cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Server Processors

kokimitani
Journeyman III
‎07-14-2022 06:19 AM

SEV-SNP Launching a guest VM with identity block failed (INVALID_PARAM at SNP_LAUNCH_FINISH)

Hello, 
 
We followed the steps on https://github.com/AMDESE/AMDSEV/tree/sev-snp-devel , and launch a guest VM with specifying the identity block using the sev-host-identity, but it returns the error "Invalid parameter (INVALID_PARAM)" during SNP_LAUNCH_FINISH.
 
 

 

qemu-system-x86_64: sev_snp_launch_finish: SNP_LAUNCH_FINISH ret=-5 fw_error=22 'Invalid parameter'

 

 
In the SEV Secure Nested Paging Firmware ABI Specification, the status code INVALID_PARAM for SNP_LAUNCH_FINISH means "MBZ fields are not zero.", but it seems that all the MBZ fields is zero.
 
(Question)
Do you know why this "Invalid parameter (INVALID_PARAM)" error happens, and how we can launch a guest VM with specifying the identity block?
 
 
====================================================
(Reference)
 
We have created identity block by using the sev-host-identity in https://github.com/AMDESE/sev-guest .
 

 

ubuntu@ubuntu:~/sev-guest$ ./sev-host-identity -b -d bf18a1fcc9218b74788dc46b88dd56cb3cc3e407a8175deb46d281fe6bcb6332bc5686ea941f84df9e2b4ffc134c4eef -a auth_info.64 -i id_block.64 -p 0xb0000 key.pem

ubuntu@ubuntu:~/sev-guest$ xxd id_block
00000000: bf18 a1fc c921 8b74 788d c46b 88dd 56cb  .....!.tx..k..V.
00000010: 3cc3 e407 a817 5deb 46d2 81fe 6bcb 6332  <.....].F...k.c2
00000020: bc56 86ea 941f 84df 9e2b 4ffc 134c 4eef  .V.......+O..LN.
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0100 0000 0000 0000 0000 0b00 0000 0000  ................

 

 
For creating the above identity block, we have used the values of the measurement and the policy from the attestation report obtained by launching the same guest VM without  specifying the identity block.
 
Attestation report :
 

 

ubuntu@ubuntu:~/sev-guest$ sudo ./sev-guest-parse-report report.bin
Version: 2
Guest SVN: 0
Policy: 0xb0000
 - Debugging Allowed:       Yes
 - Migration Agent Allowed: No
 - SMT Allowed:             Yes
 - Min. ABI Major:          0
 - Min. ABI Minor:          0
Family ID:
    00000000000000000000000000000000
Image ID:
    00000000000000000000000000000000
VMPL: 0
Signature Algorithm: 1 (Invalid)
Platform Version: 0200000000000667
 - Boot Loader SVN:   2
 - TEE SVN:           0
 - SNP firmware SVN:  6
 - Microcode SVN:    67
Platform Info: 0x1
 - SMT Enabled: Yes
Author Key Enabled: Yes
Report Data:
    0000000000000000000000000000000000000000000000000000000000000000
    0000000000000000000000000000000000000000000000000000000000000000
Measurement:
    bf18a1fcc9218b74788dc46b88dd56cb3cc3e407a8175deb
    46d281fe6bcb6332bc5686ea941f84df9e2b4ffc134c4eef
:

 

0 Likes
1 Reply
kokimitani
Journeyman III
‎09-01-2022 06:50 PM

This issue has been resolved by the information from Jesse Larrew in github AMDESE/sev-guest community. Thank you very much!

https://github.com/AMDESE/sev-guest/issues/19

0 Likes