{"id":13467823,"url":"https://github.com/AMDESE/AMDSEV","last_synced_at":"2025-03-26T03:31:10.645Z","repository":{"id":26283812,"uuid":"99161197","full_name":"AMDESE/AMDSEV","owner":"AMDESE","description":"AMD Secure Encrypted Virtualization","archived":false,"fork":false,"pushed_at":"2025-03-21T18:54:00.000Z","size":2372,"stargazers_count":318,"open_issues_count":114,"forks_count":92,"subscribers_count":39,"default_branch":"master","last_synced_at":"2025-03-21T19:45:53.699Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AMDESE.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-08-02T21:10:52.000Z","updated_at":"2025-03-17T22:35:04.000Z","dependencies_parsed_at":"2023-10-11T01:34:13.877Z","dependency_job_id":"407012b1-1e68-4351-8a5d-1124685db2cc","html_url":"https://github.com/AMDESE/AMDSEV","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AMDESE%2FAMDSEV","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AMDESE%2FAMDSEV/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AMDESE%2FAMDSEV/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AMDESE%2FAMDSEV/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AMDESE","download_url":"https://codeload.github.com/AMDESE/AMDSEV/tar.gz/refs/heads/master","host":{"name":"GitHub","
url":"https://github.com","kind":"github","repositories_count":245584701,"owners_count":20639609,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T15:01:00.999Z","updated_at":"2025-03-26T03:31:10.268Z","avatar_url":"https://github.com/AMDESE.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"# Table of contents\n* [ Introduction ](#intro)\n* [ SLES-15 ](#sles-15)\n  * [ Prepare Host OS ](#sles-15-host)\n  * [ Prepare VM ](#sles-15-prep-vm)\n  * [ Launch SEV VM ](#sles-15-launch-vm)\n* [ RHEL-8 ](#rhel-8)\n  * [ Prepare Host OS ](#rhel-8-host)\n  * [ Prepare VM ](#rhel-8-prep-vm)\n  * [ Launch SEV VM ](#rhel-8-launch-vm)  \n* [ Fedora-28 ](#fc-28)\n  * [ Prepare Host OS ](#fc-28-host)\n  * [ Prepare VM ](#fc-28-prep-vm)\n  * [ Launch SEV VM ](#fc-28-launch-vm)\n* [ Fedora-29 ](#fc-29)\n  * [ Prepare Host OS ](#fc-29-host)\n  * [ Prepare VM ](#fc-29-prep-vm)\n  * [ Launch SEV VM ](#fc-29-launch-vm)\n* [ Ubuntu-18.04 ](#ubuntu18)\n  * [ Prepare Host OS ](#ubuntu18-host)\n  * [ Prepare VM ](#ubuntu18-prep-vm)\n  * [ Launch SEV VM ](#ubuntu18-launch-vm)\n* [ openSuse-Tumbleweed](#tumbleweed)\n  * [ Prepare Host OS ](#tumbleweed-host)\n  * [ Launch SEV VM ](#tumbleweed-launch-vm)\n* [ SEV Containers ](#kata)\n* [ Additional resources ](#resources)\n* [ FAQ ](#faq)\n  * [ How do I know if Hypervisor supports SEV ](#faq-1)\n  * [ How do I know if SEV is enabled in the guest](#faq-2)\n  * [ Can I use virt-manager to launch SEV guest](#faq-3)\n  * [ How to increase SWIOTLB limit](#faq-4)\n  * [ SWIOTLB allocation 
failure causing kernel panic](#faq-5)\n  * [ virtio-blk fails with out-of-dma-buffer error](#faq-6)\n  * [ SEV_INIT fails with error 0x13](#faq-7)\n  * [ SEV Firmware Updates](#faq-8)\n  \n\u003ca name=\"intro\"\u003e\u003c/a\u003e\n# Secure Encrypted Virtualization (SEV)\n\nSEV is an extension to the AMD-V architecture which supports running encrypted\nvirtual machines (VMs) under the control of KVM. Encrypted VMs have their pages\n(code and data) secured such that only the guest itself has access to the\nunencrypted version. Each encrypted VM is associated with a unique encryption\nkey; if its data is accessed by a different entity using a different key, the\nencrypted guest's data will be incorrectly decrypted, leading to unintelligible\ndata.\n\nSEV support has been accepted in upstream projects. This repository provides\nscripts to build the various components that enable SEV support, until the distros\npick up the newer versions of those components.\n\nTo enable SEV support we need the following versions.\n\n| Project       | Version                              |\n| ------------- |:------------------------------------:|\n| kernel        | \u003e= 4.16                              |\n| libvirt       | \u003e= 4.5                               |\n| qemu          | \u003e= 2.12                              |\n| ovmf          | \u003e= commit (75b7aa9528bd 2018-07-06 ) |\n\nTo enable SEV-ES support we need the following versions.\n\n| Project       | Version/Tag                          |\n| ------------- |:------------------------------------:|\n| kernel        | \u003e= 5.11                              |\n| libvirt       | \u003e= 4.5                               |\n| qemu          | \u003e= 6.00                              |\n| ovmf          | \u003e= edk2-stable202102                 |\n\n\u003e * Installing a newer libvirt may conflict with existing setups, hence the script does\n\u003e   not install the newer version of libvirt. If you are interested in launching an\n\u003e   SEV guest through the virsh commands, build and install libvirt 4.5 or\n\u003e   higher and use the LaunchSecurity tag https://libvirt.org/formatdomain.html#sev for\n\u003e   creating the SEV enabled guest.\n\u003e\n\u003e * SEV support is not available in SeaBIOS. The guest must use OVMF.\n\n\u003ca name=\"sles-15\"\u003e\u003c/a\u003e\n\n## SLES-15\n\nSUSE Linux Enterprise Server 15 GA includes SEV support; we do not need\nto compile the sources.\n\n\u003e SLES-15 does not contain the updated libvirt packages yet, hence we will\nuse the QEMU command line interface to launch VMs.\n\n\u003ca name=\"sles-15-host\"\u003e\u003c/a\u003e\n### Prepare Host OS\n\nSEV is not enabled by default; enable it through the kernel command line.\n\nAppend the following to /etc/default/grub\n\n```\nGRUB_CMDLINE_LINUX_DEFAULT=\".... kvm_amd.sev=1\"\n```\n\nRegenerate grub.cfg and reboot the host\n\n```\n# grub2-mkconfig -o /boot/efi/EFI/sles/grub.cfg\n# reboot\n```\n\nInstall the qemu launch script. The launch script can be obtained from this project.\n\n```\n# git clone https://github.com/AMDESE/AMDSEV.git\n# cd AMDSEV/distros/sles-15\n# ./build.sh\n```\n\u003ca name=\"sles-15-prep-vm\"\u003e\u003c/a\u003e\n### Prepare VM image\n\nCreate an empty virtual disk image\n\n```\n# qemu-img create -f qcow2 sles-15.qcow2 30G\n```\n\nCreate a new copy of OVMF_VARS.fd. The OVMF_VARS.fd is a \"template\" used\nto emulate persistent NVRAM storage.\n
Each VM needs a private, writable\ncopy of VARS.fd.\n\n```\n# cp /usr/share/qemu/ovmf-x86_64-suse-4m-vars.bin OVMF_VARS.fd\n```\n\nDownload and install the sles-15 guest\n\n```\n# launch-qemu.sh -hda sles-15.qcow2 -cdrom SLE-15-Installer-DVD-x86_64-GM-DVD1.iso -nosev\n```\nFollow the screen to complete the guest installation.\n\n\u003ca name=\"sles-15-launch-vm\"\u003e\u003c/a\u003e\n### Launch VM\n\nUse the following command to launch the SEV guest\n\n```\n# launch-qemu.sh -hda sles-15.qcow2\n```\nNOTE: while the guest is booting, CTRL-C is mapped to CTRL-]; use CTRL-] to stop the guest\n\n\u003ca name=\"rhel-8\"\u003e\u003c/a\u003e\n## RHEL-8\n\nRed Hat Enterprise Linux 8.0 GA includes SEV support; we do not need\nto compile the sources.\n\n\u003ca name=\"rhel-8-host\"\u003e\u003c/a\u003e\n### Prepare Host OS\n\nSEV is not enabled by default; enable it through the kernel command line.\n\nAppend the following to /etc/default/grub\n\n```\nGRUB_CMDLINE_LINUX_DEFAULT=\".... kvm_amd.sev=1\"\n```\n\nRegenerate grub.cfg and reboot the host\n\n```\n# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg\n# reboot\n```\n\nInstall the qemu launch script. The launch script can be obtained from this project.\n\n```\n# git clone https://github.com/AMDESE/AMDSEV.git\n# cd AMDSEV/distros/rhel-8\n# ./build.sh\n```\n\u003ca name=\"rhel-8-prep-vm\"\u003e\u003c/a\u003e\n### Prepare VM image\n\nCreate an empty virtual disk image\n\n```\n# qemu-img create -f qcow2 rhel-8.qcow2 30G\n```\n\nCreate a new copy of OVMF_VARS.fd. The OVMF_VARS.fd is a \"template\" used\nto emulate persistent NVRAM storage.\n
Each VM needs a private, writable\ncopy of VARS.fd.\n\n```\n# cp /usr/share/OVMF/OVMF_VARS.fd OVMF_VARS.fd\n```\n\nDownload and install the rhel-8 guest\n\n```\n# launch-qemu.sh -hda rhel-8.qcow2 -cdrom RHEL-8.0.0-20190404.2-x86_64-dvd1.iso\n```\nFollow the screen to complete the guest installation.\n\n\u003ca name=\"rhel-8-launch-vm\"\u003e\u003c/a\u003e\n### Launch VM\n\nUse the following command to launch the SEV guest\n\n```\n# launch-qemu.sh -hda rhel-8.qcow2\n```\nNOTE: while the guest is booting, CTRL-C is mapped to CTRL-]; use CTRL-] to stop the guest\n\n\u003ca name=\"fc-28\"\u003e\u003c/a\u003e\n## Fedora-28\n\nFedora-28 includes newer kernel and ovmf packages but has an older qemu. We will need to update QEMU to launch an SEV guest.\n\n\u003ca name=\"fc-28-host\"\u003e\u003c/a\u003e\n### Prepare Host OS\n\nSEV is not enabled by default; enable it through the kernel command line.\n\nAppend the following to /etc/default/grub\n\n```\nGRUB_CMDLINE_LINUX_DEFAULT=\".... kvm_amd.sev=1\"\n```\n\nRegenerate grub.cfg and reboot the host\n\n```\n# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg\n# reboot\n```\n\nBuild and install the newer qemu\n\n```\n# cd distros/fedora-28\n# ./build.sh\n```\n\n\u003ca name=\"fc-28-prep-vm\"\u003e\u003c/a\u003e\n### Prepare VM image\n\nCreate an empty virtual disk image\n\n```\n# qemu-img create -f qcow2 fedora-28.qcow2 30G\n```\n\nCreate a new copy of OVMF_VARS.fd. The OVMF_VARS.fd is a \"template\" used\nto emulate persistent NVRAM storage.\n
Each VM needs a private, writable\ncopy of VARS.fd.\n\n```\n# cp /usr/share/OVMF/OVMF_VARS.fd OVMF_VARS.fd\n```\n\nDownload and install the fedora-28 guest\n\n```\n# launch-qemu.sh -hda fedora-28.qcow2 -cdrom Fedora-Workstation-netinst-x86_64-28-1.1.iso\n```\nFollow the screen to complete the guest installation.\n\n\u003ca name=\"fc-28-launch-vm\"\u003e\u003c/a\u003e\n### Launch VM\n\nUse the following command to launch the SEV guest\n\n```\n# launch-qemu.sh -hda fedora-28.qcow2\n```\n\nNOTE: while the guest is booting, CTRL-C is mapped to CTRL-]; use CTRL-] to stop the guest\n\n\u003ca name=\"fc-29\"\u003e\u003c/a\u003e\n## Fedora-29\n\nFedora-29 contains all the prerequisite packages to launch an SEV guest, but the SEV feature is not enabled by default. This section documents how to enable it.\n\n\u003ca name=\"fc-29-host\"\u003e\u003c/a\u003e\n### Prepare Host OS\n\n* Add a new udev rule for the /dev/sev device so that the kvm group can use it\n\n  ```\n  # cat /etc/udev/rules.d/71-sev.rules\n  KERNEL==\"sev\", MODE=\"0660\", GROUP=\"kvm\"\n  ```\n* Clean the libvirt caches so that on restart libvirt re-generates the capabilities\n\n  ```\n  # rm -rf /var/cache/libvirt/qemu/capabilities/\n  ```\n\n* The default FC-29 kernel (4.18) has SEV disabled in its config, but the kernel available through the FC-29 updates\n  has the SEV config set.\n\n  Use the following commands to upgrade the packages and also install the virtualization packages\n\n  ```\n  # yum groupinstall virtualization\n  # yum upgrade\n  ```\n\n* By default SEV is disabled; append the following to /etc/default/grub\n\n  ```\n  GRUB_CMDLINE_LINUX_DEFAULT=\".... kvm_amd.sev=1\"\n  ```\n\n  Regenerate grub.cfg and reboot the host\n\n  ```\n  # grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg\n  # reboot\n  ```\n\n* Install the qemu launch script\n\n  ```\n  # cd distros/fedora-29\n  # ./build.sh\n  ```\n\n\u003ca name=\"fc-29-prep-vm\"\u003e\u003c/a\u003e\n### Prepare VM image\n\nCreate an empty virtual disk image\n\n```\n# qemu-img create -f qcow2 fedora-29.qcow2 30G\n```\n\nCreate a new copy of OVMF_VARS.fd. The OVMF_VARS.fd is a \"template\" used\nto emulate persistent NVRAM storage. Each VM needs a private, writable\ncopy of VARS.fd.\n\n```\n# cp /usr/share/edk2/ovmf/OVMF_VARS.fd OVMF_VARS.fd\n```\n\nDownload and install the fedora-29 guest\n\n```\n# launch-qemu.sh -hda fedora-29.qcow2 -cdrom Fedora-Workstation-netinst-x86_64-29-1.1.iso\n```\nFollow the screen to complete the guest installation.\n\n\u003ca name=\"fc-29-launch-vm\"\u003e\u003c/a\u003e\n### Launch VM\n\nUse the following command to launch the SEV guest\n\n```\n# launch-qemu.sh -hda fedora-29.qcow2\n```\n\nNOTE: while the guest is booting, CTRL-C is mapped to CTRL-]; use CTRL-] to stop the guest\n\n\u003ca name=\"ubuntu18\"\u003e\u003c/a\u003e\n## Ubuntu 18.04\n\nUbuntu 18.04 does not include the newer versions of the components needed to act as an SEV\nhypervisor, hence we will build and install a newer kernel, qemu and ovmf.\n\n\u003ca name=\"ubuntu18-host\"\u003e\u003c/a\u003e\n### Prepare Host OS\n\n* Enable source repositories [See](https://askubuntu.com/questions/158871/how-do-i-enable-the-source-code-repositories)\n\n* Build and install the newer components\n\n```\n# cd distros/ubuntu-18.04\n# ./build.sh\n```\n\n\u003ca name=\"ubuntu18-prep-vm\"\u003e\u003c/a\u003e\n### Prepare VM image\n\nCreate an empty virtual disk image\n\n```\n# qemu-img create -f qcow2 ubuntu-18.04.qcow2 30G\n```\n\nCreate a new copy of OVMF_VARS.fd. The OVMF_VARS.fd is a \"template\" used\nto emulate persistent NVRAM storage.\n
Each VM needs a private, writable\ncopy of VARS.fd.\n\n```\n# cp /usr/local/share/qemu/OVMF_VARS.fd OVMF_VARS.fd\n```\n\nInstall the ubuntu-18.04 guest\n\n```\n# launch-qemu.sh -hda ubuntu-18.04.qcow2 -cdrom ubuntu-18.04-desktop-amd64.iso\n```\nFollow the screen to complete the guest installation.\n\n\u003ca name=\"ubuntu18-launch-vm\"\u003e\u003c/a\u003e\n### Launch VM\n\nUse the following command to launch the SEV guest\n\n```\n# launch-qemu.sh -hda ubuntu-18.04.qcow2\n```\nNOTE: while the guest is booting, CTRL-C is mapped to CTRL-]; use CTRL-] to stop the guest\n\n\u003ca name=\"tumbleweed\"\u003e\u003c/a\u003e\n## openSUSE-Tumbleweed\n\nThe latest version of openSUSE Tumbleweed contains all the prerequisite packages to launch an SEV guest, but the SEV feature is not enabled by default. This section documents how to enable it.\n\n\u003ca name=\"tumbleweed-host\"\u003e\u003c/a\u003e\n### Prepare Host OS\n\n* Add a new udev rule for the /dev/sev device so that the kvm group can use it\n\n  ```\n  # cat /etc/udev/rules.d/71-sev.rules\n  KERNEL==\"sev\", MODE=\"0660\", GROUP=\"kvm\"\n  ```\n* Clean the libvirt caches so that on restart libvirt re-generates the capabilities\n\n  ```\n  # rm -rf /var/cache/libvirt/qemu/capabilities/\n  # systemctl restart libvirtd\n  ```\n* The SEV feature is not enabled in the kernel by default; enable it through the kernel command line.\n\n  Append the following to /etc/default/grub\n  ```\n  GRUB_CMDLINE_LINUX_DEFAULT=\".... kvm_amd.sev=1\"\n  ```\n  Regenerate grub.cfg and reboot the host\n\n  ```\n  # grub2-mkconfig -o /boot/efi/EFI/opensuse/grub.cfg\n  # reboot\n  ```\n\n\u003ca name=\"tumbleweed-launch-vm\"\u003e\u003c/a\u003e\n### Launch SEV VM\n\nSEV support is available in the latest libvirt; follow https://libvirt.org/kbase/launch_security_sev.html to use libvirt to create and manage the SEV guest.\n\n\n\u003ca name=\"kata\"\u003e\u003c/a\u003e\n## SEV Containers\n\nContainer runtimes that use hardware virtualization to further isolate container workloads can also make use of SEV. As a proof-of-concept, the [kata](https://github.com/AMDESE/AMDSEV/tree/kata) branch contains an SEV-capable version of the Kata Containers runtime that will start all containers inside of SEV virtual machines.\n\nFor installation instructions on Ubuntu systems, see the [README](https://github.com/AMDESE/AMDSEV/blob/kata/README.md).\n\n\u003ca name=\"resources\"\u003e\u003c/a\u003e\n# Additional Resources\n\n[SME/SEV white paper](http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf)\n\n[SEV API Spec](https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf)\n\n[APM Section 15.34](http://support.amd.com/TechDocs/24593.pdf)\n\n[KVM forum slides](http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf)\n\n[KVM forum videos](https://www.youtube.com/watch?v=RcvQ1xN55Ew)\n\n[Linux kernel: KVM SEV documentation](https://elixir.bootlin.com/linux/latest/source/Documentation/virtual/kvm/amd-memory-encryption.rst)\n\n[Linux kernel: x86 memory encryption documentation](https://elixir.bootlin.com/linux/latest/source/Documentation/x86/amd-memory-encryption.txt)\n\n[Libvirt LaunchSecurity tag](https://libvirt.org/formatdomain.html#sev)\n\n[Libvirt SEV](https://libvirt.org/kbase/launch_security_sev.html)\n\n[Libvirt SEV domainCap](https://libvirt.org/formatdomaincaps.html#elementsSEV)\n\n[Qemu doc](https://git.qemu.org/?p=qemu.git;a=blob;f=docs/amd-memory-encryption.txt;h=f483795eaafed8409b1e96806ca743354338c9dc;hb=HEAD)\n\n\u003ca name=\"faq\"\u003e\u003c/a\u003e\n# FAQ\n\n\u003ca name=\"faq-1\"\u003e\u003c/a\u003e\n * \u003cb\u003eHow do I know if the hypervisor supports the SEV feature?\u003c/b\u003e\n\n   a) When using libvirt \u003e= 4.5 run the following command\n\n   ```\n   # virsh domcapabilities\n   ```\n   If the hypervisor supports the SEV feature then a \u003cb\u003esev\u003c/b\u003e element with supported='yes' will be present under \u003cb\u003efeatures\u003c/b\u003e.\n\n   \u003eSee [Libvirt DomainCapabilities feature](https://libvirt.org/formatdomaincaps.html#elementsSEV)\nfor additional information.\n\n   b) Use the qemu QMP 'query-sev-capabilities' command to check for SEV support. If SEV is supported then the command will return the full SEV capabilities (which include the host PDH, cert-chain, cbitpos and reduced-phys-bits).\n\n     \u003e See [QMP doc](https://github.com/qemu/qemu/blob/master/docs/devel/writing-qmp-commands.txt) for details on how to interact with the QMP shell.\n\n\u003ca name=\"faq-2\"\u003e\u003c/a\u003e\n * \u003cb\u003eHow do I know if SEV is enabled in the guest?\u003c/b\u003e\n\n   a) Check the kernel log buffer for the following message\n   ```\n   # dmesg | grep -i sev\n   AMD Secure Encrypted Virtualization (SEV) active\n   ```\n\n   b) MSR 0xc0010131 (MSR_AMD64_SEV) can be used to determine if SEV is active\n\n   ```\n   # rdmsr -a 0xc0010131\n   ```\n   \u003cpre\u003e\n   Bit[0]:   0 = SEV is not active\n             1 = SEV is active\n   \u003c/pre\u003e\n\n\u003ca name=\"faq-3\"\u003e\u003c/a\u003e\n * \u003cb\u003eCan I use virt-manager to launch an SEV guest?\u003c/b\u003e\n\n    virt-manager uses libvirt to manage VMs. SEV support has been added to libvirt, but virt-manager does not use the newly introduced [LaunchSecurity](https://libvirt.org/formatdomain.html#sev) tags yet, hence we are not able to launch an SEV guest through virt-manager.\n    \u003e If your system is using\n
libvirt \u003e= 4.5 then you can manually edit the domain XML to use [LaunchSecurity](https://libvirt.org/formatdomain.html#sev) to enable SEV support in the guest.\n\n\u003ca name=\"faq-4\"\u003e\u003c/a\u003e\n * \u003cb\u003eHow to increase the SWIOTLB limit?\u003c/b\u003e\n\n When SEV is enabled, all DMA operations inside the guest are performed on shared (unencrypted) memory, because neither devices nor the hypervisor can read the guest's private pages. The Linux kernel uses the SWIOTLB bounce buffer for DMA operations inside an SEV guest, so whatever is DMAed passes through memory the hypervisor can read. A guest panic will occur if the kernel runs out of the SWIOTLB pool. The Linux kernel defaults to a 64MB SWIOTLB pool; it is recommended to increase the swiotlb pool size to 512MB. The swiotlb= parameter counts 2KB slabs, so 262144 slabs are 512MB. The swiotlb pool size can be increased in the guest through the kernel command line.\n\n Append the following to /etc/default/grub\n\n```\nGRUB_CMDLINE_LINUX_DEFAULT=\".... swiotlb=262144\"\n```\n\nAnd regenerate the grub.cfg.\n\n\u003ca name=\"faq-5\"\u003e\u003c/a\u003e\n * \u003cb\u003eSWIOTLB allocation failure causing kernel panic\u003c/b\u003e\n\n The SWIOTLB size, when not explicitly specified, is automatically calculated based on the amount of guest memory, up to a 1GB maximum. However, the guest may not have enough contiguous memory below 4GB to satisfy the SWIOTLB allocation requirement, in which case the kernel will panic:\n\n \u003cpre\u003e\n [    0.004318] software IO TLB: SWIOTLB bounce buffer size adjusted to 965MB\n ...\n [    1.015953] Kernel panic - not syncing: Can not allocate SWIOTLB buffer earlier and can't now provide you with the DMA bounce buffer\n \u003c/pre\u003e\n\n In this situation, please specify the SWIOTLB size, as shown in [ How to increase SWIOTLB limit](#faq-4), to a value that allows the guest to boot.\n\n\u003ca name=\"faq-6\"\u003e\u003c/a\u003e\n * \u003cb\u003evirtio-blk device fails with an out-of-dma-buffer error\u003c/b\u003e\n\n To support multiqueue mode, the virtio-blk driver inside the guest allocates a large number of DMA buffers.\n
The SEV guest uses SWIOTLB for DMA buffer allocation and mapping, hence the kernel runs out of the SWIOTLB pool quickly and triggers the out-of-memory error. In those cases consider increasing the SWIOTLB pool size or using a virtio-scsi device.\n\n\u003ca name=\"faq-7\"\u003e\u003c/a\u003e\n * \u003cb\u003eSEV_INIT fails with error 0x13\u003c/b\u003e\n\n Error 0x13 is defined as HWERROR_PLATFORM in the SEV API specification. It indicates that memory encryption support is not enabled in the host BIOS. Look for the SMEE setting in your BIOS menu and explicitly enable it. You can verify that SMEE is enabled on your machine by reading the SYSCFG MSR (0xc0010010) with the commands below\n ```\n $ sudo modprobe msr\n $ sudo rdmsr 0xc0010010\n 3f40000\n ```\n Verify that bit 23 (memory encryption enable, aka SMEE) is set; it is set in the example value above.\n\n\u003ca name=\"faq-8\"\u003e\u003c/a\u003e\n * \u003cb\u003eSEV Firmware Updates\u003c/b\u003e\n\nSEV firmware is part of the AMD Secure Processor and is responsible for\nmuch of the life cycle management of an SEV guest. Updates to the firmware\ncan be made available outside the traditional BIOS update path.\n\nOn Linux, the AMD Secure Processor driver (ccp) is responsible for updating\nthe SEV firmware when the driver is loaded. The driver searches for the firmware\nusing the kernel's firmware loading interface. The kernel's firmware loading\ninterface will search for the firmware, by name, in a number of locations\n(see \u003ca href=\"https://github.com/torvalds/linux/blob/master/Documentation/driver-api/firmware/fw_search_path.rst\"\u003efw_search_path.rst\u003c/a\u003e),\nwith the traditional path being /lib/firmware.\n\nThe ccp driver searches for three different possible SEV firmware files under\nthe \"amd\" directory, using the first file that is found. The first file that\nis searched for is a firmware file with a CPU family and model specific name,\nthen a firmware file with a CPU family and model range name, and finally a\ngeneric name.\n
The naming convention uses the following format:\n\n* Model specific: amd_sev_famXXh_modelYYh.sbin\n  - where XX is the hex representation of the CPU family\n  - where YY is the hex representation of the CPU model\n\n* Range specific: amd_sev_famXXh_modelYxh.sbin\n  - where XX is the hex representation of the CPU family\n  - where Y is the first hex digit of the CPU model\n\n* Generic: sev.fw\n\nFor example, for an EPYC processor with a family of 0x19 and a model of 0x01,\nthe search order would be:\n\n1. amd/amd_sev_fam19h_model01h.sbin\n2. amd/amd_sev_fam19h_model0xh.sbin\n3. amd/sev.fw\n\nThe level of firmware that is loaded can be viewed in the kernel log. For example, issuing\nthe command \"dmesg | grep ccp\":\n\u003cpre\u003e\n[   13.879283] ccp 0000:01:00.5: enabling device (0000 -\u003e 0002)\n[   13.887532] ccp 0000:01:00.5: sev enabled\n[   13.899646] ccp 0000:01:00.5: psp enabled\n[   14.560461] ccp 0000:01:00.5: SEV API:1.55 build:24\n[   14.644793] ccp 0000:01:00.5: SEV-SNP API:1.55 build:24\n\u003c/pre\u003e\n\nSince, on Linux, the firmware is updated when the ccp module is loaded, it is possible\nto update the firmware level after the system has booted. At this time, all guests would\nneed to be shut down and the kvm_amd module unloaded before the ccp module could be unloaded\nand reloaded.\n\nSEV firmware can be obtained from the \u003ca href=\"https://www.amd.com/sev\"\u003eAMD Secure Encrypted Virtualization\nweb portal\u003c/a\u003e or through the \u003ca href=\"https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd\"\u003eLinux Firmware repository\u003c/a\u003e.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAMDESE%2FAMDSEV","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FAMDESE%2FAMDSEV","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAMDESE%2FAMDSEV/lists"}
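Every "Prepare Host OS" section of the README above, and the SWIOTLB FAQ, say "append the following to /etc/default/grub" with the rest of the GRUB_CMDLINE_LINUX_DEFAULT line elided. The script below is an added example, not part of the AMDSEV repository: it performs that edit idempotently (an existing parameter with the same key is replaced rather than duplicated, and a missing variable is created), and it converts a SWIOTLB size in MiB into the slab count that the swiotlb= parameter actually takes. The grub file path is an argument; the grub2-mkconfig path in the comment is the Fedora one from the README and varies by distro.

```shell
#!/bin/sh
# Added example, not from the AMDSEV repository: idempotent edits of
# GRUB_CMDLINE_LINUX_DEFAULT for the kernel parameters used in the README
# (kvm_amd.sev=1 on the host, swiotlb=<slabs> inside the SEV guest).

# swiotlb= takes a number of 2 KiB slabs (IO_TLB_SHIFT = 11), not bytes:
# 512 MiB -> 262144, the value the README recommends; 64 MiB -> 32768.
swiotlb_slabs() {
    echo $(( $1 * 1024 * 1024 / 2048 ))
}

# Print the unquoted value of GRUB_CMDLINE_LINUX_DEFAULT from grub file $1
# (last definition wins, as it does for the shell-style file grub sources).
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Add kernel parameter $2 (key or key=value) to GRUB_CMDLINE_LINUX_DEFAULT in
# file $1. Any existing parameter with the same key is dropped first, so running
# this twice, or changing swiotlb= later, never leaves duplicates behind.
grub_add_param() {
    file=$1
    param=$2
    key=${param%%=*}
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        new=""
        for p in $(grub_cmdline "$file"); do
            [ "${p%%=*}" = "$key" ] && continue    # drop the old value of this key
            new="$new $p"
        done
        new="${new# }"
        new="${new:+$new }$param"
        # Escape the characters that are special in a sed replacement.
        esc=$(printf '%s' "$new" | sed 's/[/&\\]/\\&/g')
        sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT=\"$esc\"/" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$param" >> "$file"
    fi
}

# Typical use on the host, followed by the regeneration step from the README:
#   grub_add_param /etc/default/grub kvm_amd.sev=1
#   grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg   # path differs per distro
# and inside the guest, for the recommended 512 MiB bounce buffer pool:
#   grub_add_param /etc/default/grub "swiotlb=$(swiotlb_slabs 512)"
```

The replace-by-key behaviour matters for the guest case: FAQ-5 suggests tuning swiotlb= until the guest boots, and a line that accumulates several swiotlb= entries leaves the kernel applying whichever one it parses last.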
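FAQ-1, FAQ-2, FAQ-7 and FAQ-8 of the README, together with the udev rule from the host-preparation sections, give several things to verify by hand: SYSCFG bit 23 on the host, MSR_AMD64_SEV bit 0 inside the guest, the /dev/sev permissions, and the firmware level the ccp driver logs. The script below is an added example and not code from the AMDSEV repository. Each check is a function over the text of a command's output, so it can be exercised on constructed samples without AMD hardware; the `--live` branch feeds it the real commands on a host and assumes, as the FAQ does, that the msr kernel module and the rdmsr tool from msr-tools are available and that it runs as root.

```shell
#!/bin/sh
# Added example, not from the AMDSEV repository: the manual checks from the
# README FAQ as functions over command output.

# Return 0 if bit $2 is set in hex value $1 (rdmsr prints hex without 0x).
hex_bit_set() {
    v=$(printf '%s' "$1" | sed 's/^0[xX]//')
    [ "$(( 0x$v >> $2 & 1 ))" -eq 1 ]
}

# Host side, FAQ-7: SYSCFG MSR 0xc0010010 bit 23 is the memory encryption
# enable (the BIOS "SMEE" setting). $1 is the output of `rdmsr 0xc0010010`.
smee_enabled() {
    hex_bit_set "$1" 23
}

# Guest side, FAQ-2: MSR_AMD64_SEV (0xc0010131) bit 0 means SEV is active.
# $1 is the output of `rdmsr -a 0xc0010131`, one value per CPU; every CPU
# must report the bit, and an empty result (no msr module, not root) fails.
sev_active_all_cpus() {
    n=0
    for v in $1; do
        hex_bit_set "$v" 0 || return 1
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Host side, FAQ-8: print the SEV firmware API level from the ccp driver's
# dmesg line ("SEV API:1.55 build:24" -> "1.55 build:24"), or fail if absent.
# The SEV-SNP line is deliberately not matched.
sev_fw_level() {
    printf '%s\n' "$1" | sed -n 's/.*ccp .*: SEV API:\([0-9.]* build:[0-9]*\).*/\1/p' | head -n 1 | grep .
}

# Host side, udev rule KERNEL=="sev", MODE="0660", GROUP="kvm": $1 is the
# "<octal mode> <group>" pair printed by `stat -c '%a %G' /dev/sev`.
dev_sev_perms_ok() {
    set -- $1
    [ "$1" = 660 ] && [ "$2" = kvm ]
}

# Live run on an AMD host as root: sh sev-check.sh --live
# (inside a guest, the equivalent is: sev_active_all_cpus "$(rdmsr -a 0xc0010131)")
if [ "${1:-}" = "--live" ]; then
    modprobe msr 2>/dev/null || true
    if smee_enabled "$(rdmsr 0xc0010010)"; then
        echo "SYSCFG bit 23 set: memory encryption enabled in BIOS"
    else
        echo "SYSCFG bit 23 clear: enable SMEE in BIOS (SEV_INIT fails with 0x13 otherwise)"
    fi
    if [ -e /dev/sev ] && dev_sev_perms_ok "$(stat -c '%a %G' /dev/sev)"; then
        echo "/dev/sev present with mode 0660, group kvm"
    else
        echo "/dev/sev missing or wrong permissions: check kvm_amd.sev=1 and the udev rule"
    fi
    lvl=$(sev_fw_level "$(dmesg)") && echo "SEV firmware API $lvl" || echo "ccp did not report SEV firmware"
fi
```

Checking every CPU in `sev_active_all_cpus` rather than the first line is intentional: `rdmsr -a` prints one value per CPU, and a single clear bit is enough to show that the guest is not the encrypted one you think it is.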
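FAQ-8 describes the three file names the ccp driver tries, in order, and notes that the family and model in those names are hexadecimal, while /proc/cpuinfo reports both in decimal; that conversion is the usual mistake when checking which file a host will pick up. The script below is an added example, not code from the AMDSEV repository or from the kernel driver: it derives the two-digit hex family and model from cpuinfo text, lists the candidates in the driver's search order, and resolves the first one present under a firmware directory (/lib/firmware in the live case, the traditional path named in the FAQ).

```shell
#!/bin/sh
# Added example, not from the AMDSEV repository: reproduce the ccp driver's
# SEV firmware search order from FAQ-8 for a given CPU.

# From /proc/cpuinfo text ($1), print "<family> <model>" as two-digit hex,
# e.g. "cpu family : 25" / "model : 1" -> "19 01". Fails if either is missing.
# "model name" does not match because a space, not a colon, follows "model".
cpu_fam_model_hex() {
    fam=$(printf '%s\n' "$1" | sed -n 's/^cpu family[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    model=$(printf '%s\n' "$1" | sed -n 's/^model[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$fam" ] && [ -n "$model" ] || return 1
    printf '%02x %02x\n' "$fam" "$model"
}

# Print the driver's candidates, one per line and in search order, for
# family $1 and model $2 (both two-digit hex as printed above):
# model specific, then model range (first hex digit followed by x), then generic.
sev_fw_candidates() {
    printf 'amd/amd_sev_fam%sh_model%sh.sbin\n' "$1" "$2"
    printf 'amd/amd_sev_fam%sh_model%sxh.sbin\n' "$1" "$(printf '%s' "$2" | cut -c1)"
    printf 'amd/sev.fw\n'
}

# Print the first candidate that exists under firmware directory $1 for
# family $2 / model $3, or return 1 if none does (the Secure Processor then
# keeps running the firmware the BIOS loaded).
sev_fw_resolve() {
    for f in $(sev_fw_candidates "$2" "$3"); do
        if [ -f "$1/$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Live use on a host: which file would ccp load on its next module load?
#   sev_fw_resolve /lib/firmware $(cpu_fam_model_hex "$(cat /proc/cpuinfo)")
```

Compare the resolved file against the "SEV API:" line in dmesg after reloading ccp (with guests shut down and kvm_amd unloaded, as the FAQ requires) to confirm the update actually took effect.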