1.. SPDX-License-Identifier: GPL-2.0 2 3====================================== 4Secure Encrypted Virtualization (SEV) 5====================================== 6 7Overview 8======== 9 10Secure Encrypted Virtualization (SEV) is a feature found on AMD processors. 11 12SEV is an extension to the AMD-V architecture which supports running 13virtual machines (VMs) under the control of a hypervisor. When enabled, 14the memory contents of a VM will be transparently encrypted with a key 15unique to that VM. 16 17The hypervisor can determine the SEV support through the CPUID 18instruction. The CPUID function 0x8000001f reports information related 19to SEV:: 20 21 0x8000001f[eax]: 22 Bit[1] indicates support for SEV 23 ... 24 [ecx]: 25 Bits[31:0] Number of encrypted guests supported simultaneously 26 27If support for SEV is present, MSR 0xc001_0010 (MSR_AMD64_SYSCFG) and MSR 0xc001_0015 28(MSR_K7_HWCR) can be used to determine if it can be enabled:: 29 30 0xc001_0010: 31 Bit[23] 1 = memory encryption can be enabled 32 0 = memory encryption can not be enabled 33 34 0xc001_0015: 35 Bit[0] 1 = memory encryption can be enabled 36 0 = memory encryption can not be enabled 37 38When SEV support is available, it can be enabled in a specific VM by 39setting the SEV bit before executing VMRUN.:: 40 41 VMCB[0x90]: 42 Bit[1] 1 = SEV is enabled 43 0 = SEV is disabled 44 45SEV hardware uses ASIDs to associate a memory encryption key with a VM. 46Hence, the ASID for the SEV-enabled guests must be from 1 to a maximum value 47defined in the CPUID 0x8000001f[ecx] field. 48 49SEV Key Management 50================== 51 52The SEV guest key management is handled by a separate processor called the AMD 53Secure Processor (AMD-SP). Firmware running inside the AMD-SP provides a secure 54key management interface to perform common hypervisor activities such as 55encrypting bootstrap code, snapshot, migrating and debugging the guest. For more 56information, see the SEV Key Management spec [api-spec]_ 57 58The main ioctl to access SEV is KVM_MEMORY_ENCRYPT_OP. If the argument 59to KVM_MEMORY_ENCRYPT_OP is NULL, the ioctl returns 0 if SEV is enabled 60and ``ENOTTY`` if it is disabled (on some older versions of Linux, 61the ioctl runs normally even with a NULL argument, and therefore will 62likely return ``EFAULT``). If non-NULL, the argument to KVM_MEMORY_ENCRYPT_OP 63must be a struct kvm_sev_cmd:: 64 65 struct kvm_sev_cmd { 66 __u32 id; 67 __u64 data; 68 __u32 error; 69 __u32 sev_fd; 70 }; 71 72 73The ``id`` field contains the subcommand, and the ``data`` field points to 74another struct containing arguments specific to command. The ``sev_fd`` 75should point to a file descriptor that is opened on the ``/dev/sev`` 76device, if needed (see individual commands). 77 78On output, ``error`` is zero on success, or an error code. Error codes 79are defined in ``<linux/psp-dev.h>``. 80 81KVM implements the following commands to support common lifecycle events of SEV 82guests, such as launching, running, snapshotting, migrating and decommissioning. 83 841. KVM_SEV_INIT 85--------------- 86 87The KVM_SEV_INIT command is used by the hypervisor to initialize the SEV platform 88context. In a typical workflow, this command should be the first command issued. 89 90The firmware can be initialized either by using its own non-volatile storage or 91the OS can manage the NV storage for the firmware using the module parameter 92``init_ex_path``. If the file specified by ``init_ex_path`` does not exist or 93is invalid, the OS will create or override the file with output from PSP. 94 95Returns: 0 on success, -negative on error 96 972. KVM_SEV_LAUNCH_START 98----------------------- 99 100The KVM_SEV_LAUNCH_START command is used for creating the memory encryption 101context. To create the encryption context, user must provide a guest policy, 102the owner's public Diffie-Hellman (PDH) key and session information. 103 104Parameters: struct kvm_sev_launch_start (in/out) 105 106Returns: 0 on success, -negative on error 107 108:: 109 110 struct kvm_sev_launch_start { 111 __u32 handle; /* if zero then firmware creates a new handle */ 112 __u32 policy; /* guest's policy */ 113 114 __u64 dh_uaddr; /* userspace address pointing to the guest owner's PDH key */ 115 __u32 dh_len; 116 117 __u64 session_addr; /* userspace address which points to the guest session information */ 118 __u32 session_len; 119 }; 120 121On success, the 'handle' field contains a new handle and on error, a negative value. 122 123KVM_SEV_LAUNCH_START requires the ``sev_fd`` field to be valid. 124 125For more details, see SEV spec Section 6.2. 126 1273. KVM_SEV_LAUNCH_UPDATE_DATA 128----------------------------- 129 130The KVM_SEV_LAUNCH_UPDATE_DATA is used for encrypting a memory region. It also 131calculates a measurement of the memory contents. The measurement is a signature 132of the memory contents that can be sent to the guest owner as an attestation 133that the memory was encrypted correctly by the firmware. 134 135Parameters (in): struct kvm_sev_launch_update_data 136 137Returns: 0 on success, -negative on error 138 139:: 140 141 struct kvm_sev_launch_update { 142 __u64 uaddr; /* userspace address to be encrypted (must be 16-byte aligned) */ 143 __u32 len; /* length of the data to be encrypted (must be 16-byte aligned) */ 144 }; 145 146For more details, see SEV spec Section 6.3. 147 1484. KVM_SEV_LAUNCH_MEASURE 149------------------------- 150 151The KVM_SEV_LAUNCH_MEASURE command is used to retrieve the measurement of the 152data encrypted by the KVM_SEV_LAUNCH_UPDATE_DATA command. The guest owner may 153wait to provide the guest with confidential information until it can verify the 154measurement. Since the guest owner knows the initial contents of the guest at 155boot, the measurement can be verified by comparing it to what the guest owner 156expects. 157 158If len is zero on entry, the measurement blob length is written to len and 159uaddr is unused. 160 161Parameters (in): struct kvm_sev_launch_measure 162 163Returns: 0 on success, -negative on error 164 165:: 166 167 struct kvm_sev_launch_measure { 168 __u64 uaddr; /* where to copy the measurement */ 169 __u32 len; /* length of measurement blob */ 170 }; 171 172For more details on the measurement verification flow, see SEV spec Section 6.4. 173 1745. KVM_SEV_LAUNCH_FINISH 175------------------------ 176 177After completion of the launch flow, the KVM_SEV_LAUNCH_FINISH command can be 178issued to make the guest ready for the execution. 179 180Returns: 0 on success, -negative on error 181 1826. KVM_SEV_GUEST_STATUS 183----------------------- 184 185The KVM_SEV_GUEST_STATUS command is used to retrieve status information about a 186SEV-enabled guest. 187 188Parameters (out): struct kvm_sev_guest_status 189 190Returns: 0 on success, -negative on error 191 192:: 193 194 struct kvm_sev_guest_status { 195 __u32 handle; /* guest handle */ 196 __u32 policy; /* guest policy */ 197 __u8 state; /* guest state (see enum below) */ 198 }; 199 200SEV guest state: 201 202:: 203 204 enum { 205 SEV_STATE_INVALID = 0; 206 SEV_STATE_LAUNCHING, /* guest is currently being launched */ 207 SEV_STATE_SECRET, /* guest is being launched and ready to accept the ciphertext data */ 208 SEV_STATE_RUNNING, /* guest is fully launched and running */ 209 SEV_STATE_RECEIVING, /* guest is being migrated in from another SEV machine */ 210 SEV_STATE_SENDING /* guest is getting migrated out to another SEV machine */ 211 }; 212 2137. KVM_SEV_DBG_DECRYPT 214---------------------- 215 216The KVM_SEV_DEBUG_DECRYPT command can be used by the hypervisor to request the 217firmware to decrypt the data at the given memory region. 218 219Parameters (in): struct kvm_sev_dbg 220 221Returns: 0 on success, -negative on error 222 223:: 224 225 struct kvm_sev_dbg { 226 __u64 src_uaddr; /* userspace address of data to decrypt */ 227 __u64 dst_uaddr; /* userspace address of destination */ 228 __u32 len; /* length of memory region to decrypt */ 229 }; 230 231The command returns an error if the guest policy does not allow debugging. 232 2338. KVM_SEV_DBG_ENCRYPT 234---------------------- 235 236The KVM_SEV_DEBUG_ENCRYPT command can be used by the hypervisor to request the 237firmware to encrypt the data at the given memory region. 238 239Parameters (in): struct kvm_sev_dbg 240 241Returns: 0 on success, -negative on error 242 243:: 244 245 struct kvm_sev_dbg { 246 __u64 src_uaddr; /* userspace address of data to encrypt */ 247 __u64 dst_uaddr; /* userspace address of destination */ 248 __u32 len; /* length of memory region to encrypt */ 249 }; 250 251The command returns an error if the guest policy does not allow debugging. 252 2539. KVM_SEV_LAUNCH_SECRET 254------------------------ 255 256The KVM_SEV_LAUNCH_SECRET command can be used by the hypervisor to inject secret 257data after the measurement has been validated by the guest owner. 258 259Parameters (in): struct kvm_sev_launch_secret 260 261Returns: 0 on success, -negative on error 262 263:: 264 265 struct kvm_sev_launch_secret { 266 __u64 hdr_uaddr; /* userspace address containing the packet header */ 267 __u32 hdr_len; 268 269 __u64 guest_uaddr; /* the guest memory region where the secret should be injected */ 270 __u32 guest_len; 271 272 __u64 trans_uaddr; /* the hypervisor memory region which contains the secret */ 273 __u32 trans_len; 274 }; 275 27610. KVM_SEV_GET_ATTESTATION_REPORT 277---------------------------------- 278 279The KVM_SEV_GET_ATTESTATION_REPORT command can be used by the hypervisor to query the attestation 280report containing the SHA-256 digest of the guest memory and VMSA passed through the KVM_SEV_LAUNCH 281commands and signed with the PEK. The digest returned by the command should match the digest 282used by the guest owner with the KVM_SEV_LAUNCH_MEASURE. 283 284If len is zero on entry, the measurement blob length is written to len and 285uaddr is unused. 286 287Parameters (in): struct kvm_sev_attestation 288 289Returns: 0 on success, -negative on error 290 291:: 292 293 struct kvm_sev_attestation_report { 294 __u8 mnonce[16]; /* A random mnonce that will be placed in the report */ 295 296 __u64 uaddr; /* userspace address where the report should be copied */ 297 __u32 len; 298 }; 299 30011. KVM_SEV_SEND_START 301---------------------- 302 303The KVM_SEV_SEND_START command can be used by the hypervisor to create an 304outgoing guest encryption context. 305 306If session_len is zero on entry, the length of the guest session information is 307written to session_len and all other fields are not used. 308 309Parameters (in): struct kvm_sev_send_start 310 311Returns: 0 on success, -negative on error 312 313:: 314 315 struct kvm_sev_send_start { 316 __u32 policy; /* guest policy */ 317 318 __u64 pdh_cert_uaddr; /* platform Diffie-Hellman certificate */ 319 __u32 pdh_cert_len; 320 321 __u64 plat_certs_uaddr; /* platform certificate chain */ 322 __u32 plat_certs_len; 323 324 __u64 amd_certs_uaddr; /* AMD certificate */ 325 __u32 amd_certs_len; 326 327 __u64 session_uaddr; /* Guest session information */ 328 __u32 session_len; 329 }; 330 33112. KVM_SEV_SEND_UPDATE_DATA 332---------------------------- 333 334The KVM_SEV_SEND_UPDATE_DATA command can be used by the hypervisor to encrypt the 335outgoing guest memory region with the encryption context creating using 336KVM_SEV_SEND_START. 337 338If hdr_len or trans_len are zero on entry, the length of the packet header and 339transport region are written to hdr_len and trans_len respectively, and all 340other fields are not used. 341 342Parameters (in): struct kvm_sev_send_update_data 343 344Returns: 0 on success, -negative on error 345 346:: 347 348 struct kvm_sev_launch_send_update_data { 349 __u64 hdr_uaddr; /* userspace address containing the packet header */ 350 __u32 hdr_len; 351 352 __u64 guest_uaddr; /* the source memory region to be encrypted */ 353 __u32 guest_len; 354 355 __u64 trans_uaddr; /* the destination memory region */ 356 __u32 trans_len; 357 }; 358 35913. KVM_SEV_SEND_FINISH 360------------------------ 361 362After completion of the migration flow, the KVM_SEV_SEND_FINISH command can be 363issued by the hypervisor to delete the encryption context. 364 365Returns: 0 on success, -negative on error 366 36714. KVM_SEV_SEND_CANCEL 368------------------------ 369 370After completion of SEND_START, but before SEND_FINISH, the source VMM can issue the 371SEND_CANCEL command to stop a migration. This is necessary so that a cancelled 372migration can restart with a new target later. 373 374Returns: 0 on success, -negative on error 375 37615. KVM_SEV_RECEIVE_START 377------------------------- 378 379The KVM_SEV_RECEIVE_START command is used for creating the memory encryption 380context for an incoming SEV guest. To create the encryption context, the user must 381provide a guest policy, the platform public Diffie-Hellman (PDH) key and session 382information. 383 384Parameters: struct kvm_sev_receive_start (in/out) 385 386Returns: 0 on success, -negative on error 387 388:: 389 390 struct kvm_sev_receive_start { 391 __u32 handle; /* if zero then firmware creates a new handle */ 392 __u32 policy; /* guest's policy */ 393 394 __u64 pdh_uaddr; /* userspace address pointing to the PDH key */ 395 __u32 pdh_len; 396 397 __u64 session_uaddr; /* userspace address which points to the guest session information */ 398 __u32 session_len; 399 }; 400 401On success, the 'handle' field contains a new handle and on error, a negative value. 402 403For more details, see SEV spec Section 6.12. 404 40516. KVM_SEV_RECEIVE_UPDATE_DATA 406------------------------------- 407 408The KVM_SEV_RECEIVE_UPDATE_DATA command can be used by the hypervisor to copy 409the incoming buffers into the guest memory region with encryption context 410created during the KVM_SEV_RECEIVE_START. 411 412Parameters (in): struct kvm_sev_receive_update_data 413 414Returns: 0 on success, -negative on error 415 416:: 417 418 struct kvm_sev_launch_receive_update_data { 419 __u64 hdr_uaddr; /* userspace address containing the packet header */ 420 __u32 hdr_len; 421 422 __u64 guest_uaddr; /* the destination guest memory region */ 423 __u32 guest_len; 424 425 __u64 trans_uaddr; /* the incoming buffer memory region */ 426 __u32 trans_len; 427 }; 428 42917. KVM_SEV_RECEIVE_FINISH 430-------------------------- 431 432After completion of the migration flow, the KVM_SEV_RECEIVE_FINISH command can be 433issued by the hypervisor to make the guest ready for execution. 434 435Returns: 0 on success, -negative on error 436 437References 438========== 439 440 441See [white-paper]_, [api-spec]_, [amd-apm]_ and [kvm-forum]_ for more info. 442 443.. [white-paper] https://developer.amd.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf 444.. [api-spec] https://support.amd.com/TechDocs/55766_SEV-KM_API_Specification.pdf 445.. [amd-apm] https://support.amd.com/TechDocs/24593.pdf (section 15.34) 446.. [kvm-forum] https://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf 447