Update template for SEV-SNP launch

dfinity · Feb 24, 2025 · ab8527a · ab8527a
1 parent 4baf9ed
commit ab8527a
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/ic-os/components/hostos-scripts/guestos/guestos.xml.template b/ic-os/components/hostos-scripts/guestos/guestos.xml.template
@@ -14,11 +14,23 @@
     <partition>/machine</partition>
   </resource>
   <os>
-    <type arch='x86_64' machine='pc-q35-5.0'>hvm</type>
-    <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.fd</loader>
-    <nvram>/var/lib/libvirt/qemu/nvram/guestos_VARS.fd</nvram>
-    <boot dev='hd'/>
+    <type arch='x86_64' machine='pc-q35-6.2'>hvm</type>
+    <loader readonly='yes'>/usr/share/ovmf/OVMF.fd</loader>
+    <kernel>/tmp/sev-boot-components/vmlinuz</kernel>
+    <initrd>/tmp/sev-boot-components/initrd.img</initrd>
+    <cmdline>BOOT_IMAGE=/vmlinuz root=/dev/vda5 console=ttyS0 dfinity.system=A dfinity.boot_state=stable security=selinux selinux=1 enforcing=1 root_hash=XXXTODOXXX</cmdline>
   </os>
+  <launchSecurity type='sev-snp'>
+    <kernelHashes/>
+    <cbitpos>51</cbitpos>
+    <reducedPhysBits>1</reducedPhysBits>
+    <policy>30000</policy>
+  </launchSecurity>
+  <memoryBacking>
+    <source type="memfd"/>
+    <access mode="shared"/>
+    <allocation mode="ondemand"/>
+  </memoryBacking>
   <features>
     <acpi/>
     <apic/>

diff --git a/ic-os/components/hostos-scripts/guestos/kvm-cpu.xml b/ic-os/components/hostos-scripts/guestos/kvm-cpu.xml
@@ -3,3 +3,7 @@
   <topology sockets='2' cores='16' threads='2'/>
   <feature policy="require" name="topoext"/>
 </cpu>
+<commandline xmlns="http://libvirt.org/schemas/domain/qemu/1.0">
+    <arg value='-cpu'/>
+    <arg value='EPYC-v4,topoext=on,l3-cache=off'/>
+</commandline>
diff --git a/ic-os/components/hostos-scripts/guestos/start-guestos.sh b/ic-os/components/hostos-scripts/guestos/start-guestos.sh
@@ -40,6 +40,17 @@ write_tty1_log() {
     logger -t "${SCRIPT}" "${message}"
 }
 
+function setup_sev_mounts() {
+    if [ "$(mount | grep 'sev-boot-components')" ]; then
+        write_log "SEV boot components are already ready."
+    else
+        write_log "Setting up SEV boot components."
+        mkdir -p /tmp/sev-boot-components/
+        losetup -P /dev/loop99 /dev/mapper/hostlvm-guestos
+        mount /dev/loop99p4 /tmp/sev-boot-components/
+    fi
+}
+
 function define_guestos() {
     if [ "$(virsh list --all | grep 'guestos')" ]; then
         write_log "GuestOS virtual machine is already defined."
@@ -119,6 +130,7 @@ function start_guestos() {
 
 function main() {
     # Establish run order
+    setup_sev_mounts
     define_guestos
     start_guestos
 }