Oak Containers: QEMU not recognizing SEV-SNP: `parameter 'qom-type' does not accept value 'sev-snp-guest'`

[smherwig]

I'm working on the main branch (commit c5190c07aa8da7436760f39bb5de8e27afb44844).

I'm attempting to run the rust_hello_world_trusted_bundle container using the following command:

sudo RUST_LOG=debug ./target/x86_64-unknown-linux-gnu/release/oak_containers_launcher \
    --system-image oak_containers/system_image/target/image.tar.xz \
    --container-bundle target/rust_hello_world_trusted_bundle.tar \
    --vmm-binary $(which qemu-system-x86_64) \
    --stage0-binary generated/stage0_bin \
    --kernel oak_containers/kernel/target/bzImage \
    --initrd target/stage1.cpio \
    --ramdrive-size 5000000 \
    --vm-type sev-snp

Running this command results in the following log lines:

[2024-10-11T20:18:40Z INFO  oak_containers_launcher] Launcher service listening on port 43977
[2024-10-11T20:18:40Z DEBUG oak_containers_launcher::qemu] QEMU command line: Command { std: "/nix/store/6x9r5ghwq2a6j4r2gmqida8d5wd0ya91-qemu-host-cpu-only-9.0.1/bin/qemu-system-x86_64" "-enable-kvm" "-cpu" "host" "-smp" "1" "-nodefaults" "-nographic" "-no-reboot" "-machine" "microvm,acpi=on,pcie=on,confidential-guest-support=sev0,memory-backend=ram1" "-object" "memory-backend-memfd,id=ram1,size=8G,share=true,reserve=false" "-object" "sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,id-auth=" "-chardev" "socket,id=consock,fd=11" "-serial" "chardev:consock" "-netdev" "user,id=netdev,guestfwd=tcp:10.0.2.100:8080-cmd:nc 127.0.0.1 43977,hostfwd=tcp:127.0.0.1:41161-10.0.2.15:4000,hostfwd=tcp:127.0.0.1:45071-10.0.2.15:8080" "-device" "virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=netdev,romfile=" "-device" "vhost-vsock-pci,guest-cid=1748300,rombar=0" "-bios" "generated/stage0_bin" "-kernel" "oak_containers/kernel/target/bzImage" "-initrd" "target/stage1.cpio" "-append" " console=ttyS0 panic=-1 brd.rd_nr=1 brd.rd_size=5000000 brd.max_part=1 ip=10.0.2.15:::255.255.255.0::eth0:off loglevel=7 -- --launcher-addr=vsock://2:43977", kill_on_drop: true }
qemu-system-x86_64: -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,id-auth=: Parameter 'qom-type' does not accept value 'sev-snp-guest'

The last log line indicates a QEMU issue.

Our setup is:

• server: Supermicro CloudDC A+ Server AS -2015CS-TNR
• cpu: 1x EPYC 7354P 32C/64T CPU. This is an EPYC 4th Generation AMD Genoa chip, and supports SEV-SNP.
• kernel: 6.11.0-rc3-snp-host-85ef1ac03941. We followed AMD's Using SEV with AMD EPYC Processors guide to setup the BIOS, SEV firmware, and host kernel. Specifically, we're running AMD's kernel as per the instructions on AMD's sep-latest branch
• nix: We're using the nix-2.14.1 setup as described in docs/development.md .

Additionally, I manually had to sudo modprobe vhost_vsock.

Thanks. I appreciated any help.

[conradgrobler]

I believe that AMD SEV-SNP support has not been upstreamed for QEMU yet, so the version of QEMU that is installed in the nix environment will not work with it. To use SEV-SNP I think you will have to install the version from the AMD repository and use that version in the launcher.

[smherwig]

To further clarify, we are using the nix install of qemu:

$ which qemu-system-x86_64
/nix/store/6x9r5ghwq2a6j4r2gmqida8d5wd0ya91-qemu-host-cpu-only-9.0.1/bin/qemu-system-x86_64

$ qemu-system-x86_64 --version
QEMU emulator version 9.0.1
Copyright (c) 2003-2024 Fabrice Bellard and the QEMU Project developers

[conradgrobler]

I think that you will have to build QEMU from https://github.com/AMDESE/qemu/tree/snp-latest to support AMD SEV-SNP rather than use the nix version