From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 125A38E548 for ; Fri, 11 Nov 2022 15:49:18 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id E0C2351E0 for ; Fri, 11 Nov 2022 15:48:47 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 11 Nov 2022 15:48:45 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 9A5D044AA1 for ; Fri, 11 Nov 2022 15:48:39 +0100 (CET) Message-ID: <8c385d1f-9e87-58ad-8ca4-8ec4bd92e729@proxmox.com> Date: Fri, 11 Nov 2022 15:48:37 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.0 Content-Language: en-US To: Proxmox VE development discussion , Markus Frank References: <20221111142716.235955-1-m.frank@proxmox.com> <20221111142716.235955-3-m.frank@proxmox.com> From: Matthias Heiserer In-Reply-To: <20221111142716.235955-3-m.frank@proxmox.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.191 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_SHORT 0.001 Use of a URL Shortener for very short URL NICE_REPLY_A -0.001 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [amd.com, phoronix.com, qemu.org, archive.org, suse.com] Subject: Re: [pve-devel] [PATCH docs v2 2/2] added Memory Encryption documentation X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Nov 2022 14:49:18 -0000 Inline, I have some suggestions regarding wording and spelling On 11.11.2022 15:27, Markus Frank wrote: > added AMD SEV documentation for "[PATCH qemu-server] QEMU AMD SEV > enable" > > Signed-off-by: Markus Frank > --- > qm.adoc | 113 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 113 insertions(+) > > diff --git a/qm.adoc b/qm.adoc > index e7d0c07..5ba43a2 100644 > --- a/qm.adoc > +++ b/qm.adoc > @@ -598,6 +598,119 @@ systems. > When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB > of RAM available to the host. > > +[[qm_memory_encryption]] > +Memory Encryption > +~~~~~~~~~~~~~~~~~ > + > +[[qm_memory_encryption_sev]] > +AMD SEV > +^^^^^^^ > + > +Memory Encryption per VM using AES-128 Encryption and the AMD Secure Processor. > +See https://developer.amd.com/sev/[AMD SEV] > + > +*Host-Requirements:* > + > +* AMD EPYC/Ryzen PRO CPU > +* configured SEV BIOS settings on Host Machine > +* add "kvm_amd.sev=1" to kernel parameters if not enabled by default > +* add "mem_encrypt=on" to kernel parameters if you want encrypt memory on the "to encrypt" or "encrypted" > +host (SME) > +see https://www.kernel.org/doc/Documentation/x86/amd-memory-encryption.txt > +* maybe increase SWIOTLB see https://github.com/AMDESE/AMDSEV#faq-4 > + > +To check if SEV is enabled on Host-Machine search for `sev` in dmesg I think "on the host" would be the best wording > +and print out the sev kernel parameter of kvm_amd: > + > +---- > +# dmesg | grep -i sev > +[...] ccp 0000:45:00.1: sev enabled > +[...] ccp 0000:45:00.1: SEV API: > +[...] SEV supported: ASIDs > +[...] SEV-ES supported: ASIDs > +# cat /sys/module/kvm_amd/parameters/sev > +Y > +---- > + > +*Guest-VM-Requirements:* Also here, we spell guest/host without hyphen. Maybe just drop the VM, i.e. "Guest Requirements" > + > +* edk2-OVMF > +* advisable to use Q35 > +* The guest operating system inside the VM must contain SEV-support > +* if there are problems while booting (stops at blank/splash screen or "Guest has not > +initialized the display (yet)") try to add virtio-rng and/or set "freeze: 1" > +so that you wait a few seconds before you click on *Resume* to boot. There's inconsistent capitalization > + > +*Limitations:* > + > +* Because the memory is encrypted the memory usage on host is always wrong > +* Operations that involve saving or restoring memory like snapshots > +& live migration do not work yet or are attackable > +https://github.com/PSPReverse/amd-sev-migration-attack > +* KVM is unsupported when running as an SEV guest > +* PCI passthrough is not supported > + > +Example Configuration: > + > +---- > +# qm set -memory_encryption type=sev,cbitpos=47,policy=0x0001,reduced-phys-bits=1 > +---- > + > +*SEV Parameters* I'd use the same format as e.g. in "10.13.3. Options". Regarding the following sentences: Consistently end them with a dot or without, don't mix. > + > +*type* defines the encryption technology ("type=" is not necessary): > +currently-supported: *sev* > +and in the future: sev-snp, mktme > + > +*reduced-phys-bios*, *cbitpos* and *policy* correspond to the variables with the > +same name in qemu. > + > +*reduced-phys-bios* and *cbitpos* are system specific and can be read out > +with QMP. If not set, qm starts a dummy-vm to read QMP > +for these variables out and saves them to config. > + > +*policy* can be calculated with > +https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3] > + > +To use SEV-ES (CPU register encryption) the *policy* should be set > +somewhere between 0x4 and 0x7 or 0xC and 0xF, etc. > +(Bit-2 has to be set 1 (LSB 0 bit numbering)) > + > +*Check if SEV is working on the Guest* > + > +Method 1 - dmesg: > + > +Output should look like this. > + > +---- > +# dmesg | grep -i sev > +AMD Memory Encryption Features active: SEV > +---- > + > +Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV): > + > +Output should be 1. > + > +---- > +# apt install msr-tools > +# modprobe msr > +# rdmsr -a 0xc0010131 > +1 > +---- > + > +Links: > + > +* https://github.com/AMDESE/AMDSEV > +* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html > +* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf > +* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html In case you haven't done so, you could make a snapshot of these pages with archive.org or similarly, so there's a backup if they ever get removed. > + > +// Commented because cannot be tested without new EPYC-CPU > +// AMD SEV-SNP > +// ^^^^^^^^^^^ > +// * SEV-SNP needs EPYC 7003 "Milan" processors. > +// * SEV-SNP should in Kernel 5.19: > +// https://www.phoronix.com/scan.php?page=news_item&px=AMD-SEV-SNP-Arrives-Linux-5.19 > > [[qm_network_device]] > Network Device