From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 8E5061FF15F
	for <inbox@lore.proxmox.com>; Mon, 18 Nov 2024 15:34:50 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id AFFFD123EA;
	Mon, 18 Nov 2024 15:34:54 +0100 (CET)
Mime-Version: 1.0
Date: Mon, 18 Nov 2024 15:34:51 +0100
Message-Id: <D5PDNXQZUI6K.7AWPTKWGKS5J@proxmox.com>
From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>
X-Mailer: aerc 0.17.0-69-g65571b67d7d3-dirty
References: <20241118111700.110077-1-m.frank@proxmox.com>
 <20241118111700.110077-5-m.frank@proxmox.com>
In-Reply-To: <20241118111700.110077-5-m.frank@proxmox.com>
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.044 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH docs v13 4/5] add AMD SEV documentation
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

On Mon Nov 18, 2024 at 12:16 PM CET, Markus Frank wrote:
> add documentation for the "[PATCH qemu-server] config: QEMU AMD SEV
> enable" patch.
>
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
>  qm.adoc | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 103 insertions(+)
>
> diff --git a/qm.adoc b/qm.adoc
> index b550888..83bb20b 100644
> --- a/qm.adoc
> +++ b/qm.adoc
> @@ -715,6 +715,109 @@ systems.
>  When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB
>  of RAM available to the host.
>
> +[[qm_memory_encryption]]
> +Memory Encryption
> +~~~~~~~~~~~~~~~~~
> +
> +[[qm_memory_encryption_sev]]
> +AMD SEV
> +^^^^^^^
> +
> +SEV (Secure Encrypted Virtualization) enables memory encryption per VM using
> +AES-128 encryption and the AMD Secure Processor.
> +
> +SEV-ES (Secure Encrypted Virtualization-Encrypted State) in addition encrypts
> +all CPU register contents when a VM stops running, to prevent leakage of
> +information to the hypervisor. This feature is very experimental.
> +
> +*Host Requirements:*
> +
> +* AMD EPYC CPU
> +* SEV-ES is only supported on AMD EPYC 7xx2 and newer
> +* configure AMD memory encryption in the BIOS settings of the host machine
> +* add "kvm_amd.sev=1" to kernel parameters if not enabled by default
> +* add "mem_encrypt=on" to kernel parameters if you want to encrypt memory on the
> +host (SME) see https://www.kernel.org/doc/Documentation/x86/amd-memory-encryption.txt
> +* maybe increase SWIOTLB see https://github.com/AMDESE/AMDSEV#faq-4
> +
> +To check if SEV is enabled on the host search for `sev` in dmesg and print out
> +the SEV kernel parameter of kvm_amd:
> +
> +----
> +# dmesg | grep -i sev
> +[...] ccp 0000:45:00.1: sev enabled
> +[...] ccp 0000:45:00.1: SEV API: <buildversion>
> +[...] SEV supported: <number> ASIDs
> +[...] SEV-ES supported: <number> ASIDs
> +# cat /sys/module/kvm_amd/parameters/sev
> +Y
> +----
> +
> +*Guest Requirements:*
> +
> +* edk2-OVMF
> +* advisable to use Q35
> +* The guest operating system must contain SEV-support.
> +
> +*Limitations:*
> +
> +* Because the memory is encrypted the memory usage on host is always wrong.
> +* Operations that involve saving or restoring memory like snapshots
> +& live migration do not work yet or are attackable.
> +https://github.com/PSPReverse/amd-sev-migration-attack
> +* PCI passthrough is not supported.
> +* SEV-ES is very experimental.
> +* QEMU & AMD-SEV documentation is very limited.
> +
> +Example Configuration:
> +
> +----
> +# qm set <vmid> -amd_sev type=std,no-debug=1,no-key-sharing=1,kernel-hashes=1
> +----
> +
> +The *type* defines the encryption technology ("type=" is not necessary).
> +Available options are std & es.
> +
> +The QEMU *policy* parameter gets calculated with the *no-debug* and
> +*no-key-sharing* parameters. These parameters correspond to policy-bit 0 and 1.
> +If *type* is *es* the policy-bit 2 is set to 1 so that SEV-ES is enabled.
> +Policy-bit 3 (nosend) is always set to 1 to prevent migration-attacks. For more
> +information on how to calculate the policy see:
> +https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3]
> +
> +The *kernel-hashes* is per default off for backward compatibility with older

tiny nit: I think "The *kernel-hases* options is off per default..."
would sound more natural

> +OVMF images and guests that do not measure the kernel/initrd.
> +See https://lists.gnu.org/archive/html/qemu-devel/2021-11/msg02598.html
> +
> +*Check if SEV is working on the guest*
> +
> +Method 1 - dmesg:
> +
> +Output should look like this.
> +
> +----
> +# dmesg | grep -i sev
> +AMD Memory Encryption Features active: SEV
> +----
> +
> +Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV):
> +
> +Output should be 1.
> +
> +----
> +# apt install msr-tools
> +# modprobe msr
> +# rdmsr -a 0xc0010131
> +1
> +----
> +
> +Links:
> +
> +* https://developer.amd.com/sev/
> +* https://github.com/AMDESE/AMDSEV
> +* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
> +* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
> +* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html
>
>  [[qm_network_device]]
>  Network Device



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel