Follow the steps below to build and run an SEV-SNP guest. The steps are tested on an Ubuntu 20.04 host and guest.

## Build

The following commands build the host and guest Linux kernels, QEMU and the OVMF BIOS used for launching an SEV-SNP guest.

````
# git clone https://github.com/AMDESE/AMDSEV.git
# cd AMDSEV
# git checkout sev-snp-devel
# ./build.sh --package
# sudo cp kvm.conf /etc/modprobe.d/
````

On a successful build, the binaries will be available in `snp-release-`.

## Prepare Host

Verify that the following BIOS settings are enabled. The settings may vary based on the vendor BIOS. The menu options below are from an AMD BIOS.

```
CBS -> CPU Common ->
           SEV-ES ASID space Limit Control -> Manual
           SEV-ES ASID space limit -> 100
           SNP Memory Coverage -> Enabled
           SMEE -> Enabled
    -> NBIO common ->
           SEV-SNP -> Enabled
```

Run the following commands to install the Linux kernel on the host machine.

```
# cd snp-release-
# ./install.sh
```

Reboot the machine and choose the SNP Host kernel from the grub menu.

Run the following commands to verify that SNP is enabled on the host.

````
# uname -r
5.14.0-rc2-snp-host

# dmesg | grep -i -e rmp -e sev
SEV-SNP: RMP table physical address 0x0000000035600000 - 0x0000000075bfffff
ccp 0000:23:00.1: sev enabled
ccp 0000:23:00.1: SEV-SNP API:1.51 build:1
SEV supported: 410 ASIDs
SEV-ES and SEV-SNP supported: 99 ASIDs

# cat /sys/module/kvm_amd/parameters/sev
Y
# cat /sys/module/kvm_amd/parameters/sev_es
Y
# cat /sys/module/kvm_amd/parameters/sev_snp
Y
````

*NOTE: If your SEV-SNP firmware is older than 1.51, see the "Upgrade SEV firmware" section to upgrade the firmware.*

## Prepare Guest

Boot up a guest (tested with Ubuntu 18.04 and 20.04, but any standard `*.deb` or `*.rpm`-based distro should work) and install the guest kernel packages built in the previous step. The guest kernel packages are available in the `snp-release-/linux/guest` directory.
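The host verification commands in "Prepare Host" can be scripted. The following is an added example, not part of the AMDSEV repository: it parses dmesg text for the SEV-SNP API version, compares it with the 1.51 threshold from the note in that section, and checks the three `kvm_amd` parameters. The function names and the `--host` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the AMDSEV repository); function names are hypothetical.
# MIN_API is the 1.51 threshold from the NOTE in "Prepare Host".
MIN_API="1.51"

# Print "major.minor" from a dmesg line such as "ccp ...: SEV-SNP API:1.51 build:1".
snp_api_version() {
    sed -n 's/.*SEV-SNP API:\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# True if version $1 >= $2. Major and minor are compared as integers,
# so 1.6 is older than 1.51.
version_ge() {
    [ "${1%%.*}" -gt "${2%%.*}" ] ||
        { [ "${1%%.*}" -eq "${2%%.*}" ] && [ "${1#*.}" -ge "${2#*.}" ]; }
}

# stdin: dmesg text; $1: directory holding the kvm_amd parameters.
# Prints one line per finding and returns 0 only if every check passes.
check_snp_host() {
    chk_rc=0
    chk_log=$(cat)
    chk_ver=$(printf '%s\n' "$chk_log" | snp_api_version)
    if [ -z "$chk_ver" ]; then
        echo "FAIL: no 'SEV-SNP API' line in dmesg"; chk_rc=1
    elif version_ge "$chk_ver" "$MIN_API"; then
        echo "OK: SEV-SNP API $chk_ver"
    else
        echo "FAIL: SEV-SNP API $chk_ver is older than $MIN_API"; chk_rc=1
    fi
    printf '%s\n' "$chk_log" | grep -q 'SEV-SNP: RMP table physical address' ||
        { echo "FAIL: RMP table line not found in dmesg"; chk_rc=1; }
    for chk_p in sev sev_es sev_snp; do
        chk_val=$(cat "$1/$chk_p" 2>/dev/null || true)
        [ "$chk_val" = "Y" ] ||
            { echo "FAIL: kvm_amd $chk_p is '${chk_val:-missing}', expected Y"; chk_rc=1; }
    done
    return "$chk_rc"
}

# Sample dmesg lines copied from the verification output on this page, for a dry run.
sample_dmesg() {
    printf '%s\n' \
        'SEV-SNP: RMP table physical address 0x0000000035600000 - 0x0000000075bfffff' \
        'ccp 0000:23:00.1: SEV-SNP API:1.51 build:1'
}

# Pass --host to check the running machine (reading dmesg may need root).
if [ "${1:-}" = "--host" ]; then
    dmesg | check_snp_host /sys/module/kvm_amd/parameters
fi
```

A FAIL on the API version points to the "Upgrade SEV firmware" section; a FAIL on a `kvm_amd` parameter means the host verification step on this page did not show `Y` for that file.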
## Launch SNP Guest

To launch the SNP guest, use the launch-qemu.sh script provided in this repository:

````
# ./launch-qemu.sh -hda -sev-snp
````

To launch a guest with SNP disabled, simply remove `-sev-snp` from the above command line.

Once the guest is booted, run the following command inside the guest VM to verify that SNP is enabled:

````
$ dmesg | grep -i snp
AMD Memory Encryption Features active: SEV SEV-ES SEV-SNP
````

## Upgrade SEV firmware

SEV-SNP support requires firmware version >= 1.50:1. The latest SEV-SNP firmware is available on developer.amd.com/sev and in the linux-firmware project. Follow the steps below to upgrade to the latest firmware:

```
# wget https://developer.amd.com/wp-content/resources/amd_sev_fam19h_model0xh_1.33.01.zip
# unzip amd_sev_fam19h_model0xh_1.33.01.zip
# sudo mkdir -p /lib/firmware/amd
# sudo cp amd_sev_fam19h_model0xh_1.33.01.sbin /lib/firmware/amd/amd_sev_fam19h_model0xh.sbin
```

Then either reboot the host, or reload the ccp driver to complete the firmware upgrade process:

```
sudo rmmod kvm_amd
sudo rmmod ccp
sudo modprobe ccp
sudo modprobe kvm_amd
```

## Reference

https://developer.amd.com/sev/