==========================================================================
0. Building a qcow image, instructions at this link
==========================================================================
https://github.com/AMDESE/AMDSEV
==========================================================================
1. Building the host and guest kernels, instructions at this link; please
build the 5.19-rc6 kernel
==========================================================================
https://github.com/AMDESE/AMDSEV/tree/sev-snp-devel
- After the build, grab the guest vmlinuz, initrd and the output of cat /proc/cmdline;
  these are required in step 4
==========================================================================
2. Ovmf Build
==========================================================================
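# Step 2: build the AmdSev OVMF firmware (kernel-hashes variant) and split the
# unified OVMF.fd into a read-only CODE part and a writable VARS part.
# Each git/build step is guarded explicitly so a failure does not silently
# continue into the next command.
git clone https://github.com/confidential-containers-demo/edk2.git || exit 1
cd edk2 || exit 1
# snp-kernel-hashes-v3 is a branch/tag name, not an immutable commit: record
# "git rev-parse HEAD" after checkout if the firmware build must be reproducible
# (the firmware contents are covered by the SNP launch measurement verified in step 5).
git checkout snp-kernel-hashes-v3 || exit 1
git submodule update --init --recursive || exit 1
make -C BaseTools || exit 1
# edksetup.sh is sourced (not executed) so the EDK2 environment lands in this shell.
. ./edksetup.sh --reconfig
# AmdSevX64.dsc references this grub binary; an empty placeholder is enough
# here — presumably because the kernel-hashes boot path does not go through
# grub (confirm against the dsc before relying on it).
touch OvmfPkg/AmdSev/Grub/grub.efi
build --cmd-len=64436 -t "GCC5" -a X64 -p OvmfPkg/AmdSev/AmdSevX64.dsc || exit 1
# Create the ovmf code and NVRAM files. VARS is the first 540672 bytes
# (132 * 4096) of OVMF.fd, CODE is everything after that; 4 KiB blocks yield
# the same bytes as bs=1 without issuing one syscall per byte.
d=Build/AmdSev/DEBUG_GCC5/FV
dd if="$d/OVMF.fd" of="$d/OVMF_CODE.fd" bs=4096 skip=132 || exit 1
dd if="$d/OVMF.fd" of="$d/OVMF_VARS.fd" bs=4096 count=132 || exit 1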
==========================================================================
3. Qemu Build
==========================================================================
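# Step 3: build the matching QEMU (kernel-hashes variant).
git clone https://github.com/confidential-containers-demo/qemu.git || exit 1
# The original omitted this cd, so the checkout ran in whatever repository the
# shell happened to be in rather than in the freshly cloned qemu tree.
cd qemu || exit 1
git checkout snp-kernel-hashes-v3 || exit 1
./configure --target-list=x86_64-softmmu || exit 1
make -j "$(getconf _NPROCESSORS_ONLN)" || exit 1
# Install wherever the launch command in step 4 expects the binary
# (/usr/local/share/qemu/bin here); install -D creates the target directory.
install -D -m 0755 build/qemu-system-x86_64 /usr/local/share/qemu/bin/qemu-system-x86_64 || exit 1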
==========================================================================
4. Running the guest.
==========================================================================
- For -kernel, -initrd and -append, substitute the values from your environment (captured in step 1)
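# Step 4: launch the SEV-SNP guest. Substitute ovmfpath, drive, -kernel,
# -initrd and -append with the values produced in steps 0-3.
ovmfpath=/..../edk2/Build/AmdSev/DEBUG_GCC5/FV
# qcow2 image from step 0, referenced as ../${drive}; the original never set
# this variable, so fail loudly rather than handing qemu "file=../".
: "${drive:?set drive to the qcow2 image file name from step 0}"
# Must be the binary installed in step 3 (adjust the name if it differs).
qemu_bin=/usr/local/share/qemu/bin/qemu-system-x86_64-mjs

qemu_args=(
  --enable-kvm
  -cpu EPYC-Milan-v2
  -machine pc-q35-7.1
  -smp 4
  -m 4000M
  -nographic
  -no-reboot
  # Guest kernel, initrd and cmdline captured in step 1.
  -kernel /home/amd/qemu-boot-param/snp-bins/vmlinuz-5.19.0-rc6-snp-guest-d9bd54fea4d2
  -initrd /home/amd/qemu-boot-param/snp-bins/initrd.img-5.19.0-rc6-snp-guest-d9bd54fea4d2
  -append "BOOT_IMAGE=/boot/vmlinuz-5.19.0-rc6-snp-guest-d9bd54fea4d2 root=UUID=49efb7f5-9b04-4654-96a1-a10792477241 console=ttyS0"
  # SNP guest; kernel-hashes=on makes the kernel/initrd/cmdline hashes part of
  # what the launch measurement (step 5) can be checked against.
  -machine memory-encryption=sev0,vmport=off
  -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,kernel-hashes=on
  # Expansions are quoted so a path containing spaces cannot split the option.
  -drive "if=pflash,format=raw,unit=0,file=${ovmfpath}/OVMF_CODE.fd,readonly=on"
  -drive "if=pflash,format=raw,unit=1,file=${ovmfpath}/OVMF_VARS.fd"
  -drive "file=../${drive},if=none,id=disk0,format=qcow2"
  -device virtio-scsi-pci,id=scsi0,disable-legacy=on,iommu_platform=on
  # Guest SSH forwarded from the host. Bound to loopback on purpose: the
  # original "tcp::10025" listened on every host interface. Drop the
  # 127.0.0.1 only if remote access to the guest is actually intended.
  -netdev user,hostfwd=tcp:127.0.0.1:10025-:22,id=vmnic
  -device e1000,netdev=vmnic,romfile=
  -device scsi-hd,drive=disk0
  -monitor pty
  # QMP has no authentication: any local process that can connect to
  # localhost:4445 can control this VM. Keep it on localhost (or move it to a
  # unix socket with restrictive permissions if the step-5 tooling allows).
  -qmp tcp:localhost:4445,server,nowait
)

"$qemu_bin" "${qemu_args[@]}" 2>&1 | tee boot.out
# tee hides qemu's exit status; report it so a failed launch is not mistaken
# for a clean shutdown.
qemu_rc=${PIPESTATUS[0]}
printf 'qemu exited with status %s (log in boot.out)\n' "$qemu_rc" >&2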
==========================================================================
5. Getting and verifying the launch measure [Larry]
==========================================================================
- snp-ar tool - instructions to install; note that after a reboot it stops working
- ./larry_snp_measure.sh - command details