| -rw-r--r-- | README | 50 | ||||
| -rwxr-xr-x | build.sh | 41 | ||||
| -rwxr-xr-x | launch-qemu.sh | 73 | ||||
| -rw-r--r-- | stable-commits | 15 |
4 files changed, 115 insertions, 64 deletions
@@ -1,4 +1,5 @@ -The repository contains the code to enable the SEV support on AMD Eypc Processor. +The repository contains the script to build the various components required to +enable the SEV support on AMD Eypc Processor. Prepare Hypervisor: =================== 
@@ -7,45 +8,56 @@ Follow the below steps to prepare the host OS (hypervisor) for SEV support: # cd /home/user/ # git clone --single-branch -b master https://github.com/AMDESE/AMDSEV.git # cd AMDSEV -# ./build.sh (this should take a while, it will build the linux kernel, qemu and ovmf) +# ./build.sh (this should take a while) -The script is designed to produce a kernel debain packages. Install the new kernel +The script is designed to produce a kernel deb packages. Install the new kernel image as shown below: -# cd /home/user/AMDSEV/output/kernel/ +# cd /home/user/AMDSEV/output/kvm # sudo dpkg -i linux-image-*.deb -Reboot the host OS and select the "-sev" image from the grub menu. +Reboot the host OS and select the newly built kernel image from the grub menu. -On successful boot, verify that /dev/sev1 device is created. +On successful boot, verify that /dev/sev device is created. Prepare guest OS ================= -Follow the below steps to update your guest image with SEV kernel. The step assumes you -have a working guest image. In below steps we will boot the guest and update the kernel -image to use our kernel. +1) Download ubuntu iso image -1) Launch a guest (non sev) - # cd /home/user/AMDSEV/output/qemu-output - # sudo ./launch-qmeu.sh -nosev -hda <your disk image> +2) Install Ubuntu image -NOTE: The launch scripts are setup to use UEFI based guest BIOS image (aka OVMF), it is -assumed that your hard disk image was installed using UEFI based guest BIOS. +# cd /home/user/AMDSEV/output/qemu-output +# qemu-img create -f qcow2 ubuntu-img.qcow2 30G (create empty qcow2 file) +# sudo ./launch-qemu.sh -hda ubuntu-img.qcow2 -nosev -cdrom <your_iso_image> -vnc 1 + +The installer GUI can be accessed via vnc port 1. Follow the installation screen +to complete the installation and reboot the guest with newly installed image. + +3) Install SEV aware guest kernel image + +SEV aware guest kernel deb packages is available in /home/user/AMDSEV/output/tip +directory. 
-2) Login to the guest and copy the linux-image-*deb created during host prepration. +a) Boot the guest image +# cd /home/user/AMDSEV/output/qemu-output +# sudo ./launch-qemu.sh -hda ubuntu-img.qcow2 -nosev -vnc 1 + +b) copy the SEV aware guest kernel deb packges from host to guest (hint use scp) -3) Install the kernel image using "dpkg -i linux-image-*.deb" +c) install the kernel image +# sudo dpkg -i linux-image*.deb -4) Shutdown the guest +d) reboot the guest and verify +NOTE: +To boot ubuntu using serial console follow the below recommendation: +https://askubuntu.com/questions/924913/how-to-get-to-the-grub-menu-at-boot-time-using-serial-console Launching SEV Guest =================== - To launch SEV enabled guest, use: # cd /home/user/AMDSEV/output/qemu-output # sudo ./launch-qemu.sh -hda <your disk image> - NOTE: when guest is booting, CTRL-C is mapped to CTRL-], use CTRL-] to stop the guest 
@@ -19,28 +19,39 @@ run_cmd() fetch_kernel() { - run_cmd "mkdir -p ${BUILD_DIR}/kernel" - run_cmd "git clone --single-branch -b ${KERNEL_COMMIT} ${KERNEL_GIT_URL} ${BUILD_DIR}/kernel" - cd ${BUILD_DIR}/kernel + echo "Fetching $1" + if [ "$1" = "kvm" ]; then + KERNEL_COMMIT=${KVM_KERNEL_COMMIT} + KERNEL_GIT_URL=${KVM_GIT_URL} + elif [ "$1" = "tip" ]; then + KERNEL_COMMIT=${TIP_KERNEL_COMMIT} + KERNEL_GIT_URL=${TIP_GIT_URL} + else + echo "** ERROR **" + exit 1 + fi + + run_cmd "mkdir -p ${BUILD_DIR}/$1" + run_cmd "git clone --single-branch -b ${KERNEL_COMMIT} ${KERNEL_GIT_URL} ${BUILD_DIR}/$1" } build_kernel() { - if [ ! -d $BUILD_DIR/kernel ]; then - fetch_kernel + if [ ! -d $BUILD_DIR/$1 ]; then + fetch_kernel "$1" fi - cd $BUILD_DIR/kernel + cd $BUILD_DIR/$1 cp /boot/config-$(uname -r) .config sed -ie s/CONFIG_LOCALVERSION.*/CONFIG_LOCALVERSION=\"\"/g .config ./scripts/config --enable CONFIG_AMD_MEM_ENCRYPT - ./scripts/config --enable CONFIG_CRYPTO_DEV_CCP - ./scripts/config --enable CONFIG_CRYPTO_DEV_SP_PSP - ./scripts/config --enable CONFIG_CRYPTO_DEV_PSP_SEV + ./scripts/config --enable CONFIG_AMD_KVM_SEV ./scripts/config --disable CONFIG_DEBUG_INFO ./scripts/config --module CRYPTO_DEV_CCP_DD ./scripts/config --disable CONFIG_LOCALVERSION_AUTO yes "" | make olddefconfig - run_cmd "make -j `getconf _NPROCESSORS_ONLN` deb-pkg LOCALVERSION=-sev" + run_cmd "make -j `getconf _NPROCESSORS_ONLN` deb-pkg LOCALVERSION=-$1" + run_cmd "mkdir -p $OUTPUT_DIR/$1" + run_cmd "mv ../linux-*${1}*.deb $OUTPUT_DIR/$1" } fetch_ovmf() @@ -87,12 +98,6 @@ build_qemu() --prefix=$OUTPUT_DIR/qemu-output" run_cmd "make -j$(getconf _NPROCESSORS_ONLN)" run_cmd "make -j$(getconf _NPROCESSORS_ONLN) install" -} - -finalize_output() -{ - run_cmd "mkdir -p $OUTPUT_DIR/kernel" - run_cmd "mv $BUILD_DIR/linux-* $OUTPUT_DIR/kernel" run_cmd "cp $BUILD_DIR/../launch-qemu.sh $OUTPUT_DIR/qemu-output" } 
@@ -103,7 +108,7 @@ dep_install () } dep_install -build_kernel +build_kernel "kvm" +build_kernel "tip" build_qemu build_ovmf -finalize_output diff --git a/launch-qemu.sh b/launch-qemu.sh index f9baad5..a065110 100755 --- a/launch-qemu.sh +++ b/launch-qemu.sh @@ -13,24 +13,26 @@ UEFI_BIOS_CODE="`pwd`/share/qemu/OVMF_CODE.fd" UEFI_BIOS_VARS="`pwd`/OVMF_VARS.fd" #VNC_PORT="" AUTOSTART="1" +ALLOW_DEBUG="0" +USE_VIRTIO="1" usage() { echo "$0 [options]" echo "Available <commands>:" - echo " -hda hard disk" + echo " -hda hard disk ($HDA_FILE)" echo " -nosev disable sev support" echo " -mem guest memory" echo " -smp number of cpus" echo " -console display console to use (serial or graphics)" echo " -vnc VNC port to use" echo " -bios bios to use (default $UEFI_BIOS_CODE)" - echo " -netconsole redirect console to tcp port" echo " -kernel kernel to use" echo " -initrd initrd to use" echo " -noauto do not autostart the guest" echo " -cdrom CDROM image" echo " -hugetlb use hugetlbfs" - echo " -background background the launch" + echo " -allow-debug allow debugging the VM" + echo " -novirtio do not use virtio devices" exit 1 } 
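Review bot: `cd $BUILD_DIR/$1` in build_kernel is unchecked, so if the clone in fetch_kernel failed part way the following `cp`, `sed` and `make` run in whatever directory the script is already in; `cd "$BUILD_DIR/$1" || exit 1` closes that, and the quotes keep a space in BUILD_DIR from splitting the path. `./scripts/config --enable` accepts any symbol name and `make olddefconfig` then typically drops symbols the tree does not define without complaint, so the new `CONFIG_AMD_KVM_SEV` line deserves a check after olddefconfig such as `grep -q '^CONFIG_AMD_KVM_SEV=y' .config || exit 1` before the deb-pkg build starts. The clone fetches `${KERNEL_COMMIT}` with `-b`, i.e. as a branch name that can move between runs; recording `git -C "${BUILD_DIR}/$1" rev-parse HEAD` into `$OUTPUT_DIR/$1` next to the packages would make each built host and guest kernel traceable to an exact tree. run_cmd, which both functions rely on for error handling, is defined above this hunk.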
@@ -80,21 +82,26 @@ setup_hugetlbfs() { setup_bridge_network() { # Get last tap device on host - TAP_NUM=`ifconfig | grep tap | tail -1 | cut -c4- | cut -f1 -d ' '` + TAP_NUM=`ifconfig | grep tap | tail -1 | cut -c4- | cut -f1 -d ' ' | cut -f1 -d:` if [ "$TAP_NUM" = "" ]; then TAP_NUM="1" fi TAP_NUM=`echo $(( TAP_NUM + 1 ))` GUEST_TAP_NAME="tap${TAP_NUM}" - GUEST_MAC_ADDR=$(printf "00:16:3e:%02x:01:01" 0x${TAP_NUM}) + GUEST_MAC_ADDR=$(printf "02:16:1e:%02x:01:01" 0x${TAP_NUM}) echo "Starting network adapter '${GUEST_TAP_NAME}' MAC=$GUEST_MAC_ADDR" run_cmd "ip tuntap add $GUEST_TAP_NAME mode tap user `whoami`" run_cmd "ip link set $GUEST_TAP_NAME up" run_cmd "ip link set $GUEST_TAP_NAME master br0" - add_opts "-device e1000,mac=${GUEST_MAC_ADDR},netdev=net0" - add_opts "-netdev tap,id=net0,ifname=$GUEST_TAP_NAME,script=no,downscript=no" + if [ "$USE_VIRTIO" = "1" ]; then + add_opts "-netdev type=tap,script=no,downscript=no,id=net0,ifname=$GUEST_TAP_NAME" + add_opts "-device virtio-net-pci,netdev=net0,disable-legacy=on,iommu_platform=true,romfile=" + else + add_opts "-device e1000,mac=${GUEST_MAC_ADDR},netdev=net0" + add_opts "-netdev tap,id=net0,ifname=$GUEST_TAP_NAME,script=no,downscript=no" + fi } trap exit_from_int SIGINT @@ -109,7 +116,7 @@ while [[ $1 != "" ]]; do -hda) HDA_FILE="${2}" shift ;; - -nosev) SEV_GUEST="" + -nosev) SEV_GUEST="0" ;; -mem) GUEST_SIZE_IN_MB=${2} shift @@ -145,6 +152,10 @@ while [[ $1 != "" ]]; do ;; -hugetlb) USE_HUGETLBFS="1" ;; + -allow-debug) ALLOW_DEBUG="1" + ;; + -novirtio) USE_VIRTIO="0" + ;; *) usage;; esac shift @@ -157,7 +168,7 @@ rm -rf ${QEMU_CMDLINE} add_opts "${QEMU_INSTALL_DIR}qemu-system-x86_64" # Basic virtual machine property -add_opts "-enable-kvm -cpu host" +add_opts "-enable-kvm -cpu EPYC" # add number of VCPUs [ ! -z ${SMP_NCPUS} ] && add_opts "-smp ${SMP_NCPUS},maxcpus=64" 
@@ -176,30 +187,37 @@ add_opts "-drive if=pflash,format=raw,unit=1,file=${UEFI_BIOS_VARS}" # If harddisk file is specified then add the HDD drive if [ ! -z ${HDA_FILE} ]; then - if [[ ${HDA_FILE} = *"qcow2" ]]; then - add_opts "-drive file=${HDA_FILE},format=qcow2" + if [ "$USE_VIRTIO" = "1" ]; then + if [[ ${HDA_FILE} = *"qcow2" ]]; then + add_opts "-drive file=${HDA_FILE},if=none,id=disk0,format=qcow2" + else + add_opts "-drive file=${HDA_FILE},if=none,id=disk0,format=raw" + fi + add_opts "-device virtio-scsi-pci,id=scsi,disable-legacy=on,iommu_platform=true" + add_opts "-device scsi-hd,drive=disk0" + # virtio-blk + # add_opts "-device virtio-blk-pci,drive=disk0,disable-legacy=on,iommu_platform=true" else - add_opts "-drive file=${HDA_FILE},format=raw" + if [[ ${HDA_FILE} = *"qcow2" ]]; then + add_opts "-drive file=${HDA_FILE},format=qcow2" + else + add_opts "-drive file=${HDA_FILE},format=raw" + fi fi fi -# If this is SEV guest then add the encryption device objects to enable SEV -if [ ! -z ${SEV_GUEST} ]; then - add_opts "-object sev-guest,id=sev0" +# If this is SEV guest then add the encryption device objects to enable support +if [ ${SEV_GUEST} = "1" ]; then + if [ "${ALLOW_DEBUG}" = "1" ]; then + SEV_DEBUG_POLICY=",policy=0x0" + fi + add_opts "-object sev-guest,id=sev0${SEV_DEBUG_POLICY}" add_opts "-machine memory-encryption=sev0" fi # if we are asked to use hugetlbfs [ ! -z ${USE_HUGETLBFS} ] && setup_hugetlbfs -# If we are asked to redirect the serial console to network port -if [ "${NETCONSOLE_PORT}" != "" ]; then - HOST_ADDR="`ifconfig | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`" - add_opts "-chardev socket,host=$HOST_ADDR,port=$NETCONSOLE_PORT,id=gnc1,server,nowait" - add_opts "-device isa-serial,chardev=gnc1" - echo "Setting network console $HOST_ADDR:$NETCONSOLE_PORT" -fi - # if console is serial then disable graphical interface if [ "${CONSOLE}" = "serial" ]; then add_opts "-nographic" 
@@ -230,6 +248,14 @@ if [ "$BR0_STATUS" != "" ]; then setup_bridge_network fi +# start gdbserver +add_opts "-s" + +# add virtio ring +if [ "$USE_VIRTIO" = "1" ]; then + add_opts "-device virtio-rng-pci,disable-legacy=on,iommu_platform=true" +fi + # log the console output in stdout.log QEMU_CONSOLE_LOG=`pwd`/stdout.log @@ -237,6 +263,7 @@ QEMU_CONSOLE_LOG=`pwd`/stdout.log cat $QEMU_CMDLINE | tee ${QEMU_CONSOLE_LOG} echo | tee -a ${QEMU_CONSOLE_LOG} + # map CTRL-C to CTRL ] echo "Mapping CTRL-C to CTRL-]" stty intr ^] diff --git a/stable-commits b/stable-commits index 118d653..ae3d9b6 100644 --- a/stable-commits +++ b/stable-commits @@ -2,10 +2,17 @@ # stable commit for SEV test builds # -KERNEL_GIT_URL=https://github.com/AMDESE/AMDSEV.git -KERNEL_COMMIT=kernel-rfc-3 +# hypervisor commit +KVM_GIT_URL=https://github.com/AMDESE/kvm.git +KVM_KERNEL_COMMIT=sev-v6-p2+fixes -QEMU_GIT_URL=https://github.com/AMDESE/AMDSEV.git -QEMU_COMMIT=qemu-sev-rfc-v4+ +# guest kernel commit +TIP_GIT_URL=https://github.com/AMDESE/tip.git +TIP_KERNEL_COMMIT=sev-v7-p1 +# qemu commit +QEMU_GIT_URL=https://github.com/AMDESE/qemu.git +QEMU_COMMIT=v5-wip-1 + +# guest bios EDK2_GIT_URL=https://github.com/tianocore/edk2.git |
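Review bot: `add_opts "-s"` in the `@@ -230,6 +248,14 @@` hunk turns on QEMU's gdb stub (the documented shorthand for `-gdb tcp::1234`) on every launch, including SEV guests and launches where `-allow-debug` was not given, and an unauthenticated debug stub on a TCP port that is not bound to loopback is not something a default launch path should carry. Gate it on the flag this commit introduces and pin it to localhost: `[ "${ALLOW_DEBUG}" = "1" ] && add_opts "-gdb tcp:127.0.0.1:1234"`. In the `@@ -80,21 +82,26 @@` hunk the new virtio branch computes and prints `GUEST_MAC_ADDR` but never passes it to the device, so every virtio guest gets QEMU's built-in default NIC MAC and two guests on `br0` will collide; `add_opts "-device virtio-net-pci,netdev=net0,mac=${GUEST_MAC_ADDR},disable-legacy=on,iommu_platform=true,romfile="` keeps parity with the e1000 branch. `SEV_DEBUG_POLICY` is only ever assigned when debugging is allowed, so if the script prologue (outside these hunks) ever enables `set -u` the `-object sev-guest` line would fail in the non-debug case; initialising it to the empty string next to `ALLOW_DEBUG="0"` is cheap insurance.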
