Public bug reported:

When using the VIRTIO driver, starting a VM with SEV enabled on SEV-enabled hardware fails. The situation may be tested with the following commands:

  $ dd if=/dev/urandom of=/tmp/sev_key.aes bs=8 count=4
  $ cp /usr/share/OVMF/OVMF_CODE.fd /tmp
  $ cp /usr/share/OVMF/OVMF_VARS.fd /tmp
  $ qemu-system-x86_64 -name real-qemu \
      -machine pc-q35-3.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off,memory-encryption=sev0 \
      -display none \
      -monitor none \
      -nographic \
      -nodefaults \
      -m 16384.0M \
      -serial mon:stdio \
      -smp 2 \
      -cpu host \
      -device sga \
      -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
      -netdev user,id=net0,net=192.168.100.0/24,dhcpstart=192.168.100.1 \
      -device virtio-net-pci,netdev=net0,id=net0,mac=52:54:00:cc:56:90,bus=pci.1,addr=0x0,romfile=,iommu_platform=on \
      -drive if=pflash,format=raw,readonly,file=/tmp/OVMF_CODE.fd \
      -drive if=pflash,format=raw,file=/tmp/OVMF_VARS.fd \
      -drive file=/var/lib/libvirt/images/real-qemu.qcow2,if=virtio,id=disk0 \
      -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x3 \
      -object secret,id=masterKey0,format=raw,file=/tmp/sev_key.aes

The output when starting the VM shows:

  qemu-system-x86_64: Guest says index 53230 is available

When running the same script using the 'ide' driver instead of the 'virtio' driver, the VM starts correctly:

  root@ubuntu:~# dmesg | grep -i sev
  [    0.243361] AMD Secure Encrypted Virtualization (SEV) active

There is a mention in the libvirt knowledge base documentation about the requirement to use IOMMU to make virtio work (https://libvirt.org/kbase/launch_security_sev.html#virtio), so another test was to enable IOMMU:

  $ qemu-system-x86_64 -name real-qemu \
      -machine pc-q35-3.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off,memory-encryption=sev0 \
      -display none \
      -monitor none \
      -nographic \
      -nodefaults \
      -m 16384.0M \
      -serial mon:stdio \
      -smp 2 \
      -cpu host \
      -device sga \
      -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
      -netdev user,id=net0,net=192.168.100.0/24,dhcpstart=192.168.100.1 \
      -device virtio-net-pci,netdev=net0,id=net0,mac=52:54:00:cc:56:90,bus=pci.1,addr=0x0,romfile=,iommu_platform=on \
      -drive if=pflash,format=raw,readonly,file=/tmp/OVMF_CODE.fd \
      -drive if=pflash,format=raw,file=/tmp/OVMF_VARS.fd \
      -device virtio-blk-pci,drive=drive0,id=virblk0,num-queues=4,iommu_platform=on \
      -drive file=/var/lib/libvirt/images/real-qemu.qcow2,if=none,id=drive0 \
      -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x3 \
      -object secret,id=masterKey0,format=raw,file=/tmp/sev_key.aes

This also fails and issues the following error message:

  qemu-system-x86_64: -device virtio-blk-pci,drive=drive0,id=virblk0,num-queues=4,iommu_platform=on: VIRTIO_F_IOMMU_PLATFORM was supported by neither legacy nor transitional device

Is it possible to use SEV in conjunction with the VIRTIO driver?

** Affects: qemu (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1915509

Title:
  QEMU 1:4.2-3ubuntu6.12 : Unable to start SEV enabled VM using virtio driver
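The two failures above come from two different configuration problems, and both can be caught before the VM is launched. With SEV, guest memory is encrypted, so a virtio device can only see the virtqueues if the guest is told to bounce DMA through the emulated IOMMU (iommu_platform=on); a `-drive if=virtio` shorthand creates a virtio-blk-pci device with no way to set that property, which matches the garbage available-index in the first error. QEMU then refuses iommu_platform=on on a device that still exposes the legacy virtio-pci interface, which is what the "neither legacy nor transitional device" message says; disable-legacy=on makes a virtio-pci device modern-only, and an express device plugged into a pcie-root-port (the virtio-net-pci on pci.1 above) is modern-only by QEMU's default, which is why that one was accepted. The linter below encodes those rules. It is an added example, not code from the bug report, QEMU or libvirt; the command line it checks is a constructed, trimmed copy of the reporter's invocation with placeholder paths, and the helper names are its own.

```python
import shlex

# Constructed sample modelled on the reporter's command line, trimmed to the
# arguments that matter for SEV + virtio. Paths and ids are placeholders.
SAMPLE_CMDLINE = (
    "qemu-system-x86_64 -name real-qemu "
    "-machine pc-q35-3.0,accel=kvm,memory-encryption=sev0 "
    "-device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,addr=0x2 "
    "-netdev user,id=net0 "
    "-device virtio-net-pci,netdev=net0,id=net0,bus=pci.1,addr=0x0,iommu_platform=on "
    "-drive file=/tmp/disk.qcow2,if=virtio,id=disk0 "
    "-drive file=/tmp/disk2.qcow2,if=none,id=drive0 "
    "-device virtio-blk-pci,drive=drive0,id=virblk0,num-queues=4,iommu_platform=on "
    "-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x3"
)


def parse_spec(spec):
    """Split 'virtio-blk-pci,drive=drive0,iommu_platform=on' into
    ('virtio-blk-pci', {'drive': 'drive0', 'iommu_platform': 'on'}).
    A bare key such as 'readonly' maps to 'on'."""
    head, *rest = spec.split(",")
    props = {}
    for item in rest:
        key, sep, value = item.partition("=")
        props[key] = value if sep else "on"
    return head, props


def collect(argv, flag):
    """Values following every occurrence of one option, e.g. every '-device'."""
    return [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == flag]


def is_virtio_pci(name):
    return name.startswith("virtio-") and name.endswith("-pci")


def lint_sev_virtio(cmdline):
    """Return findings for virtio-pci devices that cannot work under SEV as
    written. An empty list means nothing was flagged."""
    argv = shlex.split(cmdline)
    findings = []

    sev = any("memory-encryption" in parse_spec(m)[1]
              for m in collect(argv, "-machine"))
    if not sev:
        return findings  # no encrypted memory: the virtio rules below do not apply

    devices = [parse_spec(d) for d in collect(argv, "-device")]
    # Express devices behind a pcie-root-port are modern-only by QEMU default,
    # so an explicit disable-legacy=on is not required there.
    root_ports = {p["id"] for name, p in devices
                  if name == "pcie-root-port" and "id" in p}

    for spec in collect(argv, "-drive"):
        _, props = parse_spec(spec)
        if props.get("if") == "virtio":
            findings.append(
                f"drive {props.get('id', '?')}: if=virtio creates a virtio-blk-pci "
                "device without iommu_platform=on; use if=none plus an explicit -device")

    for name, props in devices:
        if not is_virtio_pci(name):
            continue
        ident = props.get("id", name)
        if props.get("iommu_platform") != "on":
            findings.append(f"device {ident}: needs iommu_platform=on under SEV")
            continue
        modern_only = (props.get("disable-legacy") == "on"
                       or props.get("bus") in root_ports)
        if not modern_only:
            findings.append(
                f"device {ident}: iommu_platform=on on a transitional device; "
                "add disable-legacy=on")
    return findings


def harden_device_spec(spec):
    """Rewrite a virtio-pci -device spec for use under SEV by forcing
    iommu_platform=on and disable-legacy=on. Other devices pass through."""
    name, props = parse_spec(spec)
    if not is_virtio_pci(name):
        return spec
    props["iommu_platform"] = "on"
    props["disable-legacy"] = "on"
    return ",".join([name] + [f"{k}={v}" for k, v in props.items()])


if __name__ == "__main__":
    for finding in lint_sev_virtio(SAMPLE_CMDLINE):
        print(finding)
    print(harden_device_spec("virtio-blk-pci,drive=drive0,id=virblk0,num-queues=4"))
```

Run on the sample it reports the `if=virtio` drive and the transitional virtio-blk-pci and stays silent on the virtio-net-pci behind pci.1; `harden_device_spec` produces the `-device` spec that passes the same checks.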