snp-latest: no kernel hashes table

[MOZGIII]

The OVMF image that is produced by OvmfPkg/AmdSev/AmdSevX64.dsc fails to boot with VerifyBlob: Verifier called but no hashes table discoverd in MEMFD. It seems like there should be a placeholder hash table in the OVMF image somewhere that QEMU would fill in with hashes when SNP and kernel-hashes=on is selected.

Any hint as to what I'm doing wrong?

This is on snp-latest branch.

---

CC: @tonycdot, @dmitrylavrenov

[tlendacky]

Adding @dubek for input.

[dubek]

The snp-latest branch of OVMF (this repo) indeed includes the support for kernel hashes for SNP. But it must work hand-in-hand with the relevant QEMU branch to use it. I see that AMD's QEMU snp-latest branch has this support ( https://github.com/AMDESE/qemu/tree/snp-latest ) -- are you using this branch of QEMU?

To further allow debugging this, please share the full command-line of QEMU.

Also, if you can, add -trace 'kvm_sev_*' to the QEMU command-line and share the trace output of QEMU as it starts the guest.

[MOZGIII]

I am using snp-latest QEMU branch as well, yes!

Here are the arguments:

/cvm/result/host/qemu/bin/qemu-system-x86_64
-name VM
-uuid 33726BCA-4717-41C7-A333-14A292B98322
-enable-kvm
-machine q35
-m 2048M,slots=5,maxmem=30G
-smp cpus=4,maxcpus=32
-cpu EPYC-v4
-machine confidential-guest-support=sev0,memory-encryption=sev0,vmport=off
-object memory-backend-memfd-private,id=ram1,size=2048M,share=true
-object sev-snp-guest,id=sev0,policy=0x130135,cbitpos=51,reduced-phys-bits=1,discard=none,kernel-hashes=on
-machine memory-backend=ram1,kvm-type=protected
-netdev user,id=net0
-device virtio-net-pci,mac=AE:2C:22:77:E5:70,disable-legacy=on,iommu_platform=true,netdev=net0,romfile=
-drive if=pflash,format=raw,unit=0,file=/cvm/state/OVMF.fd,readonly=on
-kernel /cvm/result/guest/bzImage
-append console=ttyS0 earlyprintk=serial
-initrd /cvm/result/guest/initrd
-action panic=shutdown
-nodefaults
-nographic
-serial stdio
-chardev pty,id=mon0,mux=off,logfile=/cvm/logs/monitor.log
-mon chardev=mon0,mode=readline
-D /cvm/logs/qemu.log

• QEMU is from the snp-latest branch:

  $ /cvm/result/host/qemu/bin/qemu-system-x86_64 --version
  QEMU emulator version 7.2.0
  Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers

• Host kernel is from the snp-host-latest branch

[MOZGIII]

Trace:

qemu.log (looks like there's no hashes page written, as there's only one normal page)

The terminal output (qemu + serial):

out.txt

UPD: re-upload the logs from after a clean rebuild; old ones: out.txt qemu.log (no changes though)

[MOZGIII]

Here is OVMF binary: https://drive.google.com/file/d/16bcXXzLdULlYmKm-3WPGfVKz0vO8mt2J/view?usp=sharing
I did the hex search and the GUIDs for the kernel hash table are nowhere to be found in there. This might be expected, but I don't understand the OVMF source enough to tell how it works just yet.

build-log.txt (building with nix, so some additional output surrounding the OVMF build is present, feel free to disregard it)

[MOZGIII]

Sorry, never mind, this seems like a build issue on my end!