
Trying out the SEV flavor of libkrun

Sergio Lopez edited this page Sep 10, 2021 · 16 revisions


If you have an SEV-capable machine (that is, one equipped with a CPU from the AMD Naples, Rome or Milan series), you can give the SEV flavor a try by following these instructions.

Installing the components

Building and installing libkrunfw-SEV

This library bundles a custom Linux kernel, a minimal firmware (based on qboot) and a small initramfs.

git clone https://github.com/containers/libkrunfw
cd libkrunfw
git checkout amdsev
make -j8
make install

Building and installing libkrun-SEV

This will build the SEV flavor of the libkrun library itself and the examples included with it.

git clone https://github.com/containers/libkrun
cd libkrun
make SEV=1
make install
cd examples
make SEV=1

Building and installing the example attestation server (Optional)

This builds a simple example of an attestation server. In addition to verifying the contents of the guest, this attestation server is the component that generates and sends the pre-encrypted LUKS passphrase and the kernel command line (which includes the workload entry point, that is, the first binary to be executed inside the guest).

The attestation server can be built and run on the same machine where libkrun-SEV is going to be used to run SEV guests, or on a different one, doing the attestation over the network (HTTP). The only requirement, if you intend to use a different machine, is that it must also have a copy of the libkrunfw library. You can either build it, following the same instructions as for the SEV machine, or just copy it to a directory that will be searched for libraries (e.g., /usr/local/lib64, or any other directory as long as it's specified in the LD_LIBRARY_PATH environment variable).

git clone https://github.com/slp/sev-attestation-server
cd sev-attestation-server
cargo build --release

Running the examples

Obtaining a disk image encrypted with LUKS or LUKS2

The steps required to build a disk image encrypted with LUKS or LUKS2 are outside the scope of this document; [this repository] contains a couple of disk images you can use for testing purposes.

Using the disk-nginx-tls.raw image (LUKS1 with passphrase "mysecretpassphrase")

This image is based on the NGINX container image:

curl -OL https://github.com/slp/sev-disk-images/raw/main/disk-nginx-tls.raw.gz
gunzip disk-nginx-tls.raw.gz

Using the disk-fedora.raw image (LUKS2 with AEAD)

This image is based on the Fedora 34 OCI image:

curl -OL https://github.com/slp/sev-disk-images/raw/main/disk-fedora.raw.gz
gunzip disk-fedora.raw.gz

Running the example without remote attestation

Execute the sev-noattest binary, passing the disk image as the first argument, the LUKS passphrase as the second, and lastly the workload entry point (the first binary to be executed in the VM):

cd libkrun/examples
./sev-noattest disk-nginx-tls.raw mysecretpassphrase /bin/sh

Running the remote attestation example

Starting the remote attestation server

You need to start the remote attestation server, passing at least the LUKS passphrase and the workload entry point (the first binary to be executed inside the guest) as command line arguments. You can also specify the port on which to listen for connections (8080 by default):

./target/release/attestation-server -p mysecretpassphrase -e /bin/sh

Running the "sev-attest" example

Execute the sev-attest binary, passing the disk image as the first argument and the base URL of the attestation server as the second:

cd libkrun/examples
./sev-attest disk-nginx-tls.raw http://127.0.0.1:8080
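The attested launch above, wrapped in an added orchestration script that is not part of libkrun, libkrunfw or this wiki. It assumes both repositories were cloned side by side as in the steps above, that the attestation server answers HTTP on the URL given to sev-attest, and it adds two host checks (kvm_amd's sev parameter and /dev/sev) before anything is launched.

```bash
#!/usr/bin/env bash
# Added example (not from the libkrun project): check the host, start the
# example attestation server, wait for it, then launch the guest with sev-attest.
set -eu

# Default port matches the attestation server's documented default (8080).
ATTEST_PORT="${ATTEST_PORT:-8080}"
ATTEST_HOST="${ATTEST_HOST:-127.0.0.1}"

# Returns 0 when the host exposes SEV: kvm_amd must report sev=1 (or Y,
# depending on kernel version) and the /dev/sev firmware device must exist.
sev_host_ready() {
  local flag
  flag=$(cat /sys/module/kvm_amd/parameters/sev 2>/dev/null || echo N)
  case "$flag" in 1|Y) [ -c /dev/sev ] ;; *) return 1 ;; esac
}

# Build the base URL that sev-attest expects as its second argument.
attest_server_url() {
  printf 'http://%s:%s' "$1" "$2"
}

# Wait (up to $3 half-second tries) until the server answers HTTP at all;
# any HTTP status counts, only a refused connection keeps us waiting.
wait_for_server() {
  local url=$1 tries=${2:-20}
  while [ "$tries" -gt 0 ]; do
    if curl -s -o /dev/null "$url"; then return 0; fi
    tries=$((tries - 1)); sleep 0.5
  done
  return 1
}

# usage: run_attested_guest <disk.raw> <passphrase> <entrypoint>
# Paths are assumptions based on the clone/build steps in this wiki.
run_attested_guest() {
  local disk=$1 pass=$2 entry=$3 url srv
  sev_host_ready || { echo "host does not expose SEV (kvm_amd sev off or no /dev/sev)" >&2; return 1; }
  [ -f "$disk" ] || { echo "disk image $disk not found" >&2; return 1; }
  ./sev-attestation-server/target/release/attestation-server -p "$pass" -e "$entry" &
  srv=$!
  trap 'kill "$srv" 2>/dev/null' EXIT   # stop the server when the guest exits
  url=$(attest_server_url "$ATTEST_HOST" "$ATTEST_PORT")
  wait_for_server "$url" || { echo "attestation server did not start" >&2; return 1; }
  ./libkrun/examples/sev-attest "$disk" "$url"
}
```

Run it from the directory containing both clones, for example `run_attested_guest disk-nginx-tls.raw mysecretpassphrase /bin/sh` after sourcing the script.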