kvm/x86/amd-memory-encryption.rst

4 Secure Encrypted Virtualization (SEV)
10 Secure Encrypted Virtualization (SEV) is a feature found on AMD processors.
12 SEV is an extension to the AMD-V architecture which supports running
17 The hypervisor can determine the SEV support through the CPUID
19 to SEV::
22 			Bit[1] 	indicates support for SEV
27 If support for SEV is present, MSR 0xc001_0010 (MSR_AMD64_SYSCFG) and MSR 0xc001_0015
38 When SEV support is available, it can be enabled in a specific VM by
39 setting the SEV bit before executing VMRUN.::
42 		Bit[1]	    1 = SEV is enabled
43 			    0 = SEV is disabled
45 SEV hardware uses ASIDs to associate a memory encryption key with a VM.
46 Hence, the ASID for the SEV-enabled guests must be from 1 to a maximum value
49 SEV Key Management
52 The SEV guest key management is handled by a separate processor called the AMD
56 information, see the SEV Key Management spec [api-spec]_
58 The main ioctl to access SEV is KVM_MEMORY_ENCRYPT_OP.  If the argument
59 to KVM_MEMORY_ENCRYPT_OP is NULL, the ioctl returns 0 if SEV is enabled
81 KVM implements the following commands to support common lifecycle events of SEV
87 The KVM_SEV_INIT command is used by the hypervisor to initialize the SEV platform
125 For more details, see SEV spec Section 6.2.
146 For more details, see SEV spec Section 6.3.
172 For more details on the measurement verification flow, see SEV spec Section 6.4.
186 SEV-enabled guest.
200 SEV guest state:
209         SEV_STATE_RECEIVING,    /* guest is being migrated in from another SEV machine */
210         SEV_STATE_SENDING       /* guest is getting migrated out to another SEV machine */
380 context for an incoming SEV guest. To create the encryption context, the user must
403 For more details, see SEV spec Section 6.12.