** Description changed:

- On the plucky release, the launch of SNP QEMU VM with SNP measurement
+ [ Impact ]
+ 
+ * On the Plucky release, the launch of SNP QEMU VM with SNP measurement
  boot option fails due to the absence of OVMF amdsev file in the OVMF
- plucky ubuntu package
+ package
  
- Plucky OVMF package requires the integration of the AMD SEV firmware
- file,OVMF.amdsev.fd, to enable support for SEV-secured VM remote
+ * Plucky OVMF package requires the integration of the AMD SEV firmware
+ file "OVMF.amdsev.fd", to enable support for SEV-secured VM remote
  attestation and secret injection.
+ 
+ * This upload fixes this by adapting the d/rules file according to the
+ build instructions from comment #2, for creating an additional
+ "OVMF.amdsev.fd" file.
+ 
+ [ Test Plan ]
+ 
+  * Use hardware that supports AMD SEV-SNP features, e.g.: AMD EPYC 9654 96-Core Processor
+ 
+   Jul 17 09:22:29 hoodin kernel: SEV-SNP: RMP table physical range [0x000000000d500000 - 0x000000004ddfffff]
+   Jul 17 09:22:29 hoodin kernel: SEV-SNP: Reserving start/end of RMP table on a 2MB boundary [0x000000000d400000]
+   Jul 17 09:22:30 hoodin kernel: ccp 0000:01:00.5: sev enabled
+   Jul 17 09:22:36 hoodin kernel: ccp 0000:01:00.5: SEV API:1.55 build:40
+   Jul 17 09:22:36 hoodin kernel: ccp 0000:01:00.5: SEV-SNP API:1.55 build:40
+   Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV enabled (ASIDs 10 - 1006)
+   Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV-ES enabled (ASIDs 1 - 9)
+   Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV-SNP enabled (ASIDs 1 - 9)
+ 
+ 
+ * Launch a QEMU guest, using:
+   - image: https://cloud-images.ubuntu.com/releases/plucky/release-20250701/ubuntu-25.04-server-cloudimg-amd64.img
+   - kernel: 6.14.0-23-generic (https://cloud-images.ubuntu.com/releases/plucky/release-20250701/unpacked/ubuntu-25.04-server-cloudimg-amd64-vmlinuz-generic)
+ 
+ sudo qemu-system-x86_64 \
+         -enable-kvm \
+         -nographic \
+         -cpu EPYC-v4 \
+         -machine q35 \
+         -smp 6 \
+         -m 6G \
+         -machine memory-encryption=sev0,vmport=off \
+         -object memory-backend-memfd,id=ram1,size=6G,share=true,prealloc=false \
+         -machine memory-backend=ram1 \
+         -object sev-snp-guest,id=sev0,policy=0x30000,cbitpos=51,reduced-phys-bits=5,kernel-hashes=on \
+         -kernel "$VMLINUZ" \
+         -append "root=/dev/vda1 console=ttyS0" \
+         -drive "if=virtio,format=qcow2,file=$IMAGE" \
+         -drive "if=virtio,format=raw,file=cloud-init.img" \
+         -bios /usr/share/ovmf/OVMF.amdsev.fd \
+         -net nic,model=e1000 -net user,hostfwd=tcp::2222-:22
+ 
+ * Inside the guest, confirm AMD SEV-SNP got activated and the character
+ device created after inserting the "sev-snp" module:
+ 
+   Jul 17 10:09:21 ubuntu kernel: Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP
+   Jul 17 10:09:21 ubuntu kernel: SEV: Status: SEV SEV-ES SEV-SNP
+ 
+   ubuntu@ubuntu:~$ sudo modprobe sev-guest
+   ubuntu@ubuntu:~$ ls /dev/sev-guest
+   /dev/sev-guest
+ 
+ [ Where problems could occur ]
+ 
+  * we're modifying the d/rules Makefile, to create a new, independent
+ "OVMF.amdsev.fd" UEFI rom.
+ 
+  * If anything goes wrong in d/rules, the package could FTBFS
+ 
+  * Besides that the new 60-edk2-x86_64-amdsev.json could provide wrong
+ metadata which would make the new "OVMF.amdsev.fd" not be properly
+ autodetected. Any issues inside the "OVMF.amdsev.fd" rom itself should
+ be isolated to the specific AMD SEV-SNP usecase itself.
+ 
+ [ Other Info ]
+ 
+  * This got forwarded to Debian and got a preliminary +1 from dannf, but
+ wasn't merged yet: https://salsa.debian.org/qemu-team/edk2/-/merge_requests/20
+ 
+  * This was pre-tested to be functional in comment #10 below
+ 
+ --- original bug report ---
  
  Currently, the SEV firmware necessary to support SEV Virtual Machine
  Remote Attestation is not available within the Ubuntu OVMF package.
  
  I attempted to execute an SNP QEMU measured boot using the OVMF file
  packaged with Ubuntu, but this endeavor was unsuccessful due to the
  provision of an invalid OVMF file within the Ubuntu OVMF package.
  
  Error message that I see using Ubuntu OVMF.fd (/usr/share/ovmf/OVMF.fd) as guest bios is as follows:
  qemu-system-x86_64: SEV: guest firmware hashes table area is invalid (base=0x0 size=0x0)
  
  QEMU commandline used for my SNP guest test launch on Plucky release is
  as follows:
  
  qemu-system-x86_64 \
-  -enable-kvm \
-  -cpu EPYC-v4 \
-  -m 2048 \
-  -nographic \
-  -netdev user,hostfwd=tcp::10030-:22,id=vmnic \
-  -device 
virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \
-  -device virtio-scsi-pci,id=scsi0 \
-  -device scsi-hd,drive=disk0 \
-  -drive 
if=none,id=disk0,format=qcow2,file=/home/amd/os-guest-test/os-guest-test-guest.qcow2
 \
-  -machine memory-encryption=sev0,vmport=off \
-  -object memory-backend-memfd,id=ram1,size=2048M,share=true,prealloc=false \
-  -machine memory-backend=ram1 \
-  -object 
sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,kernel-hashes=on \
-  -bios /usr/share/ovmf/OVMF.fd \
-  -kernel 
/home/amd/os-guest-test/guest_kernel_initrd/vmlinuz-6.13.9-200.fc41.x86_64  \
-  -initrd 
/home/amd/os-guest-test/guest_kernel_initrd/initramfs-6.13.9-200.fc41.x86_64.img
 \
-  -append "console=tty1 console=ttyS0,115200n8 root=LABEL=fedora ro 
rootflags=subvol=root"
+  -enable-kvm \
+  -cpu EPYC-v4 \
+  -m 2048 \
+  -nographic \
+  -netdev user,hostfwd=tcp::10030-:22,id=vmnic \
+  -device 
virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \
+  -device virtio-scsi-pci,id=scsi0 \
+  -device scsi-hd,drive=disk0 \
+  -drive 
if=none,id=disk0,format=qcow2,file=/home/amd/os-guest-test/os-guest-test-guest.qcow2
 \
+  -machine memory-encryption=sev0,vmport=off \
+  -object memory-backend-memfd,id=ram1,size=2048M,share=true,prealloc=false \
+  -machine memory-backend=ram1 \
+  -object 
sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,kernel-hashes=on \
+  -bios /usr/share/ovmf/OVMF.fd \
+  -kernel 
/home/amd/os-guest-test/guest_kernel_initrd/vmlinuz-6.13.9-200.fc41.x86_64  \
+  -initrd 
/home/amd/os-guest-test/guest_kernel_initrd/initramfs-6.13.9-200.fc41.x86_64.img
 \
+  -append "console=tty1 console=ttyS0,115200n8 root=LABEL=fedora ro 
rootflags=subvol=root"
  
  ProblemType: Bug
  DistroRelease: Ubuntu 25.04
  Package: ovmf 2025.02-3ubuntu2
  ProcVersionSignature: Ubuntu 6.14.0-13.13-generic 6.14.0
  Uname: Linux 6.14.0-13-generic x86_64
  ApportVersion: 2.32.0-0ubuntu3
  Architecture: amd64
  CasperMD5CheckResult: pass
  Date: Tue Apr  8 05:43:04 2025
  Dependencies:
-  
+ 
  InstallationDate: Installed on 2025-04-08 (0 days ago)
  InstallationMedia: Ubuntu-Server 25.04 "Plucky Puffin" - Daily amd64 
(20250407)
  PackageArchitecture: all
  ProcEnviron:
-  LANG=en_US.UTF-8
-  PATH=(custom, no user)
-  SHELL=/bin/bash
-  TERM=tmux-256color
-  XDG_RUNTIME_DIR=<set>
+  LANG=en_US.UTF-8
+  PATH=(custom, no user)
+  SHELL=/bin/bash
+  TERM=tmux-256color
+  XDG_RUNTIME_DIR=<set>
  SourcePackage: edk2
  UpgradeStatus: No upgrade log present (probably fresh install)
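As an added example (not part of the bug report or of the Ubuntu ovmf package), a small preflight script for the test plan above: it parses host kernel log lines of the kind quoted in the test plan to confirm kvm_amd reports SEV, SEV-ES and SEV-SNP enabled, counts the ASIDs available to SNP guests, and checks that the amdsev firmware build is present before the QEMU launch. The sample log text is constructed from the lines quoted above; the function names are my own.

```bash
#!/bin/bash
# Added preflight checks for the SEV-SNP test plan (not the bug report's own
# script). Constructed sample: host kernel log lines copied from the test plan,
# so the parsing can be exercised offline; on a real host pipe in `dmesg`.
SAMPLE_DMESG='Jul 17 09:22:30 hoodin kernel: ccp 0000:01:00.5: sev enabled
Jul 17 09:22:36 hoodin kernel: ccp 0000:01:00.5: SEV-SNP API:1.55 build:40
Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV enabled (ASIDs 10 - 1006)
Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV-ES enabled (ASIDs 1 - 9)
Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV-SNP enabled (ASIDs 1 - 9)'

# Read kernel log text from stdin; print "ok" when kvm_amd reports all three
# feature levels enabled, otherwise name the first level that is missing.
sev_snp_host_status() {
    local log feature
    log=$(cat)
    for feature in SEV SEV-ES SEV-SNP; do
        if ! printf '%s\n' "$log" | grep -q "kvm_amd: ${feature} enabled"; then
            echo "missing: ${feature}"
            return 1
        fi
    done
    echo ok
}

# Read kernel log text from stdin; print how many ASIDs the host can hand to
# SEV-SNP guests (each running SNP guest occupies one, so this bounds how many
# can be launched at once). Prints 0 when SEV-SNP is not enabled.
snp_asid_count() {
    local range
    range=$(grep -o 'SEV-SNP enabled (ASIDs [0-9]* - [0-9]*)' \
            | grep -o '[0-9]* - [0-9]*' || true)
    if [ -z "$range" ]; then echo 0; return 1; fi
    echo $(( ${range##* } - ${range%% *} + 1 ))
}

# The launch in the test plan needs the amdsev firmware build: plain OVMF.fd
# has no hashes table, which is the "guest firmware hashes table area is
# invalid" error from the original report when kernel-hashes=on is used.
check_amdsev_firmware() {
    local fw="${1:-/usr/share/ovmf/OVMF.amdsev.fd}"
    if [ ! -r "$fw" ]; then
        echo "missing firmware: $fw"
        return 1
    fi
    echo ok
}

# Typical use on the host, before the qemu-system-x86_64 command above:
#   dmesg | sev_snp_host_status && check_amdsev_firmware
```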

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2106771

Title:
  Add support for QEMU AMD SNP VM Measured linux boot with the addition
  of new AMDSEV OVMF.fd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2106771/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
