* [pve-devel] [PATCH pve-docs v2] added Memory Encryption documentation
@ 2022-06-10 10:53 Markus Frank
From: Markus Frank @ 2022-06-10 10:53 UTC (permalink / raw)
To: pve-devel
added AMD SEV documentation for "[PATCH qemu-server] QEMU AMD SEV
enable"
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
v2:
* added check if sev is enabled
* added more limitations
* added suse doc link
qm.adoc | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 89 insertions(+)
diff --git a/qm.adoc b/qm.adoc
index e666d7d..d60753e 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -583,6 +583,95 @@ systems.
When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB
of RAM available to the host.
+[[qm_memory_encryption]]
+Memory Encryption
+~~~~~~~~~~~~~~~~~
+
+[[qm_memory_encryption_sev]]
+AMD SEV
+^^^^^^^
+
+Memory Encryption using AES-128 Encryption and the AMD Secure Processor.
+See https://developer.amd.com/sev/[AMD SEV]
+
+Requirements:
+
+* AMD EPYC/Ryzen PRO CPU
+* configured SEV BIOS Settings on Host Machine
+* add Kernel Parameters: "mem_encrypt=on kvm_amd.sev=1"
+
+Example Configuration:
+
+----
+# qm set <vmid> -memory_encryption type=sev,cbitpos=47,policy=0x0005,reduced-phys-bits=1
+----
+
+*SEV Parameters*
+
+"type" defines the encryption technology ("type=" is not necessary): sev, sev-snp, mktme
+
+"reduced-phys-bios", "cbitpos" and "policy" correspond to the variables with the
+same name in qemu.
+
+"reduced-phys-bios" and "cbitpos" are system specific and can be read out
+with QMP. If not set, qm starts a dummy-vm to read QMP
+for these variables out and saves them to config.
+
+"policy" can be calculated with
+https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3]
+
+To use SEV-ES (CPU register encryption) the "policy" should be set
+somewhere between 0x4 and 0x7 or 0xC and 0xF, etc.
+(Bit-2 has to be set 1 (LSB 0 bit numbering))
+
+*Check if SEV is working*
+
+Method 1 - dmesg:
+
+Output should look like this.
+
+----
+# dmesg | grep -i sev
+AMD Memory Encryption Features active: SEV
+----
+
+Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV):
+
+Output should be 1.
+
+----
+# apt install msr-tools
+# modprobe msr
+# rdmsr -a 0xc0010131
+1
+----
+
+Limitations:
+
+* Because the memory is encrypted the memory usage on host is always wrong
+and around 82% usage
+* Operations that involve saving or restoring memory like snapshots
+& live migration do not work yet
+* edk2-OVMF required
+* The guest operating system inside a VM must contain SEV-support
+* Recommendable: VirtIO RNG for more entropy (VMs sometimes will not
+boot without)
+
+Links:
+
+* https://github.com/AMDESE/AMDSEV
+* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
+* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
+* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html
+
+// Commented because not supported by kernel yet
+//AMD SEV-SNP
+//^^^^^^^^^^^
+
+//* SEV-SNP support is not in the Linux Kernel yet and needs EPYC 7003 "Milan"
+//processors.
+//* SEV-SNP should be in Kernel 5.19: https://www.phoronix.com/scan.php?page=news_item&px=AMD-SEV-SNP-Arrives-Linux-5.19
+//* patched Kernel: https://github.com/AMDESE/linux/tree/sev-snp-5.18-rc3
[[qm_network_device]]
Network Device
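Review bot: the option name is misspelled as "reduced-phys-bios" in both paragraphs under *SEV Parameters*, while the example command and the QEMU option are "reduced-phys-bits"; a reader copying the name from the prose gets an unknown option. Fix both occurrences to "reduced-phys-bits". In the same section, "type" is documented as accepting sev, sev-snp and mktme, yet the commented-out block at the end of the hunk states that SEV-SNP is not in the kernel yet and nothing in this patch covers mktme; document only the type this patch enables (sev) or mark the others as unsupported, so the docs do not promise a `type=sev-snp` that cannot work. The aside '("type=" is not necessary)' should also spell out what it means, presumably that "type" is the default key and can be given as the first positional value.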
--
2.30.2
* Re: [pve-devel] [PATCH pve-docs v2] added Memory Encryption documentation
From: Daniel Tschlatscher @ 2022-09-02 11:50 UTC (permalink / raw)
To: pve-devel
A few suggestions I would have found helpful when first reading this
documentation, inline:
On 6/10/22 12:53, Markus Frank wrote:
> added AMD SEV documentation for "[PATCH qemu-server] QEMU AMD SEV
> enable"
>
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
> v2:
> * added check if sev is enabled
> * added more limitations
> * added suse doc link
>
> qm.adoc | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 89 insertions(+)
>
> diff --git a/qm.adoc b/qm.adoc
> index e666d7d..d60753e 100644
> --- a/qm.adoc
> +++ b/qm.adoc
> @@ -583,6 +583,95 @@ systems.
> When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB
> of RAM available to the host.
>
> +[[qm_memory_encryption]]
> +Memory Encryption
> +~~~~~~~~~~~~~~~~~
> +
> +[[qm_memory_encryption_sev]]
> +AMD SEV
> +^^^^^^^
> +
> +Memory Encryption using AES-128 Encryption and the AMD Secure Processor.
> +See https://developer.amd.com/sev/[AMD SEV]
> +
> +Requirements:
> +
> +* AMD EPYC/Ryzen PRO CPU
> +* configured SEV BIOS Settings on Host Machine
Nit: spell 'settings' lowercase
> +* add Kernel Parameters: "mem_encrypt=on kvm_amd.sev=1"
This should include that using edk2-OVMF is a requirement (see below)
> +
> +Example Configuration:
> +
> +----
> +# qm set <vmid> -memory_encryption type=sev,cbitpos=47,policy=0x0005,reduced-phys-bits=1
> +----
> +
> +*SEV Parameters*
> +
> +"type" defines the encryption technology ("type=" is not necessary): sev, sev-snp, mktme
> +
> +"reduced-phys-bios", "cbitpos" and "policy" correspond to the variables with the
> +same name in qemu.
> +
> +"reduced-phys-bios" and "cbitpos" are system specific and can be read out
> +with QMP. If not set, qm starts a dummy-vm to read QMP
> +for these variables out and saves them to config.
> +
> +"policy" can be calculated with
> +https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3]
> +
> +To use SEV-ES (CPU register encryption) the "policy" should be set
> +somewhere between 0x4 and 0x7 or 0xC and 0xF, etc.
> +(Bit-2 has to be set 1 (LSB 0 bit numbering))
> +
> +*Check if SEV is working*
> +
> +Method 1 - dmesg:
> +
> +Output should look like this.
> +
> +----
> +# dmesg | grep -i sev
> +AMD Memory Encryption Features active: SEV
> +----
> +
> +Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV):
> +
> +Output should be 1.
> +
> +----
> +# apt install msr-tools
> +# modprobe msr
> +# rdmsr -a 0xc0010131
> +1
> +----
This part should mention that Method 1 is to be executed on the host and
Method 2 is executed on the SEV-enabled guest.
> +
> +Limitations:
> +
> +* Because the memory is encrypted the memory usage on host is always wrong
> +and around 82% usage
This seems to depend on multiple factors, but the value of 82% does not
always apply and could therefore be confusing.
In my testing the value ranged from around 46% to nearly 95%. However,
the usage percentage seems to always stay the same for a certain
configuration.
> +* Operations that involve saving or restoring memory like snapshots
> +& live migration do not work yet
> +* edk2-OVMF required
I think this bullet point would be better placed under requirements, as
it's much easier to overlook it here.
> +* The guest operating system inside a VM must contain SEV-support
This one could be moved to requirements as well. Additionally, it would
be nice to add a link to a list of distributions with SEV support, if
you know of one.
> +* Recommendable: VirtIO RNG for more entropy (VMs sometimes will not
> +boot without)
> +
> +Links:
> +
> +* https://github.com/AMDESE/AMDSEV
> +* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
> +* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
> +* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html
> +
> +// Commented because not supported by kernel yet
> +//AMD SEV-SNP
> +//^^^^^^^^^^^
> +
> +//* SEV-SNP support is not in the Linux Kernel yet and needs EPYC 7003 "Milan"
> +//processors.
> +//* SEV-SNP should be in Kernel 5.19: https://www.phoronix.com/scan.php?page=news_item&px=AMD-SEV-SNP-Arrives-Linux-5.19
> +//* patched Kernel: https://github.com/AMDESE/linux/tree/sev-snp-5.18-rc3
>
> [[qm_network_device]]
> Network Device
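Review bot: the example `policy=0x0005` has bit 2 set, which by the hunk's own sentence under "To use SEV-ES" means the example configures SEV-ES rather than plain SEV, yet the Requirements list only "mem_encrypt=on kvm_amd.sev=1" and the dmesg check expects "Features active: SEV". Either use a policy with bit 2 clear in the example, or state that the example is an SEV-ES configuration and document what the host additionally needs for it. Under *Check if SEV is working*, `rdmsr -a` reads the MSR on every CPU, so on a guest with more than one vCPU the output is one line per CPU rather than the single "1" shown; say so, or drop `-a`.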