Prerequisites and installation
Get the installer
Access the Anjuna Resource Center to download Anjuna Seaglass for AMD SEV-SNP on Bare Metal.
You can use the “API” button to copy a wget command that downloads Anjuna Seaglass for AMD SEV-SNP on Bare Metal to your local environment from the command line, without opening the Anjuna Resource Center UI again.
Host setup
Before using the Anjuna Seaglass for AMD SEV-SNP on Bare Metal tool suite, you must enable AMD SEV-SNP in your BIOS settings. Update the BIOS to the latest version first. BIOS menus vary by vendor, so check your vendor's documentation for the exact location of these settings.
The following shows how SEV-SNP is enabled in the standard AMD BIOS menus:
CBS -> CPU Common ->
SEV-ES ASID space Limit Control -> Manual
SEV-ES ASID space limit -> 100
SNP Memory Coverage -> Enabled
SMEE -> Enabled
-> NBIO common ->
SEV-SNP -> Enabled
Verifying SEV-SNP is enabled
The following commands can be used to check that SEV-SNP has been enabled correctly:
$ sudo dmesg | grep -i -e rmp -e sev
The output should include lines similar to the following. The SEV-ES/SEV-SNP ASID range (1 - 99 here) reflects the SEV-ES ASID space limit set in the BIOS; plain SEV guests use the ASIDs above it.
SEV-SNP: RMP table physical range [0x0000000043c00000 - 0x00000000741fffff]
ccp 0000:06:00.5: sev enabled
ccp 0000:06:00.5: SEV-SNP API:1.55 build:40
ccp 0000:06:00.5: SEV API:1.55 build:40
kvm_amd: SEV enabled (ASIDs 100 - 1006)
kvm_amd: SEV-ES enabled (ASIDs 1 - 99)
kvm_amd: SEV-SNP enabled (ASIDs 1 - 99)
You can also verify the setup of your host by checking the following kernel module parameters:
$ cat /sys/module/kvm_amd/parameters/sev
Y
$ cat /sys/module/kvm_amd/parameters/sev_es
Y
$ cat /sys/module/kvm_amd/parameters/sev_snp
Y
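The same check can be scripted so that it runs in a provisioning pipeline and fails loudly when a host is not SNP-ready. The script below is an added example, not part of the Anjuna tool suite. Its functions take their input as an argument or on stdin (a dmesg capture, a parameters directory) so they can be exercised against constructed data; the defaults point at the real system locations. The ccp_snp_api_version helper is an assumption about the log format shown above, not an Anjuna or kernel interface.

```shell
#!/bin/sh
# Added example (not Anjuna's own tooling): scripted SEV-SNP host readiness check.
# Input sources are parameterised so the functions can be tested offline.

# Read a dmesg capture on stdin and print the highest SEV level kvm_amd announced:
# none, sev, sev-es or sev-snp. Only "sev-snp" is acceptable for this product.
kvm_amd_sev_level() {
    awk '
        /kvm_amd: SEV enabled/     { if (lvl < 1) lvl = 1 }
        /kvm_amd: SEV-ES enabled/  { if (lvl < 2) lvl = 2 }
        /kvm_amd: SEV-SNP enabled/ { lvl = 3 }
        END {
            if (lvl == 3) print "sev-snp"
            else if (lvl == 2) print "sev-es"
            else if (lvl == 1) print "sev"
            else print "none"
        }
    '
}

# Extract the SEV-SNP firmware API version the ccp driver logged (stdin),
# e.g. "1.55 build 40". Worth recording with the enablement check so you can
# later compare hosts against each other and against what guests report.
ccp_snp_api_version() {
    sed -n 's/.*SEV-SNP API:\([0-9.]*\) build:\([0-9]*\).*/\1 build \2/p' | head -n 1
}

# Verify that kvm_amd's sev, sev_es and sev_snp parameters are all on.
# DIR defaults to sysfs. The sev_snp file only exists on kernels with SNP host
# support, so a missing file is reported as a failure, not skipped.
kvm_amd_params_ok() {
    dir=${1:-/sys/module/kvm_amd/parameters}
    for p in sev sev_es sev_snp; do
        [ -r "$dir/$p" ] || {
            echo "$p: parameter file missing (module not loaded or no SNP host support)" >&2
            return 1
        }
        v=$(cat "$dir/$p")
        case $v in
            Y|1) ;;                          # kernel prints Y; accept 1 defensively
            *) echo "$p=$v (expected Y)" >&2; return 1 ;;
        esac
    done
}

# Combined check as run on a real host. On hosts with long uptime the dmesg
# ring buffer may have rotated; feed `journalctl -k` instead in that case.
host_snp_ready() {
    lvl=$(dmesg | kvm_amd_sev_level)
    [ "$lvl" = "sev-snp" ] || { echo "kvm_amd reported '$lvl', not sev-snp" >&2; return 1; }
    kvm_amd_params_ok
}
```

Run host_snp_ready on the host; a non-zero exit with the reason on stderr is what a provisioning step should gate on.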
Installation
Install the tools
Use the following commands to perform a local install of Anjuna Seaglass for AMD SEV-SNP on Bare Metal:
$ sudo mkdir -p /opt/anjuna/metal
$ sudo tar -C /opt/anjuna/metal -xf anjuna-metal.release*.tar.gz
Set up environment variables
To access the tools, source the env.sh file:
$ source /opt/anjuna/metal/env.sh
You can add the line above to your ~/.bash_profile to set these environment variables automatically every time you log in.
Verify prerequisites
Anjuna Seaglass for AMD SEV-SNP on Bare Metal ships two role-specific scripts that verify a host meets the prerequisites for its role:
- /opt/anjuna/metal/disk-init.sh for hosts that build Anjuna Confidential Container disk images.
- /opt/anjuna/metal/instance-init.sh for hosts that run Anjuna Confidential Containers on AMD SEV-SNP hardware.
If a single host both builds disk images and runs Anjuna Confidential Containers, run both scripts.
Each script prints the command needed to satisfy any unmet prerequisite. Apply them as suggested.
Disk-build host
$ /opt/anjuna/metal/disk-init.sh
The script verifies:
- That docker.io, jq, pv, parted, e2fsprogs, and dosfstools are installed.
- That the current user belongs to the docker group.
Instance-run host
$ /opt/anjuna/metal/instance-init.sh
The script verifies:
- That libvirt-daemon-system, libvirt-clients, qemu-system-x86, and acl are installed.
- That the current user belongs to the libvirt group.
- That libvirtd is running and enabled at boot.
- That /dev/sev is present and that its group and mode are kvm:0660, persisted by a udev rule.
- That libvirt’s default network is started and set to autostart.
- That /etc/libvirt/qemu.conf lists /dev/sev and /dev/kvm in cgroup_device_acl.
- That /var/lib/anjuna exists with root:libvirt ownership and POSIX ACLs that grant the libvirt group write access and the libvirt-qemu user read access.
If either script reports unmet checks, apply the printed commands and re-run. When the script adds your user to a new group, log out and back in for the change to take effect.
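Three of the instance-run checks are easy to get subtly wrong by hand: the stock qemu.conf ships its cgroup_device_acl block commented out, so a commented entry for /dev/sev must not count; the /dev/sev mode must be exactly what the udev rule sets; and an ACL entry can be present yet masked down to less than the permission you think it grants. The script below is an added example of how to verify those three points, not Anjuna's instance-init.sh. Each function takes the file or text it inspects as an argument or on stdin so it can be run against constructed inputs; the instance_host_checks wrapper is an assumption about how the checks would be combined on a real host.

```shell
#!/bin/sh
# Added example (not Anjuna's instance-init.sh): offline-testable versions of
# three instance-run host prerequisite checks.

# Print each device in the *active* cgroup_device_acl block of a qemu.conf.
# The pattern anchors on optional leading whitespace, so a '#cgroup_device_acl'
# line (the commented default) does not start a block.
qemu_conf_acl_devices() {
    awk '
        /^[[:space:]]*cgroup_device_acl[[:space:]]*=/ { inblock = 1 }
        inblock {
            line = $0
            while (match(line, /"[^"]*"/)) {            # pull out each quoted path
                print substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            if (line ~ /\]/) inblock = 0                # closing bracket ends the list
        }
    ' "${1:-/etc/libvirt/qemu.conf}"
}

# Succeed only if every device named after CONF appears in the active ACL.
qemu_conf_has_devices() {
    conf=$1; shift
    listed=$(qemu_conf_acl_devices "$conf")
    for want in "$@"; do
        printf '%s\n' "$listed" | grep -qxF -- "$want" || return 1
    done
}

# Check a device node's group and octal mode, e.g. dev_node_ok /dev/sev kvm 660.
# Prints the actual values on mismatch so the operator sees what udev produced.
dev_node_ok() {
    node=$1 group=$2 mode=$3
    [ -e "$node" ] || { echo "$node: missing" >&2; return 1; }
    actual=$(stat -c '%G:%a' "$node")
    [ "$actual" = "$group:$mode" ] || {
        echo "$node: is $actual, want $group:$mode" >&2
        return 1
    }
}

# Read `getfacl --omit-header` output on stdin and succeed if the named entry
# (TYPE is user or group, NAME the principal) grants PERM (r, w or x).
# When getfacl appends "#effective:..." because the mask limits the entry,
# the effective permissions are what get checked, not the nominal ones.
acl_text_grants() {
    awk -F: -v t="$1" -v n="$2" -v p="$3" '
        $1 == t && $2 == n {
            perms = (NF > 3) ? $NF : $3               # $NF is the effective set if present
            if (index(perms, p) > 0) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Combined check as run on a real host (paths from the prerequisite list above).
instance_host_checks() {
    rc=0
    qemu_conf_has_devices /etc/libvirt/qemu.conf /dev/kvm /dev/sev ||
        { echo "qemu.conf: active cgroup_device_acl lacks /dev/kvm or /dev/sev" >&2; rc=1; }
    dev_node_ok /dev/sev kvm 660 || rc=1
    acl=$(getfacl --omit-header /var/lib/anjuna 2>/dev/null) || { echo "/var/lib/anjuna: missing" >&2; return 1; }
    printf '%s\n' "$acl" | acl_text_grants group libvirt w ||
        { echo "/var/lib/anjuna: group libvirt lacks effective write" >&2; rc=1; }
    printf '%s\n' "$acl" | acl_text_grants user libvirt-qemu r ||
        { echo "/var/lib/anjuna: user libvirt-qemu lacks effective read" >&2; rc=1; }
    return $rc
}
```

The effective-permission handling matters in practice: setfacl on a directory that already has a restrictive mask leaves the group entry in place but neutered, and getfacl shows that as a trailing #effective field, which a naive grep for group:libvirt:rwx would miss.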