info kvm_intel: no symbol version for __seamcall_saved_ret and tdx is disabled

[tingyuz]

Followed the steps in the readme to install fresh Ubuntu 23.01 server, got code from github repo, compiled and installed. checked and make sure the BIOS settings related to tdx are correct. after rebooting I notice that tdx was enabled then disabled again.

sudo dmesg | grep -i tdx

[ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-6.5.0-1003-intel-opt root=/dev/mapper/ubuntu--vg-ubuntu--lv ro kvm_intel.tdx=1 nomodeset [ 1.872847] Kernel command line: BOOT_IMAGE=/vmlinuz-6.5.0-1003-intel-opt root=/dev/mapper/ubuntu--vg-ubuntu--lv ro kvm_intel.tdx=1 nomodeset [ 3.833617] tdx: BIOS enabled: private KeyID range [1, 64) [ 15.287540] tdx: not enabled by BIOS.

Checked the dmesg and notice line related to seamcall right before the tdx is disabled.

[ 15.271035] kvm_intel: no symbol version for __seamcall_saved_ret [ 15.287540] tdx: not enabled by BIOS.

Questions:

1. Do we need to install intel-tdx package to get tdx working? ( the readme didn't mention such requirement)
2. if intel tdx-tool is required, which version will work ( there are two versions from Intel, 1.0 and 1.5)?

Thanks!

[fanchen2]

Hi @tingyuz, there should be nothing to do with intel-tdx package, it should be some setup missing on HW or BIOS, the setup will be different for different machine, sometimes we need more configuration than we showed in README. You are using SPR or EMR? Do you know the vendor of your machine? Could you execute below 3 command and share the output? sudo rdmsr 0xa0 sudo rdmsr 0x1f5 -f 11:11 sudo rdmsr 0x1401 --bitfield 11:11

[tingyuz]

@fanchen2 thanks very much for the reply!

1. We are using EMR on Dell R760 server

2. Here is the output of the command $ sudo rdmsr 0xa0 64c9 $ sudo rdmsr 0x1f5 -f 11:11 0 $ sudo rdmsr 0x1401 --bitfield 11:11 0

[fanchen2]

@tingyuz We got some advice from experts, there probably be a mcheck error from msr 0xa0, but need more info to confirm. Is that possible to capture the whole serial log of host boot? Or find out the memory config on the platform.

And also, I thought this machine is a production level EMR(from DELL), DELL should have BIOS manual, the BIOS setup is different from different vendor, the vendor may add some more configuration, it happens, so can you ask for the BIOS manual from DELL and check how to enable TDX from it?

[tingyuz]

@fanchen2 do you recommend some commands for capturing the memory config of the platform? And in the meantime we are checking if there is BIOS manual available for TDx.

[fanchen2]

We found another user who got the same error as you(if that's not you), he is also using DELL, the team is working with DELL US to figure out the set in BIOS, will keep you update. BTW, did you enable UEFI boot in BIOS? It's not for TDX specific, but should be necessary.

[tingyuz]

Yes we enabled UEFI boot in the BIOS.

[fanchen2]

@tingyuz The memory configuration is in serial log. If it's impossible to capture the serial log, we cannot root cause. We got an advice, not sure if it works for you, if you want to have a try: In BIOS, disable "Disable excluding Mem" in the same page of TDX setup, like the attached picture.

BTW, this is not a validated solution(I have no DELL in hand), if "disable" doesn't work, you can try "enable" also.

[tingyuz]

@fanchen2 this is the magic setting that made it working. . After disabling "Disable excluding Mem" (Under "System Security" of the Bios setting), the TDx enabling and related logs are showing up in dmesg. Thanks!

May I suggest to add this setting into the Bios section of the document of the repo so that others can follow?

For the record purpose, here is the hardware/Bios info :

Server: PowerEdge R760 BIOS version: 2.2.0 [X-REV] iDRAC Firmware Version | 7.00.30.00 CPU: INTEL(R) XEON(R) GOLD 6554S

[fanchen2]

@tingyuz That's great! Thanks for your testing and advice, we will find a way to share this info in readme. Could you help to close this issue?