SEV is disabled in BIOS


江立中

Sep 1, 2022, 9:20:03 AM
to cloudla...@googlegroups.com, shi...@csie.ntu.edu.tw

Hello Cloudlab Team.


My current experiment is https://www.cloudlab.us/status.php?uuid=68e0dd04-279e-11ed-b318-e4434b2381fc

I’m running the experiment with Linux version 5.19 on r6525 (AMD EPYC 7543 Milan).

I was trying to run SEV-VM with QEMU as follows:

root@node0:/mydata# sudo /qemu/build/qemu-system-x86_64 \
    -drive if=pflash,format=raw,unit=0,file=OVMF_CODE.fd,readonly=on \
    -drive if=pflash,format=raw,unit=1,file=OVMF_VARS.fd \
    -object sev-guest,id=sev0,policy=0x00000,cbitpos=51,reduced-phys-bits=1 \
    -machine confidential-guest-support=sev0 …

And I got the following error messages:

Mapping CTRL-C to CTRL-]
qemu-system-x86_64: sev_kvm_init: Failed to open /dev/sev 'No such file or directory'
qemu-system-x86_64: failed to initialize kvm: Operation not permitted


First, I checked the cpuid command and got the following results.

root@node0:~# cpuid -1 | grep "SEV:\|SME:\|SEV-ES"
      SME: secure memory encryption support    = true
      SEV: secure encrypted virtualize support = true
      SEV-ES: SEV encrypted state support      = true

It showed that this processor indeed supports SME and SEV.


According to this response https://github.com/AMDESE/AMDSEV/issues/36#issuecomment-523088840 and this webpage https://www.kernel.org/doc/html/v5.7/virt/kvm/amd-memory-encryption.html, I checked the MSR C001_0010 by running the following command and got the result.

root@node0:~# rdmsr -x 0xc0010010
740000

Bit 23 is zero, which means that memory encryption cannot be enabled.


Also, I checked the debug message and got this.

root@node0:~# dmesg | grep SEV
[   20.135524] ccp 0000:22:00.1: SEV: memory encryption not enabled by BIOS

It said that memory encryption has been disabled in BIOS.


However, to the best of my knowledge I cannot modify the BIOS setting by myself.

I wonder if you could help me enable these two features in BIOS on r6525 by default?

Thanks!


Sincerely,

Michael
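
The checks walked through in the post above (MSR C001_0010 bit 23, the ccp driver's dmesg line, and the missing /dev/sev node), combined into one triage script. This is an added example, not part of the original thread: the function names are hypothetical, the "SEV API:" line is what the Linux ccp driver logs when SEV initializes, and the sample input is the MSR value and log line quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): triage why QEMU cannot open /dev/sev.
# Function names are hypothetical; inputs below are the values quoted above.

# Bit 23 of MSR 0xC001_0010: 1 = memory encryption can be enabled.
# $1: hex string as printed by `rdmsr -x 0xc0010010`.
syscfg_bit23() (
    val=$(( 0x${1#0x} ))
    echo $(( (val >> 23) & 1 ))
)

# Classify the ccp driver's SEV lines from dmesg text on stdin.
classify_ccp_log() (
    verdict="no-sev-message"
    while IFS= read -r line; do
        case "$line" in
            *"SEV: memory encryption not enabled by BIOS"*)
                verdict="disabled-in-bios" ;;
            *"SEV API:"*)  # logged by ccp when the SEV firmware initializes
                [ "$verdict" = "disabled-in-bios" ] || verdict="sev-initialized" ;;
        esac
    done
    echo "$verdict"
)

# Combine MSR, kernel log and device node into one finding.
# $1: SYSCFG hex value, $2: device path (normally /dev/sev); dmesg on stdin.
sev_triage() (
    bit=$(syscfg_bit23 "$1")
    log=$(classify_ccp_log)
    dev="absent"
    if [ -c "$2" ]; then dev="present"; fi
    if [ "$bit" -eq 0 ] || [ "$log" = "disabled-in-bios" ]; then
        echo "firmware: memory encryption is off in BIOS setup (bit23=$bit log=$log dev=$dev)"
    elif [ "$dev" = "absent" ]; then
        echo "kernel: firmware allows encryption but $2 is missing; check ccp/kvm_amd (log=$log)"
    else
        echo "ok: bit23=$bit log=$log dev=$dev"
    fi
)

# Constructed run using the MSR value and dmesg line quoted in the post.
sev_triage 740000 /dev/sev <<'EOF'
[   20.135524] ccp 0000:22:00.1: SEV: memory encryption not enabled by BIOS
EOF
```

On a live host the same function takes real input: `dmesg | sev_triage "$(rdmsr -x 0xc0010010)" /dev/sev`.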

Mike Hibler

Sep 1, 2022, 10:37:42 AM
to cloudla...@googlegroups.com, shi...@csie.ntu.edu.tw
Sorry for the delay, I have enabled Secure Memory Encryption in the BIOS
(on clnode315 in your experiment). Let's see if that allows you to use SEV_VM.

江立中

Sep 1, 2022, 9:10:54 PM
to cloudlab-users
Hi

It works very well.
Thanks a lot!

Best,
Michael

江立中

Sep 15, 2022, 8:37:32 AM
to cloudlab-users
Hi

My experiment on clnode315 has expired successfully.
Thanks for your help!
