AMDESE / AMDSEV

AMD Secure Encrypted Virtualization

Cannot launch SEV-SNP VM: `sev_kvm_init: kernel does not support restricted guest memory` #193

Closed gianlucascopelliti closed 8 months ago

gianlucascopelliti commented 8 months ago

Hi,

I've been trying to launch a SEV-SNP VM using the launch-qemu.sh script in the snp-latest branch, but I am getting the following error when running the script with the -sev-snp flag:

qemu-system-x86_64: sev_kvm_init: kernel does not support restricted guest memory
qemu-system-x86_64: failed to initialize kvm: Operation not permitted

Launching with -sev and -sev-es instead works correctly. The strange thing is that I was actually able to launch a SEV-SNP VM a couple of days ago, but now it does not work anymore for some reason. I did rebuild QEMU and OVMF in the meantime, but I am not sure if this is the cause of the issue.

I am working on a machine with an AMD EPYC 9654 processor running Ubuntu 22.04.3 LTS. I installed the host kernel, QEMU and OVMF from the scripts in the snp-latest branch (commit c24c972e400). Some outputs from the host:

$ uname -r
6.5.0-rc2-snp-host-ad9c0bf475ec

$ sudo dmesg | grep -i sev
[    2.550856] SEV-SNP: RMP table physical address [0x000000bf7e800000 - 0x000000c03f0fffff]
[    7.360098] ccp 0000:01:00.5: sev enabled
[   15.876855] ccp 0000:01:00.5: SEV API:1.53 build:5
[   15.876859] ccp 0000:01:00.5: SEV-SNP API:1.53 build:5
[   15.923923] kvm_amd: SEV-ES and SEV-SNP supported: 509 ASIDs
[   15.923925] kvm_amd: SEV enabled (ASIDs 510 - 1006)
[   15.923926] kvm_amd: SEV-ES enabled (ASIDs 1 - 509)

$ cat /sys/module/kvm_amd/parameters/sev_snp
Y

Full log from stdout.log:

/home/ecaiogs/sev/AMDSEV/snp-release-2023-10-12/usr/local/bin/qemu-system-x86_64 -enable-kvm -cpu EPYC-v4 -machine q35 -smp 4,maxcpus=255 -m 2048M,slots=5,maxmem=10240M -no-reboot -drive if=pflash,format=raw,unit=0,file=/home/ecaiogs/sev/AMDSEV/snp-release-2023-10-12/usr/local/share/qemu/OVMF_CODE.fd,readonly -drive if=pflash,format=raw,unit=1,file=/home/ecaiogs/sev/AMDSEV/snp-release-2023-10-12/sevsnp.fd -drive file=/home/ecaiogs/sev/sevsnp.qcow2,if=none,id=disk0,format=qcow2 -device virtio-scsi-pci,id=scsi0,disable-legacy=on,iommu_platform=true -device scsi-hd,drive=disk0 -machine memory-encryption=sev0,vmport=off -object memory-backend-memfd-private,id=ram1,size=2048M,share=true -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,discard=none -machine memory-backend=ram1,kvm-type=protected -nographic -monitor pty -monitor unix:monitor,server,nowait 
qemu-system-x86_64: -drive if=pflash,format=raw,unit=0,file=/home/ecaiogs/sev/AMDSEV/snp-release-2023-10-12/usr/local/share/qemu/OVMF_CODE.fd,readonly: warning: short-form boolean option 'readonly' deprecated
Please use readonly=on instead
char device redirected to /dev/pts/7 (label compat_monitor0)
qemu-system-x86_64: warning: Number of hotpluggable cpus requested (255) exceeds the recommended cpus supported by KVM (192)
qemu-system-x86_64: sev_kvm_init: kernel does not support restricted guest memory
qemu-system-x86_64: failed to initialize kvm: Operation not permitted

mdroth commented 8 months ago

You updated to a newer QEMU, but you're still running an older kernel. Install the latest one generated by the build.

gianlucascopelliti commented 8 months ago

Strange, I did not see recent commits in the QEMU snp-latest branch. But anyway, installing the latest kernel (6.6.0-rc1-snp-host-f86c98f8b43d) indeed solved the issue, thank you!
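A host preflight for the situation diagnosed in this thread (a rebuilt QEMU run against an older host kernel), written here as an added example and not an AMDSEV script. It assumes kernel release strings end in `-snp-host-<hash>` as in the thread, and takes the release string of the kernel the build produced as its argument.

```shell
#!/bin/sh
# Added example, not an AMDSEV script: preflight a host before launch-qemu.sh -sev-snp,
# checking what the reporter checked by hand (uname -r, kvm_amd's sev_snp parameter,
# SNP lines in dmesg) plus the mismatch behind this issue: rebuilt QEMU, old host kernel.
# Assumption: kernel release strings end in "-snp-host-<hash>" as in the thread.

# Print the "snp-host-<hash>" tag of a kernel release string; nothing if absent.
snp_kernel_tag() {
    printf '%s\n' "$1" | sed -n 's/.*-\(snp-host-[0-9a-f]*\)$/\1/p'
}

# Succeed only if the running kernel carries the same tag as the kernel the build produced.
snp_kernel_matches() {
    running=$(snp_kernel_tag "$1")
    built=$(snp_kernel_tag "$2")
    [ -n "$running" ] && [ "$running" = "$built" ]
}

# Reduce dmesg text to "fw=<SNP firmware API version> kvm=<yes|no>".
snp_dmesg_summary() {
    fw=$(printf '%s\n' "$1" | sed -n 's/.*SEV-SNP API:\([0-9.]*\).*/\1/p' | head -n 1)
    kvm=no
    printf '%s\n' "$1" | grep -q 'kvm_amd: .*SEV-SNP supported' && kvm=yes
    printf 'fw=%s kvm=%s\n' "${fw:-none}" "$kvm"
}

# Live check, run as root: snp_preflight <release string of the kernel the build produced>
snp_preflight() {
    running=$(uname -r)
    if ! snp_kernel_matches "$running" "$1"; then
        echo "running kernel $running is not the built kernel $1: install it and reboot" >&2
        return 1
    fi
    if [ "$(cat /sys/module/kvm_amd/parameters/sev_snp 2>/dev/null)" != "Y" ]; then
        echo "kvm_amd sev_snp parameter is not Y" >&2
        return 1
    fi
    summary=$(snp_dmesg_summary "$(dmesg 2>/dev/null)")
    case $summary in
        *kvm=yes*) echo "ok: $summary" ;;
        *) echo "kvm_amd does not report SNP support: $summary" >&2; return 1 ;;
    esac
}

# Constructed sample (two lines from the report above) so the parser can be exercised offline.
SAMPLE_DMESG='[   15.876859] ccp 0000:01:00.5: SEV-SNP API:1.53 build:5
[   15.923923] kvm_amd: SEV-ES and SEV-SNP supported: 509 ASIDs'
snp_dmesg_summary "$SAMPLE_DMESG"   # fw=1.53 kvm=yes
```

Source the file and call `snp_preflight 6.6.0-rc1-snp-host-f86c98f8b43d` (or whatever release the build produced) before running launch-qemu.sh; a mismatch report means the kernel from the build has not been installed or booted yet.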