Hi Laszlo,


On 03/05/2018 08:00 AM, Laszlo Ersek wrote:
> On 03/02/18 14:17, Brijesh Singh wrote:
>> On 3/2/18 5:53 AM, Laszlo Ersek wrote:
>>>
>>> Do you have (maybe updated) instructions for setting up the SEV host?
>>> What are the latest bits that are expected to work together?
>>
>> For the host kernel:
>> - use recent kvm/master
>> - make sure the following kernel config options are enabled:
>>    CONFIG_KVM_AMD_SEV
>>    CONFIG_CRYPTO_DEV_SP_PSP
>>    CONFIG_AMD_MEM_ENCRYPT
>>    CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT
>>
>> For the guest kernel:
>>   - you can use the host kernel or anything >=4.15;
>>      make sure you have the following config option enabled in the kernel:
>>        CONFIG_AMD_MEM_ENCRYPT
>>
>> For qemu:
>> - v10 patches from this branch
>> https://github.com/codomania/qemu/tree/v10

> QEMU exits with the following error for me:
>
> 2018-03-05T13:40:12.478835Z qemu-system-x86_64: sev_ram_block_added: failed to register region (0x7f3df3e00000+0x200000000)
> 2018-03-05T13:40:12.489183Z qemu-system-x86_64: sev_ram_block_added: failed to register region (0x7f3ffaa00000+0x37c000)
> 2018-03-05T13:40:12.497580Z qemu-system-x86_64: sev_ram_block_added: failed to register region (0x7f3ffa800000+0x20000)
> 2018-03-05T13:40:12.504485Z qemu-system-x86_64: sev_launch_update_data: LAUNCH_UPDATE ret=-12 fw_error=0 ''
> 2018-03-05T13:40:12.504493Z qemu-system-x86_64: failed to encrypt pflash rom
>
> Here's my full QEMU command line (started by libvirt) -- this command line does
> not restrict pflash access to guest code that runs in SMM, and correspondingly,
> the OVMF build lacks SMM_REQUIRE:
>

Are you launching the guest as a normal user or as root? If you are launching the guest as a normal user, then please make sure you have increased the 'max locked memory' limit. The register region function will try to pin the memory; while doing so we check the limit, and if the requested size is greater than the ulimit then we fail.


# ulimit -a
core file size          (blocks, -c) unlimited
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 966418
max locked memory       (kbytes, -l) 10240000
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 966418
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

If the QEMU command is still failing for you, then can you please share your kernel dmesg? Thanks.


> /opt/qemu-installed/bin/qemu-system-x86_64 \
>    -name guest=from-brijesh,debug-threads=on \
>    -S \
>    -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-4-from-brijesh/master-key.aes \
>    -machine pc-q35-2.10,accel=kvm,usb=off,smm=on,dump-guest-core=off \
>    -cpu host \
>    -drive file=/home/virt-images/OVMF_CODE.4m.fd,if=pflash,format=raw,unit=0,readonly=on \
>    -drive file=/var/lib/libvirt/qemu/nvram/from-brijesh_VARS.fd,if=pflash,format=raw,unit=1 \
>    -m 8192 \
>    -realtime mlock=off \
>    -smp 1,sockets=1,cores=1,threads=1 \
>    -uuid e2373f13-f481-4008-88d0-d61fa9da16fe \
>    -no-user-config \
>    -nodefaults \
>    -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-4-from-brijesh/monitor.sock,server,nowait \
>    -mon chardev=charmonitor,id=monitor,mode=control \
>    -rtc base=utc \
>    -no-shutdown \
>    -boot strict=on \
>    -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
>    -device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 \
>    -device pcie-root-port,port=0x12,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2 \
>    -device pcie-root-port,port=0x13,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3 \
>    -device nec-usb-xhci,id=usb,bus=pci.1,addr=0x0 \
>    -device virtio-scsi-pci,iommu_platform=on,ats=on,id=scsi0,bus=pci.3,addr=0x0 \
>    -drive file=/var/lib/libvirt/images/rhel-7-server.qcow2,format=qcow2,if=none,id=drive-scsi0-0-0-0,cache=writeback,discard=unmap,werror=enospc \
>    -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 \
>    -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=28 \
>    -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:65:f7:fb,bus=pci.4,addr=0x0,rombar=0 \
>    -chardev pty,id=charserial0 \
>    -device isa-serial,chardev=charserial0,id=serial0 \
>    -device usb-tablet,id=input2,bus=usb.0,port=1 \
>    -spice port=5900,addr=127.0.0.1,disable-ticketing,seamless-migration=on \
>    -device cirrus-vga,id=video0,bus=pcie.0,addr=0x1 \
>    -device virtio-balloon-pci,id=balloon0,bus=pci.2,addr=0x0 \
>    -global isa-debugcon.iobase=0x402 \
>    -debugcon file:/tmp/from-brijesh.log \
>    -fw_cfg name=opt/ovmf/PcdResizeXterm,string=y \
>    -s \
>    -object sev-guest,id=sev0,policy=0x0,cbitpos=47,reduced-phys-bits=5 \
>    -machine memory-encryption=sev0 \
>    -msg timestamp=on
>
> Thanks,
> Laszlo

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
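A pre-flight check for the limit Brijesh points at, added here as an example (not code from the thread, QEMU or KVM): it reads the 'max locked memory' figure from `ulimit -a` output, the region sizes from QEMU's `sev_ram_block_added` errors, and decodes `ret=-12` to its errno name. The sample input is constructed from the values quoted in the thread; that the registration path is bounded by RLIMIT_MEMLOCK is taken from the reply, not verified here.

```python
"""Pre-flight check for the SEV locked-memory failure discussed above.

Added example, not code from the thread, QEMU or KVM. Per the reply,
region registration pins guest memory and fails once the request exceeds
'max locked memory' (RLIMIT_MEMLOCK); all sample inputs are constructed.
"""
import errno
import re

# Constructed sample: the 'ulimit -a' line for the locked-memory limit.
ULIMIT_SAMPLE = "max locked memory       (kbytes, -l) 10240000\n"

# Constructed sample built from the QEMU errors quoted in the thread.
QEMU_LOG = """\
qemu-system-x86_64: sev_ram_block_added: failed to register region (0x7f3df3e00000+0x200000000)
qemu-system-x86_64: sev_ram_block_added: failed to register region (0x7f3ffaa00000+0x37c000)
qemu-system-x86_64: sev_ram_block_added: failed to register region (0x7f3ffa800000+0x20000)
qemu-system-x86_64: sev_launch_update_data: LAUNCH_UPDATE ret=-12 fw_error=0 ''
"""

def parse_memlock_kb(ulimit_output):
    """RLIMIT_MEMLOCK in kB from 'ulimit -a' text; None means unlimited."""
    m = re.search(r"max locked memory\s+\(kbytes, -l\)\s+(\S+)", ulimit_output)
    if m is None:
        raise ValueError("no 'max locked memory' line in ulimit output")
    return None if m.group(1) == "unlimited" else int(m.group(1))

def region_sizes(qemu_log):
    """Byte sizes of the regions QEMU reported it could not register."""
    pattern = r"failed to register region \(0x[0-9a-f]+\+(0x[0-9a-f]+)\)"
    return [int(size, 16) for size in re.findall(pattern, qemu_log)]

def launch_update_errno(qemu_log):
    """Symbolic errno for the LAUNCH_UPDATE ret= value, e.g. -12 -> 'ENOMEM'."""
    m = re.search(r"LAUNCH_UPDATE ret=(-?\d+)", qemu_log)
    return None if m is None else errno.errorcode.get(-int(m.group(1)))

def memlock_shortfall_kb(limit_kb, regions):
    """kB by which the limit is too small to pin all regions at once (0 if it fits)."""
    if limit_kb is None:  # 'unlimited': the pinning check cannot fail on size
        return 0
    need_kb = -(-sum(regions) // 1024)  # round up to whole kB
    return max(0, need_kb - limit_kb)

if __name__ == "__main__":
    short = memlock_shortfall_kb(parse_memlock_kb(ULIMIT_SAMPLE), region_sizes(QEMU_LOG))
    print(launch_update_errno(QEMU_LOG), "| shortfall kB:", short)
```

A non-zero shortfall means the guest's regions cannot all be pinned under the current limit; a zero shortfall, as the 10240000 kB limit quoted above gives against the three regions in the log, points the investigation at dmesg instead, as the reply suggests.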
