[pve-devel] [PATCH qemu-server v3] QEMU AMD SEV enable

[Thomas Lamprecht]

Am 09/12/2022 um 15:25 schrieb Markus Frank:
> This Patch is for enabling AMD SEV (Secure Encrypted
> Virtualization) support in QEMU
> 
> VM-Config-Examples:
> amd_sev: type=std,nodbg=1,noks=1
> amd_sev: es,nodbg=1,kernel-hashes=1
> 
> Node-Config-Example (gets generated automatically):
> amd_sev: cbitpos=47,reduced-phys-bios=1
> 
> kernel-hashes, reduced-phys-bios & cbitpos correspond to the varibles
> with the same name in qemu.
> 
> kernel-hashes=1 adds kernel-hashes to enable measured linux kernel
> launch since it is per default off for backward compatibility.
> 
> reduced-phys-bios and cbitpos are system specific and can be read out
> with QMP. If not set by the user, a dummy-vm gets started to read QMP
> for these variables out and save them to the node config.
> Afterwards the dummy-vm gets stopped.
> 
> type=std stands for standard sev to differentiate it from sev-es (es)
> or sev-snp (snp) when support is upstream.
> 
> Qemu's sev-guest policy gets calculated with the parameters nodbg & noks
> These parameters correspond to policy-bits 0 & 1.
> If type=es than policy-bit 2 gets set to 1 to activate SEV-ES.
> Policy bit 3 (nosend) is always set to 1, because migration
> features for sev are not upstream yet and are attackable.
> 
> see coherent doc patch
> 
> Signed-off-by: Markus Frank <m.frank at proxmox.com>
> ---
> I still could not get SEV-ES to work.
> After a firmware update I got the same error like Daniel in his testing:
> kvm: ../softmmu/vl.c:2568: qemu_machine_creation_done: Assertion `machine->cgs->ready' failed.
> 


This was one of the main turn-offs for me, but maybe the situation change
here w.r.t newer HW, kernel and QEMU support.

Can you please re-test this rather soonish? E.g. with kernel 6.5 and 6.8,
also trying a newer QEMU like Fiona's 8.2 build and our newer AMD based
HW would be good to check out.