It seems it may be a problem on Fedora as well.
https://www.spinics.net/linux/fedora/libvirt-users/msg14452.html
According to an answer on the Fedora issue, somebody pointed out it may be
QEMU that was compiled with some missing flags. Where can I look up the
flags used for compiling QEMU?
On RHEL 9.5 and clones (Alma/Rocky) SEV was properly detected by libvirt
on the same machine.
Also, it's strange that virt-host-validate sees the SEV capabilities.
The kernel has them enabled (mem_encrypt, kvm_amd.sev, etc).
On 2/24/25 5:17 PM, Neal Gompa wrote:
On Friday, February 21, 2025 7:29:24 AM Eastern Standard Time Teodor Pripoae
wrote:
Hello,
I have been testing Alma Linux Kitten and libvirt is not properly detecting
SEV capabilities. Is Libvirt/QEMU compiled without SEV support?
$ dmesg | grep -i sev
[ 1.821468] ccp 0000:45:00.1: sev enabled
[ 53.414679] kvm_amd: SEV enabled (ASIDs 250 - 509)
[ 53.414701] kvm_amd: SEV-ES enabled (ASIDs 1 - 249)
[ 53.414720] kvm_amd: SEV-SNP disabled (ASIDs 1 - 249)
$ virsh domcapabilities | grep -i sev
<sev supported='no'/>
$ virt-host-validate
QEMU: Checking for hardware virtualization : PASS
QEMU: Checking if device '/dev/kvm' exists : PASS
QEMU: Checking if device '/dev/kvm' is accessible : PASS
QEMU: Checking if device '/dev/vhost-net' exists : PASS
QEMU: Checking if device '/dev/net/tun' exists : PASS
QEMU: Checking for cgroup 'cpu' controller support : PASS
QEMU: Checking for cgroup 'cpuacct' controller support : PASS
QEMU: Checking for cgroup 'cpuset' controller support : PASS
QEMU: Checking for cgroup 'memory' controller support : PASS
QEMU: Checking for cgroup 'devices' controller support : PASS
QEMU: Checking for cgroup 'blkio' controller support : PASS
QEMU: Checking for device assignment IOMMU support : PASS
QEMU: Checking if IOMMU is enabled by kernel : PASS
QEMU: Checking for secure guest support : PASS
QEMU: Checking for AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES): PASS
QEMU: Checking for AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP): PASS
I don't own a system to check this myself, but based on what I see in the
qemu-kvm and libvirt package sources in CentOS Stream, I expect this feature
to be available.
According to the Red Hat Enterprise Linux 10.0 Beta release notes, it is
available as a technology preview[1].
The following steps are required to enable SEV:
# Enable SEV and memory encryption
$ sudo grubby --update-kernel=ALL --args="mem_encrypt=on kvm_amd.sev=1"
# Clean the capabilities cache
$ sudo rm -f /var/cache/libvirt/qemu/capabilities/*
# Reboot the system
$ sudo systemctl reboot
This should get things working properly.
[1]: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html-single/10.0_beta_release_notes/index#Jira-RHELDOCS-16800
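
Added example, not part of the original thread: a small shell check for the mismatch discussed above, comparing the kvm_amd.sev module parameter with the <sev supported=.../> element from virsh domcapabilities. The function names, the result keywords and the --live switch are made up for this example, the sample XML is constructed, and treating "Y" or "1" as "enabled" is an assumption about how the parameter reads.

```shell
#!/bin/sh
# Added example (not from the thread): compare the kernel's SEV state with
# the <sev supported=.../> element libvirt reports in `virsh domcapabilities`.

# Constructed sample input mirroring the output quoted in the thread.
SAMPLE_DOMCAPS="<domainCapabilities>
  <features>
    <sev supported='no'/>
  </features>
</domainCapabilities>"

# kernel_sev_state VALUE: VALUE is the content of
# /sys/module/kvm_amd/parameters/sev. Assumption: "Y" or "1" means enabled.
kernel_sev_state() {
    case "$1" in
        Y|y|1) echo on ;;
        *)     echo off ;;
    esac
}

# libvirt_sev_state: reads domcapabilities XML on stdin and prints the value
# of the supported attribute, or "absent" when there is no <sev> element.
libvirt_sev_state() {
    state=$(sed -n "s/.*<sev[[:space:]]\{1,\}supported=['\"]\([a-z]*\)['\"].*/\1/p" | head -n 1)
    echo "${state:-absent}"
}

# diagnose_sev KERNEL_VALUE DOMCAPS_XML: prints one keyword.
diagnose_sev() {
    k=$(kernel_sev_state "$1")
    l=$(printf '%s\n' "$2" | libvirt_sev_state)
    case "$k/$l" in
        on/yes)  echo consistent ;;       # both layers agree SEV is usable
        on/*)    echo libvirt-behind ;;   # the situation reported in this thread
        off/yes) echo libvirt-stale ;;    # libvirt claims more than the kernel offers
        *)       echo kernel-disabled ;;  # nothing for libvirt to detect yet
    esac
}

if [ "${1:-}" = "--live" ]; then
    # On a real host: read the module parameter and ask libvirt directly.
    diagnose_sev "$(cat /sys/module/kvm_amd/parameters/sev 2>/dev/null)" \
                 "$(virsh domcapabilities 2>/dev/null)"
else
    diagnose_sev 1 "$SAMPLE_DOMCAPS"      # prints: libvirt-behind
fi
```

Running it with --live before and after clearing /var/cache/libvirt/qemu/capabilities/ shows whether the cache step changes what libvirt reports.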