Libvirt SEV support in Kitten

Hello, I have been testing Alma Linux Kitten and libvirt is not properly detecting SEV capabilities. Is Libvirt/QEMU compiled without SEV support?

$ dmesg | grep -i sev
[ 1.821468] ccp 0000:45:00.1: sev enabled
[ 53.414679] kvm_amd: SEV enabled (ASIDs 250 - 509)
[ 53.414701] kvm_amd: SEV-ES enabled (ASIDs 1 - 249)
[ 53.414720] kvm_amd: SEV-SNP disabled (ASIDs 1 - 249)

$ virsh domcapabilities | grep -i sev
<sev supported='no'/>

$ virt-host-validate
QEMU: Checking for hardware virtualization : PASS
QEMU: Checking if device '/dev/kvm' exists : PASS
QEMU: Checking if device '/dev/kvm' is accessible : PASS
QEMU: Checking if device '/dev/vhost-net' exists : PASS
QEMU: Checking if device '/dev/net/tun' exists : PASS
QEMU: Checking for cgroup 'cpu' controller support : PASS
QEMU: Checking for cgroup 'cpuacct' controller support : PASS
QEMU: Checking for cgroup 'cpuset' controller support : PASS
QEMU: Checking for cgroup 'memory' controller support : PASS
QEMU: Checking for cgroup 'devices' controller support : PASS
QEMU: Checking for cgroup 'blkio' controller support : PASS
QEMU: Checking for device assignment IOMMU support : PASS
QEMU: Checking if IOMMU is enabled by kernel : PASS
QEMU: Checking for secure guest support : PASS
QEMU: Checking for AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES): PASS
QEMU: Checking for AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP): PASS

On Friday, February 21, 2025 7:29:24 AM Eastern Standard Time Teodor Pripoae wrote:
> Hello,
>
> I have been testing Alma Linux Kitten and libvirt is not properly detecting SEV capabilities. Is Libvirt/QEMU compiled without SEV support?
>
> $ dmesg | grep -i sev
> [ 1.821468] ccp 0000:45:00.1: sev enabled
> [ 53.414679] kvm_amd: SEV enabled (ASIDs 250 - 509)
> [ 53.414701] kvm_amd: SEV-ES enabled (ASIDs 1 - 249)
> [ 53.414720] kvm_amd: SEV-SNP disabled (ASIDs 1 - 249)
>
> $ virsh domcapabilities | grep -i sev
> <sev supported='no'/>
>
> $ virt-host-validate
> QEMU: Checking for hardware virtualization : PASS
> QEMU: Checking if device '/dev/kvm' exists : PASS
> QEMU: Checking if device '/dev/kvm' is accessible : PASS
> QEMU: Checking if device '/dev/vhost-net' exists : PASS
> QEMU: Checking if device '/dev/net/tun' exists : PASS
> QEMU: Checking for cgroup 'cpu' controller support : PASS
> QEMU: Checking for cgroup 'cpuacct' controller support : PASS
> QEMU: Checking for cgroup 'cpuset' controller support : PASS
> QEMU: Checking for cgroup 'memory' controller support : PASS
> QEMU: Checking for cgroup 'devices' controller support : PASS
> QEMU: Checking for cgroup 'blkio' controller support : PASS
> QEMU: Checking for device assignment IOMMU support : PASS
> QEMU: Checking if IOMMU is enabled by kernel : PASS
> QEMU: Checking for secure guest support : PASS
> QEMU: Checking for AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES): PASS
> QEMU: Checking for AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP): PASS

I don't own a system to check this myself, but based on what I see in the qemu-kvm and libvirt package sources in CentOS Stream, I expect this feature to be available.

According to the Red Hat Enterprise Linux 10.0 Beta release notes, it is available as a technology preview[1].

The following steps are required to enable SEV:

# Enable SEV and memory encryption
$ sudo grubby --update-kernel=ALL --args="mem_encrypt=on kvm_amd.sev=1"

# Clean the capabilities cache
$ sudo rm -f /var/cache/libvirt/qemu/capabilities/*

# Reboot the system
$ sudo systemctl reboot

This should get things working properly.

[1]: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/ht...

--
真実はいつも一つ!/ Always, there's only one truth!

It seems it may be a problem on Fedora as well.

https://www.spinics.net/linux/fedora/libvirt-users/msg14452.html

According to an answer on the Fedora issue, somebody pointed out it may be QEMU that was compiled with some missing flags. Where can I look up the flags used for compiling QEMU?

On RHEL 9.5 and clones (Alma/Rocky) SEV was properly detected by libvirt on the same machine.

Also, it's strange that virt-host-validate sees the SEV capabilities. The kernel has them enabled (mem_encrypt, kvm_amd.sev, etc).

On 2/24/25 5:17 PM, Neal Gompa wrote:
> On Friday, February 21, 2025 7:29:24 AM Eastern Standard Time Teodor Pripoae wrote:
>> Hello,
>>
>> I have been testing Alma Linux Kitten and libvirt is not properly detecting SEV capabilities. Is Libvirt/QEMU compiled without SEV support?
>>
>> $ dmesg | grep -i sev
>> [ 1.821468] ccp 0000:45:00.1: sev enabled
>> [ 53.414679] kvm_amd: SEV enabled (ASIDs 250 - 509)
>> [ 53.414701] kvm_amd: SEV-ES enabled (ASIDs 1 - 249)
>> [ 53.414720] kvm_amd: SEV-SNP disabled (ASIDs 1 - 249)
>>
>> $ virsh domcapabilities | grep -i sev
>> <sev supported='no'/>
>>
>> $ virt-host-validate
>> QEMU: Checking for hardware virtualization : PASS
>> QEMU: Checking if device '/dev/kvm' exists : PASS
>> QEMU: Checking if device '/dev/kvm' is accessible : PASS
>> QEMU: Checking if device '/dev/vhost-net' exists : PASS
>> QEMU: Checking if device '/dev/net/tun' exists : PASS
>> QEMU: Checking for cgroup 'cpu' controller support : PASS
>> QEMU: Checking for cgroup 'cpuacct' controller support : PASS
>> QEMU: Checking for cgroup 'cpuset' controller support : PASS
>> QEMU: Checking for cgroup 'memory' controller support : PASS
>> QEMU: Checking for cgroup 'devices' controller support : PASS
>> QEMU: Checking for cgroup 'blkio' controller support : PASS
>> QEMU: Checking for device assignment IOMMU support : PASS
>> QEMU: Checking if IOMMU is enabled by kernel : PASS
>> QEMU: Checking for secure guest support : PASS
>> QEMU: Checking for AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES): PASS
>> QEMU: Checking for AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP): PASS
>
> I don't own a system to check this myself, but based on what I see in the qemu-kvm and libvirt package sources in CentOS Stream, I expect this feature to be available.
>
> According to the Red Hat Enterprise Linux 10.0 Beta release notes, it is available as a technology preview[1].
>
> The following steps are required to enable SEV:
>
> # Enable SEV and memory encryption
> $ sudo grubby --update-kernel=ALL --args="mem_encrypt=on kvm_amd.sev=1"
>
> # Clean the capabilities cache
> $ sudo rm -f /var/cache/libvirt/qemu/capabilities/*
>
> # Reboot the system
> $ sudo systemctl reboot
>
> This should get things working properly.
>
> [1]: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/ht...
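
An added example, not part of the thread and not libvirt's own tooling: a small shell helper that lines up the three views posted above (kernel log, virt-host-validate, virsh domcapabilities) and names the layer that disagrees. The function names and verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic sketch: compare what each layer says about SEV.
# Function names and verdict strings are made up for this example.

# Kernel view, from `dmesg` text: enabled | disabled | unknown
kernel_sev_state() {
    printf '%s\n' "$1" | awk '
        /kvm_amd: SEV enabled/  { s = "enabled" }
        /kvm_amd: SEV disabled/ { s = "disabled" }
        END { print (s == "" ? "unknown" : s) }'
}

# virt-host-validate view of "secure guest support": PASS | FAIL | WARN | unknown
validate_sev_state() {
    r=$(printf '%s\n' "$1" |
        sed -n 's/.*Checking for secure guest support *: *\([A-Z]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${r:-unknown}"
}

# libvirt view, from `virsh domcapabilities` XML: yes | no | unknown
libvirt_sev_state() {
    r=$(printf '%s\n' "$1" |
        sed -n "s/.*<sev supported='\([a-z]*\)'.*/\1/p" | head -n 1)
    printf '%s\n' "${r:-unknown}"
}

# Verdict: which layer is the odd one out?
sev_verdict() {
    k=$(kernel_sev_state "$1"); v=$(validate_sev_state "$2"); l=$(libvirt_sev_state "$3")
    case "$k/$v/$l" in
        enabled/PASS/yes) echo "ok: all layers agree SEV is usable" ;;
        enabled/*/no)     echo "mismatch: kernel=$k validate=$v libvirt=no (look at QEMU and libvirt's cached capabilities)" ;;
        disabled/*)       echo "kernel: SEV is off in kvm_amd (check mem_encrypt= and kvm_amd.sev=)" ;;
        *)                echo "inconclusive: kernel=$k validate=$v libvirt=$l" ;;
    esac
}

# Live use on a host (dmesg usually needs root).
check_host() {
    sev_verdict "$(dmesg)" "$(virt-host-validate qemu 2>&1)" "$(virsh domcapabilities)"
}

# Constructed sample, abridged from the output quoted in the thread.
demo() {
    sev_verdict '[ 53.414679] kvm_amd: SEV enabled (ASIDs 250 - 509)' \
        'QEMU: Checking for secure guest support : PASS' \
        "<sev supported='no'/>"
}
demo
```

On a real host, call `check_host` instead of `demo`; a "mismatch" verdict matches the situation reported in this thread.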
participants (2)
- Neal Gompa
- Teodor Pripoae