What were you trying to do that didn't work?
snphost ok
What is the impact of this issue to you?
[ FAIL ] - Comparing TCB values: The TCB versions did NOT match
Please provide the package NVR for which the bug is seen:
edk2-20241117-3.el9
kernel-5.14.0-590.el9.x86_64
qemu-kvm-9.1.0-21.el9
How reproducible is this bug?:
100%
Steps to reproduce
- enable SNP on Milan
- run snphost ok
Expected results
All checks pass
Actual results
[ PASS ] - AMD CPU
[ PASS ] - Microcode support
[ PASS ] - Secure Memory Encryption (SME)
[ PASS ] - SME: Enabled in MSR
[ PASS ] - Secure Encrypted Virtualization (SEV)
[ PASS ] - Encrypted State (SEV-ES)
[ PASS ] - SEV-ES INIT: Enabled
[ PASS ] - SEV INIT: SEV is INIT, but not currently running a guest
[ PASS ] - Secure Nested Paging (SEV-SNP)
[ PASS ] - VM Permission Levels
[ PASS ] - Number of VMPLs: 4
[ PASS ] - SNP: Enabled in MSR
[ PASS ] - SEV Firmware Version: Sev firmware version: 1.55
[ PASS ] - SNP INIT: SNP is INIT
[ PASS ] - Physical address bit reduction: 5
[ PASS ] - C-bit location: 51
[ PASS ] - Number of encrypted guests supported simultaneously: 509
[ PASS ] - Minimum ASID value for SEV-enabled, SEV-ES disabled guest: 100
[ PASS ] - Reading /dev/sev: /dev/sev readable
[ PASS ] - Writing /dev/sev: /dev/sev writable
[ PASS ] - Page flush MSR: ENABLED
[ PASS ] - KVM supported: API version: 12
[ PASS ] - SEV enabled in KVM: enabled
[ PASS ] - SEV-ES enabled in KVM: enabled
[ PASS ] - SEV-SNP enabled in KVM: enabled
[ PASS ] - Memlock resource limit: Soft: 8388608 | Hard: 8388608
[ PASS ] - RMP table addresses: Addresses: 635437056 - 1450180607
[ PASS ] - RMP INIT: RMP is INIT
[ FAIL ] - Comparing TCB values: The TCB versions did NOT match
Platform TCB version: TCB Version:
  Microcode: 213
  SNP: 24
  TEE: 0
  Boot Loader: 4
Reported TCB version: TCB Version:
  Microcode: 213
  SNP: 23
  TEE: 0
  Boot Loader: 4
Additional info:
1. snphost ok on Genoa works well.
2. dmesg output shows SEV FW 1.55.29, which corresponds to TCB[SNP] = 24.
Refer to https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html:
SEV FW       | 1.55.29 (hex 1.37.1D), TCB[SNP] = 0x18
uCode        | Milan: 0x0A0011DB, Milan-X: 0x0A001244
Delivered in | MilanPI 1.0.0.F2 (Release: 2024-12-13)
[root@dell-per7525-12 sev-tool]# dmesg | grep microcode
[    1.307905] microcode: Current revision: 0x0a0011d5
[    1.308058] microcode: Updated early from: 0x0a0011d3
[root@dell-per7525-12 sev-tool]# dmesg | grep -i sev
[    0.000000] SEV-SNP: RMP table physical range [0x0000000025c00000 - 0x00000000564fffff]
[    0.006005] SEV-SNP: Reserving start/end of RMP table on a 2MB boundary [0x0000000056400000]
[    3.610250] ccp 0000:26:00.1: sev enabled
[    3.700180] ccp 0000:26:00.1: SEV firmware updated from 1.55.17 to 1.55.29
[    6.524342] ccp 0000:26:00.1: SEV API:1.55 build:29
[    6.534868] ccp 0000:26:00.1: SEV-SNP API:1.55 build:29
[   10.363439] kvm_amd: SEV enabled (ASIDs 100 - 509)
[   10.363441] kvm_amd: SEV-ES enabled (ASIDs 1 - 99)
[   10.363442] kvm_amd: SEV-SNP enabled (ASIDs 1 - 99)
[root@dell-per7525-12 sev-tool]# ./sevtool --platform_status
api_major: 1
api_minor: 55
platform_state: 1
owner: 1
config: 1
build: 29
guest_count: 0
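Added helper (not part of this report, snphost or sevtool) that parses the TCB block from the `snphost ok` output above and the dmesg microcode line, reports which TCB components differ between the platform and reported values, and compares the host microcode revision with the Milan uCode level quoted from the AMD bulletin in this report. The sample strings are copied from the report; the bulletin constant is the value listed there.

```python
import re

# Constructed sample: the TCB block of the failing `snphost ok` run above,
# whitespace-normalised onto one line per TCB so it can be pasted as-is.
SNPHOST_TCB_OUTPUT = """
[ FAIL ] - Comparing TCB values: The TCB versions did NOT match
Platform TCB version: TCB Version: Microcode: 213 SNP: 24 TEE: 0 Boot Loader: 4
Reported TCB version: TCB Version: Microcode: 213 SNP: 23 TEE: 0 Boot Loader: 4
"""

# dmesg line from this report.
DMESG_MICROCODE = "[    1.307905] microcode: Current revision: 0x0a0011d5"

# Milan uCode listed in AMD-SB-3019 for SEV FW 1.55.29 (value taken from the
# bulletin excerpt quoted in this report).
BULLETIN_MILAN_UCODE = 0x0A0011DB

TCB_FIELDS = ("Microcode", "SNP", "TEE", "Boot Loader")


def parse_tcb(label, text):
    """Extract the four TCB components printed after `label`."""
    m = re.search(re.escape(label) + r".*?Boot Loader:\s*\d+", text, re.S)
    if not m:
        raise ValueError(f"no TCB block for {label!r}")
    block = m.group(0)
    return {f: int(re.search(rf"{f}:\s*(\d+)", block).group(1)) for f in TCB_FIELDS}


def compare_tcb(text):
    """Return {component: (platform, reported)} for every component that differs."""
    platform = parse_tcb("Platform TCB version", text)
    reported = parse_tcb("Reported TCB version", text)
    return {f: (platform[f], reported[f]) for f in TCB_FIELDS if platform[f] != reported[f]}


def microcode_revision(dmesg_line):
    """Parse the 'Current revision' value from the microcode dmesg line."""
    m = re.search(r"Current revision:\s*(0x[0-9a-fA-F]+)", dmesg_line)
    if not m:
        raise ValueError("no microcode revision in dmesg line")
    return int(m.group(1), 16)


def host_summary(tcb_text=SNPHOST_TCB_OUTPUT, dmesg_line=DMESG_MICROCODE):
    """Combine the TCB diff and the microcode check into one result."""
    rev = microcode_revision(dmesg_line)
    return {
        "tcb_mismatch": compare_tcb(tcb_text),
        "ucode_revision": rev,
        "ucode_meets_bulletin": rev >= BULLETIN_MILAN_UCODE,
    }
```

On this report's data the only differing component is SNP (platform 24, reported 23), and the host microcode 0x0a0011d5 is below the bulletin's 0x0A0011DB.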