From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id AEB00907F5 for ; Fri, 2 Sep 2022 13:50:45 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id A51A12FA7B for ; Fri, 2 Sep 2022 13:50:45 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 2 Sep 2022 13:50:44 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 365FD440E0 for ; Fri, 2 Sep 2022 13:50:44 +0200 (CEST) Message-ID: Date: Fri, 2 Sep 2022 13:50:42 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.13.0 From: Daniel Tschlatscher To: pve-devel@lists.proxmox.com References: <20220610105351.75132-1-m.frank@proxmox.com> Content-Language: en-US In-Reply-To: <20220610105351.75132-1-m.frank@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.082 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_SHORT 0.001 Use of a URL Shortener for very short URL NICE_REPLY_A -0.001 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: Re: [pve-devel] [PATCH pve-docs v2] added Memory Encryption documentation X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Sep 2022 11:50:45 -0000 A few suggestions I would have found helpful when first reading this documentation, inline: On 6/10/22 12:53, Markus Frank wrote: > added AMD SEV documentation for "[PATCH qemu-server] QEMU AMD SEV > enable" > > Signed-off-by: Markus Frank > --- > v2: > * added check if sev is enabled > * added more limitations > * added suse doc link > > qm.adoc | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 89 insertions(+) > > diff --git a/qm.adoc b/qm.adoc > index e666d7d..d60753e 100644 > --- a/qm.adoc > +++ b/qm.adoc > @@ -583,6 +583,95 @@ systems. > When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB > of RAM available to the host. > > +[[qm_memory_encryption]] > +Memory Encryption > +~~~~~~~~~~~~~~~~~ > + > +[[qm_memory_encryption_sev]] > +AMD SEV > +^^^^^^^ > + > +Memory Encryption using AES-128 Encryption and the AMD Secure Processor.> +See https://developer.amd.com/sev/[AMD SEV] > + > +Requirements: > + > +* AMD EPYC/Ryzen PRO CPU > +* configured SEV BIOS Settings on Host Machine Nit: spell 'settings' lowercase > +* add Kernel Parameters: "mem_encrypt=on kvm_amd.sev=1" This should include that using edk2-OVMF is a requirement (see below) > + > +Example Configuration: > + > +---- > +# qm set -memory_encryption type=sev,cbitpos=47,policy=0x0005,reduced-phys-bits=1 > +---- > + > +*SEV Parameters* > + > +"type" defines the encryption technology ("type=" is not necessary): sev, sev-snp, mktme > + > +"reduced-phys-bios", "cbitpos" and "policy" correspond to the variables with the > +same name in qemu. > + > +"reduced-phys-bios" and "cbitpos" are system specific and can be read out > +with QMP. If not set, qm starts a dummy-vm to read QMP > +for these variables out and saves them to config. > + > +"policy" can be calculated with > +https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3] > + > +To use SEV-ES (CPU register encryption) the "policy" should be set > +somewhere between 0x4 and 0x7 or 0xC and 0xF, etc. > +(Bit-2 has to be set 1 (LSB 0 bit numbering)) > + > +*Check if SEV is working* > + > +Method 1 - dmesg: > + > +Output should look like this. > + > +---- > +# dmesg | grep -i sev > +AMD Memory Encryption Features active: SEV > +---- > + > +Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV): > + > +Output should be 1. > + > +---- > +# apt install msr-tools > +# modprobe msr > +# rdmsr -a 0xc0010131 > +1 > +---- This part should mention that Method 1 is to be executed on the host and Method 2 is executed on the SEV-enabled guest. > + > +Limitations: > + > +* Because the memory is encrypted the memory usage on host is always wrong > +and around 82% usage This seems to depend on multiple factors, but the value of 82% does not always apply and could therefore be confusing. In my testing the value ranged from around 46% to nearly 95%. However, the usage percentage seems to always stay the same for a certain configuration. > +* Operations that involve saving or restoring memory like snapshots > +& live migration do not work yet > +* edk2-OVMF required I think this bullet point would be better placed under requirements, as it's much easier to overlook it here. > +* The guest operating system inside a VM must contain SEV-support This one could be moved to requirements as well. Additionally, it would be nice to add a link to a list of distributions with SEV support, if you know of one. > +* Recommendable: VirtIO RNG for more entropy (VMs sometimes will not > +boot without) > + > +Links: > + > +* https://github.com/AMDESE/AMDSEV > +* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html > +* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf > +* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html > + > +// Commented because not supported by kernel yet > +//AMD SEV-SNP > +//^^^^^^^^^^^ > + > +//* SEV-SNP support is not in the Linux Kernel yet and needs EPYC 7003 "Milan" > +//processors. > +//* SEV-SNP should be in Kernel 5.19: https://www.phoronix.com/scan.php?page=news_item&px=AMD-SEV-SNP-Arrives-Linux-5.19 > +//* patched Kernel: https://github.com/AMDESE/linux/tree/sev-snp-5.18-rc3 > > [[qm_network_device]] > Network Device