* Re: [pve-devel] [PATCH pve-docs] added Memory Encryption documentation
@ 2022-06-10 4:37 Dietmar Maurer
2022-06-10 8:51 ` Markus Frank
0 siblings, 1 reply; 3+ messages in thread
From: Dietmar Maurer @ 2022-06-10 4:37 UTC (permalink / raw)
To: Proxmox VE development discussion, Markus Frank
Live migration works?
> +Limitations:
> +
> +* Memory usage on host is always wrong and around 82% Usage
> +* Snapshots do not work
> +* edk2-OVMF required
> +* Recommendable: VirtIO RNG for more entropy (VMs sometimes will not
* Re: [pve-devel] [PATCH pve-docs] added Memory Encryption documentation
2022-06-10 4:37 [pve-devel] [PATCH pve-docs] added Memory Encryption documentation Dietmar Maurer
@ 2022-06-10 8:51 ` Markus Frank
0 siblings, 0 replies; 3+ messages in thread
From: Markus Frank @ 2022-06-10 8:51 UTC (permalink / raw)
To: Dietmar Maurer, Proxmox VE development discussion
Not really. All I could find are these patches:
https://marc.info/?l=kvm&m=156278967226011&w=2
https://lore.kernel.org/all/20190809185434.GH2840@work-vm/T/#m902085a219bdad35007dd7fffa0ed0765fd2322a
In the qemu documentation, snapshots & live migration are still a TODO:
https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
Current Limitations section in the SUSE documentation:
https://documentation.suse.com/sles/15-SP3/html/SLES-amd-sev/article-amd-sev.html
Also interesting: "Migration Attack" when using these patches:
https://github.com/PSPReverse/amd-sev-migration-attack
On 6/10/22 06:37, Dietmar Maurer wrote:
> Live migration works?
>
>> +Limitations:
>> +
>> +* Memory usage on host is always wrong and around 82% Usage
>> +* Snapshots do not work
>> +* edk2-OVMF required
>> +* Recommendable: VirtIO RNG for more entropy (VMs sometimes will not
* [pve-devel] [PATCH pve-docs] added Memory Encryption documentation
2022-06-09 11:14 [pve-devel] [PATCH qemu-server] QEMU AMD SEV enable Markus Frank
@ 2022-06-09 11:14 ` Markus Frank
0 siblings, 0 replies; 3+ messages in thread
From: Markus Frank @ 2022-06-09 11:14 UTC (permalink / raw)
To: pve-devel
added AMD SEV documentation for "[PATCH qemu-server] QEMU AMD SEV
enable"
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
qm.adoc | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
diff --git a/qm.adoc b/qm.adoc
index e666d7d..027d0a1 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -583,6 +583,65 @@ systems.
When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB
of RAM available to the host.
+[[qm_memory_encryption]]
+Memory Encryption
+~~~~~~~~~~~~~~~~~
+
+AMD SEV
+^^^^^^^
+
+Memory Encryption using AES-128 Encryption and the AMD Secure Processor.
+See https://developer.amd.com/sev/[AMD SEV]
+
+Requirements:
+
+* AMD EPYC/Ryzen PRO CPU
+* configured SEV BIOS Settings on Host Machine
+* add Kernel Parameters: "mem_encrypt=on kvm_amd.sev=1"
+
+Example Configuration:
+
+----
+# qm set <vmid> -memory_encryption type=sev,cbitpos=47,policy=0x0005,reduced-phys-bits=1
+----
+
+"type" defines the encryption technology ("type=" is not necessary): sev, sev-snp, mktme
+
+"reduced-phys-bios", "cbitpos" and "policy" correspond to the variables with the
+same name in qemu.
+
+"reduced-phys-bios" and "cbitpos" are system specific and can be read out
+with QMP. If not set, qm starts a dummy-vm to read QMP
+for these variables out and saves them to config.
+
+"policy" can be calculated with
+https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3]
+
+To use SEV-ES (CPU register encryption) the "policy" should be set
+somewhere between 0x4 and 0x7 or 0xC and 0xF, etc.
+(Bit-2 has to be set 1 (LSB 0 bit numbering))
+
+Limitations:
+
+* Memory usage on host is always wrong and around 82% Usage
+* Snapshots do not work
+* edk2-OVMF required
+* Recommendable: VirtIO RNG for more entropy (VMs sometimes will not
+boot without)
+
+Links:
+
+* https://github.com/AMDESE/AMDSEV
+* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
+* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
+
+AMD SEV-SNP
+^^^^^^^^^^^
+
+* SEV-SNP support is not in the Linux Kernel yet and needs EPYC 7003 "Milan"
+processors.
+* SEV-SNP should be in Kernel 5.19: https://www.phoronix.com/scan.php?page=news_item&px=AMD-SEV-SNP-Arrives-Linux-5.19
+* patched Kernel: https://github.com/AMDESE/linux/tree/sev-snp-5.18-rc3
[[qm_network_device]]
Network Device
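Review bot: the option is misspelled as "reduced-phys-bios" in the two explanatory paragraphs ("reduced-phys-bios", "cbitpos" and "policy" correspond to ... / "reduced-phys-bios" and "cbitpos" are system specific ...) while the `qm set` example uses `reduced-phys-bits=1`; the example matches the QEMU option name, so the prose should read "reduced-phys-bits". The Limitations list should also state that live migration is not supported, since the reply in this thread answers the live-migration question with "Not really", and "Recommendable: VirtIO RNG" reads better as "Recommended: VirtIO RNG". The bullet "Memory usage on host is always wrong and around 82% Usage" should say which view shows the wrong value and that the figure is independent of the guest's real usage, otherwise a reader cannot tell whether their system is affected. Finally, the example's `policy=0x0005` already has bit 2 set and therefore enables SEV-ES, which the later paragraph describes as a separate choice; either say so next to the example or use a plain-SEV policy there so the two passages agree.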
--
2.30.2