coconut-svsm / svsm

COCONUT-SVSM
MIT License

SNP support #409

Open pegahnikbakht opened 1 month ago

pegahnikbakht commented 1 month ago

Hi,

I tried to install an SNP-based kernel from this repo, https://github.com/coconut-svsm/linux, but only SEV and SEV-ES are enabled when I boot the kernel. Previously I had a kernel with SNP support, and the prerequisites are met. Is there any specific config in make menuconfig that needs to be enabled in order to enable SNP?

Regards, Pegah

ramagali24 commented 1 month ago

Did you enable all of these in your BIOS settings before you installed the host kernel?

CBS -> CPU Common ->

SEV-ES ASID space limit -> 100

SNP Memory Coverage -> Enabled

SMEE -> Enabled

-> NBIO common ->

SEV-SNP -> Enabled

If you still do not see these messages from your host, you can try compiling the kernel using the script.

sudo dmesg | grep SEV
[ 0.000000] SEV-SNP: RMP table physical range [0x000000bf8d200000 - 0x000000c04d7fffff]
[ 22.544585] ccp 0000:03:00.5: SEV API:1.55 build:24
[ 22.544597] ccp 0000:03:00.5: SEV-SNP API:1.55 build:24
[ 22.563664] kvm_amd: SEV enabled (ASIDs 100 - 1006)
[ 22.563666] kvm_amd: SEV-ES enabled (ASIDs 1 - 99)
[ 22.563667] kvm_amd: SEV-SNP enabled (ASIDs 1 - 99)

HOST kernel build script.

set -eux

VER="-snp-host"
COMMIT=$(git log --format="%h" -1 HEAD)

cp /boot/config-$(uname -r) .config
./scripts/config --set-str LOCALVERSION "$VER-$COMMIT"
./scripts/config --disable LOCALVERSION_AUTO
./scripts/config --enable DEBUG_INFO
./scripts/config --enable DEBUG_INFO_REDUCED
./scripts/config --enable EXPERT
./scripts/config --enable AMD_MEM_ENCRYPT
./scripts/config --disable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT
./scripts/config --enable KVM_AMD_SEV
./scripts/config --module CRYPTO_DEV_CCP_DD
./scripts/config --disable SYSTEM_TRUSTED_KEYS
./scripts/config --disable SYSTEM_REVOCATION_KEYS
./scripts/config --module SEV_GUEST
./scripts/config --disable IOMMU_DEFAULT_PASSTHROUGH

yes "" | make olddefconfig

make -j$(nproc) LOCAL_VERSION=
sudo make -j$(nproc) modules_install
sudo make -j$(nproc) install

pegahnikbakht commented 1 month ago

@ramagali24 I have the BIOS settings enabled, and previously I had a kernel 6.9 with SNP which worked fine, but I tried to install SVSM (downgrade to kernel 6.8), even with the script that you provided above, and SNP is still not enabled. I get the following error or warning:

sudo dmesg | grep SEV

[   16.294186] ccp 0000:47:00.1: SEV API:1.55 build:17
[   16.332809] kvm_amd: SEV enabled (ASIDs 100 - 509)
[   16.332810] kvm_amd: SEV-ES enabled (ASIDs 1 - 99)

sudo dmesg | grep sev

[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-6.8.0-rc6-snp-host-d206a76d7d27 root=UUID=8368bb81-e86c-4e21-a51d-8a39b7b503ed ro nomodeset console=tty0 console=ttyS1,115200n8 modprobe.blacklist=btrfs mem_encrypt=on kvm_amd.sev=1
[    0.082135] Kernel command line: BOOT_IMAGE=/vmlinuz-6.8.0-rc6-snp-host-d206a76d7d27 root=UUID=8368bb81-e86c-4e21-a51d-8a39b7b503ed ro nomodeset console=tty0 console=ttyS1,115200n8 modprobe.blacklist=btrfs mem_encrypt=on kvm_amd.sev=1
[   16.219512] ccp 0000:47:00.1: sev enabled
[   16.309452] kvm_amd: unknown parameter 'sev-snp' ignored

pegahnikbakht commented 1 month ago

This is what I get with kernel 6.9 that I had before:

sudo dmesg | grep SEV

[    0.000000] SEV-SNP: RMP table physical range [0x0000000097f00000 - 0x00000000a84fffff]
[   17.031219] ccp 0000:47:00.1: SEV API:1.55 build:17
[   17.038573] ccp 0000:47:00.1: SEV-SNP API:1.55 build:17
[   17.084122] kvm_amd: SEV enabled (ASIDs 100 - 509)
[   17.099101] kvm_amd: SEV-ES enabled (ASIDs 1 - 99)
[   17.099102] kvm_amd: SEV-SNP enabled (ASIDs 1 - 99)

roy-hopkins commented 1 month ago

Which branch are you using? It should be: https://github.com/coconut-svsm/linux/tree/svsm.

pegahnikbakht commented 1 month ago

@roy-hopkins Yes, I'm using this branch: https://github.com/coconut-svsm/linux/tree/svsm. I tried main and some of the releases, same issue.

rnldourado commented 1 week ago

I have the same problem. I have SNP enabled in the BIOS and am using the host kernel from the SVSM branch, but in the dmesg output we can see only SEV and SEV-ES enabled.

rnldourado commented 1 week ago

@pegahnikbakht So I found a solution to this problem: you need to upgrade the SEV firmware. To do this, follow the instructions in this link: https://github.com/AMDESE/AMDSEV/tree/snp-latest?tab=readme-ov-file#upgrade-sev-firmware I hope this helps!

pegahnikbakht commented 1 week ago

@rnldourado Thanks, will try that!

pegahnikbakht commented 3 days ago

I'm getting this error now. The host kernel is 6.8.0-snp-host-bc4de28e0cc1+

[   17.316107] kvm_amd: SEV enabled (ASIDs 100 - 509)
[   17.316109] kvm_amd: SEV-ES enabled (ASIDs 1 - 99)
[   17.316110] kvm_amd: SEV-SNP enabled (ASIDs 1 - 99)
[   55.775887] kvm_amd: SEV-SNP requires private memory support via guest_memfd.
[   70.668578] kvm_amd: SEV-SNP requires private memory support via guest_memfd.
[   83.668449] kvm_amd: SEV-SNP requires private memory support via guest_memfd.
[   95.652849] kvm_amd: SEV-SNP requires private memory support via guest_memfd.
[  108.672256] kvm_amd: SEV-SNP requires private memory support via guest_memfd.
[  123.693292] kvm_amd: SEV-SNP requires private memory support via guest_memfd.
[  136.646189] kvm_amd: SEV-SNP requires private memory support via guest_memfd.
[  149.656732] kvm_amd: SEV-SNP requires private memory support via guest_memfd.
[  164.666443] kvm_amd: SEV-SNP requires private memory support via guest_memfd.

any idea?

Freax13 commented 3 days ago

Did you use the patched QEMU mentioned in the docs?

pegahnikbakht commented 3 days ago

I'm following this doc installation guide, and I get the error before building QEMU; I'm not at that step yet! I got the error while preparing the host.

Freax13 commented 3 days ago

Fair enough. Try enabling the CONFIG_KVM_PRIVATE_MEM config option for the kernel.
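
The dmesg checks used throughout this thread, collected into one triage function. This is an added example, not code from any commenter or from the COCONUT-SVSM project; the function names `present` and `snp_status` and the verdict strings are made up here, and the sample logs are excerpts copied from the comments above.

```shell
#!/bin/sh
# Added example (not from the thread): triage SEV-related kernel log lines.
# On a host, after sourcing this file:  sudo dmesg | snp_status

# present PATTERN TEXT -> prints "yes" if a line of TEXT matches PATTERN, else "no"
present() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then echo yes; else echo no; fi
}

# snp_status reads kernel log text on stdin and prints key=value findings,
# with the verdict always on the last line.
snp_status() {
    log=$(cat)
    rmp=$(present 'SEV-SNP: RMP table physical range' "$log")
    api=$(present 'ccp [0-9a-f:.]+: SEV-SNP API:' "$log")
    kvm=$(present 'kvm_amd: SEV-SNP enabled' "$log")
    memfd=$(present 'kvm_amd: SEV-SNP requires private memory support via guest_memfd' "$log")
    echo "rmp_table=$rmp"
    echo "snp_firmware_api=$api"
    echo "kvm_snp=$kvm"
    echo "guest_memfd_error=$memfd"
    # Verdicts follow the order in which the thread hit the problems.
    if [ "$kvm" = no ]; then
        # Suggestions made in the thread: BIOS settings, svsm branch, SEV firmware upgrade.
        echo "verdict=snp_not_enabled"
    elif [ "$memfd" = yes ]; then
        # Suggestion made in the thread: try CONFIG_KVM_PRIVATE_MEM.
        echo "verdict=missing_private_mem"
    else
        echo "verdict=ok"
    fi
}

# Log excerpts copied from the comments above.
LOG_68_RC6='[   16.294186] ccp 0000:47:00.1: SEV API:1.55 build:17
[   16.332809] kvm_amd: SEV enabled (ASIDs 100 - 509)
[   16.332810] kvm_amd: SEV-ES enabled (ASIDs 1 - 99)'

LOG_69='[    0.000000] SEV-SNP: RMP table physical range [0x0000000097f00000 - 0x00000000a84fffff]
[   17.038573] ccp 0000:47:00.1: SEV-SNP API:1.55 build:17
[   17.099102] kvm_amd: SEV-SNP enabled (ASIDs 1 - 99)'

LOG_MEMFD='[   17.316110] kvm_amd: SEV-SNP enabled (ASIDs 1 - 99)
[   55.775887] kvm_amd: SEV-SNP requires private memory support via guest_memfd.'
```
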