AMDESE / AMDSEV

AMD Secure Encrypted Virtualization

Unable to boot VM #15

Open morbitzer opened 5 years ago

morbitzer commented 5 years ago

I successfully installed everything according to the README. The only changes I had to make:

  1. disable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT in the kernel. (See #14). However, I was still able to run SEV encrypted VMs previously even with AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT disabled.

  2. Configure qemu with --disable-werror. Otherwise, the compilation would stop due to some warnings:

```
hw/usb/host-libusb.c: In function ‘usb_host_init’:
hw/usb/host-libusb.c:250:5: error: ‘libusb_set_debug’ is deprecated: Use libusb_set_option instead [-Werror=deprecated-declarations]
     libusb_set_debug(ctx, loglevel);
     ^~~~~~~~~~~~~~~~
In file included from hw/usb/host-libusb.c:40:0:
/usr/include/libusb-1.0/libusb.h:1300:18: note: declared here
 void LIBUSB_CALL libusb_set_debug(libusb_context *ctx, int level);
                  ^~~~~~~~~~~~~~~~
[..]
ui/gtk.c: In function ‘gd_vc_vte_init’:
ui/gtk.c:1928:5: warning: ‘vte_terminal_set_encoding’ is deprecated [-Wdeprecated-declarations]
     vte_terminal_set_encoding(VTE_TERMINAL(vc->vte.terminal), "UTF-8", NULL);
     ^~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /usr/include/vte-2.91/vte/vte.h:35:0,
                 from ui/gtk.c:49:
/usr/include/vte-2.91/vte/vtedeprecated.h:120:10: note: declared here
 gboolean vte_terminal_set_encoding(VteTerminal *terminal,
```

If I now try to start a VM with `sudo launch-qemu.sh -hda ubuntu-18.04.qcow2 -cdrom debian-9.6.0-amd64-netinst.iso -vnc 0 -console serial`, I am able to connect via VNC and see the boot menu from the CD. The last output I see at the console is

```
FatDiskIo: Cache Page OutBound occurred!
FSOpen: Open '\EFI\BOOT\BOOTX64.EFI' Success
[Bds] Expand PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0) -> PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/CDROM(0x1,0x3AF,0x340)/\EFI\BOOT\BOOTX64.EFI
[Security] 3rd party image[0] can be loaded after EndOfDxe: PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/CDROM(0x1,0x3AF,0x340)/\EFI\BOOT\BOOTX64.EFI.
InstallProtocolInterface: 5B1B31A1-9562-11D2-8E3F-00A0C969723B 7DE73040
Loading driver at 0x0007D13B000 EntryPoint=0x0007D13B400
InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF 7E600998
ProtectUefiImageCommon - 0x7DE73040
  - 0x000000007D13B000 - 0x000000000005F600
PixelBlueGreenRedReserved8BitPerColor
```

However, as soon as I select an option, the VM reboots. I attached the full log for details. cdrom.log

When I try to directly start from a disk image, qemu tries to perform PXE instead. After unsuccessfully finishing PXE, it drops me into the UEFI Shell:

```
UEFI Interactive Shell v2.287477C2-69C7-11D2-8E39-00A0C969723B 7CE46320
EDK IIlProtocolInterface: 752F3136-4E16-4FDC-A22A-E5F46812F4CA 7CE45E18
UEFI v2.70 (EDK II, 0x00010000)008-7F9B-4F30-87AC-60C9FEF5DA4E 7CD5EAC0
Mapping table
      FS0: Alias(s):HD0a0b:;BLK1:
          PciRoot(0x0)/Pci(0x3,0x0)/Scsi(0x0,0x0)/HD(1,GPT,13AA3B25-499D-4414-BA73-2B5232310EDE,0x800,0x100000)
     BLK0: Alias(s):
          PciRoot(0x0)/Pci(0x3,0x0)/Scsi(0x0,0x0)
     BLK2: Alias(s):
          PciRoot(0x0)/Pci(0x3,0x0)/Scsi(0x0,0x0)/HD(2,GPT,AE0A134C-886E-453B-9D8D-7780AE0542DE,0x100800,0x7A000)
     BLK3: Alias(s):
          PciRoot(0x0)/Pci(0x3,0x0)/Scsi(0x0,0x0)/HD(3,GPT,10F8DCF4-1379-4009-AEEA-4EA6AA9E874D,0x17A800,0x120D000)

Press ESC in 1 seconds to skip startup.nsh or any other key to continue.
Shell>
```

I also attached the log of this process. hda.log

From my understanding, something seems to be going wrong with the detection of the virtual disk image. I do see all partitions of it in the UEFI shell, but somehow, qemu does not boot from it.

codomania commented 5 years ago

I see that you are trying to install debian-9.6.0-amd64-netinst.iso. It is important to note that the guest kernel must be SEV aware; SEV guest patches were accepted in kernel >= 4.15. Do you know the kernel version used in debian-9.6.0-amd64-netinst.iso? If it's < 4.15 then you will not be able to boot it as a SEV guest.
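
The kernel-version requirement from the comment above, written as a check you can run inside a candidate guest image (an added example, not part of the original thread or the AMDSEV scripts). The function names and the sample release strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Minimum guest kernel for SEV, as stated in the comment above (>= 4.15).
SEV_MIN_MAJOR=4
SEV_MIN_MINOR=15

# sev_kernel_ok RELEASE  (hypothetical helper)
# RELEASE is a kernel release string such as the output of `uname -r`.
# Returns 0 if RELEASE >= 4.15, 1 if it is older, 2 if it cannot be parsed.
sev_kernel_ok() {
    rel=$1
    major=${rel%%.*}                      # "4.15.0-20-generic" -> "4"
    rest=${rel#*.}                        # -> "15.0-20-generic"
    [ "$rest" != "$rel" ] || return 2     # no dot at all
    minor=${rest%%[!0-9]*}                # -> "15"
    case $major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    if [ "$major" -gt "$SEV_MIN_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$SEV_MIN_MAJOR" ] && [ "$minor" -ge "$SEV_MIN_MINOR" ]; then
        return 0
    fi
    return 1
}

# sev_kernel_verdict RELEASE  (hypothetical helper)
# Prints "ok", "too-old" or "unparsed" for the given release string.
sev_kernel_verdict() {
    rc=0
    sev_kernel_ok "$1" || rc=$?
    case $rc in
        0) echo "ok" ;;
        1) echo "too-old" ;;
        *) echo "unparsed" ;;
    esac
}

# With no argument, check the running kernel; otherwise check the given string.
# Constructed samples: "4.9.0-8-amd64" is too old, "4.15.0-20-generic" is ok.
printf 'kernel %s: %s\n' "${1:-$(uname -r)}" \
    "$(sev_kernel_verdict "${1:-$(uname -r)}")"
```

A distribution kernel may carry backported patches, so the result reflects only the 4.15 threshold given in the comment above.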

morbitzer commented 5 years ago

Thanks for the hint, it does indeed work when using ubuntu. I tried with the latest debian-installer, but that also didn't work. Might be a problem with the debian installer.

However, I'm still not able to boot the disk image I used previously for the SEV-encrypted VM. (This was the early process of creating a SEV-kernel on your host, and moving it to the VM.) Is there a way to still use the old images?

Jim8y commented 5 years ago

@codomania Even with the latest Ubuntu desktop 18.04, I still cannot boot the guest with qemu; it just boots into the UEFI interactive shell every time. Could you please provide a valid guest for me?

Jim8y commented 5 years ago

Alright, I managed to fix that problem.

Jdkhnjggf commented 1 year ago

@Liaojinghui Hi, could you please provide your solution? I encountered the same situation.

Jim8y commented 1 year ago

For me, it was about OVMF_VARS.fd and .qcow2; I fixed the problem by creating a new OVMF_VARS.fd and .qcow2. But I cannot remember more details, that was too long ago.