[Request for Help] How to utilize Secure Encrypted Virtualization (AMD_SEV) on Threadripper 3000 series with QEMU?

Mu7en · September 11, 2022, 11:05pm

I have a TR 3990X platform with Manjaro being my host OS and serval virtual machines running under KVM. I’m following this doc trying to enable SEV, but no luck so far

The sketchy part is, I cannot seem to find an option in BIOS about SEV, whereas AMD mentioned that there should be an option. My motherboard is MSI Creator TRX40.

Here’s some more detailed information:

$ uname -r
5.15.60-1-MANJARO

$ lscpu | grep -w 'sev'
Flags: ....  sme sev sev_es

$ cat /etc/default/grub | grep 'sev'
GRUB_CMDLINE_LINUX_DEFAULT="quiet udev.log_priority=3 mem_encrypt=on kvm_amd.sev=1 amd_iommu=on rd.driver.pre=vfio-pci kvm.ignore_msrs=1"

$ cat /sys/module/kvm_amd/parameters/sev
Y

$ virsh domcapabilities | grep -w 'sev'
    <sev supported='no'/>

$ libvirtd --version
libvirtd (libvirt) 8.6.0

$ qemu-x86_64 --version
qemu-x86_64 version 7.0.0
Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers

My questions are:

does TRX40 platform really support SEV?
if it does, am I having a motherboard related issue?
if it doesn’t support SEV, then are the flags in /proc/cpuinfo untrustworthy? Or AMD be trolling?

Any information or pointing out my wrong doing would be much appreciated!

cowphrase · September 19, 2022, 9:56am

Sounds like this may be a libvirt issue checking sev parameters - 2012386 – virt-host-validate: Detetion results of AMD SEV is not expected. It looks like the patch for this was merged into libvirt in November last year, and there have been many releases since then (0.8.6 was earlier this year). So I’m surprised you’re still hitting it.

What does virt-host-validate show?

Mu7en · September 24, 2022, 5:47am

~ cat /sys/module/kvm_amd/parameters/sev
Y

~ libvirtd --version
libvirtd (libvirt) 8.7.0

~ virt-host-validate 
  QEMU: Checking for hardware virtualization                                 : PASS
  QEMU: Checking if device /dev/kvm exists                                   : PASS
  QEMU: Checking if device /dev/kvm is accessible                            : PASS
  QEMU: Checking if device /dev/vhost-net exists                             : PASS
  QEMU: Checking if device /dev/net/tun exists                               : PASS
  QEMU: Checking for cgroup 'cpu' controller support                         : PASS
  QEMU: Checking for cgroup 'cpuacct' controller support                     : PASS
  QEMU: Checking for cgroup 'cpuset' controller support                      : PASS
  QEMU: Checking for cgroup 'memory' controller support                      : PASS
  QEMU: Checking for cgroup 'devices' controller support                     : WARN (Enable 'devices' in kernel Kconfig file or mount/enable cgroup controller in your system)
  QEMU: Checking for cgroup 'blkio' controller support                       : PASS
  QEMU: Checking for device assignment IOMMU support                         : PASS
  QEMU: Checking if IOMMU is enabled by kernel                               : PASS
  QEMU: Checking for secure guest support                                    : WARN (AMD Secure Encrypted Virtualization appears to be disabled in firmware.)
   LXC: Checking for Linux >= 2.6.26                                         : PASS
   LXC: Checking for namespace ipc                                           : PASS
   LXC: Checking for namespace mnt                                           : PASS
   LXC: Checking for namespace pid                                           : PASS
   LXC: Checking for namespace uts                                           : PASS
   LXC: Checking for namespace net                                           : PASS
   LXC: Checking for namespace user                                          : PASS
   LXC: Checking for cgroup 'cpu' controller support                         : PASS
   LXC: Checking for cgroup 'cpuacct' controller support                     : PASS
   LXC: Checking for cgroup 'cpuset' controller support                      : PASS
   LXC: Checking for cgroup 'memory' controller support                      : PASS
   LXC: Checking for cgroup 'devices' controller support                     : FAIL (Enable 'devices' in kernel Kconfig file or mount/enable cgroup controller in your system)
   LXC: Checking for cgroup 'freezer' controller support                     : FAIL (Enable 'freezer' in kernel Kconfig file or mount/enable cgroup controller in your system)
   LXC: Checking for cgroup 'blkio' controller support                       : PASS
   LXC: Checking if device /sys/fs/fuse/connections exists                   : PASS
    CH: Checking for hardware virtualization                                 : PASS
    CH: Checking if device /dev/kvm exists                                   : PASS
    CH: Checking if device /dev/kvm is accessible                            : PASS

Thanks for the information!

And sorry for the delay.

I was just giving up on this. Thanks to your link, now I’m doubting maybe this is a Manjaro thing. I’m going to try Fedora and Arch to see if it works!

cowphrase · September 24, 2022, 6:19am

Mmm, “disabled in firmware” doesn’t look good". From some searching sounds like Epyc only?.

Mu7en · September 24, 2022, 6:45am

Yeah I saw that too, and you are probably right. But the cpuinfo suggests my CPU does support SEV, so I’m still gonna try it. I’m also contacting MSI to see if they have any insight, maybe they will build a special version of BIOS for SEV support.

Thank you for your time

cowphrase · September 24, 2022, 6:57am

@wendell You don’t happen to have a quick answer on this do you? Does SEV (Secure Encrypted Virtualization) work on Threadripper?

wendell · September 24, 2022, 4:13pm

I saw something somewhere that said it should but it hasn’t worked for me on Asus or ASRock platforms either.

system · June 25, 2023, 10:14am

This topic was automatically closed 273 days after the last reply. New replies are no longer allowed.