This repo is now superseded by https://github.com/sev-step/sev-step
This is a fork of the official AMDSEV repo which also applies the kernel patch required for the sev-step framework. You can find the patch in `sev-step.patch`.
The intention of this repo is to provide a convenient way to set up an environment for the sev-step framework.
We require three components: QEMU, OVMF and the Linux kernel.
`./build.sh` builds all components. As compiling the Linux kernel takes some time, we provide precompiled binaries in the release section of this repo. In that case, issue `./build.sh ovmf` and `./build.sh qemu` to only build the remaining components.
- Issue `sudo cp kvm.conf /etc/modprobe.d/` to ensure the KVM module loads with the correct parameters.
- Install the "snp-host" kernel on the host system with `sudo dpkg -i ./linux/linux-*snp-host*.deb` and boot into this kernel.
- Verify that the following BIOS settings are enabled. The settings may vary based on the vendor BIOS; the menu options below are from the AMD BIOS.

  ```
  CBS -> CPU Common ->
            SEV-ES ASID space Limit Control -> Manual
            SEV-ES ASID space limit -> 100
            SNP Memory Coverage -> Enabled
            SMEE -> Enabled
      -> NBIO common ->
            SEV-SNP -> Enabled
  ```
- Download an Ubuntu image.
- Create a virtual disk with `qemu-img create -f qcow2 disk.qcow2 20G`.
- Install the OS in the VM by starting it with `./launch-qemu.sh -hda <path to disk file> -cdrom <path to ubuntu iso> -vnc :1`. Then connect via VNC to port 5901 (passing `host:d` to `-vnc` in qemu opens the server on `host:5900+d`, don't ask why) and follow the installation instructions.
- Start the VM again without the `-cdrom` arg and install the OpenSSH server. You can access port 22 on the VM via `localhost:2222` on the host system.
- Copy the "snp-guest" packages from the `linux/` folder into the VM via `scp -P 2222 linux/linux*-snp-guest*.deb <user>@localhost:` and install them (inside the VM) with `dpkg -i linux*-snp-guest*.deb`. Make sure the VM defaults to booting this kernel.
- You can now start the VM with SNP activated via `./launch-qemu.sh -hda <path to disk file> -sev-snp`. Connect via ssh and issue `dmesg | grep "AMD Memory Encryption Features active"`. It should show `SEV SEV-ES SEV-SNP`.
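As an added check script (not part of this repo or the sev-step project), the following POSIX shell functions automate the two verification points above: that the guest's `dmesg` feature line really lists all three of `SEV SEV-ES SEV-SNP` (a guest with only `SEV SEV-ES` passes the plain `grep` but is not SNP-protected), and that the host's `kvm_amd` module came up with SEV-SNP enabled. The host check assumes the module parameters are named `sev`, `sev_es` and `sev_snp` under `/sys/module/kvm_amd/parameters/`, which is what the `kvm.conf` step is expected to set.

```shell
#!/bin/sh
# Added example, not part of the AMDSEV or sev-step repos.
# Checks the two things the setup above relies on: the guest kernel reports
# SEV, SEV-ES and SEV-SNP active, and the host's kvm_amd module was loaded
# with its sev/sev_es/sev_snp parameters enabled (parameter names assumed).

# Return 0 if the given dmesg text lists SEV, SEV-ES and SEV-SNP as active.
# Usage inside the guest: snp_features_active "$(dmesg)"
snp_features_active() {
    line=$(printf '%s\n' "$1" | grep "AMD Memory Encryption Features active" | tail -n 1)
    [ -n "$line" ] || return 1
    feats=${line#*active:}           # everything after "active:"
    for want in SEV SEV-ES SEV-SNP; do
        # one token per line so "SEV" does not match "SEV-ES"
        printf '%s\n' "$feats" | tr ' ' '\n' | grep -qx "$want" || return 1
    done
    return 0
}

# Return 0 if kvm_amd reports sev, sev_es and sev_snp enabled on the host.
# $1 is the filesystem root, so the check can run against a constructed tree.
kvm_amd_snp_enabled() {
    root=${1:-}
    for p in sev sev_es sev_snp; do
        f="$root/sys/module/kvm_amd/parameters/$p"
        [ -r "$f" ] || return 1
        case "$(cat "$f")" in
            Y|1) ;;            # module parameter is on
            *) return 1 ;;
        esac
    done
    return 0
}

# Command-line use: "--host" on the SNP host, "--guest" inside the VM.
case "${1:-}" in
    --host)  kvm_amd_snp_enabled && echo "kvm_amd: SEV-SNP enabled" || exit 1 ;;
    --guest) snp_features_active "$(dmesg)" && echo "guest: SEV SEV-ES SEV-SNP active" || exit 1 ;;
esac
```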
Head over to https://github.com/UzL-ITS/sev-step to install the user space part of the attack framework.