This bug was initially created as a copy of Bug #1689341 I am copying this bug because the fix spans both kernel and qemu-kvm. Description of problem: Libvirt queries SEV support via QEMU's qmp_query_sev_capabilities command the result of which then reports in its domain capabilities. The problem is that QEMU returns success even if SEV is not enabled in the kernel module (although the platform supports it), so libvirt reports SEV as supported, but any attempt launching a SEV VM will fail. Version-Release number of selected component (if applicable): libvirt-5.1.0 qemu-kvm-3.1.0 How reproducible: Steps to Reproduce: 1. Take an AMD EPYC machine and disable SEV in the kernel # cat /sys/module/kvm_amd/parameters/sev 0 2. make sure to clear libvirt capabilities # systemctl stop libvirtd # rm -f /var/cache/libvirt/qemu/capabilities # systemctl restart libvirtd 3. check libvirt's domain capabilities # virsh domcapabilities <features> ... <sev supported='yes'> <cbitpos>47</cbitpos> <reducedPhysBits>1</reducedPhysBits> </sev> ... </features> 4. try launching a sev VM # virsh start <vm> Failed to start domain <vm> the following will be contained in the internal error reported by libvirt: "sev_guest_init: failed to initialize ret=-25 fw_error=0 ''" Actual results: QEMU returns data about SEV making libvirt think SEV is supported on the platform while actually it is disabled in kernel Expected results: QEMU's qmp_query_sev_capabilities can already report "SEV feature is not available" error when it fails to provide the data to libvirt for some reason. The same error should be reported in this case too which will result in libvirt reporting <sev supported='no'> in the domain capabilities. Additional info: This is the plan: (b) In the kernel, introduce a *VM-independent* KVM ioctl, for checking whether KVM_MEMORY_ENCRYPT_OP is generally available. This could take the form of e.g. a KVM_CHECK_EXTENSION ioctl, with KVM_CAP_MEMORY_ENCRYPTION as arg. Then propagate this new feature all the way from the host kernel through QEMU/QMP to libvirt. As I quoted above, the existent documentation for "KVM_MEMORY_ENCRYPT_OP" starts with, "If the platform supports creating encrypted VMs [...]" -- so introduce a way to query KVM about that fact precisely (as a read-only operation).
Hi Paolo, I suppose this bug should be Future Feature request bug, can we add a Future Feature keyword? Thanks! BR/ Zhiyi, Guo
It's a small enhancement to error reporting so it will be 8.2 material, but I don't think it's FutureFeature.
QEMU has been recently split into sub-components and as a one-time operation to avoid breakage of tools, we are setting the QEMU sub-component of this BZ to "General". Please review and change the sub-component if necessary the next time you review this BZ. Thanks
Test with qemu-kvm-4.2.0-32.module+el8.3.0+7629+c86ce105.x86_64, reported bug is not exits, test steps return RuntimeError: SEV launch security is not supported on this platform which is correct error report for this test. Test version: qemu-kvm-5.1.0-2.module+el8.3.0+7652+b30e6901.x86_64 kernel-4.18.0-232.el8.x86_64 Test steps: . Take an AMD EPYC machine and disable SEV in the kernel # cat /sys/module/kvm_amd/parameters/sev 0 2. make sure to clear libvirt capabilities # systemctl stop libvirtd # rm -f /var/cache/libvirt/qemu/capabilities # systemctl restart libvirtd 3. check libvirt's domain capabilities # virsh domcapabilities| grep sev <sev supported='no'/> 4. try launching a sev VM virt-install --name rhel83sev --cpu EPYC-IBPB,-hypervisor --ram=4096 --memtune hard_limit=5000000 --vcpus=2,sockets=1,cores=1,threads=2 --boot uefi --machine q35 --noreboot --network bridge=br0 --os-variant rhel8.3 --os-type=linux --location=http://download.eng.bos.redhat.com/rhel-8/rel-eng/RHEL-8/latest-RHEL-8.3.0/compose/BaseOS/x86_64/os/ --disk path=/home/rhel83sev.qcow2,bus=scsi,format=qcow2,cache=none,size=80 --controller type=scsi,model=virtio-scsi,driver.iommu=on --controller type=virtio-serial,driver.iommu=on --network network=default,model=virtio,driver.iommu=on --rng type=/dev/random,driver.iommu=on --memballoon driver.iommu=on --launchSecurity sev --graphics vnc,listen=0.0.0.0 --console unix,path=/tmp/rhel83sev,mode=bind --debug --extra-args console=ttyS0,115200 [Tue, 18 Aug 2020 03:23:40 virt-install 38372] DEBUG (cli:208) Launched with command line: /usr/share/virt-manager/virt-install --name rhel83sev --cpu EPYC-IBPB,-hypervisor --ram=4096 --memtune hard_limit=5000000 --vcpus=2,sockets=1,cores=1,threads=2 --boot uefi --machine q35 --noreboot --network bridge=br0 --os-variant rhel8.3 --os-type=linux --location=http://download.eng.bos.redhat.com/rhel-8/rel-eng/RHEL-8/latest-RHEL-8.3.0/compose/BaseOS/x86_64/os/ --disk path=/home/rhel83sev.qcow2,bus=scsi,format=qcow2,cache=none,size=80 --controller type=scsi,model=virtio-scsi,driver.iommu=on --controller type=virtio-serial,driver.iommu=on --network network=default,model=virtio,driver.iommu=on --rng type=/dev/random,driver.iommu=on --memballoon driver.iommu=on --launchSecurity sev --graphics vnc,listen=0.0.0.0 --console unix,path=/tmp/rhel83sev,mode=bind --debug --extra-args console=ttyS0,115200 Actual result: [Tue, 18 Aug 2020 04:34:32 virt-install 64727] ERROR (cli:264) SEV launch security is not supported on this platform [Tue, 18 Aug 2020 04:34:32 virt-install 64727] DEBUG (cli:266) Traceback (most recent call last): File "/usr/share/virt-manager/virt-install", line 1009, in <module> sys.exit(main()) File "/usr/share/virt-manager/virt-install", line 997, in main guest, installer = build_guest_instance(conn, options) File "/usr/share/virt-manager/virt-install", line 564, in build_guest_instance installer.set_install_defaults(guest) File "/usr/share/virt-manager/virtinst/install/installer.py", line 340, in set_install_defaults guest.set_defaults(None) File "/usr/share/virt-manager/virtinst/guest.py", line 746, in set_defaults self.launchSecurity.set_defaults(self) File "/usr/share/virt-manager/virtinst/domain/launch_security.py", line 56, in set_defaults return self._set_defaults_sev(guest) File "/usr/share/virt-manager/virtinst/domain/launch_security.py", line 39, in _set_defaults_sev raise RuntimeError(_("SEV launch security is not supported on this platform")) RuntimeError: SEV launch security is not supported on this platform Expected result: Same with actual result.
Sorry, I made a tying error in Comment 7, this bug is verified by qemu-kvm-5.1.0-2.module+el8.3.0+7652+b30e6901.x86_64.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:5137