AMDESE / AMDSEV

AMD Secure Encrypted Virtualization

The snp-host-latest kernel failed to init SEV-SNP without SMT #154

Closed sza-1 closed 1 year ago

sza-1 commented 1 year ago

It seems that CCP is unable to init PSP with firmware 1.51.3 when SMT is disabled (nosmt=force).

Kernel: https://github.com/AMDESE/linux/commit/93fa8c5918a4ccc81c75b0bc044df70f3837ac98

$ sudo dmesg | grep -i smt
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-6.1.0-rc4-amdese-93fa8c591+ root=UUID=3510ca71-58d8-4718-a506-755997ee5a56 ro nosmt=force
[    0.000000] SMT: Force disabled
[    0.006037] ACPI: WSMT 0x00000000A8E03000 000028 (v01 SUPERM SMCI--MB 03242016 AMI  00010013)
[    0.006059] ACPI: Reserving WSMT table memory at [mem 0xa8e03000-0xa8e03027]
[    0.212938] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-6.1.0-rc4-amdese-93fa8c591+ root=UUID=3510ca71-58d8-4718-a506-755997ee5a56 ro nosmt=force
$ sudo dmesg | grep -i sev
[    1.325750] SEV-SNP: RMP table physical address [0x0000000033900000 - 0x0000000073efffff]
[    9.368366] ccp 0000:49:00.1: sev enabled
[    9.464653] ccp 0000:49:00.1: SEV firmware update successful
[    9.501511] ccp 0000:49:00.1: SEV-SNP: failed to INIT rc -5, error 0x3
[    9.530491] ccp 0000:49:00.1: SEV: failed to INIT error 0x1, rc -5
[    9.530912] ccp 0000:49:00.1: SEV API:1.51 build:3
[    9.588269] kvm_amd: SEV supported: 410 ASIDs
[    9.588270] kvm_amd: SEV-ES and SEV-SNP supported: 99 ASIDs
[   20.131198] ccp 0000:49:00.1: SEV-SNP: failed to INIT rc -5, error 0x3
$ lscpu 
...
CPU(s):                  128
  On-line CPU(s) list:   0-63
  Off-line CPU(s) list:  64-127
Vendor ID:               AuthenticAMD
  Model name:            AMD EPYC 7B13 64-Core Processor
    CPU family:          25
    Model:               1
    Thread(s) per core:  1
    Core(s) per socket:  64
    Socket(s):           1
    Stepping:            1
...

Without nosmt=force SEV-SNP works perfectly.

tlendacky commented 1 year ago

That is to be expected. The firmware does not know about what the software has done and is expecting certain conditions amongst all the CPUs, but software hasn't done that. If you want to truly disable SMT, then you need to use the BIOS option to do that so that firmware is aware. Similarly, if you tried to use fewer CPUs than the system has, you are likely to fail init, too.

sza-1 commented 1 year ago

@tlendacky Ah, got it, thanks!

(I decided to disable SMT, because the AMD SEV-SNP white paper states that SEV-SNP does not protect against side channel attacks on SMT-enabled systems, and for guest owners this looks like a strong recommendation to disable SMT.)
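
A pre-flight check for the mismatch discussed in this thread, as an added example (not code from the AMDSEV project or from the commenters): it flags SMT disabled by the kernel instead of the BIOS, and offline CPUs, which are the two conditions named above as likely to make SEV-SNP init fail. The function names are hypothetical; the `/proc` and `/sys` paths are the standard Linux ones.

```python
import re

BASE = "/sys/devices/system/cpu/"  # standard Linux sysfs location

def parse_cpu_list(text):
    """Expand a sysfs CPU list such as '0-63,70' into a set of CPU numbers."""
    cpus = set()
    for part in text.strip().split(","):
        if part:
            lo, _, hi = part.partition("-")
            cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus

def snp_smt_preflight(cmdline, smt_control, offline, dmesg=""):
    """Return findings that match the failure in this thread; [] means none."""
    findings = []
    # nosmt / nosmt=force only changes what the kernel does, not the firmware.
    if re.search(r"(?:^|\s)nosmt(?:=force)?(?=\s|$)", cmdline):
        findings.append("kernel command line disables SMT (nosmt)")
    # "off" and "forceoff" are the software-disabled states of smt/control.
    state = smt_control.strip()
    if state in ("off", "forceoff"):
        findings.append("SMT disabled by software: smt/control=" + state)
    # Offline CPUs mean the kernel uses fewer CPUs than the system has.
    off = parse_cpu_list(offline)
    if off:
        findings.append("%d CPUs offline" % len(off))
    # Report each distinct SNP INIT failure once; the code is not interpreted.
    pat = r"SEV-SNP: failed to INIT rc (-?\d+), error (0x[0-9a-fA-F]+)"
    for rc, err in sorted(set(re.findall(pat, dmesg))):
        findings.append("SNP INIT failed: rc=%s error=%s" % (rc, err))
    return findings

def read(path):
    """Read a procfs/sysfs file, returning '' when it does not exist."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""

if __name__ == "__main__":
    result = snp_smt_preflight(read("/proc/cmdline"), read(BASE + "smt/control"),
                               read(BASE + "offline"))
    for line in result or ["no software-side SMT/CPU mismatch found"]:
        print(line)
```

Passing saved `dmesg` output as the fourth argument adds any `SEV-SNP: failed to INIT` lines to the findings.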