From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 8E5061FF15F for ; Mon, 18 Nov 2024 15:34:50 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id AFFFD123EA; Mon, 18 Nov 2024 15:34:54 +0100 (CET) Mime-Version: 1.0 Date: Mon, 18 Nov 2024 15:34:51 +0100 Message-Id: From: "Shannon Sterz" To: "Proxmox VE development discussion" X-Mailer: aerc 0.17.0-69-g65571b67d7d3-dirty References: <20241118111700.110077-1-m.frank@proxmox.com> <20241118111700.110077-5-m.frank@proxmox.com> In-Reply-To: <20241118111700.110077-5-m.frank@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL -0.044 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH docs v13 4/5] add AMD SEV documentation X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" On Mon Nov 18, 2024 at 12:16 PM CET, Markus Frank wrote: > add documentation for the "[PATCH qemu-server] config: QEMU AMD SEV > enable" patch. > > Signed-off-by: Markus Frank > --- > qm.adoc | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 103 insertions(+) > > diff --git a/qm.adoc b/qm.adoc > index b550888..83bb20b 100644 > --- a/qm.adoc > +++ b/qm.adoc > @@ -715,6 +715,109 @@ systems. > When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB > of RAM available to the host. > > +[[qm_memory_encryption]] > +Memory Encryption > +~~~~~~~~~~~~~~~~~ > + > +[[qm_memory_encryption_sev]] > +AMD SEV > +^^^^^^^ > + > +SEV (Secure Encrypted Virtualization) enables memory encryption per VM using > +AES-128 encryption and the AMD Secure Processor. > + > +SEV-ES (Secure Encrypted Virtualization-Encrypted State) in addition encrypts > +all CPU register contents when a VM stops running, to prevent leakage of > +information to the hypervisor. This feature is very experimental. > + > +*Host Requirements:* > + > +* AMD EPYC CPU > +* SEV-ES is only supported on AMD EPYC 7xx2 and newer > +* configure AMD memory encryption in the BIOS settings of the host machine > +* add "kvm_amd.sev=1" to kernel parameters if not enabled by default > +* add "mem_encrypt=on" to kernel parameters if you want to encrypt memory on the > +host (SME) see https://www.kernel.org/doc/Documentation/x86/amd-memory-encryption.txt > +* maybe increase SWIOTLB see https://github.com/AMDESE/AMDSEV#faq-4 > + > +To check if SEV is enabled on the host search for `sev` in dmesg and print out > +the SEV kernel parameter of kvm_amd: > + > +---- > +# dmesg | grep -i sev > +[...] ccp 0000:45:00.1: sev enabled > +[...] ccp 0000:45:00.1: SEV API: > +[...] SEV supported: ASIDs > +[...] SEV-ES supported: ASIDs > +# cat /sys/module/kvm_amd/parameters/sev > +Y > +---- > + > +*Guest Requirements:* > + > +* edk2-OVMF > +* advisable to use Q35 > +* The guest operating system must contain SEV-support. > + > +*Limitations:* > + > +* Because the memory is encrypted the memory usage on host is always wrong. > +* Operations that involve saving or restoring memory like snapshots > +& live migration do not work yet or are attackable. > +https://github.com/PSPReverse/amd-sev-migration-attack > +* PCI passthrough is not supported. > +* SEV-ES is very experimental. > +* QEMU & AMD-SEV documentation is very limited. > + > +Example Configuration: > + > +---- > +# qm set -amd_sev type=std,no-debug=1,no-key-sharing=1,kernel-hashes=1 > +---- > + > +The *type* defines the encryption technology ("type=" is not necessary). > +Available options are std & es. > + > +The QEMU *policy* parameter gets calculated with the *no-debug* and > +*no-key-sharing* parameters. These parameters correspond to policy-bit 0 and 1. > +If *type* is *es* the policy-bit 2 is set to 1 so that SEV-ES is enabled. > +Policy-bit 3 (nosend) is always set to 1 to prevent migration-attacks. For more > +information on how to calculate the policy see: > +https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3] > + > +The *kernel-hashes* is per default off for backward compatibility with older tiny nit: I think "The *kernel-hases* options is off per default..." would sound more natural > +OVMF images and guests that do not measure the kernel/initrd. > +See https://lists.gnu.org/archive/html/qemu-devel/2021-11/msg02598.html > + > +*Check if SEV is working on the guest* > + > +Method 1 - dmesg: > + > +Output should look like this. > + > +---- > +# dmesg | grep -i sev > +AMD Memory Encryption Features active: SEV > +---- > + > +Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV): > + > +Output should be 1. > + > +---- > +# apt install msr-tools > +# modprobe msr > +# rdmsr -a 0xc0010131 > +1 > +---- > + > +Links: > + > +* https://developer.amd.com/sev/ > +* https://github.com/AMDESE/AMDSEV > +* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html > +* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf > +* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html > > [[qm_network_device]] > Network Device _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel