AMDESE / AMDSEV

AMD Secure Encrypted Virtualization

Does SEV-SNP require a memory-backend? #199

Closed ksy980324 closed 7 months ago

ksy980324 commented 8 months ago

I want to enable SEV-SNP without a memory backend. So I commented out that part of the launch-qemu.sh file

if [ ${SEV} = "1" ]; then
        add_opts "-machine memory-encryption=sev0,vmport=off"
        get_cbitpos

        if [ "${ALLOW_DEBUG}" = "1" -o "${SEV_ES}" = 1 ]; then
                POLICY=$((0x01))
                [ "${ALLOW_DEBUG}" = "1" ] && POLICY=$((POLICY & ~0x01))
                [ "${SEV_ES}" = "1" ] && POLICY=$((POLICY | 0x04))
                SEV_POLICY=$(printf ",policy=%#x" $POLICY)
        fi

        if [ "${SEV_SNP}" = 1 ]; then
                #add_opts "-object memory-backend-memfd-private,id=ram1,size=${MEM}M,share=true"
                #add_opts "-object sev-snp-guest,id=sev0,cbitpos=${CBITPOS},reduced-phys-bits=1,discard=${DISCARD}"
                #add_opts "-machine memory-backend=ram1,kvm-type=protected"
                add_opts "-object sev-snp-guest,id=sev0${SEV_POLICY},cbitpos=${CBITPOS},reduced-phys-bits=1"
        else
                add_opts "-object sev-guest,id=sev0${SEV_POLICY},cbitpos=${CBITPOS},reduced-phys-bits=1"
        fi
fi
/home/csl/AMDSEV/snp-release-2023-10-31/usr/local/bin/qemu-system-x86_64 \
        -enable-kvm \
        -cpu EPYC-v4 \
        -machine q35 \
        -smp 4,maxcpus=255 \
        -m 2048M,slots=5,maxmem=10240M \
        -no-reboot \
        -drive if=pflash,format=raw,unit=0,file=/home/csl/AMDSEV/snp-release-2023-10-31/usr/local/share/qemu/OVMF_CODE.fd,readonly \
        -drive if=pflash,format=raw,unit=1,file=/home/csl/AMDSEV/snp-release-2023-10-31/ubuntu-20.04.fd \
        -netdev tap,id=mynet0,ifname=tap0,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 \
        -drive file=/home/csl/AMDSEV/snp-release-2023-10-31/ubuntu-20.04.qcow2,if=none,id=disk0,format=qcow2 \
        -device virtio-scsi-pci,id=scsi0,disable-legacy=on,iommu_platform=true -device scsi-hd,drive=disk0 \
        -machine memory-encryption=sev0,vmport=off -object sev-snp-guest,id=sev0,policy=0x5,cbitpos=51,reduced-phys-bits=1 \
        -vnc :1 \
        -monitor pty -monitor unix:monitor,server,nowait

and ran it, but I got the error below

qemu-system-x86_64: sev_snp_launch_start: SNP_LAUNCH_START ret=-22 fw_error=0 ''
qemu-system-x86_64: sev_kvm_init: failed to create encryption context
qemu-system-x86_64: failed to initialize kvm: Operation not permitted

(With the memory backend option, it works fine) Is there a way to enable SEV-SNP without the memory backend option?

tlendacky commented 8 months ago

Is there a way to enable SEV-SNP without the memory backend option?

No, there isn't. The memory backend option is needed for SNP.
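The following is an added example, not code from the AMDSEV repository or from either participant. It reproduces the option set that the commented-out lines in launch-qemu.sh would have emitted (the private memfd backend, the sev-snp-guest object and the -machine memory-backend=... reference), derives the policy value the same way the script does, and adds a pre-flight check that rejects a command line which names sev-snp-guest but carries no memory backend, which is exactly the combination that failed with SNP_LAUNCH_START ret=-22 above. The option names are those of the snp-release-2023-10-31 QEMU build used in this thread; for other QEMU builds they are an assumption, and the discard= parameter from the script is left out.

```shell
#!/bin/sh
# Added example (not the project's launch-qemu.sh). Option names follow the
# snp-release-2023-10-31 QEMU build referenced in the thread; treat them as
# assumptions for any other build.

# Compute the SEV policy the way launch-qemu.sh does: start from 0x01
# (debugging disallowed), clear that bit when ALLOW_DEBUG=1, set 0x04 when
# SEV-ES is requested. Prints the value as 0x-prefixed hex.
sev_policy() {
    allow_debug=$1
    sev_es=$2
    policy=$((0x01))
    [ "$allow_debug" = "1" ] && policy=$((policy & ~0x01))
    [ "$sev_es" = "1" ] && policy=$((policy | 0x04))
    printf '0x%x' "$policy"
}

# Emit the QEMU options for an SNP guest, one per line. The private memory
# backend and the -machine memory-backend= reference are always included,
# since SNP cannot be launched without them.
snp_qemu_opts() {
    mem_mb=$1
    cbitpos=$2
    policy=$3
    printf '%s\n' \
        "-object memory-backend-memfd-private,id=ram1,size=${mem_mb}M,share=true" \
        "-object sev-snp-guest,id=sev0,policy=${policy},cbitpos=${cbitpos},reduced-phys-bits=1" \
        "-machine memory-backend=ram1,kvm-type=protected" \
        "-machine memory-encryption=sev0,vmport=off"
}

# Pre-flight check over an assembled QEMU command line. Non-SNP command
# lines pass unchanged. An SNP command line must carry a
# memory-backend-memfd-private object and attach it via -machine
# memory-backend=; otherwise QEMU fails at SNP_LAUNCH_START. Returns 0 when
# consistent, 1 with a message on stderr when not.
check_snp_cmdline() {
    cmdline=$1
    case $cmdline in
        *sev-snp-guest*) ;;
        *) return 0 ;;
    esac
    case $cmdline in
        *memory-backend-memfd-private*) ;;
        *) echo "SNP guest requested without memory-backend-memfd-private" >&2
           return 1 ;;
    esac
    case $cmdline in
        *memory-backend=*) ;;
        *) echo "memory backend defined but not attached with -machine memory-backend=" >&2
           return 1 ;;
    esac
    return 0
}

# Stand-alone use: build the options for a 2048M guest with C-bit 51 and
# SEV-ES enabled, then verify them before handing them to qemu-system-x86_64.
if [ "${SNP_OPTS_DEMO:-0}" = "1" ]; then
    POLICY=$(sev_policy 0 1)
    OPTS=$(snp_qemu_opts 2048 51 "$POLICY")
    check_snp_cmdline "$OPTS" && printf '%s\n' "$OPTS"
fi
```

Run with SNP_OPTS_DEMO=1 to print the four option lines; a command line built by hand that drops the memory backend (as in the question) is rejected by check_snp_cmdline before QEMU is ever started, so the ret=-22 failure surfaces as a readable message instead of a failed launch.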

ksy980324 commented 8 months ago

Thank you for your response. I looked up the memory backend option and saw that it was updated in March of this year. I'd like to study it, but there's not much information available. What documentation can I use to study about memory backend option?

tlendacky commented 8 months ago

I'm not sure what documentation exists. You can google the guest-mem / gmem patches being proposed for the KVM subsystem and the RFC qemu patches to support the use of it.

Alternatively, you can search for the patches at https://lore.kernel.org/kvm and https://lore.kernel.org/qemu-devel

ksy980324 commented 7 months ago

Thank you for your response.

It was helpful.