
Re: Error starting any Debian installation (on an AMD SEV enabled KVM)



Yes, unfortunately, this is necessary to use SEV. Please take a look at these instructions.

https://libvirt.org/kbase/launch_security_sev.html
https://developer.amd.com/sev/

The settings memtune, uefi, iommu are required to use launchSecurity = sev.

The use of secured KVM with AMD Secure Encrypted Virtualization (SEV) is unfortunately not mentioned in your link.

I showed you how to create a KVM and boot it to an Ubuntu or CentOS image. It works that way, but not with Debian. The question that arises is what is different about the other images compared to the Debian images. If you want, I can of course also test other OSes.

With --location http://deb.debian.org/debian/dists/buster/main/installer-amd64/ I cannot boot with sev on;
this only works without launchSecurity sev:

virsh destroy buster-amd64 ; virsh undefine buster-amd64 --nvram
virt-install --virt-type kvm --name buster-amd64 \
--boot uefi \
--location http://deb.debian.org/debian/dists/buster/main/installer-amd64/ \
--network network=ovs-test,model=virtio,driver.iommu=on  \
--os-variant debian10 \
--graphics vnc,keymap=de,password='testing passwd'  \
--video=cirrus  \
--disk size=20 --memory 4096 \
--memtune hard_limit=4563402 \
--launchSecurity sev

Best, Daniel

> There is no need to PM me. I am subscribed to the mailinglist.
> 
> 
> On Tue, Aug 10, 2021 at 02:06:04PM +0200, Office onFocus wrote:
>> these are my iso files:
>> 
> [...]
> 
>> wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-10.10.0-amd64-netinst.iso
>> wget https://get.debian.org/cdimage/weekly-builds/amd64/iso-cd/debian-testing-amd64-netinst.iso
>> 
> Those should do.
> 
> [...]
> 
> 
>> 
>> ####################################################
>> ## Testing DEBIAN
>> 
>> This Debian 10 test is NOT successful. You can boot the ISO and select any OS
>> from the GRUB menu. For example "Debian Installer". 
>> 
>> 	Debian GNU/Linux Live (kernel 4.19.0-17-amd64)
>> 	Debian Live with Localisation Support
>> 	Graphical Debian Installer
>> 	*Debian Installer
>> 	Debian Installer with Speech Synthesis
>> 
>> The kernel should be loaded, but the KVM reboots and you are back in the GRUB menu :( 
>> 
>> 
>> 
>> The KVM creation is identical to Ubuntu except for the iso file and the os-variant parameter,
>> but the setting of the os-variant parameter has no effect. 
>> 
>> ---------------------------------------------------
>> root@server:/var/lib/libvirt/images# virsh destroy sev-test; virsh undefine sev-test --nvram
>> s  \
>> --launchSecurity sev
>> 
>> 
>> Domain 'sev-test' destroyed
>> 
>> Domain 'sev-test' has been undefined
>> 
>> root@server:/var/lib/libvirt/images# rm /var/lib/libvirt/images/sev-test* /var/lib/libvirt/qemu/nvram/sev-test_VARS.fd
>> rm: cannot remove '/var/lib/libvirt/qemu/nvram/sev-test_VARS.fd': No such file or directory
>> root@server:/var/lib/libvirt/images# qemu-img create -f qcow2 /var/lib/libvirt/images/sev-test.qcow2 20G
>> Formatting '/var/lib/libvirt/images/sev-test.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=21474836480 lazy_refcounts=off refcount_bits=16
>> root@server:/var/lib/libvirt/images#
>> root@server:/var/lib/libvirt/images# virt-install \
>>> --name sev-test \
>>> --memory 4096 \
>>> --memtune hard_limit=4563402 \
>>> --boot uefi \
>>> --disk /var/lib/libvirt/images/debian-live-10.10.0-amd64-standard.iso,device=cdrom \
>>> --disk /var/lib/libvirt/images/sev-test.qcow2,device=disk,bus=scsi \
>>> --os-type linux \
>>> --os-variant debian10 \
>>> --import \
>>> --controller type=scsi,model=virtio-scsi,driver.iommu=on \
>>> --controller type=virtio-serial,driver.iommu=on \
>>> --memballoon driver.iommu=on \
>>> --graphics vnc,keymap=de,password='test passwd'  \
>>> --network network=ovs-test,model=virtio,driver.iommu=on  \
>>> --video=cirrus  \
>>> --launchSecurity sev
>> WARNING  Graphics requested but DISPLAY is not set. Not running virt-viewer.
>> WARNING  No console to launch for the guest, defaulting to --wait -1
>> 
>> Starting install...
>> 
>> Domain is still running. Installation may be in progress.
>> Waiting for the installation to complete.
>> ---------------------------------------------------
>> 
> 
> Is there a reason why you do it this way and you use all these
> options? Or is this just something you found on Google?
> 
> Please try a much simpler approach for testing Debian:
> 
> virt-install --virt-type kvm --name buster-amd64 \
> --location http://deb.debian.org/debian/dists/buster/main/installer-amd64/ \
> --os-variant debian10 \
> --disk size=20 --memory 4096
> 
> This is, btw., from the Debian wiki (https://wiki.debian.org/KVM)
> 
> -H
> 
> 
> -- 
> Henning Follmann           | hfollmann@itcfollmann.com
> 
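
Added example, not part of the original message and not libvirt's own tooling: a Python check that reads a domain definition (for instance the output of virsh dumpxml) and reports which of the three settings named above (memtune, uefi, iommu) are missing when launchSecurity sev is requested. The sample XML, the domain name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the thread: SEV requested, but the virtio disk
# and the balloon carry no iommu='on'.
SAMPLE_XML = """<domain type='kvm'>
  <name>sev-example</name>
  <memtune><hard_limit unit='KiB'>4563402</hard_limit></memtune>
  <os firmware='efi'><type arch='x86_64' machine='q35'>hvm</type></os>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/><target dev='vda' bus='virtio'/>
    </disk>
    <controller type='scsi' model='virtio-scsi'><driver iommu='on'/></controller>
    <interface type='network'><model type='virtio'/><driver iommu='on'/></interface>
    <memballoon model='virtio'/>
  </devices>
  <launchSecurity type='sev'><policy>0x0003</policy></launchSecurity>
</domain>"""

def is_virtio(dev):
    """True if the device element uses a virtio model, type or bus."""
    model, target = dev.find("model"), dev.find("target")
    return (dev.get("model", "").startswith("virtio")
            or dev.get("type", "").startswith("virtio")
            or (model is not None and model.get("type", "").startswith("virtio"))
            or (target is not None and target.get("bus") == "virtio"))

def check_sev_domain(xml_text):
    """Return findings for a domain XML; an empty list means nothing is missing."""
    dom = ET.fromstring(xml_text)
    sec = dom.find("launchSecurity")
    if sec is None or sec.get("type") != "sev":
        return ["launchSecurity type='sev' is not set"]
    findings = []
    os_el, loader = dom.find("os"), dom.find("os/loader")
    uefi = ((os_el is not None and os_el.get("firmware") == "efi")
            or (loader is not None and loader.get("type") == "pflash"))
    if not uefi:
        findings.append("uefi: no EFI firmware or pflash loader")
    if dom.find("memtune/hard_limit") is None:
        findings.append("memtune: no hard_limit")
    for dev in dom.findall("devices/*"):
        drv = dev.find("driver")
        if is_virtio(dev) and (drv is None or drv.get("iommu") != "on"):
            findings.append(f"iommu: {dev.tag} is virtio without driver iommu='on'")
    return findings

if __name__ == "__main__":
    print("\n".join(check_sev_domain(SAMPLE_XML)) or "ok")
```
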

