From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH docs v13 4/5] add AMD SEV documentation
Date: Mon, 18 Nov 2024 15:34:51 +0100
Message-ID: <D5PDNXQZUI6K.7AWPTKWGKS5J@proxmox.com>
In-Reply-To: <20241118111700.110077-5-m.frank@proxmox.com>
On Mon Nov 18, 2024 at 12:16 PM CET, Markus Frank wrote:
> add documentation for the "[PATCH qemu-server] config: QEMU AMD SEV
> enable" patch.
>
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
> qm.adoc | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 103 insertions(+)
>
> diff --git a/qm.adoc b/qm.adoc
> index b550888..83bb20b 100644
> --- a/qm.adoc
> +++ b/qm.adoc
> @@ -715,6 +715,109 @@ systems.
> When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB
> of RAM available to the host.
>
> +[[qm_memory_encryption]]
> +Memory Encryption
> +~~~~~~~~~~~~~~~~~
> +
> +[[qm_memory_encryption_sev]]
> +AMD SEV
> +^^^^^^^
> +
> +SEV (Secure Encrypted Virtualization) enables memory encryption per VM using
> +AES-128 encryption and the AMD Secure Processor.
> +
> +SEV-ES (Secure Encrypted Virtualization-Encrypted State) in addition encrypts
> +all CPU register contents when a VM stops running, to prevent leakage of
> +information to the hypervisor. This feature is very experimental.
> +
> +*Host Requirements:*
> +
> +* AMD EPYC CPU
> +* SEV-ES is only supported on AMD EPYC 7xx2 and newer
> +* configure AMD memory encryption in the BIOS settings of the host machine
> +* add "kvm_amd.sev=1" to kernel parameters if not enabled by default
> +* add "mem_encrypt=on" to kernel parameters if you want to encrypt memory on the
> +host (SME) see https://www.kernel.org/doc/Documentation/x86/amd-memory-encryption.txt
> +* maybe increase SWIOTLB see https://github.com/AMDESE/AMDSEV#faq-4
> +
> +To check if SEV is enabled on the host search for `sev` in dmesg and print out
> +the SEV kernel parameter of kvm_amd:
> +
> +----
> +# dmesg | grep -i sev
> +[...] ccp 0000:45:00.1: sev enabled
> +[...] ccp 0000:45:00.1: SEV API: <buildversion>
> +[...] SEV supported: <number> ASIDs
> +[...] SEV-ES supported: <number> ASIDs
> +# cat /sys/module/kvm_amd/parameters/sev
> +Y
> +----
> +
> +*Guest Requirements:*
> +
> +* edk2-OVMF
> +* advisable to use Q35
> +* The guest operating system must contain SEV-support.
> +
> +*Limitations:*
> +
> +* Because the memory is encrypted the memory usage on host is always wrong.
> +* Operations that involve saving or restoring memory like snapshots
> +& live migration do not work yet or are attackable.
> +https://github.com/PSPReverse/amd-sev-migration-attack
> +* PCI passthrough is not supported.
> +* SEV-ES is very experimental.
> +* QEMU & AMD-SEV documentation is very limited.
> +
> +Example Configuration:
> +
> +----
> +# qm set <vmid> -amd_sev type=std,no-debug=1,no-key-sharing=1,kernel-hashes=1
> +----
> +
> +The *type* defines the encryption technology ("type=" is not necessary).
> +Available options are std & es.
> +
> +The QEMU *policy* parameter gets calculated with the *no-debug* and
> +*no-key-sharing* parameters. These parameters correspond to policy-bit 0 and 1.
> +If *type* is *es* the policy-bit 2 is set to 1 so that SEV-ES is enabled.
> +Policy-bit 3 (nosend) is always set to 1 to prevent migration-attacks. For more
> +information on how to calculate the policy see:
> +https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3]
> +
> +The *kernel-hashes* is per default off for backward compatibility with older
tiny nit: I think "The *kernel-hashes* option is off per default..."
would sound more natural
> +OVMF images and guests that do not measure the kernel/initrd.
> +See https://lists.gnu.org/archive/html/qemu-devel/2021-11/msg02598.html
> +
> +*Check if SEV is working on the guest*
> +
> +Method 1 - dmesg:
> +
> +Output should look like this.
> +
> +----
> +# dmesg | grep -i sev
> +AMD Memory Encryption Features active: SEV
> +----
> +
> +Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV):
> +
> +Output should be 1.
> +
> +----
> +# apt install msr-tools
> +# modprobe msr
> +# rdmsr -a 0xc0010131
> +1
> +----
> +
> +Links:
> +
> +* https://developer.amd.com/sev/
> +* https://github.com/AMDESE/AMDSEV
> +* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
> +* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
> +* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html
>
> [[qm_network_device]]
> Network Device
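
Review bot: "Output should be 1" under "Method 2 - MSR 0xc0010131" only holds for a guest started with type=std. The MSR is a bit field in which bit 0 reports SEV and bit 1 reports SEV-ES, so a guest configured with type=es reads 3, and someone following this check would conclude that SEV-ES is not working. Suggest describing the result as "bit 0 is set (1 for std, 3 for es)" and noting under Method 1 that the sample dmesg line shows the std case only. Two smaller points: "Example Configuration:" is the only sub-heading in the section that is not bold like "*Host Requirements:*" and "*Limitations:*", and the Limitations entry saying snapshots and live migration "do not work yet or are attackable" would be clearer if it stated which of the two applies, given that the text further down says policy bit 3 (nosend) is always set.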