[PATCH 00/12] Introduce SEV-SNP support

Michal Privoznik posted 12 patches 11 months, 4 weeks ago
[PATCH 00/12] Introduce SEV-SNP support
Posted by Michal Privoznik 11 months, 4 weeks ago
SEV-SNP support just landed in QEMU. Here is the first round of patches
to incorporate support into libvirt.

TODOs (aka problems of future me):

- Teach tools/virt-qemu-sev-validate how to deal with SEV-SNP
- Try to find a SEV-SNP machine and test these patches in the real world
- Write a kbase article on attestation with SEV-SNP

Michal Prívozník (12):
  qemu_monitor_json: Report error in error paths in SEV related code
  conf: Move some members of virDomainSEVDef into virDomainSEVCommonDef
  conf: Separate SEV formatting into a function
  Drop needless typecast to virDomainLaunchSecurity
  src: Convert some _virDomainSecDef::sectype checks to switch()
  qemu_monitor: Allow querying SEV-SNP state in 'query-sev'
  qemu: Report snp-policy in virDomainGetLaunchSecurityInfo()
  qemu_capabilities: Introduce QEMU_CAPS_SEV_SNP_GUEST
  conf: Introduce SEV-SNP support
  qemu: Build cmd line for SEV-SNP
  qemu: Allow setting launch security for SEV-SNP
  qemu_firmware: Pick the right firmware for SEV-SNP guests

 docs/formatdomain.rst                         | 108 ++++++++++++
 include/libvirt/libvirt-domain.h              |  10 ++
 src/conf/domain_conf.c                        | 156 ++++++++++++++----
 src/conf/domain_conf.h                        |  28 +++-
 src/conf/domain_validate.c                    |  44 +++++
 src/conf/schemas/domaincommon.rng             |  73 ++++++--
 src/conf/virconftypes.h                       |   4 +
 src/qemu/qemu_capabilities.c                  |   4 +
 src/qemu/qemu_capabilities.h                  |   3 +
 src/qemu/qemu_cgroup.c                        |  19 ++-
 src/qemu/qemu_command.c                       |  56 ++++++-
 src/qemu/qemu_driver.c                        |  60 +++++--
 src/qemu/qemu_firmware.c                      |  20 ++-
 src/qemu/qemu_monitor.c                       |   7 +-
 src/qemu/qemu_monitor.h                       |  41 ++++-
 src/qemu/qemu_monitor_json.c                  |  67 ++++++--
 src/qemu/qemu_monitor_json.h                  |   8 +-
 src/qemu/qemu_namespace.c                     |   3 +-
 src/qemu/qemu_process.c                       |  34 ++--
 src/qemu/qemu_validate.c                      |  13 +-
 src/security/security_dac.c                   |  34 +++-
 .../caps_9.1.0_x86_64.xml                     |   1 +
 .../firmware/60-edk2-ovmf-x64-amdsev.json     |   1 +
 tests/qemumonitorjsontest.c                   |  65 +++++++-
 ...launch-security-sev-snp.x86_64-latest.args |  35 ++++
 .../launch-security-sev-snp.x86_64-latest.xml |   1 +
 .../launch-security-sev-snp.xml               |  47 ++++++
 tests/qemuxmlconftest.c                       |   2 +
 28 files changed, 817 insertions(+), 127 deletions(-)
 create mode 100644 tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args
 create mode 120000 tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml
 create mode 100644 tests/qemuxmlconfdata/launch-security-sev-snp.xml

-- 
2.44.2
Re: [PATCH 00/12] Introduce SEV-SNP support
Posted by Jonathon Jongsma 11 months, 4 weeks ago
On 6/20/24 6:22 AM, Michal Privoznik wrote:
> SEV-SNP support just landed in QEMU. Here is the first round of patches
> to incorporate support into libvirt.
> 
> TODOs (aka problems of future me):
> 
> - Teach tools/virt-qemu-sev-validate how to deal with SEV-SNP
> - Try to find a SEV-SNP machine and test these patches in the real world
> - Write a kbase article on attestation with SEV-SNP

None of the CPU models that we currently have in libvirt allow you to 
run an SNP guest. That was the impetus behind my versioned CPU model 
series:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/2GLISAQLU3ZTX7KSD732LM3CXU74JFEH/#2OZAJNGSVVNDQ4EZBITMOD2QJBX5NHWG

I've been meaning to push that series forward again, but hadn't gotten 
to it yet.

Also, what about reporting domain capabilities for sev-snp support? It 
will require checking whether the host CPU supports SNP similarly to how 
we check the max sev guests, etc.


Re: [PATCH 00/12] Introduce SEV-SNP support
Posted by truedoom@gmail.com 4 months, 3 weeks ago
Hi Jonathon,

Do you have any news/updates around SNP compatibility in Libvirt? I'm working on a project around SNP enabled cloud systems, and it would be great to have SNP via Libvirt.
Wondering if you know of any roadmap, or have any info on when that might be supported? I'm coming up blank in my own research on it, and this seems to be the most recent mention of it on the mailing list.

Thanks a mil, 

Chris
Re: [PATCH 00/12] Introduce SEV-SNP support
Posted by Daniel P. Berrangé 4 months, 3 weeks ago
On Wed, Jan 22, 2025 at 10:18:41AM -0000, truedoom@gmail.com wrote:
> Hi Jonathon,
> 
> Do you have any news/updates around SNP compatibility in Libvirt?

It was done 6 months ago

  https://libvirt.org/news.html#v10-5-0-2024-07-01

 "* New features:

    Introduce SEV-SNP support"

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Re: [PATCH 00/12] Introduce SEV-SNP support
Posted by Michal Prívozník 11 months, 4 weeks ago
On 6/20/24 17:19, Jonathon Jongsma wrote:
> On 6/20/24 6:22 AM, Michal Privoznik wrote:
>> SEV-SNP support just landed in QEMU. Here is the first round of patches
>> to incorporate support into libvirt.
>>
>> TODOs (aka problems of future me):
>>
>> - Teach tools/virt-qemu-sev-validate how to deal with SEV-SNP
>> - Try to find a SEV-SNP machine and test these patches in the real world
>> - Write a kbase article on attestation with SEV-SNP
> 
> None of the CPU models that we currently have in libvirt allow you to
> run an SNP guest. That was the impetus behind my versioned CPU model
> series:
> https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/2GLISAQLU3ZTX7KSD732LM3CXU74JFEH/#2OZAJNGSVVNDQ4EZBITMOD2QJBX5NHWG
> 
> I've been meaning to push that series forward again, but hadn't gotten
> to it yet.

I'm not that familiar with all gotchas, but should the following just work?

  <cpu mode='host-passthrough' migratable='off'/>

AFAIK, migration with SEV-SNP is not implemented yet.

> 
> Also, what about reporting domain capabilities for sev-snp support? It
> will require checking whether the host CPU supports SNP similarly to how
> we check the max sev guests, etc.

Good point! Let me post patch(es) for that.

Michal
Re: [PATCH 00/12] Introduce SEV-SNP support
Posted by Daniel P. Berrangé 10 months, 1 week ago
On Fri, Jun 21, 2024 at 12:06:01PM +0200, Michal Prívozník wrote:
> On 6/20/24 17:19, Jonathon Jongsma wrote:
> > On 6/20/24 6:22 AM, Michal Privoznik wrote:
> >> SEV-SNP support just landed in QEMU. Here is the first round of patches
> >> to incorporate support into libvirt.
> >>
> >> TODOs (aka problems of future me):
> >>
> >> - Teach tools/virt-qemu-sev-validate how to deal with SEV-SNP
> >> - Try to find a SEV-SNP machine and test these patches in the real world
> >> - Write a kbase article on attestation with SEV-SNP
> > 
> > None of the CPU models that we currently have in libvirt allow you to
> > run an SNP guest. That was the impetus behind my versioned CPU model
> > series:
> > https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/2GLISAQLU3ZTX7KSD732LM3CXU74JFEH/#2OZAJNGSVVNDQ4EZBITMOD2QJBX5NHWG
> > 
> > I've been meaning to push that series forward again, but hadn't gotten
> > to it yet.
> 
> I'm not that familiar with all gotchas, but should the following just work?
> 
>   <cpu mode='host-passthrough' migratable='off'/>
> 
> AFAIK, migration with SEV-SNP is not implemented yet.

It seems it is not that easy. Users are reporting seeing this error:

  SEV-SNP: CPUID validation failed for function 0x8000001d, index: 0x3, provided: eax:0x00000163, ebx: 0x03c0003f, ecx: 0x00003fff, edx: 0x00000006, expected: eax:0x00000163, ebx: 0x03c0003f, ecx: 0x00003fff, edx: 0x00000002

0x8000001d is the cache info reporting CPUID function, and index 3 is
the l3 cache info.

EPYC-v4, EPYC-Rome-v3, EPYC-Milan-v2 and EPYC-Genoa all have special
cache settings defined in QEMU which disables the 'complex_indexing'
bit which is 0x4 in edx.

I suggested cache passthrough

  <cpu mode='host-passthrough' migratable='off'>
    <cache mode='passthrough'/>
  </cpu>

but it was reported this doesn't work, suggesting the host still has
the 'complex_indexing' bit.

IOW, as it exists now, libvirt appears incapable of running SNP
guests except on Genoa, where we don't need a newer CPU version :-(

With regards,
Daniel
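As an added example (not code from the thread, libvirt or QEMU), a small Python decoder for the CPUID validation failure quoted above: it parses the line, XORs the provided and expected registers, and names the differing bit using the EDX bit layout of CPUID 0x8000001d. Bit 2 is the complex_indexing bit (0x4) the message discusses; the names for bits 0 and 1 are assumed from QEMU's cache model definitions.

```python
import re

# Constructed sample input: the SEV-SNP CPUID validation failure quoted in the
# thread, embedded here so the example runs offline.
SAMPLE_LOG = (
    "SEV-SNP: CPUID validation failed for function 0x8000001d, index: 0x3, "
    "provided: eax:0x00000163, ebx: 0x03c0003f, ecx: 0x00003fff, edx: 0x00000006, "
    "expected: eax:0x00000163, ebx: 0x03c0003f, ecx: 0x00003fff, edx: 0x00000002"
)

LINE_RE = re.compile(
    r"CPUID validation failed for function (?P<fn>0x[0-9a-fA-F]+), "
    r"index: (?P<idx>0x[0-9a-fA-F]+), provided: (?P<prov>.*?), expected: (?P<exp>.*)$"
)
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx):\s*(0x[0-9a-fA-F]+)")

# EDX bits of CPUID 0x8000001d (cache properties). Bit 2 is the 'complex_indexing'
# bit (0x4) the thread identifies; the names for bits 0 and 1 are assumed from
# QEMU's own cache model definitions.
EDX_BITS_0X8000001D = {0: "no_invd_sharing", 1: "inclusive", 2: "complex_indexing"}


def parse_cpuid_failure(line):
    """Parse one failure line into leaf, subleaf and the provided/expected registers."""
    m = LINE_RE.search(line)
    if m is None:
        return None

    def regs(text):
        return {r: int(v, 16) for r, v in REG_RE.findall(text)}
    return {"function": int(m["fn"], 16), "index": int(m["idx"], 16),
            "provided": regs(m["prov"]), "expected": regs(m["exp"])}


def diff_registers(parsed):
    """Map each differing register to [(bit, name_or_None, set_in_provided)]."""
    diffs = {}
    for reg in ("eax", "ebx", "ecx", "edx"):
        prov, exp = parsed["provided"].get(reg, 0), parsed["expected"].get(reg, 0)
        names = EDX_BITS_0X8000001D if (parsed["function"] == 0x8000001D and reg == "edx") else {}
        bits = [(b, names.get(b), bool(prov >> b & 1)) for b in range(32) if (prov ^ exp) >> b & 1]
        if bits:
            diffs[reg] = bits
    return diffs


def explain(line):
    """Summarise which leaf/subleaf failed and which named bits the host table got wrong."""
    parsed = parse_cpuid_failure(line)
    if parsed is None:
        return "no SEV-SNP CPUID validation failure in line"
    parts = [f"leaf {parsed['function']:#x} subleaf {parsed['index']:#x}:"]
    for reg, bits in diff_registers(parsed).items():
        for bit, name, in_provided in bits:
            state = ("set", "clear") if in_provided else ("clear", "set")
            parts.append(f"{reg} {name or 'bit' + str(bit)} (bit {bit}) is {state[0]} in the "
                         f"provided table but {state[1]} in the expected one")
    return " ".join(parts)
```

Running `explain(SAMPLE_LOG)` on the quoted line reports that only edx differs, with complex_indexing (bit 2) set in the provided table but clear in the expected one, which is exactly the mismatch the thread attributes to the CPU model's cache settings.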
Re: [PATCH 00/12] Introduce SEV-SNP support
Posted by Daniel P. Berrangé 10 months, 1 week ago
On Tue, Aug 06, 2024 at 11:46:13AM +0100, Daniel P. Berrangé wrote:
> On Fri, Jun 21, 2024 at 12:06:01PM +0200, Michal Prívozník wrote:
> > On 6/20/24 17:19, Jonathon Jongsma wrote:
> > > On 6/20/24 6:22 AM, Michal Privoznik wrote:
> > >> SEV-SNP support just landed in QEMU. Here is the first round of patches
> > >> to incorporate support into libvirt.
> > >>
> > >> TODOs (aka problems of future me):
> > >>
> > >> - Teach tools/virt-qemu-sev-validate how to deal with SEV-SNP
> > >> - Try to find a SEV-SNP machine and test these patches in the real world
> > >> - Write a kbase article on attestation with SEV-SNP
> > > 
> > > None of the CPU models that we currently have in libvirt allow you to
> > > run an SNP guest. That was the impetus behind my versioned CPU model
> > > series:
> > > https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/2GLISAQLU3ZTX7KSD732LM3CXU74JFEH/#2OZAJNGSVVNDQ4EZBITMOD2QJBX5NHWG
> > > 
> > > I've been meaning to push that series forward again, but hadn't gotten
> > > to it yet.
> > 
> > I'm not that familiar with all gotchas, but should the following just work?
> > 
> >   <cpu mode='host-passthrough' migratable='off'/>
> > 
> > AFAIK, migration with SEV-SNP is not implemented yet.
> 
> It seems it is not that easy. Users are reporting seeing this error:
> 
>   SEV-SNP: CPUID validation failed for function 0x8000001d, index: 0x3, provided: eax:0x00000163, ebx: 0x03c0003f, ecx: 0x00003fff, edx: 0x00000006, expected: eax:0x00000163, ebx: 0x03c0003f, ecx: 0x00003fff, edx: 0x00000002
> 
> 0x8000001d is the cache info reporting CPUID function, and index 3 is
> the l3 cache info.
> 
> EPYC-v4, EPYC-Rome-v3, EPYC-Milan-v2 and EPYC-Genoa all have special
> cache settings defined in QEMU which disables the 'complex_indexing'
> bit which is 0x4 in edx.
> 
> I suggested cache passthrough
> 
>   <cpu mode='host-passthrough' migratable='off'>
>     <cache mode='passthrough'/>
>   </cpu>
> 
> but it was reported this doesn't work, suggesting the host still has
> the 'complex_indexing' bit.
> 
> IOW, as it exists now, libvirt appears incapable of running SNP
> guests except on Genoa, where we don't need a newer CPU version :-(

It turns out this is machine type dependent. Host passthrough avoids
the cache issue if using the forthcoming >= 9.1 machine type versions,
so that's OK, modulo some further bugs on the QEMU side wrt host
passthrough & CPUID filtering.


With regards,
Daniel
Re: [PATCH 00/12] Introduce SEV-SNP support
Posted by Daniel P. Berrangé 11 months, 4 weeks ago
On Thu, Jun 20, 2024 at 01:22:37PM +0200, Michal Privoznik wrote:
> SEV-SNP support just landed in QEMU. Here is the first round of patches
> to incorporate support into libvirt.
> 
> TODOs (aka problems of future me):
> 
> - Teach tools/virt-qemu-sev-validate how to deal with SEV-SNP

There's nothing especially to do here. SEV/SEV-ES have attestation
initiated from the host, but with SNP attestation is initiated
from within the guest.

> - Try to find a SEV-SNP machine and test these patches in the real world
> - Write a kbase article on attestation with SEV-SNP

We should just point people to this I think:

  https://github.com/virtee/snpguest


With regards,
Daniel