Lines Matching +full:inside +full:- +full:secure
1 AMD Secure Encrypted Virtualization (SEV)
4 Secure Encrypted Virtualization (SEV) is a feature found on AMD processors.
6 SEV is an extension to the AMD-V architecture which supports running encrypted
15 AMD secure processor (AMD-SP), which is present in AMD SOCs. Firmware running
16 inside the AMD-SP provides commands to support a common VM lifecycle. This
21 Secure Encrypted Virtualization - Encrypted State (SEV-ES) builds on the SEV
28 Launching (SEV and SEV-ES)
29 --------------------------
38 For a SEV-ES guest, the ``LAUNCH_UPDATE_VMSA`` command is also used to encrypt the
43 its public Diffie-Hellman key (PDH) and session parameters. These inputs
44 should be treated as a binary blob and must be passed as-is to the SEV firmware.
48 in bad measurement). The guest policy is a 4-byte data structure containing
55 sev-guest,id=sev0,policy=0x1...\
57 Setting the "SEV-ES required" policy bit (bit 2) will launch the guest as a
58 SEV-ES guest::
61 sev-guest,id=sev0,policy=0x5...\
67 The DH certificate and session blob can be provided via the ``dh-cert-file`` and
68 ``session-file`` properties::
71 sev-guest,id=sev0,dh-cert-file=<file1>,session-file=<file2>
78 ``LAUNCH_UPDATE_VMSA`` encrypts all the vCPU VMSAs for a SEV-ES guest using the
83 for a SEV-ES guest, encrypted VMSAs. This measurement is a signature of the
84 memory contents and, for a SEV-ES guest, the VMSA contents, that can be sent
101 -machine ...,confidential-guest-support=sev0 \
102 -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1
104 To launch a SEV-ES guest::
107 -machine ...,confidential-guest-support=sev0 \
108 -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x5
110 An SEV-ES guest has some restrictions as compared to a SEV guest. Because the
112 a SEV-ES guest:
114 - Does not support SMM - SMM support requires updating the guest register
116 - Does not support reboot - a system reset requires updating the guest register
118 - Requires in-kernel irqchip - the burden is placed on the hypervisor to
122 ---------------------------------------------
125 it in the exact same way as it is calculated by the AMD-SP. SEV API Spec
126 ([SEVAPI]_) section 6.5.1 describes the AMD-SP operations:
138 from the ``query-sev`` qmp command.
140 The value of MNONCE is part of the response of ``query-sev-launch-measure``: it
141 is the last 16 bytes of the base64-decoded data field (see SEV API Spec
150 therefore it is not secure to use a firmware which uses state from an NVRAM
152 * if kernel is used, and ``kernel-hashes=on``, then ``kernel_hashes_blob`` is
156 * if SEV-ES is enabled (``policy & 0x4 != 0``), ``vmsas_blob`` is the
158 its content is defined inside Linux kernel code as ``struct vmcb_save_area``,
159 or in AMD APM Volume 2 ([APMVOL2]_) Table B-2: VMCB Layout, State Save Area.
161 If kernel hashes are not used, or SEV-ES is disabled, use empty blobs for
164 Launching (SEV-SNP)
165 -------------------
169 three commands communicate with SEV-SNP firmware to generate a fresh memory
171 more details on the SEV-SNP firmware interfaces used by these commands please
172 see the SEV-SNP Firmware ABI.
176 guest policy and other parameters as described in the SEV-SNP firmware
178 QAPI schema for the sev-snp-guest object.
182 'sev-snp-guest' object.
184 +--------+-------+----------+-------------------------------------------------+
186 +---------------------------+-------------------------------------------------+
187 | policy | hex | 0x30000 | a 64-bit guest policy |
188 +---------------------------+-------------------------------------------------+
189 | guest-visible-workarounds | string| 0 | 16-byte base64 encoded string|
192 +---------------------------+-------------------------------------------------+
203 in the attestation report. See the SEV-SNP spec for further details.
207 'sev-snp-guest' object.
209 +--------------------+-------+----------+-------------------------------------+
211 +--------------------+-------+----------+-------------------------------------+
212 | id-block | string| none | base64 encoded ID block |
213 +--------------------+-------+----------+-------------------------------------+
214 | id-auth | string| none | base64 encoded authentication |
216 +--------------------+-------+----------+-------------------------------------+
217 | author-key-enabled | bool | 0 | auth block contains author key |
218 +--------------------+-------+----------+-------------------------------------+
220 +--------------------+-------+----------+-------------------------------------+
222 To launch a SEV-SNP guest (additional parameters are documented in the QAPI
223 schema for the 'sev-snp-guest' object)::
226 -machine ...,confidential-guest-support=sev0 \
227 -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1
231 ---------
239 ----------------
244 ---------------
249 ----------
252 …ps://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/memory-encryption-wh…
254 .. [SEVAPI] `Secure Encrypted Virtualization API
255 <https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf>`_
258 …<https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/programmer-references/24593.…
263 …<http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption…
264 * `Extending Secure Encrypted Virtualization With SEV-ES (2018)
265 …<https://www.linux-kvm.org/images/9/94/Extending-Secure-Encrypted-Virtualization-with-SEV-ES-Thoma…
268 <https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/programmer-references/24593.p…
272 * SEV-ES is section 15.35