I was able to confirm that the OVMF.amdsev.fd firmware works as expected on Plucky.

** SETUP **

Model name: AMD EPYC 9654 96-Core Processor

SEV-SNP feature enabled:

  Jul 17 09:22:29 hoodin kernel: SEV-SNP: RMP table physical range [0x000000000d500000 - 0x000000004ddfffff]
  Jul 17 09:22:29 hoodin kernel: SEV-SNP: Reserving start/end of RMP table on a 2MB boundary [0x000000000d400000]
  Jul 17 09:22:30 hoodin kernel: ccp 0000:01:00.5: sev enabled
  Jul 17 09:22:36 hoodin kernel: ccp 0000:01:00.5: SEV API:1.55 build:40
  Jul 17 09:22:36 hoodin kernel: ccp 0000:01:00.5: SEV-SNP API:1.55 build:40
  Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV enabled (ASIDs 10 - 1006)
  Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV-ES enabled (ASIDs 1 - 9)
  Jul 17 09:22:36 hoodin kernel: kvm_amd: SEV-SNP enabled (ASIDs 1 - 9)

Host Packages:

  qemu-system-x86/plucky,now 1:9.2.1+ds-1ubuntu5 amd64 [installed]
  ovmf/plucky,now 2025.02-3ubuntu2.1~ppa2 all [installed,automatic]

Host kernel: 6.14.0-24-generic

Guest:

  image: https://cloud-images.ubuntu.com/releases/plucky/release-20250701/ubuntu-25.04-server-cloudimg-amd64.img
  kernel: 6.14.0-23-generic (https://cloud-images.ubuntu.com/releases/plucky/release-20250701/unpacked/ubuntu-25.04-server-cloudimg-amd64-vmlinuz-generic)

** Launch script **

  sudo qemu-system-x86_64 \
    -enable-kvm \
    -nographic \
    -cpu EPYC-v4 \
    -machine q35 \
    -smp 6 \
    -m 6G \
    -machine memory-encryption=sev0,vmport=off \
    -object memory-backend-memfd,id=ram1,size=6G,share=true,prealloc=false \
    -machine memory-backend=ram1 \
    -object sev-snp-guest,id=sev0,policy=0x30000,cbitpos=51,reduced-phys-bits=5,kernel-hashes=on \
    -kernel "$VMLINUZ" \
    -append "root=/dev/vda1 console=ttyS0" \
    -drive "if=virtio,format=qcow2,file=$IMAGE" \
    -drive "if=virtio,format=raw,file=cloud-init.img" \
    -bios /usr/share/ovmf/OVMF.amdsev.fd \
    -net nic,model=e1000 -net user,hostfwd=tcp::2222-:22

** On the guest **

Logs:

  Jul 17 10:09:21 ubuntu kernel: Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP
  Jul 17 10:09:21 ubuntu kernel: SEV: Status: SEV SEV-ES SEV-SNP

After inserting the sev-snp module, I can see the character device:

  ubuntu@ubuntu:~$ sudo modprobe sev-guest
  ubuntu@ubuntu:~$ ls /dev/sev-guest
  /dev/sev-guest

** Generate a test report **

Finally, I was able to generate a report on the guest using AMD's tool: https://github.com/virtee/snpguest (that we should probably package).

  ubuntu@ubuntu:~$ sudo ./snpguest report --random attestation-report.bin request-file.txt
  ubuntu@ubuntu:~$ sudo ./snpguest display report attestation-report.bin
  Attestation Report:
  Version: 3
  Guest SVN: 0
  Guest Policy (0x30000):
    ABI Major: 0
    ABI Minor: 0
    SMT Allowed: true
    Migrate MA: false
    Debug Allowed: false
    Single Socket: false
  Family ID:
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Image ID:
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  VMPL: 1
  Signature Algorithm: 1
  Current TCB:
    TCB Version:
      Microcode: 84
      SNP: 23
      TEE: 0
      Boot Loader: 10
      FMC: None
  Platform Info (39):
    SMT Enabled: true
    TSME Enabled: true
    ECC Enabled: true
    RAPL Disabled: false
    Ciphertext Hiding Enabled: false
    Alias Check Complete: true
  Key Information:
    author key enabled: false
    mask chip key: false
    signing key: vcek
  Report Data:
    76 94 01 33 15 1B 6B 97 A6 4B 8F 35 DF 3D 4E 9A
    8B DF 3E FF 6A 0D 17 87 73 8C 6F 6C D0 75 65 4F
    49 10 E7 05 D7 87 61 D9 34 31 FC 9D 86 F0 B8 10
    AB 76 DE E5 EB C8 B8 90 08 2B E4 E9 26 23 E0 67
  Measurement:
    1A DE 39 B1 13 F3 DC F6 EE F1 A8 C0 53 F8 1D C4
    D4 07 19 50 15 C3 41 EF 25 CC B7 E5 60 6B 7B 2C
    DA 4A 30 35 4C 17 02 F4 5C 1C 3D 6C 59 BE 39 55
  Host Data:
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ID Key Digest:
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Author Key Digest:
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Report ID:
    58 2C DF E2 63 6C A4 6E 7A 00 D3 E0 54 BE D4 45
    0F 7D 9D 49 C0 B3 35 C3 91 6B 08 54 0A C0 94 0D
  Report ID Migration Agent:
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  Reported TCB:
    TCB Version:
      Microcode: 84
      SNP: 23
      TEE: 0
      Boot Loader: 10
      FMC: None
  CPUID Family ID: 25
  CPUID Model ID: 17
  CPUID Stepping: 1
  Chip ID:
    2C 4E DA 5B E5 75 68 F3 47 6F 92 0B FA 63 44 16
    8E A2 B6 D8 A5 74 C9 41 52 8B B7 E9 E3 64 8D 92
    20 6F 68 F9 37 D3 99 6C DF 50 04 4A 6D DE 94 F7
    AA F2 42 33 65 88 83 81 F0 4B B2 48 F7 9F A2 2F
  Committed TCB:
    TCB Version:
      Microcode: 84
      SNP: 23
      TEE: 0
      Boot Loader: 10
      FMC: None
  Current Version: 1.55.40
  Committed Version: 1.55.40
  Launch TCB:
    TCB Version:
      Microcode: 84
      SNP: 23
      TEE: 0
      Boot Loader: 10
      FMC: None
  Signature:
    R:
      57 F8 63 B9 C7 05 89 EB AC 0C 12 87 BF 35 F9 C6
      A3 2F FD 78 9E 5E 6D CD F4 DA 96 69 75 01 88 DD
      2B D4 2D A1 BC 64 0B 06 7E 8B 6E 65 D2 63 4E 91
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00
    S:
      90 16 BB 6D B5 3E C1 00 1D 0F 5D 35 A2 38 5B 7B
      0D DA 64 D4 5C E3 A8 6F 2D 9E 54 38 16 C9 52 CA
      7E E0 87 02 57 A4 2F 26 11 BC 2D AC 23 29 9C 9A
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00

-- 
https://bugs.launchpad.net/bugs/2106771

Title:
  Add support for QEMU AMD SNP VM Measured linux boot with the addition of new AMDSEV OVMF.fd
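
Added example, not part of the original comment and not snpguest code: a relying-party style check of the report fields shown above, decoding the guest policy (0x30000 in the launch script) and comparing the report data with the nonce the verifier supplied. Field offsets and policy bits follow AMD's SEV-SNP firmware ABI specification; the function names are hypothetical and the sample report is constructed in code rather than read from attestation-report.bin.

```python
import struct

REPORT_SIZE = 0x4A0  # ATTESTATION_REPORT length in AMD's SEV-SNP firmware ABI

def decode_policy(policy):
    """Split the guest policy into the flags 'snpguest display report' prints."""
    bit = lambda n: bool(policy >> n & 1)
    return {"abi_minor": policy & 0xFF, "abi_major": policy >> 8 & 0xFF,
            "smt_allowed": bit(16), "reserved_one": bit(17),
            "migrate_ma": bit(18), "debug_allowed": bit(19),
            "single_socket": bit(20)}

def parse_report(blob):
    """Extract the fields a relying party compares (little-endian layout)."""
    if len(blob) != REPORT_SIZE:
        raise ValueError(f"expected {REPORT_SIZE} bytes, got {len(blob)}")
    version, guest_svn, policy = struct.unpack_from("<IIQ", blob, 0x00)
    (vmpl,) = struct.unpack_from("<I", blob, 0x30)
    return {"version": version, "guest_svn": guest_svn, "policy": policy,
            "vmpl": vmpl, "report_data": blob[0x50:0x90],
            "measurement": blob[0x90:0xC0]}

def check_report(blob, expected_policy, nonce, expected_measurement=None):
    """Return a list of findings; an empty list means every check passed."""
    r = parse_report(blob)
    flags = decode_policy(r["policy"])
    findings = []
    if r["policy"] != expected_policy:
        findings.append(f"policy {r['policy']:#x} != expected {expected_policy:#x}")
    if flags["debug_allowed"]:
        findings.append("debug allowed: hypervisor may decrypt guest memory")
    if not flags["reserved_one"]:
        findings.append("policy bit 17 is clear (must be one)")
    if r["report_data"] != nonce:
        findings.append("report data does not match the verifier's nonce")
    if expected_measurement is not None and r["measurement"] != expected_measurement:
        findings.append("launch measurement mismatch")
    return findings

def build_sample(policy=0x30000, nonce=bytes(range(64))):
    """Constructed report: header fields as on the page, everything else zero."""
    blob = bytearray(REPORT_SIZE)
    struct.pack_into("<IIQ", blob, 0x00, 3, 0, policy)  # version 3, SVN 0
    struct.pack_into("<I", blob, 0x30, 1)               # VMPL 1
    blob[0x50:0x90] = nonce
    return bytes(blob)

if __name__ == "__main__":
    print(decode_policy(0x30000))
    print(check_report(build_sample(), 0x30000, bytes(range(64))))
    print(check_report(build_sample(policy=0xB0000), 0x30000, bytes(range(64))))
```

These field comparisons only mean something once the report's signature has been verified against the VCEK certificate chain, which this example does not do.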
