AMD SME/SEV on Ubuntu 20
Enable SME on your ubuntu server and spawn an SEV virtual machine
Last updated May 7th, 2020
Enable AMD SME on your Ubuntu 20.04 server, and spawn a KVM/QEMU virtual machine secured with SEV
Enabling SME just requires adding mem_encrypt=on to the kernel's boot command line. To be able to use SEV in KVM, we need to add kvm_amd.sev=1 as well.
To do this, we need to add both parameters to GRUB_CMDLINE_LINUX_DEFAULT.
The usual way to do this is by editing /etc/default/grub. However, on Ubuntu cloud images, we need to edit this file instead: /etc/default/grub.d/50-cloudimg-settings.cfg
Here's what it looks like on a freshly installed Ubuntu 20.04, after editing the file:
ubuntu@nsXXX:~# grep mem_encry /etc/default/grub.d/50-cloudimg-settings.cfg
GRUB_CMDLINE_LINUX_DEFAULT="modprobe.blacklist=btrfs mem_encrypt=on kvm_amd.sev=1"
ubuntu@nsXXX:~#
Now, we need to update our grub configuration to make our change effective:
sudo update-grub
Let's reboot the server to apply our cmdline changes:
sudo reboot
Once the server is back up, we should see mem_encrypt=on and kvm_amd.sev=1 in /proc/cmdline:
ubuntu@nsXXX:~# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.4.0-26-generic root=UUID=41b1b860-c5d2-4b43-a7e5-cb45c2f44e08 ro vga=normal nomodeset modprobe.blacklist=btrfs mem_encrypt=on kvm_amd.sev=1
You should also see the following messages in dmesg:
ubuntu@nsXXX:~# dmesg | grep SME
[ 1.247928] AMD Secure Memory Encryption (SME) active
ubuntu@nsXXX:~# dmesg | grep "SEV supported"
[ 7.637219] SVM: SEV supported
You can also check /sys/module/kvm_amd/parameters/sev to verify that SEV is available:
ubuntu@nsXXX:~# cat /sys/module/kvm_amd/parameters/sev
1
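The three checks above (the /proc/cmdline tokens, the dmesg messages and the kvm_amd module parameter) can be wrapped into one host-side verification script. The script below is an added example and is not part of this guide; each check is a function that takes its input as an argument, so it runs against constructed sample text as well as against the live system (pass --live for that). The acceptance of "Y" for the module parameter is an assumption about newer kernels, which expose sev as a boolean rather than the integer 1 shown on this 5.4 kernel.

```shell
#!/bin/sh
# Host-side verification that SME and SEV enablement took effect.
# Added example, not part of the OVH guide.

# Return 0 if a kernel command line contains both mem_encrypt=on and
# kvm_amd.sev=1 as whole tokens, so that "mem_encrypt=off" or a partial
# match such as "kvm_amd.sev=10" does not pass.
cmdline_has_sev_params() {
    have_sme=0
    have_sev=0
    for tok in $1; do
        case "$tok" in
            mem_encrypt=on) have_sme=1 ;;
            kvm_amd.sev=1)  have_sev=1 ;;
        esac
    done
    if [ "$have_sme" -eq 1 ] && [ "$have_sev" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Return 0 if dmesg output (passed as text) reports SME active.
dmesg_reports_sme() {
    printf '%s\n' "$1" | grep -q 'AMD Secure Memory Encryption (SME) active'
}

# Return 0 if dmesg output (passed as text) reports SEV support in KVM's SVM code.
dmesg_reports_sev() {
    printf '%s\n' "$1" | grep -q 'SVM: SEV supported'
}

# Return 0 if the kvm_amd "sev" parameter value reads as enabled.
# 5.4 prints "1"; accepting "Y" is an assumption about newer kernels that
# expose the parameter as a boolean.
sev_param_enabled() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        1|Y|y) return 0 ;;
        *)     return 1 ;;
    esac
}

# Run every check against the live host, one result line per check.
# Returns non-zero if any check failed.
check_host() {
    rc=0
    if cmdline_has_sev_params "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "ok   /proc/cmdline has mem_encrypt=on and kvm_amd.sev=1"
    else
        echo "FAIL /proc/cmdline lacks mem_encrypt=on and/or kvm_amd.sev=1"; rc=1
    fi
    dm="$(dmesg 2>/dev/null)"
    if dmesg_reports_sme "$dm"; then echo "ok   SME active"; else echo "FAIL SME not active"; rc=1; fi
    if dmesg_reports_sev "$dm"; then echo "ok   SEV supported"; else echo "FAIL SEV not reported"; rc=1; fi
    if sev_param_enabled "$(cat /sys/module/kvm_amd/parameters/sev 2>/dev/null)"; then
        echo "ok   kvm_amd sev parameter enabled"
    else
        echo "FAIL kvm_amd sev parameter not enabled"; rc=1
    fi
    return "$rc"
}

# Only touch the live system when asked to, so the functions can be sourced
# and exercised on sample input elsewhere.
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it as `sh check-sev-host.sh --live` after the reboot; a FAIL on the cmdline line usually means update-grub was not run or the wrong grub.d file was edited, while a FAIL on the dmesg lines with a passing cmdline points at firmware settings (SME/SEV disabled in the BIOS) rather than the kernel configuration.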
Install packages:
sudo apt update
sudo apt install libvirt-daemon-system virtinst qemu-utils cloud-image-utils
Let's download the image for our VM. We'll use an Ubuntu 20.04 cloud image:
wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img
Let's ensure that the image is in the correct format for QEMU/KVM, and put it in the proper folder:
sudo qemu-img convert focal-server-cloudimg-amd64.img /var/lib/libvirt/images/sev-guest.img
Since we're using a cloud image, we also need to prepare a small ISO that will configure the ubuntu user's password:
cat >cloud-config <<EOF
#cloud-config
password: CHANGEME.aiZ4aetiesig
chpasswd: { expire: False }
ssh_pwauth: False
EOF
sudo cloud-localds /var/lib/libvirt/images/sev-guest-cloud-config.iso cloud-config
sudo virt-install \
--name sev-guest \
--memory 4096 \
--memtune hard_limit=4563402 \
--boot uefi \
--disk /var/lib/libvirt/images/sev-guest.img,device=disk,bus=scsi \
--disk /var/lib/libvirt/images/sev-guest-cloud-config.iso,device=cdrom \
--os-type linux \
--os-variant ubuntu20.04 \
--import \
--controller type=scsi,model=virtio-scsi,driver.iommu=on \
--controller type=virtio-serial,driver.iommu=on \
--network network=default,model=virtio,driver.iommu=on \
--memballoon driver.iommu=on \
--graphics none \
--launchSecurity sev
Note: at the time of writing, there is an issue in apparmor/libvirt that will make the above command fail with the following message:
ERROR internal error: process exited while connecting to monitor: 2020-04-28T15:04:14.348979Z qemu-system-x86_64: sev_guest_init: Failed to open /dev/sev 'Permission denied'
To fix it, we'll edit /etc/apparmor.d/abstractions/libvirt-qemu to authorize rw access to /dev/sev. Here's what it should look like once edited:
[...]
/dev/net/tun rw,
/dev/kvm rw,
/dev/ptmx rw,
/dev/sev rw,
@{PROC}/*/status r,
[...]
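Two things in the launch step are easy to get wrong silently: forgetting driver.iommu=on on one of the virtio devices (an SEV guest needs it so the guest's virtio drivers go through the DMA API and bounce buffers, since the device cannot read encrypted guest memory directly), and launching before the AppArmor abstraction grants access to /dev/sev. The script below is an added example, not part of this guide or of libvirt: sev_args_ok takes the same argument list you would hand to virt-install and lints it, and apparmor_allows_dev_sev checks the abstraction text for the rw rule above. The excerpt of the abstraction embedded in the script is a constructed sample; pass --live to run the checks against the page's own arguments and the real abstraction file.

```shell
#!/bin/sh
# Pre-flight lint for an SEV guest launch.
# Added example, not part of the OVH guide or of libvirt.

# Return 0 if a virt-install argument list is SEV-ready:
#   * --launchSecurity sev is present, and
#   * every --controller, --network and --memballoon option carries
#     driver.iommu=on.
# A reason for each failure is printed on stderr.
sev_args_ok() {
    ok=1
    launch=0
    while [ $# -gt 0 ]; do
        opt="$1"
        val="${2:-}"
        case "$opt" in
            --launchSecurity)
                [ "$val" = "sev" ] && launch=1
                ;;
            --controller|--network|--memballoon)
                case ",$val," in
                    *,driver.iommu=on,*) ;;
                    *) echo "missing driver.iommu=on on: $opt $val" >&2; ok=0 ;;
                esac
                ;;
        esac
        shift
    done
    if [ "$launch" -ne 1 ]; then
        echo "missing --launchSecurity sev" >&2
        ok=0
    fi
    [ "$ok" -eq 1 ]
}

# Return 0 if the libvirt-qemu AppArmor abstraction (passed as text)
# contains a rule granting rw access to /dev/sev.
apparmor_allows_dev_sev() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*/dev/sev[[:space:]]+rw,'
}

# Constructed sample: the relevant excerpt of
# /etc/apparmor.d/abstractions/libvirt-qemu after applying the fix above.
SAMPLE_ABSTRACTION='  /dev/net/tun rw,
  /dev/kvm rw,
  /dev/ptmx rw,
  /dev/sev rw,
  @{PROC}/*/status r,'

# Live pre-flight: lint the exact argument list used on this page and read
# the real abstraction file. Returns non-zero if either check fails.
preflight() {
    rc=0
    if sev_args_ok --name sev-guest --memory 4096 --memtune hard_limit=4563402 \
        --boot uefi \
        --disk /var/lib/libvirt/images/sev-guest.img,device=disk,bus=scsi \
        --disk /var/lib/libvirt/images/sev-guest-cloud-config.iso,device=cdrom \
        --os-type linux --os-variant ubuntu20.04 --import \
        --controller type=scsi,model=virtio-scsi,driver.iommu=on \
        --controller type=virtio-serial,driver.iommu=on \
        --network network=default,model=virtio,driver.iommu=on \
        --memballoon driver.iommu=on --graphics none --launchSecurity sev; then
        echo "ok   virt-install arguments are SEV-ready"
    else
        echo "FAIL virt-install arguments are not SEV-ready"; rc=1
    fi
    if apparmor_allows_dev_sev "$(cat /etc/apparmor.d/abstractions/libvirt-qemu 2>/dev/null)"; then
        echo "ok   AppArmor abstraction grants rw on /dev/sev"
    else
        echo "FAIL AppArmor abstraction does not grant rw on /dev/sev"; rc=1
    fi
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then
    preflight
fi
```

The lint only knows about the option names used on this page; a guest with extra virtio devices (a second NIC, a virtio RNG) would need the same driver.iommu=on treatment and the case statement extended accordingly.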
Once we've successfully spawned the VM, we can log in using the credentials defined in cloud-config earlier, and check that SEV is indeed enabled:
ubuntu@ubuntu:~$ dmesg | grep SEV
[ 0.158239] AMD Secure Encrypted Virtualization (SEV) active