I tried to test the SEV-ES protection using the testing guest and hypervisor kernels in the AMDESE/linux github repository (branch sev-es-4.19). I used the provided setup script to compile Qemu, OVMF and the hypervisor kernel. However, as soon as I want to start a new guest, Qemu fails with an error.
I took the following steps to track down the issue:
- When Qemu issues the KVM_SEV_ES_INIT ioctl, KVM tries to set up the internal data structures for the new SEV-ES guest in sev_es_guest_init, which invokes sev_guest_init. In this function, KVM wants to get an ASID for the new VM by invoking sev_asid_new. According to the documentation of the ACTIVATE command (SEV API specification), the ASID for a SEV-ES enabled guest has to be in the range of [1, MIN_SEV_ASID - 1]. However, for my platform min_sev_asid is 1, which causes sev_asid_new to fail.
- Because of this error, I checked if my platform actually supports SEV-ES using CPUID Fn8000_001F. According to the reply, the CPU has SEV-ES support. However, as stated before, there are no valid SEV-ES ASIDs available as MIN_SEV_ASID is 1 (as also reported by the mentioned CPUID function).
- Nevertheless, the AMD64 specification (Volume 2) is less strict about the SEV-ES ASIDs. According to this specification, there only exists a limitation for the ASIDs that can be used for SEV-only VMs, but every ASID can be used for SEV-ES guests. Therefore, I altered the code of sev_asid_new to simply return the fixed ASID 1. However, then the ACTIVATE instruction is failing with INVALID_ASID. Therefore, it seems that the code (which conforms to the SEV API specification) is correct.
As it seems quite strange to me that SEV-ES is supported, but there are no valid ASIDs available, I wanted to ask if this is an issue that may be fixed by a newer firmware version or if this is fixed in hardware.
My CPU is an AMD EPYC 7251. However, the firmware is rather old (API_MAJOR 0 and API_MINOR 14), which makes me believe that this may be fixed by a newer firmware version.
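The CPUID check described in the post, written out as an added example (this is not code from the issue or from the AMDESE/linux tree). It decodes CPUID Fn8000_001F into the fields KVM uses (SEV/SEV-ES feature bits in EAX, the C-bit position in EBX, MAX_ASID in ECX, MIN_SEV_ASID in EDX) and derives the two ASID ranges as the post reads them from the SEV API specification: SEV-ES guests in [1, MIN_SEV_ASID - 1] and plain SEV guests in [MIN_SEV_ASID, MAX_ASID]. With MIN_SEV_ASID = 1, as reported on the EPYC 7251 above, the SEV-ES range is empty, which is the condition that makes sev_asid_new fail. The register values used for illustration in the comments are constructed, not measured on that machine.

```c
/* Added example: decode CPUID Fn8000_001F and derive SEV / SEV-ES ASID ranges.
 * Register layout per the AMD64 APM (Vol. 3, CPUID Fn8000_001F). Not project code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

struct sev_caps {
    bool sme;              /* EAX bit 0: Secure Memory Encryption */
    bool sev;              /* EAX bit 1: SEV */
    bool sev_es;           /* EAX bit 3: SEV Encrypted State */
    unsigned cbit_pos;     /* EBX bits 5:0: C-bit position in a page table entry */
    uint32_t max_asid;     /* ECX: number of encrypted guests supported = highest ASID */
    uint32_t min_sev_asid; /* EDX: lowest ASID usable by an SEV (non-ES) guest */
};

struct asid_range { uint32_t lo, hi; };

/* Decode the four registers of Fn8000_001F into the fields KVM cares about. */
struct sev_caps decode_fn8000_001f(uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    struct sev_caps c = {
        .sme = (eax >> 0) & 1u,
        .sev = (eax >> 1) & 1u,
        .sev_es = (eax >> 3) & 1u,
        .cbit_pos = ebx & 0x3fu,
        .max_asid = ecx,
        .min_sev_asid = edx,
    };
    return c;
}

/* SEV-ES guests must use [1, MIN_SEV_ASID - 1] (SEV API, ACTIVATE command).
 * Returns false when the range is empty (MIN_SEV_ASID <= 1): no SEV-ES ASIDs exist
 * even though the feature bit is set, the situation described in the post. */
bool sev_es_asid_range(const struct sev_caps *c, struct asid_range *r)
{
    if (!c->sev_es || c->min_sev_asid <= 1)
        return false;
    r->lo = 1;
    r->hi = c->min_sev_asid - 1;
    return true;
}

/* Plain SEV (non-ES) guests use [MIN_SEV_ASID, MAX_ASID]. */
bool sev_asid_range(const struct sev_caps *c, struct asid_range *r)
{
    if (!c->sev || c->min_sev_asid == 0 || c->min_sev_asid > c->max_asid)
        return false;
    r->lo = c->min_sev_asid;
    r->hi = c->max_asid;
    return true;
}

/* Query the running CPU. Returns false if the leaf is absent or this is not x86. */
bool read_fn8000_001f(struct sev_caps *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(0x8000001fu, &eax, &ebx, &ecx, &edx))
        return false;
    *out = decode_fn8000_001f(eax, ebx, ecx, edx);
    return true;
#else
    (void)out;
    return false;
#endif
}

int main(void)
{
    struct sev_caps c;
    struct asid_range r;

    if (!read_fn8000_001f(&c)) {
        puts("CPUID Fn8000_001F not available on this CPU/build");
        return 1;
    }
    printf("SME=%d SEV=%d SEV-ES=%d C-bit=%u MAX_ASID=%u MIN_SEV_ASID=%u\n",
           c.sme, c.sev, c.sev_es, c.cbit_pos, c.max_asid, c.min_sev_asid);
    if (sev_asid_range(&c, &r))
        printf("SEV ASIDs:    [%u, %u]\n", r.lo, r.hi);
    if (sev_es_asid_range(&c, &r))
        printf("SEV-ES ASIDs: [%u, %u]\n", r.lo, r.hi);
    else if (c.sev_es)
        puts("SEV-ES advertised, but no SEV-ES ASIDs available (MIN_SEV_ASID <= 1)");
    return 0;
}
```

Build with `gcc -O2 -o sevcaps sevcaps.c` and run on the host in question; the last branch in main reproduces the contradiction the post describes (feature bit set, empty SEV-ES ASID range). The decode and range functions take raw register values, so they can also be checked against a CPUID dump taken from a remote machine without running there.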