containers / libkrun

A dynamic library providing Virtualization-based process isolation capabilities
Apache License 2.0

Building the microVM failed: SecureVirtPrepare(SnpSecVirtPrepare #100

Closed blenessy closed 1 year ago

blenessy commented 1 year ago

I am testing the launch-tee example on a Dell R6515 equipped with AMD 7313P.

I manage to run the sev-config-no-attest.json example up to the point where the LUKS tries to unlock the protected partition. However, the snp-config-no-attest.json does not get that far but fails with:

# RUST_LOG=debug ~/libkrun/examples/launch-tee ~/disk-fedora.raw snp-config-noattest.json 
[2022-11-27T20:21:32Z INFO  vmm::linux::vstate] Guest memory starts at 0x7f24e7400000
[2022-11-27T20:21:32Z INFO  vmm::linux::vstate] Guest memory starts at 0x7f2569b0f000
[2022-11-27T20:21:32Z ERROR krun] Building the microVM failed: SecureVirtPrepare(SnpSecVirtPrepare(CreateLauncher(Custom { kind: Other, error: IoError(Os { code: 22, kind: InvalidInput, message: "Invalid argument" }) })))
Error creating the microVM: Invalid argument

Some more context

these are the relevant lines from dmesg:

[    4.531915] ccp 0000:46:00.1: no command queues available
[    4.532609] ccp 0000:46:00.1: sev enabled
[    4.532611] ccp 0000:46:00.1: psp enabled
[    4.582819] ccp 0000:46:00.1: SEV API:1.52 build:4
[    4.633884] kvm: Nested Virtualization enabled
[    4.633885] SVM: kvm: Nested Paging enabled
[    4.633888] SEV supported: 410 ASIDs
[    4.633889] SEV-ES supported: 99 ASIDs

tylerfanelli commented 1 year ago

Hi @blenessy, are you using the latest version of libkrunfw?

https://github.com/containers/libkrunfw

blenessy commented 1 year ago

Yes @tylerfanelli I started off with a clean machine on Nov. 27, and installed the latest of everything (Incl. Ubuntu 22.10).

libkrunfw:

git rev-parse HEAD
481975e688e5161bc00ebe090ff02c8ccde62a7a

libkrun:

git rev-parse HEAD
5973a3e168fa658121f08a8903a4547121b3cbdb

sevctl:

git rev-parse HEAD
16a2435a06ba5d34fb0e7f6dff0f2ad2e122de50

slp commented 1 year ago

[    4.531915] ccp 0000:46:00.1: no command queues available
[    4.532609] ccp 0000:46:00.1: sev enabled
[    4.532611] ccp 0000:46:00.1: psp enabled
[    4.582819] ccp 0000:46:00.1: SEV API:1.52 build:4
[    4.633884] kvm: Nested Virtualization enabled
[    4.633885] SVM: kvm: Nested Paging enabled
[    4.633888] SEV supported: 410 ASIDs
[    4.633889] SEV-ES supported: 99 ASIDs

From this output I'd say that machine (or kernel, as SNP support is not yet upstream) supports SEV and SEV-ES, but not SEV-SNP. I'm pretty sure that's the reason why running with the snp-config-no-attest.json config fails.
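The diagnosis above can be turned into a pre-flight check: classify the highest SEV feature level the host kernel advertises in dmesg and refuse to start an SNP guest when SNP is absent. This is an added example, not libkrun's or the commenters' code; it assumes an SNP-capable kernel logs a "SEV-SNP supported: N ASIDs" line in the same style as the SEV and SEV-ES lines quoted in the issue, and the sample dmesg text is constructed.

```shell
# Added example (not part of libkrun): read "SEV ... supported" lines from
# dmesg on stdin and print the highest level found: none, sev, sev-es, sev-snp.
# Assumption: SNP-capable kernels print "SEV-SNP supported: N ASIDs".
sev_level() {
    level=none
    while IFS= read -r line; do
        case "$line" in
            *"SEV-SNP supported:"*) level=sev-snp ;;
            *"SEV-ES supported:"*)  if [ "$level" != sev-snp ]; then level=sev-es; fi ;;
            *"SEV supported:"*)     if [ "$level" = none ]; then level=sev; fi ;;
        esac
    done
    printf '%s\n' "$level"
}

# Exit status 0 only when the host advertises SEV-SNP, so a wrapper can stop
# before launch-tee fails with the EINVAL from SnpSecVirtPrepare seen above.
snp_ready() {
    [ "$(sev_level)" = sev-snp ]
}

# Constructed sample modelled on the dmesg lines in this issue (SEV and
# SEV-ES present, no SNP line) and a second constructed sample with SNP.
SAMPLE_NO_SNP='[    4.633888] SEV supported: 410 ASIDs
[    4.633889] SEV-ES supported: 99 ASIDs'
SAMPLE_SNP='[    4.633888] SEV supported: 410 ASIDs
[    4.633889] SEV-ES supported: 99 ASIDs
[    4.633890] SEV-SNP supported: 99 ASIDs'

# Stand-alone usage against the live kernel log (dmesg may need root):
#   dmesg | sev_level
#   dmesg | snp_ready || echo "host kernel does not advertise SEV-SNP"
printf '%s\n' "$SAMPLE_NO_SNP" | sev_level
printf '%s\n' "$SAMPLE_SNP" | sev_level
```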

tylerfanelli commented 1 year ago

@blenessy I would say that Ubuntu 22.10 does not yet support SEV-SNP, as the SEV-SNP host patches are not even available in the upstream kernel yet.

sevctl does not really concern itself with the firmware, kernel, etc. It only tests that the hardware (mainly CPU) is SEV-capable.

blenessy commented 1 year ago

Got it, thanks @slp and @tylerfanelli! So what kernel do you guys recommend I use to test SNP out at this point? (I'm guessing it's one of the branches here: https://github.com/AMDESE/linux).

tylerfanelli commented 1 year ago

@blenessy The latest upstream branch is here:

https://github.com/AMDESE/linux/tree/sev-snp-iommu-avic_5.19-rc6_v4

blenessy commented 1 year ago

Got it to work @tylerfanelli! Thanks for pointing me in the right direction - to both of you.

FWIW, I created a gist for other AMD SEV-SNP newbies who might come this way:

https://gist.github.com/blenessy/415e30d341bc115edec5b3704d4f4fe9

Feel free to close this issue guys.

tylerfanelli commented 1 year ago

@blenessy Glad we could help. Thanks for posting that gist, it looks like it could be of use to others looking to try out SNP. Closing this issue.