From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id BBBB0E5F2 for ; Fri, 9 Dec 2022 15:26:24 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 89EB12520C for ; Fri, 9 Dec 2022 15:25:54 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 9 Dec 2022 15:25:52 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 38E0843956 for ; Fri, 9 Dec 2022 15:25:52 +0100 (CET) From: Markus Frank To: pve-devel@lists.proxmox.com Date: Fri, 9 Dec 2022 15:25:22 +0100 Message-Id: <20221209142522.236233-2-m.frank@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20221209142522.236233-1-m.frank@proxmox.com> References: <20221209142522.236233-1-m.frank@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.040 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_SHORT 0.001 Use of a URL Shortener for very short URL SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH docs v3] added Memory Encryption documentation X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Dec 2022 14:26:24 -0000 added AMD SEV documentation for "[PATCH qemu-server] QEMU AMD SEV enable" Signed-off-by: Markus Frank --- v3: * added more information * removed some grammar errors v2: * added more details for host & guests * moved things from Limitations to Requirements * changed order of text qm.adoc | 118 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 118 insertions(+) diff --git a/qm.adoc b/qm.adoc index e7d0c07..6f79289 100644 --- a/qm.adoc +++ b/qm.adoc @@ -598,6 +598,124 @@ systems. When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB of RAM available to the host. +[[qm_memory_encryption]] +Memory Encryption +~~~~~~~~~~~~~~~~~ + +[[qm_memory_encryption_sev]] +AMD SEV +^^^^^^^ + +SEV (Secure Encrypted Virtualization) enables Memory Encryption per VM using +AES-128 Encryption and the AMD Secure Processor. + +SEV-ES (Secure Encrypted Virtualization-Encrypted State) in addition encrypts +all CPU register contents when a VM stops running, to prevent leakage of +information to the hypervisor. + +*Host Requirements:* + +* AMD EPYC/Ryzen PRO +* SEV-ES is only supported on AMD EPYC 7xx2 and newer +* configured SEV BIOS settings on Host Machine +* add "kvm_amd.sev=1" to kernel parameters if not enabled by default +* add "mem_encrypt=on" to kernel parameters if you want to encrypt memory on the +host (SME) +see https://www.kernel.org/doc/Documentation/x86/amd-memory-encryption.txt +* maybe increase SWIOTLB see https://github.com/AMDESE/AMDSEV#faq-4 + +To check if SEV is enabled on the host search for `sev` in dmesg +and print out the SEV kernel parameter of kvm_amd: + +---- +# dmesg | grep -i sev +[...] ccp 0000:45:00.1: sev enabled +[...] ccp 0000:45:00.1: SEV API: +[...] SEV supported: ASIDs +[...] SEV-ES supported: ASIDs +# cat /sys/module/kvm_amd/parameters/sev +Y +---- + +Node Configuration (/etc/pve/nodes/mona/config): + +---- +amd_sev: cbitpos=47,reduced-phys-bits=1 +---- + +*reduced-phys-bios* and *cbitpos* correspond to the variables with the +same name in qemu. They are system specific and can be read out +with QMP. If not set, qm starts a dummy-vm to read QMP +for these variables out and saves them to config. + +*Guest Requirements:* + +* edk2-OVMF +* advisable to use Q35 +* The guest operating system must contain SEV-support. +* If there are problems while booting (stops at blank/splash screen) +try to add virtio-rng. + +*Limitations:* + +* Because the memory is encrypted the memory usage on host is always wrong. +* Operations that involve saving or restoring memory like snapshots +& live migration do not work yet or are attackable. +https://github.com/PSPReverse/amd-sev-migration-attack +* PCI passthrough is not supported. +* Qemu & AMD-SEV documentation is very limited. +* Nested virtualization and kvm is not supported under SEV-ES. + +Example Configuration: + +---- +# qm set -amd_sev type=std,nodbg=1,noks=1,kernel-hashes=1 +---- + +*type* defines the encryption technology ("type=" is not necessary). +Available options: std, es + +The Qemu *policy* parameter gets calculated with the *nodbg* and *noks* +parameters. +These parameters correspond to policy-bit 0 and 1. +If *type* is *es* the policy-bit 2 is set to 1 so that SEV-ES is enabled. +Policy-bit 3 (nosend) is always set to 1 to prevent migration-attacks. +For more information on how to calculate the policy see: +https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3] + +The *kernel-hashes* is per default off for backward compatibility with older OVMF images +and guests that do not measure the kernel/initrd. +See https://lists.gnu.org/archive/html/qemu-devel/2021-11/msg02598.html + +*Check if SEV is working on the guest* + +Method 1 - dmesg: + +Output should look like this. + +---- +# dmesg | grep -i sev +AMD Memory Encryption Features active: SEV +---- + +Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV): + +Output should be 1. + +---- +# apt install msr-tools +# modprobe msr +# rdmsr -a 0xc0010131 +1 +---- + +Links: + +* https://developer.amd.com/sev/ +* https://github.com/AMDESE/AMDSEV +* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html +* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf +* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html [[qm_network_device]] Network Device -- 2.30.2