I'm currently looking at getting libvirt working with AMD's SEV-SNP encrypted virtualization technology. I have access to a test machine with an AMD EPYC 7713 processor which I can use to launch SNP guests with qemu, but only when I specify one of the following versioned -cpu values:  - EPYC-v4  - EPYC-Milan-v2  - EPYC-Rome-v3 From what I understand, the unversioned CPU models in qemu are supposed to resolve to a specific versioned CPU model depending on the machine type. But I'm not exactly sure how machine type influences it.

I've got some libvirt patches to launch an SEV-SNP guest working now except for the CPU model specification. As far as I can tell, I can currently only specify the un-versioned model in libvirt. Is there any way to request a particular versioned CPU from qemu? I feel like I'm missing something here.

I should perhaps also mention that I'm running a development version of qemu from Cole's copr repo[1], which could still have some related bugs [1] https://copr.fedorainfracloud.org/coprs/g/virtmaint-sig/sev-snp-coconut/ Thanks, Jonathon

On Sat, Oct 28, 2023 at 09:49:32AM -0500, Jonathon Jongsma wrote: > > I'm currently looking at getting libvirt working with AMD's SEV-SNP > encrypted virtualization technology. I have access to a test machine with an > AMD EPYC 7713 processor which I can use to launch SNP guests with qemu, but > only when I specify one of the following versioned -cpu values: > - EPYC-v4 > - EPYC-Milan-v2 > - EPYC-Rome-v3 > > From what I understand, the unversioned CPU models in qemu are supposed to > resolve to a specific versioned CPU model depending on the machine type. But > I'm not exactly sure how machine type influences it. There's two aspects - what QEMU is supposed todo and what libvirt was intended todo, and only the QEMU part really got done. On the QEMU side, when the user specifies an unversioned CPU model, QEMU shouuld expand that to a versioned model, based on a definition tied to the machine type. This ensures that if the machine type doesn't change, the CPU model expansion will be guest ABI-stable. Most non-libvirt users of QEMU use a non-versioned machine type though so they have no ABI stability guarantee for the machine type or the CPU model. Initially all CPUs were mapped to v1, and it was thought that newer machine types might map to newer CPU versions. Life it not that simple though, because choice of CPU version affects runability on any given host :-( IOW, if QEMU added a new machine type that changed the mapping to a -v2 CPU model, existing users of the unversioned machine type 'q35' might suddenly find themselves unable to run the guest. eg consider -v2 adds feature 'foo' which depends on a microcode update, and the user does not have the microcode present. Thus, in practice I think it is unlikely QEMU will ever do much with the machine <-> CPU version mappings. At the libvirt level though, we can do better. Since we record our expansions in the XML, we don't have to rely on the machine type mapping for ABI sability of the CPU models Libvirt could expand a non-versioned CPU model to any version it desires, as long as it records that expansion in the XML. This could mean libvirt can dynamically expand the non-versioned CPU, taking account of what the host microcode supports. Libvirt should also allow users to request a versioned CPU model directly of course.

> I've got some libvirt patches to launch an SEV-SNP guest working now except > for the CPU model specification. As far as I can tell, I can currently only > specify the un-versioned model in libvirt. Is there any way to request a > particular versioned CPU from qemu? I feel like I'm missing something here. This is another example of where libvirt could do a better job at expansion. We ought to "do the right thing" and expand to a version that is compatible with SNP (somehow). While we should of course have a way for users to request a specific version, we should not expect users to care about versions - we must "do the right thing" with SNP (and TDX in future). With regards, Daniel

I'm currently looking at getting libvirt working with AMD's SEV-SNP encrypted virtualization technology. I have access to a test machine with an AMD EPYC 7713 processor which I can use to launch SNP guests with qemu, but only when I specify one of the following versioned -cpu values:  - EPYC-v4  - EPYC-Milan-v2  - EPYC-Rome-v3 From what I understand, the unversioned CPU models in qemu are supposed to resolve to a specific versioned CPU model depending on the machine type. But I'm not exactly sure how machine type influences it. I've got some libvirt patches to launch an SEV-SNP guest working now except for the CPU model specification. As far as I can tell, I can currently only specify the un-versioned model in libvirt. Is there any way to request a particular versioned CPU from qemu? I feel like I'm missing something here. I should perhaps also mention that I'm running a development version of qemu from Cole's copr repo[1], which could still have some related bugs [1] https://copr.fedorainfracloud.org/coprs/g/virtmaint-sig/sev-snp-coconut/

On 11/3/23 15:19, Jim Fehlig wrote: > Hi Jonathon, > > I too on occasion poke at SEV-SNP support in libvirt. I've now pushed > the dusty, hacky branch to my public fork > > https://gitlab.com/jfehlig/libvirt/-/tree/sev-snp?ref_type=heads > > Looking at the git log, it seems I fiddle with it every 2 months or > so. It's been that long since I last worked on the task, so I'm due to > give it some cycles next week :-). > > On 10/28/23 08:49, Jonathon Jongsma wrote: >> >> I'm currently looking at getting libvirt working with AMD's SEV-SNP >> encrypted virtualization technology. I have access to a test machine >> with an AMD EPYC 7713 processor which I can use to launch SNP guests >> with qemu, but only when I specify one of the following versioned >> -cpu values: >>   - EPYC-v4 >>   - EPYC-Milan-v2 >>   - EPYC-Rome-v3 >> >>  From what I understand, the unversioned CPU models in qemu are >> supposed to resolve to a specific versioned CPU model depending on >> the machine type. But I'm not exactly sure how machine type >> influences it. >> >> I've got some libvirt patches to launch an SEV-SNP guest working now >> except for the CPU model specification. As far as I can tell, I can >> currently only specify the un-versioned model in libvirt. Is there >> any way to request a particular versioned CPU from qemu? I feel like >> I'm missing something here. >> >> I should perhaps also mention that I'm running a development version >> of qemu from Cole's copr repo[1], which could still have some related >> bugs >> >> [1] >> https://copr.fedorainfracloud.org/coprs/g/virtmaint-sig/sev-snp-coconut/ > > Do you know the corresponding git branches the host packages are built > from? One of the biggest challenges I face is keeping track of the > latest repos/branches to use for all the snp and tdx work. I _think_ > this is still the oracle for the snp patches > > https://github.com/AMDESE/AMDSEV/blob/snp-latest/stable-commits Yes, seems to be the case. I noticed the head commit in the qemu branch is commit bbc1bfb6bfb3cde4c22755cedd5b71e651ca35e8 Author: Cole Robinson <crobinso(a)redhat.com&gt; Date:   Fri Oct 13 13:53:26 2023 -0400     *sev: fix query-sev-capabilities as called by libvirt

> The last time I tried starting a SNP guest using libvirt with my > hacks, qemu crashed when libvirt probed sev_get_capabilities. Which fixed this issue :-). With the latest kernel, qemu, and ovmf referenced in stable-commits, qemu fails when attempting to start a SNP guest via libvirt with latest patches in my git branch # virsh start snp-test error: Failed to start domain 'snp-test' error: internal error: QEMU unexpectedly closed the monitor (vm='snp-test'): 2023-11-07T00:01:06.888232Z qemu-system-x86_64: warning: creating ROM device with private memory. 2023-11-07T00:01:06.888516Z qemu-system-x86_64: warning: kvm_create_gmemfd: created memfd: 36, size: 37c000, flags: 0 2023-11-07T00:01:06.891968Z qemu-system-x86_64: warning: kvm_create_gmemfd: created memfd: 38, size: 20000, flags: 0 2023-11-07T00:01:06.892215Z qemu-system-x86_64: warning: creating ROM device with private memory. 2023-11-07T00:01:06.892256Z qemu-system-x86_64: warning: kvm_create_gmemfd: created memfd: 40, size: 84000, flags: 0 2023-11-07T00:01:06.892949Z qemu-system-x86_64: warning: kvm_create_gmemfd: created memfd: 42, size: 20000, flags: 0 2023-11-07T00:01:06.928511Z qemu-system-x86_64: kvm_set_user_memory_region: KVM_SET_USER_MEMORY_REGION2 failed, slot=65536, start=0x0, size=0x80000000, flags=0x0, gmem_fd=0, gmem_offset=0x0: Invalid argument (22) kvm_set_phys_mem: error registering slot: Invalid argument The memory backend is not being configured properly. From the qemu log file -machine pc-q35-7.1,usb=off,dump-guest-core=off,memory-backend=pc.ram,kvm-type=protected,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,hpet=off,acpi=on \ -object '{"qom-type":"memory-backend-file","id":"pc.ram","mem-path":"/var/lib/libvirt/qemu/ram/1-tw-snp-test/pc.ram","share":false,"x-use-canonical-path-for-ramblock-id":false,"size":8589934592}' \ I'll continue poking on Wednesday. I've dedicated Tuesday to working on hardware in our lab. Regards, Jim