AMDESE / AMDSEV

AMD Secure Encrypted Virtualization

IOMMU in passthrough #88

Open nicopal opened 2 years ago

nicopal commented 2 years ago

After installing the new kernel following the guide https://github.com/AMDESE/AMDSEV/tree/sev-snp-devel IOMMU is configured in passthrough mode:

[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.14.0-rc2-snp-host-6d4469b86f90 root=UUID=5271158d-59ce-4c94-b0bd-5f67dbc947e1 ro vga=normal nomodeset iommu=pt modprobe.blacklist=btrfs mem_encrypt=on kvm_amd.sev=1
[ 0.080454] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.14.0-rc2-snp-host-6d4469b86f90 root=UUID=5271158d-59ce-4c94-b0bd-5f67dbc947e1 ro vga=normal nomodeset iommu=pt modprobe.blacklist=btrfs mem_encrypt=on kvm_amd.sev=1
[ 0.080501] Any video related functionality will be severely degraded, and you may not even be able to suspend the system properly
[ 0.500541] AMD-Vi: SEV-SNP: IOMMU is either disabled or configured in passthrough mode.
[ 1.458480] ccp 0000:47:00.1: sev enabled
[ 1.517255] ccp 0000:47:00.1: SEV firmware update successful
[ 1.551278] ccp 0000:47:00.1: SEV API:1.51 build:3
[ 1.660986] SEV supported: 410 ASIDs
[ 1.663654] SEV-ES supported: 99 ASIDs
[ 145.773431] SEV supported: 410 ASIDs
[ 145.773432] SEV-ES supported: 99 ASIDs

Should this be changed through a configuration option in the kernel build script?

tlendacky commented 2 years ago

It looks like you have iommu=pt on your command line, try removing that. I don't think the scripts control or change the command line options. Also, I believe the sev, sev_es and sev_snp module parameters default to true/1, now, so you don't need kvm_amd.sev=1 either. And mem_encrypt=on is only needed if you want SME, it's not required to run SEV guests.

nicopal commented 2 years ago

Thanks, that helped. After removing "iommu=pt" as a command line option, SEV-SNP is marked as supported.

cowbon commented 2 years ago

I'm having the same issue, but simply removing iommu=pt doesn't work for me because that is the default mode for my kernel according to dmesg.

[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-5.14.0-rc2-snp-host-6d4469b86f90 root=/dev/mapper/ol_ca--hcl647p-root ro crashkernel=auto rd.lvm.lv=ol_ca-hcl647p/root rd.lvm.lv=ol_ca-hcl647p/swap rhgb console=ttyS0,115200n8 intel_iommu=on loglevel=8
[    0.017714] Unknown command line parameters: rhgb BOOT_IMAGE=/vmlinuz-5.14.0-rc2-snp-host-6d4469b86f90 crashkernel=auto intel_iommu=on

If I have to specify something explicitly for IOMMU in boot parameters, which mode should I use? I found this patch disallows the passthrough mode but I'm still not sure about what else to use.

tlendacky commented 2 years ago

Check your kernel config (CONFIG_IOMMU_DEFAULT_PASSTHROUGH) to see if the kernel is configured to do passthrough mode by default. You can either rebuild the kernel with the config option not set or add iommu=nopt to the kernel command line (I think iommu.passthrough=0 also works).

cowbon commented 2 years ago

> Check your kernel config (CONFIG_IOMMU_DEFAULT_PASSTHROUGH) to see if the kernel is configured to do passthrough mode by default. You can either rebuild the kernel with the config option not set or add iommu=nopt to the kernel command line (I think iommu.passthrough=0 also works).

Resolved. Setting iommu=nopt changes the mode to Translated.

JustPlay commented 2 years ago

Why does SNP need iommu != passthrough?

tlendacky commented 2 years ago

Because the IOMMU provides some required SNP security support. For example, DMA operations that are verified against the RMP.
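As an added example (not code from the AMDSEV project or from anyone in this thread), a POSIX shell script that applies the reasoning above: an explicit iommu=pt / iommu=nopt (or iommu.passthrough=1/0) on the command line decides the IOMMU mode, otherwise CONFIG_IOMMU_DEFAULT_PASSTHROUGH in the kernel config does, and the dmesg line from the first post is the symptom to look for. The amd_iommu=off handling goes beyond what the thread discusses (it covers the "disabled" half of the dmesg message), and the sample command lines at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not AMDSEV project code. Classifies an SEV-SNP host's IOMMU
# mode the way the thread works it out: an explicit command-line option wins,
# otherwise CONFIG_IOMMU_DEFAULT_PASSTHROUGH decides. Inputs are plain strings
# so the checks run on constructed samples; pass --live to read /proc/cmdline,
# the running kernel's config and dmesg instead.

# Print "passthrough", "translated" or "disabled" for a command line + .config.
iommu_mode() {
  cmdline=" $1 "; config=$2
  case "$cmdline" in
    *" amd_iommu=off "*)                        echo disabled;    return ;;  # beyond the thread
    *" iommu=pt "*|*" iommu.passthrough=1 "*)   echo passthrough; return ;;
    *" iommu=nopt "*|*" iommu.passthrough=0 "*) echo translated;  return ;;
  esac
  # Nothing explicit: the build-time default applies (cowbon's case).
  case "$config" in
    *"CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y"*) echo passthrough ;;
    *)                                      echo translated ;;
  esac
}

# Exit 0 when dmesg text carries the SNP complaint quoted in the first post.
snp_iommu_complaint() {
  printf '%s\n' "$1" | grep -q 'SEV-SNP: IOMMU is either disabled or configured in passthrough mode'
}

# Print the fix the thread converged on for these inputs.
advise() {
  case "$(iommu_mode "$1" "$2")" in
    translated) echo "ok: translated mode, DMA can be checked against the RMP" ;;
    disabled)   echo "remove amd_iommu=off: SNP needs the IOMMU enabled" ;;
    passthrough)
      case " $1 " in
        *" iommu=pt "*|*" iommu.passthrough=1 "*) echo "remove iommu=pt from the command line" ;;
        *) echo "passthrough is the config default: add iommu=nopt or unset CONFIG_IOMMU_DEFAULT_PASSTHROUGH" ;;
      esac ;;
  esac
}

if [ "${1:-}" = "--live" ]; then
  cfg=$({ zcat /proc/config.gz || cat "/boot/config-$(uname -r)"; } 2>/dev/null)
  advise "$(cat /proc/cmdline)" "$cfg"
  snp_iommu_complaint "$(dmesg 2>/dev/null)" && echo "dmesg: SNP reports the IOMMU problem"
else
  # Constructed samples modelled on the two command lines posted in the thread.
  advise "root=/dev/sda1 ro iommu=pt mem_encrypt=on kvm_amd.sev=1" ""
  advise "root=/dev/sda1 ro intel_iommu=on loglevel=8" "CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y"
  advise "root=/dev/sda1 ro intel_iommu=on iommu=nopt" "CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y"
fi
```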