From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 736461FF189
	for <inbox@lore.proxmox.com>; Fri,  4 Apr 2025 13:45:26 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 010851D45D;
	Fri,  4 Apr 2025 13:45:12 +0200 (CEST)
From: Markus Frank <m.frank@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Fri,  4 Apr 2025 13:44:56 +0200
Message-Id: <20250404114456.304222-1-m.frank@proxmox.com>
X-Mailer: git-send-email 2.39.5
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.005 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 KAM_SHORT               0.001 Use of a URL Shortener for very short URL
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [amd.com, qemu.org, gnu.org, suse.com]
Subject: [pve-devel] [PATCH pve-docs] amd-sev: add SEV-SNP infos and improve
 documentation
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

add SEV-SNP limitations, example configuration and hyperlinks for more
information

Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
 qm.adoc | 51 +++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 39 insertions(+), 12 deletions(-)

diff --git a/qm.adoc b/qm.adoc
index 2617a7c..3aa0406 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -745,13 +745,19 @@ SEV (Secure Encrypted Virtualization) enables memory encryption per VM using
 AES-128 encryption and the AMD Secure Processor.
 
 SEV-ES (Secure Encrypted Virtualization-Encrypted State) in addition encrypts
-all CPU register contents when a VM stops running, to prevent leakage of
-information to the hypervisor. This feature is very experimental.
+all CPU register contents, to prevent leakage of information to the hypervisor.
+
+SEV-SNP (Secure Encrypted Virtualisation-Secure Nested Paging) also attempts to
+prevent software-based integrity attacks. See the
+https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf[
+AMD SEV SNP white paper] for more information.
 
 *Host Requirements:*
 
 * AMD EPYC CPU
-* SEV-ES is only supported on AMD EPYC 7xx2 and newer
+* SEV-ES is only supported on AMD EPYC 7002 series and newer EPYC CPUs
+* SEV-SNP is only supported on AMD EPYC 7003 series and newer EPYC CPUs
+* SEV-SNP requires host kernel version 6.11 or higher.
 * configure AMD memory encryption in the BIOS settings of the host machine
 * add "kvm_amd.sev=1" to kernel parameters if not enabled by default
 * add "mem_encrypt=on" to kernel parameters if you want to encrypt memory on the
@@ -780,21 +786,22 @@ Y
 *Limitations:*
 
 * Because the memory is encrypted the memory usage on host is always wrong.
-* Operations that involve saving or restoring memory like snapshots
-& live migration do not work yet or are attackable.
-https://github.com/PSPReverse/amd-sev-migration-attack
+* Operations that involve saving or restoring memory like snapshots & live
+migration do not work yet or are
+https://github.com/PSPReverse/amd-sev-migration-attack[attackable].
 * PCI passthrough is not supported.
-* SEV-ES is very experimental.
-* QEMU & AMD-SEV documentation is very limited.
+* SEV-ES & SEV-SNP are very experimental.
+* EFI disks are not supported with SEV-SNP.
+* With SEV-SNP, the `reboot` command inside a VM simply shuts down the VM.
 
-Example Configuration:
+*Example Configuration (SEV):*
 
 ----
-# qm set <vmid> -amd_sev type=std,no-debug=1,no-key-sharing=1,kernel-hashes=1
+# qm set <vmid> -amd-sev type=std,no-debug=1,no-key-sharing=1,kernel-hashes=1
 ----
 
 The *type* defines the encryption technology ("type=" is not necessary).
-Available options are std & es.
+Available options are std, es & snp.
 
 The QEMU *policy* parameter gets calculated with the *no-debug* and
 *no-key-sharing* parameters. These parameters correspond to policy-bit 0 and 1.
@@ -807,7 +814,7 @@ The *kernel-hashes* option is off per default for backward compatibility with
 older OVMF images and guests that do not measure the kernel/initrd.
 See https://lists.gnu.org/archive/html/qemu-devel/2021-11/msg02598.html
 
-*Check if SEV is working on the guest*
+*Check if SEV is working in the VM*
 
 Method 1 - dmesg:
 
@@ -829,6 +836,24 @@ Output should be 1.
 1
 ----
 
+*Example Configuration (SEV-SNP):*
+
+----
+# qm set <vmid> -amd-sev type=snp,allow-smt=1,no-debug=1,kernel-hashes=1
+----
+
+The `allow-smt` policy-bit is set by default. If you disable it by setting
+`allow-smt` to `0`, SMT must be disabled on the host in order for the VM to run.
+
+*Check if SEV-SNP is working in the VM*
+
+----
+# dmesg | grep -i snp
+Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP
+SEV: Using SNP CPUID table, 29 entries present.
+SEV: SNP guest platform device initialized.
+----
+
 Links:
 
 * https://developer.amd.com/sev/
@@ -836,6 +861,8 @@ Links:
 * https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
 * https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
 * https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html
+* https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf[
+SEV Secure Nested Paging Firmware ABI Specification]
 
 [[qm_network_device]]
 Network Device
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel