AMD SEV - Secure Virtualisation

a how to make usage of AMD's SEV

Secure Encrypted Virtualization (SEV) #

see: https://developer.amd.com/sev

> edit /etc/default/grub
  GRUB_CMDLINE_LINUX=".... nomodeset rhgb quiet mem_encrypt=on kvm_amd.sev=1"

> grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg
  Generating grub configuration file ...

> reboot

> cat /proc/cmdline
  BOOT_IMAGE=(hd0,gpt2)/vmlinuz-4.18.0-305.12.1.el8_4.x86_64 root=/dev/mapper/almalinux-root ro crashkernel=auto resume=/dev/mapper/almalinux-swap rd.lvm.lv=almalinux/root rd.lvm.lv=almalinux/swap nomodeset rhgb quiet mem_encrypt=on kvm_amd.sev=1

> dnf install git-core
> git clone https://github.com/AMDESE/AMDSEV.git
> cd AMDSEV/distros/rhel-8.0
> ./build.sh
  Last metadata expiration check: 2:53:23 ago on Wed 08 Sep 2021 03:31:19 PM CEST.
  Package qemu-kvm-15:4.2.0-48.module_el8.4.0+2523+3300d70f.3.x86_64 is already installed.
  Package qemu-img-15:4.2.0-48.module_el8.4.0+2523+3300d70f.3.x86_64 is already installed.
  Package edk2-ovmf-20200602gitca407c7246bf-4.el8_4.1.noarch is already installed.
  Dependencies resolved.
  Nothing to do.
  Complete!

> cp ../launch-qemu.sh /usr/local/bin

> qemu-img create -f qcow2 rhel-8.qcow2 30G
> cp /usr/share/OVMF/OVMF_VARS.fd OVMF_VARS.fd
> launch-qemu.sh -hda rhel-8.qcow2 -cdrom /var/lib/libvirt/images/AlmaLinux-8.4-x86_64-boot.iso
  char device redirected to /dev/pts/1 (label compat_monitor0)
  qemu-kvm: sev_guest_init: Failed to open /dev/sev 'No such file or directory'
  qemu-kvm: failed to initialize KVM: Operation not permitted
  #memory encryption disabled?

> cat /sys/devices/virtual/dmi/id/board_{vendor,name,version}
  ASUSTeK COMPUTER INC.
  PRIME B450M-A
  Rev X.0x

> dmesg|grep -i sme
  [    0.001000] AMD Memory Encryption Features active: SME

> dmesg|grep -i sev
  [    4.464266] SEV supported

> cat /sys/module/kvm_amd/parameters/sev
  1

# "-nosev" didnt works sadly
> launch-qemu.sh -hda rhel-8.qcow2 -cdrom /var/lib/libvirt/images/AlmaLinux-8.4-x86_64-boot.iso -nosev