
On Friday, February 21, 2025 7:29:24 AM Eastern Standard Time Teodor Pripoae wrote:
Hello,
I have been testing Alma Linux Kitten and libvirt is not properly detecting SEV capabilities. Is Libvirt/QEMU compiled without SEV support?

$ dmesg | grep -i sev
[ 1.821468] ccp 0000:45:00.1: sev enabled
[ 53.414679] kvm_amd: SEV enabled (ASIDs 250 - 509)
[ 53.414701] kvm_amd: SEV-ES enabled (ASIDs 1 - 249)
[ 53.414720] kvm_amd: SEV-SNP disabled (ASIDs 1 - 249)

$ virsh domcapabilities | grep -i sev
<sev supported='no'/>

$ virt-host-validate
QEMU: Checking for hardware virtualization : PASS
QEMU: Checking if device '/dev/kvm' exists : PASS
QEMU: Checking if device '/dev/kvm' is accessible : PASS
QEMU: Checking if device '/dev/vhost-net' exists : PASS
QEMU: Checking if device '/dev/net/tun' exists : PASS
QEMU: Checking for cgroup 'cpu' controller support : PASS
QEMU: Checking for cgroup 'cpuacct' controller support : PASS
QEMU: Checking for cgroup 'cpuset' controller support : PASS
QEMU: Checking for cgroup 'memory' controller support : PASS
QEMU: Checking for cgroup 'devices' controller support : PASS
QEMU: Checking for cgroup 'blkio' controller support : PASS
QEMU: Checking for device assignment IOMMU support : PASS
QEMU: Checking if IOMMU is enabled by kernel : PASS
QEMU: Checking for secure guest support : PASS
QEMU: Checking for AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES): PASS
QEMU: Checking for AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP): PASS

I don't own a system to check this myself, but based on what I see in the qemu-kvm and libvirt package sources in CentOS Stream, I expect this feature to be available. According to the Red Hat Enterprise Linux 10.0 Beta release notes, it is available as a technology preview[1]. The following steps are required to enable SEV:

# Enable SEV and memory encryption
$ sudo grubby --update-kernel=ALL --args="mem_encrypt=on kvm_amd.sev=1"

# Clean the capabilities cache
$ sudo rm -f /var/cache/libvirt/qemu/capabilities/*

# Reboot the system
$ sudo systemctl reboot

This should get things working properly.

[1]: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/ht...

-- 
真実はいつも一つ!/ Always, there's only one truth!
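
An added example, not part of the original message or of any project's code: a POSIX shell check to run after the reboot that reports which layer still blocks SEV, in the order of the steps above (kernel arguments, the kvm_amd log line, libvirt's domcapabilities answer). The function names, verdict strings and the `--live` switch are made up for this example.

```shell
#!/bin/sh
# Added example: verify the SEV enablement steps layer by layer.
# Each function takes its input as text so it can be checked offline.

# Succeeds if both arguments from the grubby step are on the kernel command line.
cmdline_has_sev_args() {
    case " $1 " in *" mem_encrypt=on "*) ;; *) return 1 ;; esac
    case " $1 " in *" kvm_amd.sev=1 "*) ;; *) return 1 ;; esac
}

# Succeeds if kvm_amd logged plain SEV as enabled.
# "SEV-ES enabled" alone does not match this pattern.
kernel_sev_enabled() {
    printf '%s\n' "$1" | grep -q 'kvm_amd: SEV enabled'
}

# Succeeds if libvirt's domain capabilities XML reports SEV as supported.
libvirt_sev_supported() {
    printf '%s\n' "$1" | grep -q "<sev supported='yes'"
}

# sev_verdict CMDLINE DMESG DOMCAPS
# Prints the first layer that fails, or "ok".
sev_verdict() {
    if ! cmdline_has_sev_args "$1"; then
        echo "missing-kernel-args"      # grubby step not applied or not rebooted
    elif ! kernel_sev_enabled "$2"; then
        echo "kvm-sev-disabled"         # check firmware settings and kvm_amd
    elif ! libvirt_sev_supported "$3"; then
        echo "libvirt-not-detecting"    # kernel is fine; clear the capabilities cache
    else
        echo "ok"
    fi
}

# Live mode: read the real sources (dmesg and virsh may need root).
if [ "${1:-}" = "--live" ]; then
    sev_verdict "$(cat /proc/cmdline)" "$(dmesg)" "$(virsh domcapabilities)"
fi
```

A verdict of `libvirt-not-detecting` matches the situation in the original report, where the kernel log shows SEV enabled while `virsh domcapabilities` still prints `<sev supported='no'/>`.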