Failed to load amd/sev.fw

From Thomas-Krenn-Wiki

Since the first generation of AMD EPYC server processors, the security feature Secure Encrypted Virtualization (SEV) has been available. SEV makes it possible to encrypt the working memory of virtual machines. To use the feature, the SEV firmware is also required. If it is not available, the error message firmware: failed to load amd/sev.fw (-2) appears during boot. This article explains AMD SEV and how to install the missing firmware blob under Linux.

dmesg Log if firmware is missing

You receive the following dmesg log entries under Debian 11:

[   10.875347] ccp 0000:48:00.1: enabling device (0000 -> 0002)
[   10.875583] ccp 0000:48:00.1: no command queues available
[   10.875710] ccp 0000:48:00.1: sev enabled
[   10.875712] ccp 0000:48:00.1: psp enabled
[   10.889505] ccp 0000:48:00.1: firmware: failed to load amd/amd_sev_fam19h_model01h.sbin (-2)
[   12.638036] ccp 0000:48:00.1: SEV: failed to INIT error 0x13

Under Debian 10:

[   13.178990] ccp 0000:48:00.1: enabling device (0000 -> 0002)
[   13.179652] ccp 0000:48:00.1: no command queues available
[   13.179653] ccp 0000:48:00.1: ccp initialization failed
[   13.179978] ccp 0000:48:00.1: psp enabled
[   13.179978] ccp 0000:48:00.1: enabled
[   13.189167] ccp 0000:48:00.1: firmware: failed to load amd/sev.fw (-2)
[   13.189665] ccp 0000:48:00.1: Direct firmware load for amd/sev.fw failed with error -2
[   13.198782] ccp 0000:48:00.1: SEV: failed to INIT error 0x13

What is AMD SEV

With Secure Encrypted Virtualization (SEV), the memory contents of a virtual machine can be encrypted with a key that is unique to that guest. The memory controller contains a high-performance encryption engine that can be programmed with several keys for use by different VMs in the system. The programming and management of these keys, and the secure data transfer between the host hypervisor and the guest VM's memory, are controlled by the SEV firmware running on the "AMD Secure Processor".[1]

The firmware is not included in all Linux distributions, for example Debian, and for licensing reasons must be installed manually afterwards. [2]

Requirements

1. The firmware file must be stored in the directory /lib/firmware/amd. If the "amd" folder does not exist, it must be created manually.

2. Depending on which CPU generation is installed, a different firmware blob must be installed. You can obtain these directly from AMD.

| Firmware blob name | CPU generation | Download |
| --- | --- | --- |
| amd_sev_fam17h_model0xh.sbin | EPYC 7xx1 | Download |
| amd_sev_fam17h_model3xh.sbin | EPYC 7xx2 | Download |
| amd_sev_fam19h_model0xh.sbin | EPYC 7xx3 | Download |

3. The kernel version in use determines whether the blob must be renamed to the name given in the table above or linked via a symlink. The current kernel version can be displayed with "uname -a".

| Kernel version | Process | Command |
| --- | --- | --- |
| 4.16 - 4.19 | create symlink | ln -s amd_sev_fam1Xh_modelYxh_version.sbin sev.fw |
| 4.20 and newer | rename firmware file | mv *.sbin amd_sev_fam1Xh_modelYxh.sbin |

4. The firmware is loaded the next time the system boots. This can be verified in the dmesg log.
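The four steps above can be checked with a small script. This is an added example, not part of the original article or of any AMD or Debian tooling; the function names are hypothetical, and the family and model arguments are assumed to be the decimal values from /proc/cpuinfo (25 and 1 for the EPYC 7343 test system, matching the fam19h_model01h name in the Debian 11 log).

```sh
#!/bin/sh
# Added example; the function names are hypothetical helpers, not an existing tool.

# Blob name as in the table above. Arguments: decimal "cpu family" and "model"
# from /proc/cpuinfo (the EPYC 7343 used in this article reports 25 and 1).
sev_blob_name() {
    printf 'amd_sev_fam%02xh_model%xxh.sbin\n' "$1" $(( ($2 >> 4) & 15 ))
}

# File name to create in /lib/firmware/amd for a kernel release (uname -r).
# 4.16 - 4.19: sev.fw; 4.20 and newer: the blob name without version suffix.
sev_target_name() {
    major=${1%%.*}
    minor=${1#*.}; minor=${minor%%[!0-9]*}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 20 ]; }; then
        sev_blob_name "$2" "$3"
    elif [ "$major" -eq 4 ] && [ "$minor" -ge 16 ]; then
        echo sev.fw
    else
        echo "kernel $1 is outside the range covered by this article" >&2
        return 1
    fi
}

# Classify the ccp firmware messages in dmesg output read from stdin.
# Prints "loaded <file>", "missing <file>" or "none".
sev_dmesg_status() {
    awk '
        /ccp .*firmware: direct-loading firmware amd\// { ok = $NF }
        /ccp .*firmware: failed to load amd\//          { bad = $(NF - 1) }
        END {
            if (ok != "")       print "loaded " ok
            else if (bad != "") print "missing " bad
            else                print "none"
        }'
}

# Demonstration with the values of the test system described in this article.
sev_target_name 4.19 25 1     # Debian 10 -> sev.fw
sev_target_name 5.10 25 1     # Debian 11 -> amd_sev_fam19h_model0xh.sbin
# One line copied from the Debian 10 log above:
echo '[   13.189167] ccp 0000:48:00.1: firmware: failed to load amd/sev.fw (-2)' |
    sev_dmesg_status          # -> missing amd/sev.fw
# On a live system: dmesg | sev_dmesg_status
```
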

Example

The following testing system was used in the example:

| Description | Component |
| --- | --- |
| Base | 2U AMD Single-CPU RA1208-SMEP Server |
| Mainboard | Supermicro H12SSL-CT |
| CPU | AMD EPYC 7343 |
| Working memory | 32 GB (4x 8GB) ECC Reg ATP DDR4 3200 RAM |
| SSD | 240 GB SATA III Samsung SSD 3D-NAND TLC 2.5" (PM893) |

Process for Debian 10

The folder "amd" in the directory "/lib/firmware" is missing and must be created:

root@debian:~# mkdir /lib/firmware/amd
root@debian:~# cd /lib/firmware/amd

Since this is a 3rd generation AMD CPU, the file "amd_sev_fam19h_model0xh.sbin" is required:

wget https://developer.amd.com/wp-content/resources/amd_sev_fam19h_model0xh_1.33.03.zip

Unpack the .zip archive:

root@debian:/lib/firmware/amd# unzip amd_sev_fam19h_model0xh_1.33.03.zip
Archive:  amd_sev_fam19h_model0xh_1.33.03.zip
  inflating: amd_sev_fam19h_model0xh_1.33.03.esbin
  inflating: amd_sev_fam19h_model0xh_1.33.03.sbin
  inflating: Milan Release Notes.txt

The kernel version is 4.19. A symlink must therefore be created:

root@debian:/lib/firmware/amd# ln -s amd_sev_fam19h_model0xh_1.33.03.sbin sev.fw

The firmware will be loaded during the next reboot. This can be verified in the dmesg log:

[   13.191384] ccp 0000:48:00.1: firmware: direct-loading firmware amd/sev.fw
[   13.223108] ccp 0000:48:00.1: SEV firmware update successful

Process for Debian 11

The folder "amd" in the directory "/lib/firmware" is missing and must be created:

root@debian:~# mkdir /lib/firmware/amd
root@debian:~# cd /lib/firmware/amd

Since this is a 3rd generation AMD CPU, the file "amd_sev_fam19h_model0xh.sbin" is required:

wget https://developer.amd.com/wp-content/resources/amd_sev_fam19h_model0xh_1.33.03.zip

Unpack the .zip archive:

root@debian:/lib/firmware/amd# unzip amd_sev_fam19h_model0xh_1.33.03.zip
Archive:  amd_sev_fam19h_model0xh_1.33.03.zip
  inflating: amd_sev_fam19h_model0xh_1.33.03.esbin
  inflating: amd_sev_fam19h_model0xh_1.33.03.sbin
  inflating: Milan Release Notes.txt

The kernel version is 5.10. The file must be renamed:

root@debian:/lib/firmware/amd# mv amd_sev_fam19h_model0xh_1.33.03.sbin amd_sev_fam19h_model0xh.sbin

The firmware is loaded during the next reboot. This can be verified in the dmesg log:

[   11.115577] ccp 0000:48:00.1: firmware: direct-loading firmware amd/amd_sev_fam19h_model01h.sbin 

References

Author: Florian Sebald

Translator: Alina Ranzinger
