GRAPHICS_MODEL_VIRTIO         |
  | COMPUTE_IMAGE_TYPE_RAW                |
  | COMPUTE_TRUSTED_CERTS                 |
  | HW_CPU_X86_SSE42                      |
  | HW_CPU_X86_SSSE3                      |
  | HW_CPU_X86_SSE2                       |
  | COMPUTE_STORAGE_BUS_IDE               |
  | COMPUTE_SECURITY_UEFI_SECURE_BOOT     |
  | COMPUTE_SOCKET_PCI_NUMA_AFFINITY      |
  | COMPUTE_IMAGE_TYPE_AMI                |
  | COMPUTE_GRAPHICS_MODEL_CIRRUS         |
  | COMPUTE_VOLUME_MULTI_ATTACH           |
  | HW_CPU_X86_SSE4A                      |
  | HW_CPU_X86_SSE41                      |
  | COMPUTE_IMAGE_TYPE_QCOW2              |
  | COMPUTE_IMAGE_TYPE_AKI                |
  | HW_CPU_X86_AVX2                       |
  | HW_CPU_X86_FMA3                       |
  | HW_CPU_X86_MMX                        |
  | HW_CPU_HYPERTHREADING                 |
  | COMPUTE_NET_VIF_MODEL_NE2K_PCI        |
  | HW_CPU_X86_SVM                        |
  | HW_CPU_X86_AVX                        |
  | COMPUTE_IMAGE_TYPE_ISO                |
  | HW_CPU_X86_CLMUL                      |
  | HW_CPU_X86_ABM                        |
  | COMPUTE_NET_VIF_MODEL_SPAPR_VLAN      |
  | COMPUTE_STORAGE_BUS_SCSI              |
  | HW_CPU_X86_AMD_SVM                    |
  | COMPUTE_NET_ATTACH_INTERFACE_WITH_TAG |
  | COMPUTE_STORAGE_BUS_FDC               |
  | COMPUTE_NET_VIF_MODEL_VIRTIO          |
  | COMPUTE_NET_VIF_MODEL_PCNET           |
  | COMPUTE_STORAGE_BUS_SATA              |
  | HW_CPU_X86_F16C                       |
  | COMPUTE_NET_VIF_MODEL_E1000           |
  | COMPUTE_DEVICE_TAGGING                |
  | COMPUTE_NODE                          |
  | COMPUTE_GRAPHICS_MODEL_VGA            |
  | COMPUTE_IMAGE_TYPE_ARI                |
  | HW_CPU_X86_SHA                        |
  | HW_CPU_X86_AESNI                      |
  | COMPUTE_RESCUE_BFV                    |
  | COMPUTE_STORAGE_BUS_USB               |
  | HW_CPU_X86_BMI                        |
  +---------------------------------------+

  It is seen on stable/wallaby.

  From the compute logs I see that:

  2022-05-23 21:25:20.873 2 DEBUG nova.virt.libvirt.host [req-bc5c2030-5a68-4f5e-be8b-924f24962ef9 - - - - -] /sys/module/kvm_amd/parameters/sev contains [Y
  ] _kernel_supports_amd_sev /usr/lib/python3.9/site-packages/nova/virt/libvirt/host.py:1557
  2022-05-23 21:25:20.873 2 INFO nova.virt.libvirt.host [req-bc5c2030-5a68-4f5e-be8b-924f24962ef9 - - - - -] kernel doesn't support AMD SEV

  The nova code looks for the "1\n" [1] in the file but it contains
  "Y\n" instead

      def _kernel_supports_amd_sev(self) -> bool:
          if not os.path.exists(SEV_KERNEL_PARAM_FILE):
              LOG.debug("%s does not exist", SEV_KERNEL_PARAM_FILE)
              return False

          with open(SEV_KERNEL_PARAM_FILE) as f:
              contents = f.read()
              LOG.debug("%s contains [%s]", SEV_KERNEL_PARAM_FILE, contents)
              return contents == "1\n"

  So it seems like a valid bug in nova.

  [1] https://github.com/openstack/nova/blob/e44b1a940fdc45cc9dbb08e193a8c25052cf64e7/nova/virt/libvirt/host.py#L1696-L1704
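
An operator-side check for the mismatch this report describes, as an added example (not nova's code): it compares the kvm_amd sev parameter text and the libvirt domain capabilities against the names placement lists for the provider. The function names and the trimmed sample inputs are constructed for illustration, and ignoring surrounding whitespace is an assumption.

```python
import xml.etree.ElementTree as ET

ENABLED_VALUES = {"1", "Y"}  # the two spellings named in the commit message

# Constructed samples, trimmed from the outputs quoted in the bug report.
SAMPLE_DOMCAPS = """<domainCapabilities>
  <features>
    <sev supported='yes'><cbitpos>47</cbitpos><maxGuests>509</maxGuests></sev>
  </features>
</domainCapabilities>"""
SAMPLE_LISTED = {"COMPUTE_NODE", "HW_CPU_X86_SVM", "HW_CPU_X86_AMD_SVM"}


def kernel_param_enabled(contents):
    """True if the text of the kvm_amd 'sev' parameter file means enabled."""
    # Assumption: surrounding whitespace is ignored, so "Y\n" and "Y" both match.
    return contents.strip() in ENABLED_VALUES


def libvirt_reports_sev(domcaps_xml):
    """True if the domcapabilities XML carries <sev supported='yes'>."""
    sev = ET.fromstring(domcaps_xml).find("./features/sev")
    return sev is not None and sev.get("supported") == "yes"


def audit(param_text, domcaps_xml, listed, expected="MEM_ENCRYPTION_CONTEXT"):
    """Return findings where host SEV state and the placement listing disagree.

    'expected' defaults to the name the report looks for; pass another name
    to check a different entry.
    """
    findings = []
    param_on = kernel_param_enabled(param_text)
    host_on = param_on and libvirt_reports_sev(domcaps_xml)
    if host_on and expected not in listed:
        findings.append(f"host has SEV enabled but {expected} is not listed")
    if not host_on and expected in listed:
        findings.append(f"{expected} is listed but host SEV is not enabled")
    if param_on and param_text != "1\n":
        # This is the condition that tripped the pre-fix comparison.
        findings.append("a strict == '1\\n' comparison treats this host as unsupported")
    return findings


if __name__ == "__main__":
    for line in audit("Y\n", SAMPLE_DOMCAPS, SAMPLE_LISTED):
        print("FINDING:", line)
```

Run on each SEV compute node with the real file contents, `virsh domcapabilities` output and provider listing in place of the samples; an empty result means the three sources agree.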
