Follow the steps below to build and run the SEV-SNP guest. The steps are tested on an Ubuntu 20.04 host and guest.

## Build

The following commands build the host and guest Linux kernel, qemu and OVMF BIOS used for launching an SEV-SNP guest.

````
# git clone https://github.com/AMDESE/AMDSEV.git
# cd AMDSEV
# git checkout sev-snp-devel
# ./build.sh --package
# sudo cp kvm.conf /etc/modprobe.d/
````
On a successful build, the binaries will be available in `snp-release-<DATE>`.

## Prepare Host

Verify that the following BIOS settings are enabled. The settings may vary based on the vendor BIOS. The menu options below are from an AMD BIOS.

```
  CBS -> CPU Common ->
                SEV-ES ASID space Limit Control -> Manual
                SEV-ES ASID space limit -> 100
                SNP Memory Coverage -> Enabled
                SMEE -> Enabled
      -> NBIO common ->
                SEV-SNP -> Enabled
```

Run the following commands to install the Linux kernel on the host machine.

```
# cd snp-release-<date>
# ./install.sh
```

Reboot the machine and choose the SNP Host kernel from the grub menu.

Run the following commands to verify that SNP is enabled on the host.

````
# uname -r
5.19.0-rc6-sev-es-snp+

# dmesg | grep -i -e rmp -e sev
SEV-SNP: RMP table physical address 0x0000000035600000 - 0x0000000075bfffff
ccp 0000:23:00.1: sev enabled
ccp 0000:23:00.1: SEV-SNP API:1.51 build:1
SEV supported: 410 ASIDs
SEV-ES and SEV-SNP supported: 99 ASIDs
# cat /sys/module/kvm_amd/parameters/sev
Y
# cat /sys/module/kvm_amd/parameters/sev_es
Y
# cat /sys/module/kvm_amd/parameters/sev_snp
Y

````

*NOTE: If your SEV-SNP firmware is older than 1.51, see the "Upgrade SEV firmware" section to upgrade the firmware.*

## Prepare Guest

Note: SNP requires that OVMF be used as the guest BIOS in order to boot. This implies that the guest must have been initially installed using OVMF so that a UEFI partition is present.

If you do not already have an installed guest, you can use the launch-qemu.sh script to create it:

````
# ./launch-qemu.sh -hda <your_qcow2_file> -cdrom <your_distro_installation_iso_file>
````

Boot up a guest (tested with Ubuntu 18.04 and 20.04, but any standard `*.deb` or `*.rpm`-based distro should work) and install the guest kernel packages built in the previous step. The guest kernel packages are available in the `snp-release-<DATE>/linux/guest` directory.

## Launch SNP Guest

To launch the SNP guest, use the launch-qemu.sh script provided in this repository:

````
# ./launch-qemu.sh -hda <your_qcow2_file> -sev-snp
````

To launch a guest with SNP disabled, simply remove `-sev-snp` from the above command line.

Once the guest is booted, run the following command inside the guest VM to verify that SNP is enabled:

````
$ dmesg | grep -i snp
AMD Memory Encryption Features active: SEV SEV-ES SEV-SNP
````

## Upgrade SEV firmware

SEV-SNP support requires firmware version >= 1.51:1 (or 1.33 in hexadecimal, which is what developer.amd.com uses when uploading firmware versions). The latest SEV-SNP firmware is available on https://developer.amd.com/sev and via the linux-firmware project.

The steps below document the firmware upgrade process for the latest SEV-SNP firmware available on https://developer.amd.com/sev at the time this was written. A similar procedure can be used for newer firmware as well:

```
# wget https://developer.amd.com/wp-content/resources/amd_sev_fam19h_model0xh_1.33.03.zip
# unzip amd_sev_fam19h_model0xh_1.33.03.zip
# sudo mkdir -p /lib/firmware/amd
# sudo cp amd_sev_fam19h_model0xh_1.33.03.sbin /lib/firmware/amd/amd_sev_fam19h_model0xh.sbin
```
Then either reboot the host, or reload the ccp driver to complete the firmware upgrade process:

```
sudo rmmod kvm_amd
sudo rmmod ccp
sudo modprobe ccp
sudo modprobe kvm_amd
```


## Reference

https://developer.amd.com/sev/
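
The host checks from "Prepare Host" and the version rule from "Upgrade SEV firmware", combined into one script as an added example; it is not part of the AMDSEV repository. The function names and the `--check` argument are hypothetical, and the script assumes the `SEV-SNP API:<major>.<minor>` dmesg line format shown above, with plain decimal numbers.

```shell
#!/bin/sh
# Added example (not from the AMDSEV repository): host-side SNP readiness check.
# The minimum 1.51 and the sysfs/dmesg sources are the ones this README uses.
MIN_MAJOR=1
MIN_MINOR=51

# Print "major.minor" from the first "SEV-SNP API:X.Y" line in $1, else nothing.
snp_api_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*SEV-SNP API:\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p' |
        head -n 1
}

# Return 0 if decimal version $1 is >= 1.51, 1 if older, 2 if malformed.
snp_api_ok() {
    case "$1" in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    major=${1%%.*}; minor=${1#*.}
    case "$major$minor" in *[!0-9]*) return 2 ;; esac
    [ "$major" -gt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]
}

# Decimal major.minor to the hexadecimal form developer.amd.com uses (1.51 -> 1.33).
snp_api_hex() {
    printf '%X.%02X\n' "${1%%.*}" "${1#*.}"
}

# Return 0 only if sev, sev_es and sev_snp all read "Y" in directory $1.
kvm_amd_snp_enabled() {
    dir=${1:-/sys/module/kvm_amd/parameters}
    for p in sev sev_es sev_snp; do
        [ "$(cat "$dir/$p" 2>/dev/null)" = "Y" ] ||
            { echo "kvm_amd parameter $p is not Y" >&2; return 1; }
    done
}

# Live check: module parameters first, then the firmware API version from dmesg.
check_snp_host() {
    kvm_amd_snp_enabled || return 1
    ver=$(snp_api_version "$(dmesg 2>/dev/null)")
    [ -n "$ver" ] || { echo "no SEV-SNP API line in dmesg" >&2; return 1; }
    snp_api_ok "$ver" ||
        { echo "firmware API $ver is older than 1.51, upgrade it" >&2; return 1; }
    echo "SNP host OK: firmware API $ver (hex $(snp_api_hex "$ver"))"
}

# Run the live check only when asked, e.g. "sh check.sh --check" as root.
if [ "${1:-}" = "--check" ]; then check_snp_host; fi
```

A non-zero exit from `check_snp_host` means either a `kvm_amd` parameter is not `Y` or the firmware needs the upgrade procedure described above.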