qemu-discuss

Re: Using Secure Encrypted Virtualization (SEV) support with VIRTIO disks


From: Louis Bouchard
Subject: Re: Using Secure Encrypted Virtualization (SEV) support with VIRTIO disks
Date: Wed, 24 Feb 2021 16:50:31 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0

Hello,

On 24/02/2021 at 11:33, Louis Bouchard wrote:
Hello,

This request follows this Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1915509.

When using the VIRTIO driver, starting a VM with SEV enabled on SEV-enabled hardware fails. The situation may be tested with the following commands on Ubuntu 20.04 Focal:

$ dd if=/dev/urandom of=/tmp/sev_key.aes bs=8 count=4
$ cp /usr/share/OVMF/OVMF_CODE.fd /tmp
$ cp /usr/share/OVMF/OVMF_VARS.fd /tmp
$ qemu-system-x86_64 -name real-qemu \
    -machine pc-q35-3.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off,memory-encryption=sev0 \
    -display none \
    -monitor none \
    -nographic \
    -nodefaults \
    -m 16384.0M \
    -serial mon:stdio \
    -smp 2 \
    -cpu host \
    -device sga \
    -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
    -netdev user,id=net0,net=192.168.100.0/24,dhcpstart=192.168.100.1 \
    -device virtio-net-pci,netdev=net0,id=net0,mac=52:54:00:cc:56:90,bus=pci.1,addr=0x0,romfile=,iommu_platform=on \
    -drive if=pflash,format=raw,readonly,file=/tmp/OVMF_CODE.fd \
    -drive if=pflash,format=raw,file=/tmp/OVMF_VARS.fd \
    -drive file=/var/lib/libvirt/images/real-qemu.qcow2,if=virtio,id=disk0 \
    -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x3 \
    -object secret,id=masterKey0,format=raw,file=/tmp/sev_key.aes

The output when starting the VM shows:

qemu-system-x86_64: Guest says index 53230 is available

When running the same script using the 'ide' driver instead of the 'virtio' driver, the VM starts correctly:

root@ubuntu:~# dmesg | grep -i sev
[ 0.243361] AMD Secure Encrypted Virtualization (SEV) active

There is a mention in the libvirt knowledge base documentation about the requirement to use IOMMU to make virtio work (https://libvirt.org/kbase/launch_security_sev.html#virtio), so another test was to enable IOMMU:

$ qemu-system-x86_64 -name real-qemu \
    -machine pc-q35-3.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off,memory-encryption=sev0 \
    -display none \
    -monitor none \
    -nographic \
    -nodefaults \
    -m 16384.0M \
    -serial mon:stdio \
    -smp 2 \
    -cpu host \
    -device sga \
    -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
    -netdev user,id=net0,net=192.168.100.0/24,dhcpstart=192.168.100.1 \
    -device virtio-net-pci,netdev=net0,id=net0,mac=52:54:00:cc:56:90,bus=pci.1,addr=0x0,romfile=,iommu_platform=on \
    -drive if=pflash,format=raw,readonly,file=/tmp/OVMF_CODE.fd \
    -drive if=pflash,format=raw,file=/tmp/OVMF_VARS.fd \
    -device virtio-blk-pci,drive=drive0,id=virblk0,num-queues=4,iommu_platform=on \
    -drive file=/var/lib/libvirt/images/real-qemu.qcow2,if=none,id=drive0 \
    -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x3 \
    -object secret,id=masterKey0,format=raw,file=/tmp/sev_key.aes

This also fails and issues the following error message:

qemu-system-x86_64: -device virtio-blk-pci,drive=drive0,id=virblk0,num-queues=4,iommu_platform=on: VIRTIO_F_IOMMU_PLATFORM was supported by neither legacy nor transitional device

Is it possible to use Secure Encrypted Virtualization in conjunction with the VIRTIO driver?

TIA,

Louis

To be more precise, this happens on Focal with version 4.2.3 but the same test with version 5.2 has the same behavior.

...Louis
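The two failures in the mail above share one root cause: under SEV the hypervisor cannot read guest memory, so a virtio device must be told to use the IOMMU-aware DMA path (iommu_platform=on), and QEMU's virtio-pci only accepts that flag on a modern-only device, which is what the "neither legacy nor transitional device" error says. The virtio-net device on bus=pci.1 passes because a device plugged into a PCIe root port resolves disable-legacy=auto to modern-only; the virtio-blk-pci on the root bus does not, and the "-drive ...,if=virtio" shortcut cannot set iommu_platform at all. The following POSIX sh lint is an added example, not code from the thread, from QEMU or from libvirt; it checks -device and -drive option strings for these conditions and prints a corrected device string. It assumes that disable-legacy=on is the explicit way to make a virtio-pci device modern-only (a real QEMU property) and takes the root-port ids from the command line being checked.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, QEMU or libvirt): lint QEMU
# -device / -drive option strings for virtio-pci devices used with an SEV guest.
# Assumptions, derived from the error text and QEMU's virtio-pci behaviour:
#   1. a virtio-pci device under SEV needs iommu_platform=on;
#   2. iommu_platform=on is only accepted on a modern-only device, i.e.
#      disable-legacy=on, or a device on a PCIe root port where
#      disable-legacy=auto already resolves to modern-only;
#   3. the "-drive ...,if=virtio" shortcut cannot express either, so it is flagged.

# has_opt OPTSTRING KEY=VALUE : true if the comma-separated string carries the option
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# opt_value OPTSTRING KEY : print the value of KEY, or nothing if absent
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_virtio_device DEVICE_ARGS ROOT_PORT_IDS
#   DEVICE_ARGS   the string given to -device
#   ROOT_PORT_IDS space-separated ids of pcie-root-port devices on the same command line
# Returns 0 when the device is acceptable for SEV, 1 otherwise (reason on stdout).
check_virtio_device() {
    dev=$1
    ports=$2
    case "$dev" in
        virtio-*-pci*) ;;
        *) return 0 ;;                 # not virtio-pci: nothing SEV-specific to check
    esac
    if ! has_opt "$dev" "iommu_platform=on"; then
        echo "missing iommu_platform=on: $dev"
        return 1
    fi
    if has_opt "$dev" "disable-legacy=on"; then
        return 0                       # explicitly modern-only
    fi
    bus=$(opt_value "$dev" bus)
    for p in $ports; do
        [ "$bus" = "$p" ] && return 0  # on a PCIe root port: auto resolves to modern-only
    done
    echo "transitional device with iommu_platform=on (add disable-legacy=on or plug into a PCIe root port): $dev"
    return 1
}

# check_drive DRIVE_ARGS : flag the if=virtio shortcut, which creates a
# legacy-capable virtio-blk-pci with no way to set iommu_platform=on
check_drive() {
    if has_opt "$1" "if=virtio"; then
        echo "if=virtio cannot set iommu_platform=on; use if=none plus -device virtio-blk-pci: $1"
        return 1
    fi
    return 0
}

# fix_virtio_device DEVICE_ARGS : print the string with disable-legacy=on appended if missing
fix_virtio_device() {
    if has_opt "$1" "disable-legacy=on"; then
        printf '%s\n' "$1"
    else
        printf '%s,disable-legacy=on\n' "$1"
    fi
}

# Demo over device strings copied from the second command line in the mail.
demo() {
    ports="pci.1"
    net="virtio-net-pci,netdev=net0,id=net0,mac=52:54:00:cc:56:90,bus=pci.1,addr=0x0,romfile=,iommu_platform=on"
    blk="virtio-blk-pci,drive=drive0,id=virblk0,num-queues=4,iommu_platform=on"
    check_virtio_device "$net" "$ports" && echo "ok: $net"
    if ! check_virtio_device "$blk" "$ports"; then
        echo "suggested: -device $(fix_virtio_device "$blk")"
    fi
    check_drive "file=/var/lib/libvirt/images/real-qemu.qcow2,if=virtio,id=disk0" || true
}
demo
```

Run as-is: the net device is accepted, the blk device is rejected with a suggested `-device virtio-blk-pci,...,iommu_platform=on,disable-legacy=on`, and the if=virtio drive from the first command line is flagged. Only the last issue (the legacy/transitional check) is what the mail's second error message reports; the lint also catches the first-command shape, where no iommu_platform flag can be set at all.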
