From: Markus Frank <m.frank@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH docs v2 2/2] added Memory Encryption documentation
Date: Fri, 11 Nov 2022 15:27:16 +0100	[thread overview]
Message-ID: <20221111142716.235955-3-m.frank@proxmox.com> (raw)
In-Reply-To: <20221111142716.235955-1-m.frank@proxmox.com>

added AMD SEV documentation for "[PATCH qemu-server] QEMU AMD SEV
enable"

Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
 qm.adoc | 113 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)

diff --git a/qm.adoc b/qm.adoc
index e7d0c07..5ba43a2 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -598,6 +598,119 @@ systems.
 When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB
 of RAM available to the host.
 
+[[qm_memory_encryption]]
+Memory Encryption
+~~~~~~~~~~~~~~~~~
+
+[[qm_memory_encryption_sev]]
+AMD SEV
+^^^^^^^
+
+Memory Encryption per VM using AES-128 Encryption and the AMD Secure Processor.
+See https://developer.amd.com/sev/[AMD SEV]
+
+*Host-Requirements:*
+
+* AMD EPYC/Ryzen PRO CPU
+* configured SEV BIOS settings on Host Machine
+* add "kvm_amd.sev=1" to kernel parameters if not enabled by default
+* add "mem_encrypt=on" to kernel parameters if you want encrypt memory on the
+host (SME)
+see https://www.kernel.org/doc/Documentation/x86/amd-memory-encryption.txt
+* maybe increase SWIOTLB see https://github.com/AMDESE/AMDSEV#faq-4
+
+To check if SEV is enabled on Host-Machine search for `sev` in dmesg
+and print out the sev kernel parameter of kvm_amd:
+
+----
+# dmesg | grep -i sev
+[...] ccp 0000:45:00.1: sev enabled
+[...] ccp 0000:45:00.1: SEV API: <buildversion>
+[...] SEV supported: <number> ASIDs
+[...] SEV-ES supported: <number> ASIDs
+# cat /sys/module/kvm_amd/parameters/sev
+Y
+----
+
+*Guest-VM-Requirements:*
+
+* edk2-OVMF
+* advisable to use Q35
+* The guest operating system inside the VM must contain SEV-support
+* if there are problems while booting (stops at blank/splash screen or "Guest has not
+initialized the display (yet)") try to add virtio-rng and/or set "freeze: 1"
+so that you wait a few seconds before you click on *Resume* to boot.
+
+*Limitations:*
+
+* Because the memory is encrypted the memory usage on host is always wrong
+* Operations that involve saving or restoring memory like snapshots
+& live migration do not work yet or are attackable
+https://github.com/PSPReverse/amd-sev-migration-attack
+* KVM is unsupported when running as an SEV guest
+* PCI passthrough is not supported
+
+Example Configuration:
+
+----
+# qm set <vmid> -memory_encryption type=sev,cbitpos=47,policy=0x0001,reduced-phys-bits=1
+----
+
+*SEV Parameters*
+
+*type* defines the encryption technology ("type=" is not necessary):
+currently-supported: *sev*
+and in the future: sev-snp, mktme
+
+*reduced-phys-bios*, *cbitpos* and *policy* correspond to the variables with the
+same name in qemu.
+
+*reduced-phys-bios* and *cbitpos* are system specific and can be read out
+with QMP. If not set, qm starts a dummy-vm to read QMP
+for these variables out and saves them to config.
+
+*policy* can be calculated with
+https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3]
+
+To use SEV-ES (CPU register encryption) the *policy* should be set
+somewhere between 0x4 and 0x7 or 0xC and 0xF, etc.
+(Bit-2 has to be set 1 (LSB 0 bit numbering))
+
+*Check if SEV is working on the Guest*
+
+Method 1 - dmesg:
+
+Output should look like this.
+
+----
+# dmesg | grep -i sev
+AMD Memory Encryption Features active: SEV
+----
+
+Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV):
+
+Output should be 1.
+
+----
+# apt install msr-tools
+# modprobe msr
+# rdmsr -a 0xc0010131
+1
+----
+
+Links:
+
+* https://github.com/AMDESE/AMDSEV
+* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
+* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
+* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html
+
+// Commented because cannot be tested without new EPYC-CPU
+// AMD SEV-SNP
+// ^^^^^^^^^^^
+// * SEV-SNP needs EPYC 7003 "Milan" processors.
+// * SEV-SNP should in Kernel 5.19:
+// https://www.phoronix.com/scan.php?page=news_item&px=AMD-SEV-SNP-Arrives-Linux-5.19
 
 [[qm_network_device]]
 Network Device
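Review bot: `reduced-phys-bios` in the *SEV Parameters* text is a typo for `reduced-phys-bits`; it appears twice ("*reduced-phys-bios*, *cbitpos* and *policy* correspond to the variables with the same name in qemu" and "*reduced-phys-bios* and *cbitpos* are system specific and can be read out with QMP"), while the example `qm set <vmid> -memory_encryption type=sev,cbitpos=47,policy=0x0001,reduced-phys-bits=1` and the QEMU option use the correct spelling, so a reader cannot match the description to the parameter. A few smaller points in the same hunk. The guest MSR check states "Output should be 1", but bit 1 of MSR 0xc0010131 (MSR_AMD64_SEV) indicates SEV-ES, so a guest started with an SEV-ES policy (bit 2 set) reads 3 rather than 1; say that 1 means SEV and 3 means SEV plus SEV-ES instead of implying 1 is the only good value. The SEV-ES sentence "somewhere between 0x4 and 0x7 or 0xC and 0xF, etc." is clearer stated only as the rule already given in parentheses, that bit 2 of *policy* must be set, for example 0x0005 to combine the example's 0x0001 with SEV-ES. In *Limitations*, "do not work yet or are attackable" does not tell the administrator what to do: state that snapshots that include RAM state and live migration must not be used for SEV VMs (and ideally are refused by qm), citing the linked migration attack as the reason, and say what "memory usage on host is always wrong" means in practice, namely that the host-side memory figure for an SEV guest cannot be trusted. Finally, "Memory Encryption per VM using AES-128 Encryption and the AMD Secure Processor." is a sentence fragment; something like "SEV encrypts each VM's memory with a per-VM AES-128 key managed by the AMD Secure Processor." fits the manual's register.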
-- 
2.30.2

Thread overview: 8+ messages
2022-11-11 14:27 [pve-devel] [PATCH qemu-server/docs v2 0/2] AMD SEV Markus Frank
2022-11-11 14:27 ` [pve-devel] [PATCH qemu-server v2 1/2] QEMU AMD SEV enable Markus Frank
2022-11-14 13:06   ` Fiona Ebner
2022-11-17 10:50     ` Markus Frank
2022-11-17 11:27       ` Fiona Ebner
2022-11-11 14:27 ` Markus Frank [this message]
2022-11-11 14:48   ` [pve-devel] [PATCH docs v2 2/2] added Memory Encryption documentation Matthias Heiserer
2022-11-14 13:07   ` Fiona Ebner
