FS#69350 - AMD SEV is not supported
Attached to Project:
Community Packages
Opened by Andrej Podzimek (andrej) - Sunday, 17 January 2021, 07:41 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 18 January 2021, 13:14 GMT
Details
Description:
My hardware is an ASRock X570 Creator with a Ryzen 3950X, BIOS version 3.30. (It has 128 GB of ECC RAM, 4 chips of type M391A4G43MB1-CTD, just in case this matters.)

I tried to enable AMD SEV based on this howto: https://libvirt.org/kbase/launch_security_sev.html

* I have "mem_encrypt=on kvm_amd.sev=1" on the kernel command line.
* /sys/module/kvm_amd/parameters/sev contains "1", as expected.
* I cleaned up the capabilities cache, as recommended.
* I even added /etc/udev/rules.d/71-sev.rules mentioned (e.g.) here: https://github.com/AMDESE/AMDSEV#opensuse-tumbleweed

But the key issue/symptom appears to be the absence of /dev/sev. There is no such device file on my system, which is most likely related to the "ccp: unable to access the device: ..." message (see below).

Additional info:
* package version(s)
    linux 5.10.7.arch1-1
    libvirt 1:6.5.0-3
    qemu 5.2.0-2
* config and/or log files etc.

When kvm_amd is loaded:
    Jan 17 08:02:47 charon kernel: ccp 0000:80:00.1: ccp: unable to access the device: you might be running a broken BIOS.
    Jan 17 07:54:46 charon kernel: kvm: Nested Virtualization enabled
    Jan 17 07:54:46 charon kernel: SEV supported
    Jan 17 07:54:46 charon kernel: SVM: kvm: Nested Paging enabled
    Jan 17 07:54:46 charon kernel: SVM: Virtual VMLOAD VMSAVE supported
    Jan 17 07:54:46 charon kernel: SVM: Virtual GIF supported

When kvm_amd is unloaded:
    Jan 17 08:02:42 charon kernel: SEV: DF_FLUSH failed, ret=-19, error=0x0

* link to upstream bug report, if any
This seems related: https://bbs.archlinux.org/viewtopic.php?id=257232
This seems related (to the X570 chipset, but it's a Gigabyte MB, not ASRock): https://forum.gigabyte.us/thread/9479/bug-linux-x570-aorus-initialize
I couldn't find anything exactly Linux-specific. The thread above suggests that there is a workaround for something called Windows, which I assume is a game console firmware of some sort (no idea; couldn't find its sources on GitHub or the like).

Steps to reproduce:
Try to use AMD SEV on the hardware described above.

What would be the next step here? Should I try to file a ticket with ASRock? If there are any debugging suggestions, I'll be more than happy to test them.
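A host-side readiness check that walks the same prerequisites the report lists (the CPU's sev flag, kvm_amd.sev, the /dev/sev node, and the ccp message in the kernel log), added here as an example; it is not code from the report, from libvirt, or from AMD. The function name sev_host_check, its argument order, the optional saved-dmesg argument, and the guard on $0 are this example's own assumptions; the default paths are the ones named in the report and in the libvirt howto. Taking every path as a parameter lets the same check run against copies of the files collected from another machine.

```shell
#!/bin/sh
# Added example, not code from the bug report, libvirt or AMD.
# Checks the SEV prerequisites on a KVM host in the order the libvirt howto
# walks through them. Each path is a parameter (defaults are the live system),
# so the check also works on saved copies of the files. The fifth argument is
# an optional file holding saved dmesg output.
# sev_host_check and its argument layout are assumptions of this example.

sev_host_check() {
    cpuinfo="${1:-/proc/cpuinfo}"
    cmdline="${2:-/proc/cmdline}"
    sevparam="${3:-/sys/module/kvm_amd/parameters/sev}"
    sevdev="${4:-/dev/sev}"
    klog="${5:-}"
    fail=0

    # 1. The CPU advertises SEV; /proc/cpuinfo lists it as the "sev" flag
    #    (-w keeps "sev_es" from satisfying this check on its own).
    if grep -qw sev "$cpuinfo"; then
        echo "ok:   CPU advertises sev"
    else
        echo "FAIL: no sev flag in $cpuinfo (CPU or firmware does not expose SEV)"
        fail=1
    fi

    # 2. kvm_amd was asked to enable SEV on the kernel command line. Only a
    #    warning: the module default may already be enabled on a given kernel.
    if grep -q 'kvm_amd.sev=1' "$cmdline"; then
        echo "ok:   kvm_amd.sev=1 on the kernel command line"
    else
        echo "WARN: kvm_amd.sev=1 not on the kernel command line"
    fi

    # 3. kvm_amd is loaded and reports SEV enabled: "1" on kernels where the
    #    parameter is an int (as in the report), "Y" where it is a bool.
    case "$(cat "$sevparam" 2>/dev/null)" in
        1|Y) echo "ok:   $sevparam reports SEV enabled" ;;
        *)   echo "FAIL: $sevparam missing or not enabled"; fail=1 ;;
    esac

    # 4. The ccp driver registered /dev/sev; libvirt and QEMU issue SEV
    #    commands through it. On a real host it is a character device; -e is
    #    used so the check also works on a saved copy of the tree.
    if [ -e "$sevdev" ]; then
        echo "ok:   $sevdev present"
    else
        echo "FAIL: $sevdev missing; the ccp driver did not bring up the PSP"
        fail=1
    fi

    # 5. With a saved kernel log, look for the ccp failure from the report,
    #    which explains a missing /dev/sev better than anything libvirt prints.
    if [ -n "$klog" ] && grep -q 'ccp: unable to access the device' "$klog"; then
        echo "FAIL: ccp could not access the PSP (firmware problem); SEV cannot work"
        fail=1
    fi

    return "$fail"
}

# Run against the live system only when executed as sev_check.sh; when the
# file is sourced, the caller invokes sev_host_check itself.
case "$0" in
    *sev_check.sh) sev_host_check "$@" ;;
esac
```

Save it as sev_check.sh and run it as root, optionally with `dmesg > /tmp/klog` first and `/proc/cpuinfo /proc/cmdline /sys/module/kvm_amd/parameters/sev /dev/sev /tmp/klog` as arguments. On the hardware in the report the first three checks pass and the last two fail, which matches the diagnosis that the problem sits below the kernel, in the PSP firmware, rather than in the packages.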
I assumed that when SME works on my CPU (so well that it breaks virtualization :-P https://bugs.archlinux.org/task/68541), then SEV should work too.
Unfortunately, this is not that easy: https://github.com/AMDESE/AMDSEV/issues/1 AMD’s own repo has a lot of contradictory comments floating around, but multiple people seem to agree that while a Ryzen would be capable of AMD SEV and has the required hardware in it, the feature is disabled in firmware (perhaps to push more people into buying an EPYC).
Anyway, it looks like this is _not_ a packaging or ArchLinux specific issue.
So IIUC, the feature is somewhere there, in silicon, but the CPU microcode (intentionally) doesn't support it. :-(