1AMD Secure Encrypted Virtualization (SEV) 2========================================= 3 4Secure Encrypted Virtualization (SEV) is a feature found on AMD processors. 5 6SEV is an extension to the AMD-V architecture which supports running encrypted 7virtual machines (VMs) under the control of KVM. Encrypted VMs have their pages 8(code and data) secured such that only the guest itself has access to the 9unencrypted version. Each encrypted VM is associated with a unique encryption 10key; if its data is accessed by a different entity using a different key the 11encrypted guests data will be incorrectly decrypted, leading to unintelligible 12data. 13 14Key management for this feature is handled by a separate processor known as the 15AMD secure processor (AMD-SP), which is present in AMD SOCs. Firmware running 16inside the AMD-SP provides commands to support a common VM lifecycle. This 17includes commands for launching, snapshotting, migrating and debugging the 18encrypted guest. These SEV commands can be issued via KVM_MEMORY_ENCRYPT_OP 19ioctls. 20 21Secure Encrypted Virtualization - Encrypted State (SEV-ES) builds on the SEV 22support to additionally protect the guest register state. In order to allow a 23hypervisor to perform functions on behalf of a guest, there is architectural 24support for notifying a guest's operating system when certain types of VMEXITs 25are about to occur. This allows the guest to selectively share information with 26the hypervisor to satisfy the requested function. 27 28Launching 29--------- 30 31Boot images (such as bios) must be encrypted before a guest can be booted. The 32``MEMORY_ENCRYPT_OP`` ioctl provides commands to encrypt the images: ``LAUNCH_START``, 33``LAUNCH_UPDATE_DATA``, ``LAUNCH_MEASURE`` and ``LAUNCH_FINISH``. These four commands 34together generate a fresh memory encryption key for the VM, encrypt the boot 35images and provide a measurement than can be used as an attestation of a 36successful launch. 37 38For a SEV-ES guest, the ``LAUNCH_UPDATE_VMSA`` command is also used to encrypt the 39guest register state, or VM save area (VMSA), for all of the guest vCPUs. 40 41``LAUNCH_START`` is called first to create a cryptographic launch context within 42the firmware. To create this context, guest owner must provide a guest policy, 43its public Diffie-Hellman key (PDH) and session parameters. These inputs 44should be treated as a binary blob and must be passed as-is to the SEV firmware. 45 46The guest policy is passed as plaintext. A hypervisor may choose to read it, 47but should not modify it (any modification of the policy bits will result 48in bad measurement). The guest policy is a 4-byte data structure containing 49several flags that restricts what can be done on a running SEV guest. 50See KM Spec section 3 and 6.2 for more details. 51 52The guest policy can be provided via the ``policy`` property:: 53 54 # ${QEMU} \ 55 sev-guest,id=sev0,policy=0x1...\ 56 57Setting the "SEV-ES required" policy bit (bit 2) will launch the guest as a 58SEV-ES guest:: 59 60 # ${QEMU} \ 61 sev-guest,id=sev0,policy=0x5...\ 62 63The guest owner provided DH certificate and session parameters will be used to 64establish a cryptographic session with the guest owner to negotiate keys used 65for the attestation. 66 67The DH certificate and session blob can be provided via the ``dh-cert-file`` and 68``session-file`` properties:: 69 70 # ${QEMU} \ 71 sev-guest,id=sev0,dh-cert-file=<file1>,session-file=<file2> 72 73``LAUNCH_UPDATE_DATA`` encrypts the memory region using the cryptographic context 74created via the ``LAUNCH_START`` command. If required, this command can be called 75multiple times to encrypt different memory regions. The command also calculates 76the measurement of the memory contents as it encrypts. 77 78``LAUNCH_UPDATE_VMSA`` encrypts all the vCPU VMSAs for a SEV-ES guest using the 79cryptographic context created via the ``LAUNCH_START`` command. The command also 80calculates the measurement of the VMSAs as it encrypts them. 81 82``LAUNCH_MEASURE`` can be used to retrieve the measurement of encrypted memory and, 83for a SEV-ES guest, encrypted VMSAs. This measurement is a signature of the 84memory contents and, for a SEV-ES guest, the VMSA contents, that can be sent 85to the guest owner as an attestation that the memory and VMSAs were encrypted 86correctly by the firmware. The guest owner may wait to provide the guest 87confidential information until it can verify the attestation measurement. 88Since the guest owner knows the initial contents of the guest at boot, the 89attestation measurement can be verified by comparing it to what the guest owner 90expects. 91 92``LAUNCH_FINISH`` finalizes the guest launch and destroys the cryptographic 93context. 94 95See SEV KM API Spec ([SEVKM]_) 'Launching a guest' usage flow (Appendix A) for the 96complete flow chart. 97 98To launch a SEV guest:: 99 100 # ${QEMU} \ 101 -machine ...,confidential-guest-support=sev0 \ 102 -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 103 104To launch a SEV-ES guest:: 105 106 # ${QEMU} \ 107 -machine ...,confidential-guest-support=sev0 \ 108 -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x5 109 110An SEV-ES guest has some restrictions as compared to a SEV guest. Because the 111guest register state is encrypted and cannot be updated by the VMM/hypervisor, 112a SEV-ES guest: 113 114 - Does not support SMM - SMM support requires updating the guest register 115 state. 116 - Does not support reboot - a system reset requires updating the guest register 117 state. 118 - Requires in-kernel irqchip - the burden is placed on the hypervisor to 119 manage booting APs. 120 121Debugging 122--------- 123 124Since the memory contents of a SEV guest are encrypted, hypervisor access to 125the guest memory will return cipher text. If the guest policy allows debugging, 126then a hypervisor can use the DEBUG_DECRYPT and DEBUG_ENCRYPT commands to access 127the guest memory region for debug purposes. This is not supported in QEMU yet. 128 129Snapshot/Restore 130---------------- 131 132TODO 133 134Live Migration 135--------------- 136 137TODO 138 139References 140---------- 141 142`AMD Memory Encryption whitepaper 143<https://developer.amd.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf>`_ 144 145.. [SEVKM] `Secure Encrypted Virtualization Key Management 146 <http://developer.amd.com/wordpress/media/2017/11/55766_SEV-KM-API_Specification.pdf>`_ 147 148KVM Forum slides: 149 150* `AMD’s Virtualization Memory Encryption (2016) 151 <http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf>`_ 152* `Extending Secure Encrypted Virtualization With SEV-ES (2018) 153 <https://www.linux-kvm.org/images/9/94/Extending-Secure-Encrypted-Virtualization-with-SEV-ES-Thomas-Lendacky-AMD.pdf>`_ 154 155`AMD64 Architecture Programmer's Manual: 156<http://support.amd.com/TechDocs/24593.pdf>`_ 157 158* SME is section 7.10 159* SEV is section 15.34 160* SEV-ES is section 15.35 161