From: Daniel Tschlatscher <d.tschlatscher@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH pve-docs v2] added Memory Encryption documentation
Date: Fri, 2 Sep 2022 13:50:42 +0200 [thread overview]
Message-ID: <ae692e42-d602-dcae-d42b-362d8a131f30@proxmox.com> (raw)
In-Reply-To: <20220610105351.75132-1-m.frank@proxmox.com>
A few suggestions I would have found helpful when first reading this
documentation, inline:
On 6/10/22 12:53, Markus Frank wrote:
> added AMD SEV documentation for "[PATCH qemu-server] QEMU AMD SEV
> enable"
>
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
> v2:
> * added check if sev is enabled
> * added more limitations
> * added suse doc link
>
> qm.adoc | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 89 insertions(+)
>
> diff --git a/qm.adoc b/qm.adoc
> index e666d7d..d60753e 100644
> --- a/qm.adoc
> +++ b/qm.adoc
> @@ -583,6 +583,95 @@ systems.
> When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB
> of RAM available to the host.
>
> +[[qm_memory_encryption]]
> +Memory Encryption
> +~~~~~~~~~~~~~~~~~
> +
> +[[qm_memory_encryption_sev]]
> +AMD SEV
> +^^^^^^^
> +
> +Memory Encryption using AES-128 Encryption and the AMD Secure Processor.> +See https://developer.amd.com/sev/[AMD SEV]
> +
> +Requirements:
> +
> +* AMD EPYC/Ryzen PRO CPU
> +* configured SEV BIOS Settings on Host Machine
Nit: spell 'settings' lowercase
> +* add Kernel Parameters: "mem_encrypt=on kvm_amd.sev=1"
This should include that using edk2-OVMF is a requirement (see below)
> +
> +Example Configuration:
> +
> +----
> +# qm set <vmid> -memory_encryption type=sev,cbitpos=47,policy=0x0005,reduced-phys-bits=1
> +----
> +
> +*SEV Parameters*
> +
> +"type" defines the encryption technology ("type=" is not necessary): sev, sev-snp, mktme
> +
> +"reduced-phys-bios", "cbitpos" and "policy" correspond to the variables with the
> +same name in qemu.
> +
> +"reduced-phys-bios" and "cbitpos" are system specific and can be read out
> +with QMP. If not set, qm starts a dummy-vm to read QMP
> +for these variables out and saves them to config.
> +
> +"policy" can be calculated with
> +https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3]
> +
> +To use SEV-ES (CPU register encryption) the "policy" should be set
> +somewhere between 0x4 and 0x7 or 0xC and 0xF, etc.
> +(Bit-2 has to be set 1 (LSB 0 bit numbering))
> +
> +*Check if SEV is working*
> +
> +Method 1 - dmesg:
> +
> +Output should look like this.
> +
> +----
> +# dmesg | grep -i sev
> +AMD Memory Encryption Features active: SEV
> +----
> +
> +Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV):
> +
> +Output should be 1.
> +
> +----
> +# apt install msr-tools
> +# modprobe msr
> +# rdmsr -a 0xc0010131
> +1
> +----
This part should mention that Method 1 is to be executed on the host and
Method 2 is executed on the SEV-enabled guest.
> +
> +Limitations:
> +
> +* Because the memory is encrypted the memory usage on host is always wrong
> +and around 82% usage
This seems to depend on multiple factors, but the value of 82% does not
always apply and could therefore be confusing.
In my testing the value ranged from around 46% to nearly 95%. However,
the usage percentage seems to always stay the same for a certain
configuration.
> +* Operations that involve saving or restoring memory like snapshots
> +& live migration do not work yet
> +* edk2-OVMF required
I think this bullet point would be better placed under requirements, as
it's much easier to overlook it here.
> +* The guest operating system inside a VM must contain SEV-support
This one could be moved to requirements as well. Additionally, it would
be nice to add a link to a list of distributions with SEV support, if
you know of one.
> +* Recommendable: VirtIO RNG for more entropy (VMs sometimes will not
> +boot without)
> +
> +Links:
> +
> +* https://github.com/AMDESE/AMDSEV
> +* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
> +* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
> +* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html
> +
> +// Commented because not supported by kernel yet
> +//AMD SEV-SNP
> +//^^^^^^^^^^^
> +
> +//* SEV-SNP support is not in the Linux Kernel yet and needs EPYC 7003 "Milan"
> +//processors.
> +//* SEV-SNP should be in Kernel 5.19: https://www.phoronix.com/scan.php?page=news_item&px=AMD-SEV-SNP-Arrives-Linux-5.19
> +//* patched Kernel: https://github.com/AMDESE/linux/tree/sev-snp-5.18-rc3
>
> [[qm_network_device]]
> Network Device
prev parent reply other threads:[~2022-09-02 11:50 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-10 10:53 Markus Frank
2022-09-02 11:50 ` Daniel Tschlatscher [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ae692e42-d602-dcae-d42b-362d8a131f30@proxmox.com \
--to=d.tschlatscher@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.