Re: [PATCH 00/20] OvmfPkg: SEV: decrypt the initial SMRAM save state map for SMBASE relocation

[Brijesh Singh <brijesh.singh@amd.com>]

Hi Laszlo,



On 03/05/2018 08:00 AM, Laszlo Ersek wrote:
> On 03/02/18 14:17, Brijesh Singh wrote:
>> On 3/2/18 5:53 AM, Laszlo Ersek wrote:
> 
>>> Do you have (maybe updated) instructions for setting up the SEV host?
>>> What are the latest bits that are expected to work together?
> 
>> For host kernel:
>> - use recent kvm/master
>> - make sure following kernel config is enabled
>>    CONFIG_KVM_AMD_SEV
>>    CONFIG_CRYPTO_DEV_SP_PSP
>>    CONFIG_AMD_MEM_ENCRYPT
>>    CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT
>>
>> For guest kernel:
>>   - you can use host kernel or anything >=4.15
>>      make sure you have following config enabled in kernel:
>>        CONFIG_AMD_MEM_ENCRYPT
>>
>> For qemu:
>> - v10 patches from this branch
>> https://github.com/codomania/qemu/tree/v10
> 
> QEMU exits with the following error for me:
> 
> 2018-03-05T13:40:12.478835Z qemu-system-x86_64: sev_ram_block_added: failed to register region (0x7f3df3e00000+0x200000000)
> 2018-03-05T13:40:12.489183Z qemu-system-x86_64: sev_ram_block_added: failed to register region (0x7f3ffaa00000+0x37c000)
> 2018-03-05T13:40:12.497580Z qemu-system-x86_64: sev_ram_block_added: failed to register region (0x7f3ffa800000+0x20000)
> 2018-03-05T13:40:12.504485Z qemu-system-x86_64: sev_launch_update_data: LAUNCH_UPDATE ret=-12 fw_error=0 ''
> 2018-03-05T13:40:12.504493Z qemu-system-x86_64: failed to encrypt pflash rom
> 
> Here's my full QEMU command line (started by libvirt) -- this command line does not restrict pflash access to guest code that runs in SMM, and correspondingly, the OVMF build lacks SMM_REQUIRE:
> 

Are you launching guest as a normal users or root ? If you are launching 
guest as normal user then please make sure you have increased the 'max 
locked memory' limit. The register region function will try to pin the 
memory, while doing so we check the limit and if requested size is 
greater than ulimit then we fail.


# ulimit -a
core file size          (blocks, -c) unlimited
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 966418
max locked memory       (kbytes, -l) 10240000
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 966418
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

If QEMU command is still failing for you then can you please share your 
kernel dmesg. thanks


> /opt/qemu-installed/bin/qemu-system-x86_64 \
>    -name guest=from-brijesh,debug-threads=on \
>    -S \
>    -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-4-from-brijesh/master-key.aes \
>    -machine pc-q35-2.10,accel=kvm,usb=off,smm=on,dump-guest-core=off \
>    -cpu host \
>    -drive file=/home/virt-images/OVMF_CODE.4m.fd,if=pflash,format=raw,unit=0,readonly=on \
>    -drive file=/var/lib/libvirt/qemu/nvram/from-brijesh_VARS.fd,if=pflash,format=raw,unit=1 \
>    -m 8192 \
>    -realtime mlock=off \
>    -smp 1,sockets=1,cores=1,threads=1 \
>    -uuid e2373f13-f481-4008-88d0-d61fa9da16fe \
>    -no-user-config \
>    -nodefaults \
>    -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-4-from-brijesh/monitor.sock,server,nowait \
>    -mon chardev=charmonitor,id=monitor,mode=control \
>    -rtc base=utc \
>    -no-shutdown \
>    -boot strict=on \
>    -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
>    -device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 \
>    -device pcie-root-port,port=0x12,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2 \
>    -device pcie-root-port,port=0x13,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3 \
>    -device nec-usb-xhci,id=usb,bus=pci.1,addr=0x0 \
>    -device virtio-scsi-pci,iommu_platform=on,ats=on,id=scsi0,bus=pci.3,addr=0x0 \
>    -drive file=/var/lib/libvirt/images/rhel-7-server.qcow2,format=qcow2,if=none,id=drive-scsi0-0-0-0,cache=writeback,discard=unmap,werror=enospc \
>    -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 \
>    -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=28 \
>    -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:65:f7:fb,bus=pci.4,addr=0x0,rombar=0 \
>    -chardev pty,id=charserial0 \
>    -device isa-serial,chardev=charserial0,id=serial0 \
>    -device usb-tablet,id=input2,bus=usb.0,port=1 \
>    -spice port=5900,addr=127.0.0.1,disable-ticketing,seamless-migration=on \
>    -device cirrus-vga,id=video0,bus=pcie.0,addr=0x1 \
>    -device virtio-balloon-pci,id=balloon0,bus=pci.2,addr=0x0 \
>    -global isa-debugcon.iobase=0x402 \
>    -debugcon file:/tmp/from-brijesh.log \
>    -fw_cfg name=opt/ovmf/PcdResizeXterm,string=y \
>    -s \
>    -object sev-guest,id=sev0,policy=0x0,cbitpos=47,reduced-phys-bits=5 \
>    -machine memory-encryption=sev0 \
>    -msg timestamp=on
> 
> Thanks,
> Laszlo
>