From: Markus Frank
To: pve-devel@lists.proxmox.com
Date: Fri, 11 Nov 2022 15:27:16 +0100
Message-Id: <20221111142716.235955-3-m.frank@proxmox.com>
In-Reply-To: <20221111142716.235955-1-m.frank@proxmox.com>
References: <20221111142716.235955-1-m.frank@proxmox.com>
Subject: [pve-devel] [PATCH docs v2 2/2] added Memory Encryption documentation
List-Id: Proxmox VE development discussion

added AMD SEV documentation for "[PATCH qemu-server] QEMU AMD SEV enable"

Signed-off-by: Markus Frank
---
 qm.adoc | 113 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)

diff --git a/qm.adoc b/qm.adoc
index e7d0c07..5ba43a2 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -598,6 +598,119 @@ systems. When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB of RAM available to the host. +[[qm_memory_encryption]] +Memory Encryption +~~~~~~~~~~~~~~~~~ + +[[qm_memory_encryption_sev]] +AMD SEV +^^^^^^^ + +Memory Encryption per VM using AES-128 Encryption and the AMD Secure Processor. +See https://developer.amd.com/sev/[AMD SEV] + +*Host-Requirements:* + +* AMD EPYC/Ryzen PRO CPU +* configured SEV BIOS settings on Host Machine +* add "kvm_amd.sev=1" to kernel parameters if not enabled by default +* add "mem_encrypt=on" to kernel parameters if you want encrypt memory on the +host (SME) +see https://www.kernel.org/doc/Documentation/x86/amd-memory-encryption.txt +* maybe increase SWIOTLB see https://github.com/AMDESE/AMDSEV#faq-4 + +To check if SEV is enabled on Host-Machine search for `sev` in dmesg +and print out the sev kernel parameter of kvm_amd: + +---- +# dmesg | grep -i sev +[...] ccp 0000:45:00.1: sev enabled +[...] ccp 0000:45:00.1: SEV API: +[...] SEV supported: ASIDs +[...] SEV-ES supported: ASIDs +# cat /sys/module/kvm_amd/parameters/sev +Y +---- + +*Guest-VM-Requirements:* + +* edk2-OVMF +* advisable to use Q35 +* The guest operating system inside the VM must contain SEV-support +* if there are problems while booting (stops at blank/splash screen or "Guest has not +initialized the display (yet)") try to add virtio-rng and/or set "freeze: 1" +so that you wait a few seconds before you click on *Resume* to boot. 
+ +*Limitations:* + +* Because the memory is encrypted the memory usage on host is always wrong +* Operations that involve saving or restoring memory like snapshots +& live migration do not work yet or are attackable +https://github.com/PSPReverse/amd-sev-migration-attack +* KVM is unsupported when running as an SEV guest +* PCI passthrough is not supported + +Example Configuration: + +---- +# qm set -memory_encryption type=sev,cbitpos=47,policy=0x0001,reduced-phys-bits=1 +---- + +*SEV Parameters* + +*type* defines the encryption technology ("type=" is not necessary): +currently-supported: *sev* +and in the future: sev-snp, mktme + +*reduced-phys-bios*, *cbitpos* and *policy* correspond to the variables with the +same name in qemu. + +*reduced-phys-bios* and *cbitpos* are system specific and can be read out +with QMP. If not set, qm starts a dummy-vm to read QMP +for these variables out and saves them to config. + +*policy* can be calculated with +https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3] + +To use SEV-ES (CPU register encryption) the *policy* should be set +somewhere between 0x4 and 0x7 or 0xC and 0xF, etc. +(Bit-2 has to be set 1 (LSB 0 bit numbering)) + +*Check if SEV is working on the Guest* + +Method 1 - dmesg: + +Output should look like this. + +---- +# dmesg | grep -i sev +AMD Memory Encryption Features active: SEV +---- + +Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV): + +Output should be 1. + +---- +# apt install msr-tools +# modprobe msr +# rdmsr -a 0xc0010131 +1 +---- + +Links: + +* https://github.com/AMDESE/AMDSEV +* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html +* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf +* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html + +// Commented because cannot be tested without new EPYC-CPU +// AMD SEV-SNP +// ^^^^^^^^^^^ +// * SEV-SNP needs EPYC 7003 "Milan" processors. 
+// * SEV-SNP should in Kernel 5.19: +// https://www.phoronix.com/scan.php?page=news_item&px=AMD-SEV-SNP-Arrives-Linux-5.19 [[qm_network_device]] Network Device -- 2.30.2
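Review bot: the parameter name is misspelled in the *SEV Parameters* part of this hunk: it twice writes *reduced-phys-bios* (`*reduced-phys-bios*, *cbitpos* and *policy* correspond to the variables with the same name in qemu.` and `*reduced-phys-bios* and *cbitpos* are system specific`), while the example configuration and QEMU's own option are spelled `reduced-phys-bits`; please rename both occurrences so readers do not copy a non-existent option. Two smaller points in the same hunk: the example `qm set -memory_encryption type=sev,cbitpos=47,policy=0x0001,reduced-phys-bits=1` omits the VM ID that `qm set` requires, so it should read `qm set <vmid> -memory_encryption ...`; and under "Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV)" the text says the output should be 1, which only holds for a plain SEV guest. MSR_AMD64_SEV reports SEV in bit 0 and SEV-ES in bit 1, so a guest started with one of the SEV-ES policies the section recommends (policy bit 2 set, e.g. 0x4 to 0x7) reads 3, and `rdmsr -a` prints that value once per CPU rather than a single line; stating both expected values would avoid readers concluding SEV-ES is broken.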