From: Markus Frank <m.frank@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH pve-docs] amd-sev: add SEV-SNP infos and improve documentation
Date: Fri, 4 Apr 2025 13:44:56 +0200 [thread overview]
Message-ID: <20250404114456.304222-1-m.frank@proxmox.com> (raw)
add SEV-SNP limitations, example configuration and hyperlinks for more
information
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
qm.adoc | 51 +++++++++++++++++++++++++++++++++++++++------------
1 file changed, 39 insertions(+), 12 deletions(-)
diff --git a/qm.adoc b/qm.adoc
index 2617a7c..3aa0406 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -745,13 +745,19 @@ SEV (Secure Encrypted Virtualization) enables memory encryption per VM using
AES-128 encryption and the AMD Secure Processor.
SEV-ES (Secure Encrypted Virtualization-Encrypted State) in addition encrypts
-all CPU register contents when a VM stops running, to prevent leakage of
-information to the hypervisor. This feature is very experimental.
+all CPU register contents, to prevent leakage of information to the hypervisor.
+
+SEV-SNP (Secure Encrypted Virtualisation-Secure Nested Paging) also attempts to
+prevent software-based integrity attacks. See the
+https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf[
+AMD SEV SNP white paper] for more information.
*Host Requirements:*
* AMD EPYC CPU
-* SEV-ES is only supported on AMD EPYC 7xx2 and newer
+* SEV-ES is only supported on AMD EPYC 7002 series and newer EPYC CPUs
+* SEV-SNP is only supported on AMD EPYC 7003 series and newer EPYC CPUs
+* SEV-SNP requires host kernel version 6.11 or higher.
* configure AMD memory encryption in the BIOS settings of the host machine
* add "kvm_amd.sev=1" to kernel parameters if not enabled by default
* add "mem_encrypt=on" to kernel parameters if you want to encrypt memory on the
@@ -780,21 +786,22 @@ Y
*Limitations:*
* Because the memory is encrypted the memory usage on host is always wrong.
-* Operations that involve saving or restoring memory like snapshots
-& live migration do not work yet or are attackable.
-https://github.com/PSPReverse/amd-sev-migration-attack
+* Operations that involve saving or restoring memory like snapshots & live
+migration do not work yet or are
+https://github.com/PSPReverse/amd-sev-migration-attack[attackable].
* PCI passthrough is not supported.
-* SEV-ES is very experimental.
-* QEMU & AMD-SEV documentation is very limited.
+* SEV-ES & SEV-SNP are very experimental.
+* EFI disks are not supported with SEV-SNP.
+* With SEV-SNP, the `reboot` command inside a VM simply shuts down the VM.
-Example Configuration:
+*Example Configuration (SEV):*
----
-# qm set <vmid> -amd_sev type=std,no-debug=1,no-key-sharing=1,kernel-hashes=1
+# qm set <vmid> -amd-sev type=std,no-debug=1,no-key-sharing=1,kernel-hashes=1
----
The *type* defines the encryption technology ("type=" is not necessary).
-Available options are std & es.
+Available options are std, es & snp.
The QEMU *policy* parameter gets calculated with the *no-debug* and
*no-key-sharing* parameters. These parameters correspond to policy-bit 0 and 1.
@@ -807,7 +814,7 @@ The *kernel-hashes* option is off per default for backward compatibility with
older OVMF images and guests that do not measure the kernel/initrd.
See https://lists.gnu.org/archive/html/qemu-devel/2021-11/msg02598.html
-*Check if SEV is working on the guest*
+*Check if SEV is working in the VM*
Method 1 - dmesg:
@@ -829,6 +836,24 @@ Output should be 1.
1
----
+*Example Configuration (SEV-SNP):*
+
+----
+# qm set <vmid> -amd-sev type=snp,allow-smt=1,no-debug=1,kernel-hashes=1
+----
+
+The `allow-smt` policy-bit is set by default. If you disable it by setting
+`allow-smt` to `0`, SMT must be disabled on the host in order for the VM to run.
+
+*Check if SEV-SNP is working in the VM*
+
+----
+# dmesg | grep -i snp
+Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP
+SEV: Using SNP CPUID table, 29 entries present.
+SEV: SNP guest platform device initialized.
+----
+
Links:
* https://developer.amd.com/sev/
@@ -836,6 +861,8 @@ Links:
* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html
+* https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf[
+SEV Secure Nested Paging Firmware ABI Specification]
[[qm_network_device]]
Network Device
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next reply other threads:[~2025-04-04 11:45 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-04 11:44 Markus Frank [this message]
2025-04-07 13:41 ` [pve-devel] applied: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250404114456.304222-1-m.frank@proxmox.com \
--to=m.frank@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal