[pve-devel] [PATCH qemu-server/docs/manager v13 0/5] AMD SEV

[pve-devel] [PATCH qemu-server/docs/manager v13 0/5] AMD SEV

[Markus Frank]

changes v13:
* renamed amd_sev to amd-sev
* removed already applied patches
* add systemd service file for query-machine-capabilities
* removed now unused $efidisk0 parameter from the get_amd_sev_object 
 function

changes v12:
* new pve-guest-common patch
* improved error handling in C
* small perl style changes

changes v11:
* removed systemd service and added run_command in qemu-server instead
* moved SEV related code to CPUConfig
* instead of the no-debug and no-key-sharing checkboxes there are no 
 "allow debug/key-sharing" checkboxes in the WebUI with true beeing 
 the default.
* add check_non_migratable_resources function in qemu-server


apply/compile order:
* pve-guest-common: AbstractConfig: add abstract method to check for
 resources preventing a snapshot -> already applied
* qemu-server: add C program to get hardware capabilities from CPUID
 -> already applied
1. qemu-server: query-machine-capabilities: add systemd service file
 -> new to v13
2. qemu-server: config: add AMD SEV support
3. qemu-server: migration: add check_non_migratable_resources function
4. pve-docs: add AMD SEV documentation
5. pve-manager: ui: add AMD SEV configuration to Options


qemu-server:

Markus Frank (3):
  query-machine-capabilities: add systemd service file
  config: add AMD SEV support
  migration: add check_non_migratable_resources function

 PVE/API2/Qemu.pm                              |  5 +-
 PVE/QemuConfig.pm                             |  5 ++
 PVE/QemuMigrate.pm                            |  2 +-
 PVE/QemuServer.pm                             | 36 +++++++-
 PVE/QemuServer/CPUConfig.pm                   | 87 ++++++++++++++++++-
 query-machine-capabilities/Makefile           |  2 +
 .../query-machine-capabilities.service        | 13 +++
 7 files changed, 145 insertions(+), 5 deletions(-)
 create mode 100644 query-machine-capabilities/query-machine-capabilities.service


docs:

Markus Frank (1):
  add AMD SEV documentation

 qm.adoc | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 103 insertions(+)



manager:

Markus Frank (1):
  ui: add AMD SEV configuration to Options

 www/manager6/Makefile        |   1 +
 www/manager6/qemu/Options.js |  11 ++++
 www/manager6/qemu/SevEdit.js | 121 +++++++++++++++++++++++++++++++++++
 3 files changed, 133 insertions(+)
 create mode 100644 www/manager6/qemu/SevEdit.js

-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH qemu-server v13 1/5] query-machine-capabilities: add systemd service file

[Markus Frank]

Add a systemd service that runs the query-machine-capabilities binary
at boot time to ensure that the machine capabilities are stored in the
host-hw-capabilities.json file.

Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
 query-machine-capabilities/Makefile                 |  2 ++
 .../query-machine-capabilities.service              | 13 +++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 query-machine-capabilities/query-machine-capabilities.service

diff --git a/query-machine-capabilities/Makefile b/query-machine-capabilities/Makefile
index 469c69ff..42372370 100644
--- a/query-machine-capabilities/Makefile
+++ b/query-machine-capabilities/Makefile
@@ -1,6 +1,7 @@
 DESTDIR=
 PREFIX=/usr
 BINDIR=${PREFIX}/libexec/qemu-server
+SERVICEDIR=/lib/systemd/system
 
 CC ?= gcc
 CFLAGS += -O2 -fanalyzer -Werror -Wall -Wextra -Wpedantic -Wtype-limits -Wl,-z,relro -std=gnu11
@@ -12,6 +13,7 @@ query-machine-capabilities: query-machine-capabilities.c
 install: query-machine-capabilities
 	install -d ${DESTDIR}/${BINDIR}
 	install -m 0755 query-machine-capabilities ${DESTDIR}${BINDIR}
+	install -m 0644 query-machine-capabilities.service ${DESTDIR}${SERVICEDIR}
 
 .PHONY: clean
 clean:
diff --git a/query-machine-capabilities/query-machine-capabilities.service b/query-machine-capabilities/query-machine-capabilities.service
new file mode 100644
index 00000000..d9830a9d
--- /dev/null
+++ b/query-machine-capabilities/query-machine-capabilities.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=PVE Query Machine Capabilities
+RequiresMountsFor=/run
+Before=pve-ha-lrm.service
+Before=pve-guests.service
+
+[Service]
+ExecStart=/usr/libexec/qemu-server/query-machine-capabilities
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH qemu-server v13 2/5] config: add AMD SEV support

[Markus Frank]

This patch is for enabling AMD SEV (Secure Encrypted Virtualization)
support in QEMU.

VM-Config-Examples:
amd_sev: type=std,no-debug=1,no-key-sharing=1
amd_sev: es,no-debug=1,kernel-hashes=1

kernel-hashes, reduced-phys-bits & cbitpos correspond to the variables
with the same name in QEMU.

kernel-hashes=1 adds kernel hashes to enable measured linux kernel
launch since it is per default off for backward compatibility.

reduced-phys-bios and cbitpos are system specific and are read out by
the query-machine-capabilities c program and saved to the
/run/qemu-server/host-hw-capabilities.json file. This file is parsed
and than used by qemu-server to correctly start a AMD SEV VM.

type=std stands for standard sev to differentiate it from sev-es (es)
or sev-snp (snp) when support is upstream.

QEMU's sev-guest policy gets calculated with the parameters no-debug
& no-key-sharing. These parameters correspond to policy-bits 0 & 1.
If type is 'es' than policy-bit 2 gets set to 1 to activate SEV-ES.
Policy bit 3 (nosend) is always set to 1, because migration features
for sev are not upstream yet and are attackable.

SEV-ES is highly experimental since it could not be tested.

see coherent doc patch

Signed-off-by: Markus Frank <m.frank@proxmox.com>
Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/QemuServer.pm           | 13 +++++-
 PVE/QemuServer/CPUConfig.pm | 87 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 98 insertions(+), 2 deletions(-)

diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 8da1b4d2..a3446c3d 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -54,7 +54,7 @@ use PVE::QemuConfig;
 use PVE::QemuServer::Helpers qw(config_aware_timeout min_version windows_version);
 use PVE::QemuServer::Cloudinit;
 use PVE::QemuServer::CGroup;
-use PVE::QemuServer::CPUConfig qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch);
+use PVE::QemuServer::CPUConfig qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch get_amd_sev_object);
 use PVE::QemuServer::Drive qw(is_valid_drivename drive_is_cloudinit drive_is_cdrom drive_is_read_only parse_drive print_drive);
 use PVE::QemuServer::Machine;
 use PVE::QemuServer::Memory qw(get_current_memory);
@@ -359,6 +359,12 @@ my $confdesc = {
 	description => "Memory properties.",
 	format => $PVE::QemuServer::Memory::memory_fmt
     },
+    'amd-sev' => {
+	description => "Secure Encrypted Virtualization (SEV) features by AMD CPUs",
+	optional => 1,
+	format => 'pve-qemu-sev-fmt',
+	type => 'string',
+    },
     balloon => {
 	optional => 1,
 	type => 'integer',
@@ -4167,6 +4173,11 @@ sub config_to_command {
 	}
     }
 
+    if ($conf->{'amd-sev'}) {
+	push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios});
+	push @$machineFlags, 'confidential-guest-support=sev0';
+    }
+
     push @$cmd, @$devices;
     push @$cmd, '-rtc', join(',', @$rtcFlags) if scalar(@$rtcFlags);
     push @$cmd, '-machine', join(',', @$machineFlags) if scalar(@$machineFlags);
diff --git a/PVE/QemuServer/CPUConfig.pm b/PVE/QemuServer/CPUConfig.pm
index 33f7524f..e65d8c26 100644
--- a/PVE/QemuServer/CPUConfig.pm
+++ b/PVE/QemuServer/CPUConfig.pm
@@ -3,9 +3,11 @@ package PVE::QemuServer::CPUConfig;
 use strict;
 use warnings;
 
+use JSON;
+
 use PVE::JSONSchema;
 use PVE::Cluster qw(cfs_register_file cfs_read_file);
-use PVE::Tools qw(get_host_arch);
+use PVE::Tools qw(run_command get_host_arch);
 use PVE::QemuServer::Helpers qw(min_version);
 
 use base qw(PVE::SectionConfig Exporter);
@@ -15,6 +17,7 @@ print_cpu_device
 get_cpu_options
 get_cpu_bitness
 is_native_arch
+get_amd_sev_object
 );
 
 # under certain race-conditions, this module might be loaded before pve-cluster
@@ -225,6 +228,37 @@ my $cpu_fmt = {
     },
 };
 
+my $sev_fmt = {
+    type => {
+	description => "Enable standard SEV with type='std' or enable"
+	    ." experimental SEV-ES with the 'es' option.",
+	type => 'string',
+	default_key => 1,
+	format_description => "sev-type",
+	enum => ['std', 'es'],
+	maxLength => 3,
+    },
+    'no-debug' => {
+	description => "Sets policy bit 0 to 1 to disallow debugging of guest",
+	type => 'boolean',
+	default => 0,
+	optional => 1,
+    },
+    'no-key-sharing' => {
+	description => "Sets policy bit 1 to 1 to disallow key sharing with other guests",
+	type => 'boolean',
+	default => 0,
+	optional => 1,
+    },
+    "kernel-hashes" => {
+	description => "Add kernel hashes to guest firmware for measured linux kernel launch",
+	type => 'boolean',
+	default => 0,
+	optional => 1,
+    },
+};
+PVE::JSONSchema::register_format('pve-qemu-sev-fmt', $sev_fmt);
+
 PVE::JSONSchema::register_format('pve-phys-bits', \&parse_phys_bits);
 sub parse_phys_bits {
     my ($str, $noerr) = @_;
@@ -773,6 +807,57 @@ sub get_cpu_bitness {
     die "unsupported architecture '$arch'\n";
 }
 
+sub get_hw_capabilities {
+    # Get reduced-phys-bits & cbitpos from host-hw-capabilities.json
+    # TODO: Find better location than /run/qemu-server/
+    my $filename = '/run/qemu-server/host-hw-capabilities.json';
+    if (! -e $filename) {
+	die "$filename does not exist. Please check the status of query-machine-capabilities: "
+	    ."systemctl status query-machine-capabilities\n";
+    }
+    my $json_text = PVE::Tools::file_get_contents($filename);
+    ($json_text) = $json_text =~ /(.*)/; # untaint json text
+    my $hw_capabilities = eval { decode_json($json_text) };
+    if (my $err = $@) {
+	die $err;
+    }
+    return $hw_capabilities;
+}
+
+sub get_amd_sev_object {
+    my ($amd_sev, $bios) = @_;
+
+    my $amd_sev_conf = PVE::JSONSchema::parse_property_string($sev_fmt, $amd_sev);
+    my $sev_hw_caps = get_hw_capabilities()->{'amd-sev'};
+
+    if (!$sev_hw_caps->{'sev-support'}) {
+	die "Your CPU does not support AMD SEV.\n";
+    }
+    if ($amd_sev_conf->{type} eq 'es' && !$sev_hw_caps->{'sev-support-es'}) {
+	die "Your CPU does not support AMD SEV-ES.\n";
+    }
+    if (!$bios || $bios ne 'ovmf') {
+	die "To use AMD SEV, you need to change the BIOS to OVMF.\n";
+    }
+
+    my $sev_mem_object = 'sev-guest,id=sev0';
+    $sev_mem_object .= ',cbitpos='.$sev_hw_caps->{cbitpos};
+    $sev_mem_object .= ',reduced-phys-bits='.$sev_hw_caps->{'reduced-phys-bits'};
+
+    # guest policy bit calculation as described here:
+    # https://documentation.suse.com/sles/15-SP5/html/SLES-amd-sev/article-amd-sev.html#table-guestpolicy
+    my $policy = 0b0000;
+    $policy += 0b0001 if $amd_sev_conf->{'no-debug'};
+    $policy += 0b0010 if $amd_sev_conf->{'no-key-sharing'};
+    $policy += 0b0100 if $amd_sev_conf->{type} eq 'es';
+    # disable migration with bit 3 nosend to prevent amd-sev-migration-attack
+    $policy += 0b1000;
+
+    $sev_mem_object .= ',policy='.sprintf("%#x", $policy);
+    $sev_mem_object .= ',kernel-hashes=on' if ($amd_sev_conf->{'kernel-hashes'});
+    return $sev_mem_object;
+}
+
 __PACKAGE__->register();
 __PACKAGE__->init();
 
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH qemu-server v13 3/5] migration: add check_non_migratable_resources function

[Markus Frank]

The function checks for resources that cannot be migrated, snapshoted,
or suspended.

To run this function while the snapshot lock is active, the
pve-guest-common patch 'AbstractConfig: add abstract method to check for
resources preventing a snapshot.' is required.

Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
 PVE/API2/Qemu.pm   |  5 ++++-
 PVE/QemuConfig.pm  |  5 +++++
 PVE/QemuMigrate.pm |  2 +-
 PVE/QemuServer.pm  | 23 ++++++++++++++++++++++-
 4 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index c50c42be..ece98a30 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -4550,7 +4550,7 @@ __PACKAGE__->register_method({
 	$res->{running} = PVE::QemuServer::check_running($vmid) ? 1:0;
 
 	my ($local_resources, $mapped_resources, $missing_mappings_by_node) =
-	    PVE::QemuServer::check_local_resources($vmconf, 1);
+	    PVE::QemuServer::check_local_resources($vmconf, $res->{running}, 1);
 	delete $missing_mappings_by_node->{$localnode};
 
 	my $vga = PVE::QemuServer::parse_vga($vmconf->{vga});
@@ -5238,6 +5238,9 @@ __PACKAGE__->register_method({
 	die "unable to use snapshot name 'pending' (reserved name)\n"
 	    if lc($snapname) eq 'pending';
 
+	my $vmconf = PVE::QemuConfig->load_config($vmid);
+	PVE::QemuServer::check_non_migratable_resources($vmconf, $param->{vmstate}, 0);
+
 	my $realcmd = sub {
 	    PVE::Cluster::log_msg('info', $authuser, "snapshot VM $vmid: $snapname");
 	    PVE::QemuConfig->snapshot_create($vmid, $snapname, $param->{vmstate},
diff --git a/PVE/QemuConfig.pm b/PVE/QemuConfig.pm
index 8e8a7828..ffdf9f03 100644
--- a/PVE/QemuConfig.pm
+++ b/PVE/QemuConfig.pm
@@ -199,6 +199,11 @@ sub get_backup_volumes {
     return $return_volumes;
 }
 
+sub __snapshot_assert_no_blockers {
+    my ($class, $vmconf, $save_vmstate) = @_;
+    PVE::QemuServer::check_non_migratable_resources($vmconf, $save_vmstate, 0);
+}
+
 sub __snapshot_save_vmstate {
     my ($class, $vmid, $conf, $snapname, $storecfg, $statestorage, $suspend) = @_;
 
diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm
index 6591f3f7..09e97268 100644
--- a/PVE/QemuMigrate.pm
+++ b/PVE/QemuMigrate.pm
@@ -233,7 +233,7 @@ sub prepare {
 	$self->{vm_was_paused} = 1 if PVE::QemuServer::vm_is_paused($vmid, 0);
     }
 
-    my ($loc_res, $mapped_res, $missing_mappings_by_node) = PVE::QemuServer::check_local_resources($conf, 1);
+    my ($loc_res, $mapped_res, $missing_mappings_by_node) = PVE::QemuServer::check_local_resources($conf, $running, 1);
     my $blocking_resources = [];
     for my $res ($loc_res->@*) {
 	if (!grep($res, $mapped_res->@*)) {
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index a3446c3d..fe42122a 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -2571,13 +2571,32 @@ sub config_list {
     return $res;
 }
 
+sub check_non_migratable_resources {
+    my ($conf, $state, $noerr) = @_;
+
+    my @blockers = ();
+    if ($state && $conf->{"amd-sev"}) {
+	push @blockers, "amd-sev";
+    }
+
+    if (scalar(@blockers) && !$noerr) {
+	die "Cannot live-migrate, snapshot (with RAM), or hibernate a VM with:"
+	    ." @blockers\n";
+    }
+
+    return @blockers;
+}
+
 # test if VM uses local resources (to prevent migration)
 sub check_local_resources {
-    my ($conf, $noerr) = @_;
+    my ($conf, $state, $noerr) = @_;
 
     my @loc_res = ();
     my $mapped_res = [];
 
+    my @non_migratable_resources = check_non_migratable_resources($conf, $state, $noerr);
+    push(@loc_res, @non_migratable_resources);
+
     my $nodelist = PVE::Cluster::get_nodelist();
     my $pci_map = PVE::Mapping::PCI::config();
     my $usb_map = PVE::Mapping::USB::config();
@@ -6455,6 +6474,8 @@ sub vm_suspend {
 	die "cannot suspend to disk during backup\n"
 	    if $is_backing_up && $includestate;
 
+	check_non_migratable_resources($conf, $includestate, 0);
+
 	if ($includestate) {
 	    $conf->{lock} = 'suspending';
 	    my $date = strftime("%Y-%m-%d", localtime(time()));
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH docs v13 4/5] add AMD SEV documentation

[Markus Frank]

add documentation for the "[PATCH qemu-server] config: QEMU AMD SEV
enable" patch.

Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
 qm.adoc | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 103 insertions(+)

diff --git a/qm.adoc b/qm.adoc
index b550888..83bb20b 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -715,6 +715,109 @@ systems.
 When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB
 of RAM available to the host.
 
+[[qm_memory_encryption]]
+Memory Encryption
+~~~~~~~~~~~~~~~~~
+
+[[qm_memory_encryption_sev]]
+AMD SEV
+^^^^^^^
+
+SEV (Secure Encrypted Virtualization) enables memory encryption per VM using
+AES-128 encryption and the AMD Secure Processor.
+
+SEV-ES (Secure Encrypted Virtualization-Encrypted State) in addition encrypts
+all CPU register contents when a VM stops running, to prevent leakage of
+information to the hypervisor. This feature is very experimental.
+
+*Host Requirements:*
+
+* AMD EPYC CPU
+* SEV-ES is only supported on AMD EPYC 7xx2 and newer
+* configure AMD memory encryption in the BIOS settings of the host machine
+* add "kvm_amd.sev=1" to kernel parameters if not enabled by default
+* add "mem_encrypt=on" to kernel parameters if you want to encrypt memory on the
+host (SME) see https://www.kernel.org/doc/Documentation/x86/amd-memory-encryption.txt
+* maybe increase SWIOTLB see https://github.com/AMDESE/AMDSEV#faq-4
+
+To check if SEV is enabled on the host search for `sev` in dmesg and print out
+the SEV kernel parameter of kvm_amd:
+
+----
+# dmesg | grep -i sev
+[...] ccp 0000:45:00.1: sev enabled
+[...] ccp 0000:45:00.1: SEV API: <buildversion>
+[...] SEV supported: <number> ASIDs
+[...] SEV-ES supported: <number> ASIDs
+# cat /sys/module/kvm_amd/parameters/sev
+Y
+----
+
+*Guest Requirements:*
+
+* edk2-OVMF
+* advisable to use Q35
+* The guest operating system must contain SEV-support.
+
+*Limitations:*
+
+* Because the memory is encrypted the memory usage on host is always wrong.
+* Operations that involve saving or restoring memory like snapshots
+& live migration do not work yet or are attackable.
+https://github.com/PSPReverse/amd-sev-migration-attack
+* PCI passthrough is not supported.
+* SEV-ES is very experimental.
+* QEMU & AMD-SEV documentation is very limited.
+
+Example Configuration:
+
+----
+# qm set <vmid> -amd_sev type=std,no-debug=1,no-key-sharing=1,kernel-hashes=1
+----
+
+The *type* defines the encryption technology ("type=" is not necessary).
+Available options are std & es.
+
+The QEMU *policy* parameter gets calculated with the *no-debug* and
+*no-key-sharing* parameters. These parameters correspond to policy-bit 0 and 1.
+If *type* is *es* the policy-bit 2 is set to 1 so that SEV-ES is enabled.
+Policy-bit 3 (nosend) is always set to 1 to prevent migration-attacks. For more
+information on how to calculate the policy see:
+https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3]
+
+The *kernel-hashes* is per default off for backward compatibility with older
+OVMF images and guests that do not measure the kernel/initrd.
+See https://lists.gnu.org/archive/html/qemu-devel/2021-11/msg02598.html
+
+*Check if SEV is working on the guest*
+
+Method 1 - dmesg:
+
+Output should look like this.
+
+----
+# dmesg | grep -i sev
+AMD Memory Encryption Features active: SEV
+----
+
+Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV):
+
+Output should be 1.
+
+----
+# apt install msr-tools
+# modprobe msr
+# rdmsr -a 0xc0010131
+1
+----
+
+Links:
+
+* https://developer.amd.com/sev/
+* https://github.com/AMDESE/AMDSEV
+* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
+* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
+* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html
 
 [[qm_network_device]]
 Network Device
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH manager v13 5/5] ui: add AMD SEV configuration to Options

[Markus Frank]

By adding a new input panel with an AMD SEV technology selection combo
box and checkboxes for the optional parameters in an advanced section,
the user can configure the amd_sev option via the WebUI's Options tab.

Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
 www/manager6/Makefile        |   1 +
 www/manager6/qemu/Options.js |  11 ++++
 www/manager6/qemu/SevEdit.js | 121 +++++++++++++++++++++++++++++++++++
 3 files changed, 133 insertions(+)
 create mode 100644 www/manager6/qemu/SevEdit.js

diff --git a/www/manager6/Makefile b/www/manager6/Makefile
index d623dfb9..cb6ee47f 100644
--- a/www/manager6/Makefile
+++ b/www/manager6/Makefile
@@ -264,6 +264,7 @@ JSSRC= 							\
 	qemu/SSHKey.js					\
 	qemu/ScsiHwEdit.js				\
 	qemu/SerialEdit.js				\
+	qemu/SevEdit.js					\
 	qemu/Smbios1Edit.js				\
 	qemu/SystemEdit.js				\
 	qemu/USBEdit.js					\
diff --git a/www/manager6/qemu/Options.js b/www/manager6/qemu/Options.js
index 7b112400..cbe9e52b 100644
--- a/www/manager6/qemu/Options.js
+++ b/www/manager6/qemu/Options.js
@@ -338,6 +338,17 @@ Ext.define('PVE.qemu.Options', {
 		    },
 		} : undefined,
 	    },
+	    'amd-sev': {
+		header: gettext('AMD SEV'),
+		editor: caps.vms['VM.Config.HWType'] ? 'PVE.qemu.SevEdit' : undefined,
+		defaultValue: Proxmox.Utils.defaultText + ' (' + Proxmox.Utils.disabledText + ')',
+		renderer: function(value, metaData, record, ri, ci, store, pending) {
+		    let amd_sev = PVE.Parser.parsePropertyString(value, "type");
+		    if (amd_sev.type === 'std') return 'AMD SEV (' + value + ')';
+		    if (amd_sev.type === 'es') return 'AMD SEV-ES (' + value + ')';
+		    return value;
+		},
+	    },
 	    hookscript: {
 		header: gettext('Hookscript'),
 	    },
diff --git a/www/manager6/qemu/SevEdit.js b/www/manager6/qemu/SevEdit.js
new file mode 100644
index 00000000..a3c2cdac
--- /dev/null
+++ b/www/manager6/qemu/SevEdit.js
@@ -0,0 +1,121 @@
+Ext.define('PVE.qemu.SevInputPanel', {
+    extend: 'Proxmox.panel.InputPanel',
+    xtype: 'pveSevInputPanel',
+    onlineHelp: 'qm_memory_encryption',
+
+    viewModel: {
+	data: {
+	    type: '__default__',
+	},
+	formulas: {
+	    sevEnabled: get => get('type') !== '__default__',
+	},
+    },
+
+    onGetValues: function(values) {
+	if (values.delete === 'type') {
+	    values.delete = 'amd-sev';
+	    return values;
+	}
+	if (!values.debug) {
+	    values["no-debug"] = 1;
+	}
+	if (!values["key-sharing"]) {
+	    values["no-key-sharing"] = 1;
+	}
+	delete values.debug;
+	delete values["key-sharing"];
+	let ret = {};
+	ret['amd-sev'] = PVE.Parser.printPropertyString(values, 'type');
+	return ret;
+    },
+
+
+    setValues: function(values) {
+	if (PVE.Parser.parseBoolean(values["no-debug"])) {
+	    values.debug = 0;
+	}
+	if (PVE.Parser.parseBoolean(values["no-key-sharing"])) {
+	    values["key-sharing"] = 0;
+	}
+	this.callParent(arguments);
+    },
+
+    items: {
+	xtype: 'proxmoxKVComboBox',
+	fieldLabel: gettext('AMD Secure Encrypted Virtualization (SEV)'),
+	labelWidth: 150,
+	name: 'type',
+	value: '__default__',
+	comboItems: [
+	    ['__default__', Proxmox.Utils.defaultText + ' (' + Proxmox.Utils.disabledText + ')'],
+	    ['std', 'AMD SEV'],
+	    ['es', 'AMD SEV-ES (highly experimental)'],
+	],
+	bind: {
+	    value: '{type}',
+	},
+    },
+
+    advancedItems: [
+	{
+	    xtype: 'proxmoxcheckbox',
+	    fieldLabel: gettext('Allow Debugging'),
+	    labelWidth: 150,
+	    name: 'debug',
+	    value: 1,
+	    bind: {
+		hidden: '{!sevEnabled}',
+		disabled: '{!sevEnabled}',
+	    },
+	},
+	{
+	    xtype: 'proxmoxcheckbox',
+	    fieldLabel: gettext('Allow Key-Sharing'),
+	    labelWidth: 150,
+	    name: 'key-sharing',
+	    value: 1,
+	    bind: {
+		hidden: '{!sevEnabled}',
+		disabled: '{!sevEnabled}',
+	    },
+	},
+	{
+	    xtype: 'proxmoxcheckbox',
+	    fieldLabel: gettext('Enable Kernel Hashes'),
+	    labelWidth: 150,
+	    name: 'kernel-hashes',
+	    deleteDefaultValue: false,
+	    bind: {
+		hidden: '{!sevEnabled}',
+		disabled: '{!sevEnabled}',
+	    },
+	},
+    ],
+});
+
+Ext.define('PVE.qemu.SevEdit', {
+    extend: 'Proxmox.window.Edit',
+
+    subject: gettext('SEV'),
+
+    items: {
+	xtype: 'pveSevInputPanel',
+    },
+
+    width: 400,
+
+    initComponent: function() {
+	let me = this;
+
+	me.callParent();
+
+	me.load({
+	    success: function(response) {
+		let conf = response.result.data;
+		let amd_sev = conf['amd-sev'] || '__default__';
+		me.setValues(PVE.Parser.parsePropertyString(amd_sev, 'type'));
+	    },
+	});
+    },
+});
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH docs v13 4/5] add AMD SEV documentation

[Shannon Sterz]

On Mon Nov 18, 2024 at 12:16 PM CET, Markus Frank wrote:
> add documentation for the "[PATCH qemu-server] config: QEMU AMD SEV
> enable" patch.
>
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
>  qm.adoc | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 103 insertions(+)
>
> diff --git a/qm.adoc b/qm.adoc
> index b550888..83bb20b 100644
> --- a/qm.adoc
> +++ b/qm.adoc
> @@ -715,6 +715,109 @@ systems.
>  When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB
>  of RAM available to the host.
>
> +[[qm_memory_encryption]]
> +Memory Encryption
> +~~~~~~~~~~~~~~~~~
> +
> +[[qm_memory_encryption_sev]]
> +AMD SEV
> +^^^^^^^
> +
> +SEV (Secure Encrypted Virtualization) enables memory encryption per VM using
> +AES-128 encryption and the AMD Secure Processor.
> +
> +SEV-ES (Secure Encrypted Virtualization-Encrypted State) in addition encrypts
> +all CPU register contents when a VM stops running, to prevent leakage of
> +information to the hypervisor. This feature is very experimental.
> +
> +*Host Requirements:*
> +
> +* AMD EPYC CPU
> +* SEV-ES is only supported on AMD EPYC 7xx2 and newer
> +* configure AMD memory encryption in the BIOS settings of the host machine
> +* add "kvm_amd.sev=1" to kernel parameters if not enabled by default
> +* add "mem_encrypt=on" to kernel parameters if you want to encrypt memory on the
> +host (SME) see https://www.kernel.org/doc/Documentation/x86/amd-memory-encryption.txt
> +* maybe increase SWIOTLB see https://github.com/AMDESE/AMDSEV#faq-4
> +
> +To check if SEV is enabled on the host search for `sev` in dmesg and print out
> +the SEV kernel parameter of kvm_amd:
> +
> +----
> +# dmesg | grep -i sev
> +[...] ccp 0000:45:00.1: sev enabled
> +[...] ccp 0000:45:00.1: SEV API: <buildversion>
> +[...] SEV supported: <number> ASIDs
> +[...] SEV-ES supported: <number> ASIDs
> +# cat /sys/module/kvm_amd/parameters/sev
> +Y
> +----
> +
> +*Guest Requirements:*
> +
> +* edk2-OVMF
> +* advisable to use Q35
> +* The guest operating system must contain SEV-support.
> +
> +*Limitations:*
> +
> +* Because the memory is encrypted the memory usage on host is always wrong.
> +* Operations that involve saving or restoring memory like snapshots
> +& live migration do not work yet or are attackable.
> +https://github.com/PSPReverse/amd-sev-migration-attack
> +* PCI passthrough is not supported.
> +* SEV-ES is very experimental.
> +* QEMU & AMD-SEV documentation is very limited.
> +
> +Example Configuration:
> +
> +----
> +# qm set <vmid> -amd_sev type=std,no-debug=1,no-key-sharing=1,kernel-hashes=1
> +----
> +
> +The *type* defines the encryption technology ("type=" is not necessary).
> +Available options are std & es.
> +
> +The QEMU *policy* parameter gets calculated with the *no-debug* and
> +*no-key-sharing* parameters. These parameters correspond to policy-bit 0 and 1.
> +If *type* is *es* the policy-bit 2 is set to 1 so that SEV-ES is enabled.
> +Policy-bit 3 (nosend) is always set to 1 to prevent migration-attacks. For more
> +information on how to calculate the policy see:
> +https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3]
> +
> +The *kernel-hashes* is per default off for backward compatibility with older

tiny nit: I think "The *kernel-hases* options is off per default..."
would sound more natural

> +OVMF images and guests that do not measure the kernel/initrd.
> +See https://lists.gnu.org/archive/html/qemu-devel/2021-11/msg02598.html
> +
> +*Check if SEV is working on the guest*
> +
> +Method 1 - dmesg:
> +
> +Output should look like this.
> +
> +----
> +# dmesg | grep -i sev
> +AMD Memory Encryption Features active: SEV
> +----
> +
> +Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV):
> +
> +Output should be 1.
> +
> +----
> +# apt install msr-tools
> +# modprobe msr
> +# rdmsr -a 0xc0010131
> +1
> +----
> +
> +Links:
> +
> +* https://developer.amd.com/sev/
> +* https://github.com/AMDESE/AMDSEV
> +* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
> +* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
> +* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html
>
>  [[qm_network_device]]
>  Network Device



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH manager v13 5/5] ui: add AMD SEV configuration to Options

[Shannon Sterz]

On Mon Nov 18, 2024 at 12:17 PM CET, Markus Frank wrote:
> By adding a new input panel with an AMD SEV technology selection combo
> box and checkboxes for the optional parameters in an advanced section,
> the user can configure the amd_sev option via the WebUI's Options tab.
>
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
>  www/manager6/Makefile        |   1 +
>  www/manager6/qemu/Options.js |  11 ++++
>  www/manager6/qemu/SevEdit.js | 121 +++++++++++++++++++++++++++++++++++
>  3 files changed, 133 insertions(+)
>  create mode 100644 www/manager6/qemu/SevEdit.js
>
> diff --git a/www/manager6/Makefile b/www/manager6/Makefile
> index d623dfb9..cb6ee47f 100644
> --- a/www/manager6/Makefile
> +++ b/www/manager6/Makefile
> @@ -264,6 +264,7 @@ JSSRC= 							\
>  	qemu/SSHKey.js					\
>  	qemu/ScsiHwEdit.js				\
>  	qemu/SerialEdit.js				\
> +	qemu/SevEdit.js					\
>  	qemu/Smbios1Edit.js				\
>  	qemu/SystemEdit.js				\
>  	qemu/USBEdit.js					\
> diff --git a/www/manager6/qemu/Options.js b/www/manager6/qemu/Options.js
> index 7b112400..cbe9e52b 100644
> --- a/www/manager6/qemu/Options.js
> +++ b/www/manager6/qemu/Options.js
> @@ -338,6 +338,17 @@ Ext.define('PVE.qemu.Options', {
>  		    },
>  		} : undefined,
>  	    },
> +	    'amd-sev': {
> +		header: gettext('AMD SEV'),
> +		editor: caps.vms['VM.Config.HWType'] ? 'PVE.qemu.SevEdit' : undefined,
> +		defaultValue: Proxmox.Utils.defaultText + ' (' + Proxmox.Utils.disabledText + ')',
> +		renderer: function(value, metaData, record, ri, ci, store, pending) {
> +		    let amd_sev = PVE.Parser.parsePropertyString(value, "type");
> +		    if (amd_sev.type === 'std') return 'AMD SEV (' + value + ')';
> +		    if (amd_sev.type === 'es') return 'AMD SEV-ES (' + value + ')';
> +		    return value;
> +		},
> +	    },
>  	    hookscript: {
>  		header: gettext('Hookscript'),
>  	    },
> diff --git a/www/manager6/qemu/SevEdit.js b/www/manager6/qemu/SevEdit.js
> new file mode 100644
> index 00000000..a3c2cdac
> --- /dev/null
> +++ b/www/manager6/qemu/SevEdit.js
> @@ -0,0 +1,121 @@
> +Ext.define('PVE.qemu.SevInputPanel', {
> +    extend: 'Proxmox.panel.InputPanel',
> +    xtype: 'pveSevInputPanel',
> +    onlineHelp: 'qm_memory_encryption',
> +
> +    viewModel: {
> +	data: {
> +	    type: '__default__',
> +	},
> +	formulas: {
> +	    sevEnabled: get => get('type') !== '__default__',
> +	},
> +    },
> +
> +    onGetValues: function(values) {
> +	if (values.delete === 'type') {
> +	    values.delete = 'amd-sev';
> +	    return values;
> +	}
> +	if (!values.debug) {
> +	    values["no-debug"] = 1;
> +	}
> +	if (!values["key-sharing"]) {
> +	    values["no-key-sharing"] = 1;
> +	}
> +	delete values.debug;
> +	delete values["key-sharing"];
> +	let ret = {};
> +	ret['amd-sev'] = PVE.Parser.printPropertyString(values, 'type');
> +	return ret;
> +    },
> +
> +
> +    setValues: function(values) {
> +	if (PVE.Parser.parseBoolean(values["no-debug"])) {
> +	    values.debug = 0;
> +	}
> +	if (PVE.Parser.parseBoolean(values["no-key-sharing"])) {
> +	    values["key-sharing"] = 0;
> +	}
> +	this.callParent(arguments);
> +    },
> +
> +    items: {
> +	xtype: 'proxmoxKVComboBox',
> +	fieldLabel: gettext('AMD Secure Encrypted Virtualization (SEV)'),
> +	labelWidth: 150,
> +	name: 'type',
> +	value: '__default__',
> +	comboItems: [
> +	    ['__default__', Proxmox.Utils.defaultText + ' (' + Proxmox.Utils.disabledText + ')'],
> +	    ['std', 'AMD SEV'],
> +	    ['es', 'AMD SEV-ES (highly experimental)'],
> +	],
> +	bind: {
> +	    value: '{type}',
> +	},
> +    },
> +
> +    advancedItems: [
> +	{
> +	    xtype: 'proxmoxcheckbox',
> +	    fieldLabel: gettext('Allow Debugging'),
> +	    labelWidth: 150,
> +	    name: 'debug',
> +	    value: 1,
> +	    bind: {
> +		hidden: '{!sevEnabled}',
> +		disabled: '{!sevEnabled}',
> +	    },
> +	},
> +	{
> +	    xtype: 'proxmoxcheckbox',
> +	    fieldLabel: gettext('Allow Key-Sharing'),
> +	    labelWidth: 150,
> +	    name: 'key-sharing',
> +	    value: 1,
> +	    bind: {
> +		hidden: '{!sevEnabled}',
> +		disabled: '{!sevEnabled}',
> +	    },
> +	},
> +	{
> +	    xtype: 'proxmoxcheckbox',
> +	    fieldLabel: gettext('Enable Kernel Hashes'),
> +	    labelWidth: 150,
> +	    name: 'kernel-hashes',
> +	    deleteDefaultValue: false,
> +	    bind: {
> +		hidden: '{!sevEnabled}',
> +		disabled: '{!sevEnabled}',
> +	    },
> +	},
> +    ],
> +});
> +
> +Ext.define('PVE.qemu.SevEdit', {
> +    extend: 'Proxmox.window.Edit',
> +
> +    subject: gettext('SEV'),

tiny nit: i think this falls into the same category as TFA and if we
don't translate that, we probably shouldn't translate SEV here either. i
also couldn't find any translations of this term on the internet, but
that's probably due to this feature being much more niche than TFA

> +
> +    items: {
> +	xtype: 'pveSevInputPanel',
> +    },
> +
> +    width: 400,
> +
> +    initComponent: function() {
> +	let me = this;
> +
> +	me.callParent();
> +
> +	me.load({
> +	    success: function(response) {
> +		let conf = response.result.data;
> +		let amd_sev = conf['amd-sev'] || '__default__';
> +		me.setValues(PVE.Parser.parsePropertyString(amd_sev, 'type'));
> +	    },
> +	});
> +    },
> +});

With the two tiny nits, consider this:

Reviewed-by: Shannon Sterz <s.sterz@proxmox.com>



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied-series: [PATCH qemu-server/docs/manager v13 0/5] AMD SEV

[Thomas Lamprecht]

Am 18.11.24 um 12:16 schrieb Markus Frank:
> changes v13:
> * renamed amd_sev to amd-sev
> * removed already applied patches
> * add systemd service file for query-machine-capabilities
> * removed now unused $efidisk0 parameter from the get_amd_sev_object 
>  function
> 
> changes v12:
> * new pve-guest-common patch
> * improved error handling in C
> * small perl style changes
> 
> changes v11:
> * removed systemd service and added run_command in qemu-server instead
> * moved SEV related code to CPUConfig
> * instead of the no-debug and no-key-sharing checkboxes there are no 
>  "allow debug/key-sharing" checkboxes in the WebUI with true beeing 
>  the default.
> * add check_non_migratable_resources function in qemu-server
> 
> 
> apply/compile order:
> * pve-guest-common: AbstractConfig: add abstract method to check for
>  resources preventing a snapshot -> already applied
> * qemu-server: add C program to get hardware capabilities from CPUID
>  -> already applied
> 1. qemu-server: query-machine-capabilities: add systemd service file
>  -> new to v13
> 2. qemu-server: config: add AMD SEV support
> 3. qemu-server: migration: add check_non_migratable_resources function
> 4. pve-docs: add AMD SEV documentation
> 5. pve-manager: ui: add AMD SEV configuration to Options
> 
> 
> qemu-server:
> 
> Markus Frank (3):
>   query-machine-capabilities: add systemd service file
>   config: add AMD SEV support
>   migration: add check_non_migratable_resources function
> 
>  PVE/API2/Qemu.pm                              |  5 +-
>  PVE/QemuConfig.pm                             |  5 ++
>  PVE/QemuMigrate.pm                            |  2 +-
>  PVE/QemuServer.pm                             | 36 +++++++-
>  PVE/QemuServer/CPUConfig.pm                   | 87 ++++++++++++++++++-
>  query-machine-capabilities/Makefile           |  2 +
>  .../query-machine-capabilities.service        | 13 +++
>  7 files changed, 145 insertions(+), 5 deletions(-)
>  create mode 100644 query-machine-capabilities/query-machine-capabilities.service
> 
> 
> docs:
> 
> Markus Frank (1):
>   add AMD SEV documentation
> 
>  qm.adoc | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 103 insertions(+)
> 
> 
> 
> manager:
> 
> Markus Frank (1):
>   ui: add AMD SEV configuration to Options
> 
>  www/manager6/Makefile        |   1 +
>  www/manager6/qemu/Options.js |  11 ++++
>  www/manager6/qemu/SevEdit.js | 121 +++++++++++++++++++++++++++++++++++
>  3 files changed, 133 insertions(+)
>  create mode 100644 www/manager6/qemu/SevEdit.js
> 


applied series, with some minor nits from Shannon and me fixed directly or as
follow-up, thanks!


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel