[pve-devel] [PATCH pve-docs v2] added Memory Encryption documentation

Fri Jun 10 12:53:51 CEST 2022

added AMD SEV documentation for "[PATCH qemu-server] QEMU AMD SEV
enable"

Signed-off-by: Markus Frank <m.frank at proxmox.com>
---
v2:
* added check if sev is enabled
* added more limitations
* added suse doc link

 qm.adoc | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)

diff --git a/qm.adoc b/qm.adoc
index e666d7d..d60753e 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -583,6 +583,95 @@ systems.
 When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB
 of RAM available to the host.
 
+[[qm_memory_encryption]]
+Memory Encryption
+~~~~~~~~~~~~~~~~~
+
+[[qm_memory_encryption_sev]]
+AMD SEV
+^^^^^^^
+
+Memory Encryption using AES-128 Encryption and the AMD Secure Processor.
+See https://developer.amd.com/sev/[AMD SEV]
+
+Requirements:
+
+* AMD EPYC/Ryzen PRO CPU
+* configured SEV BIOS Settings on Host Machine
+* add Kernel Parameters: "mem_encrypt=on kvm_amd.sev=1"
+
+Example Configuration:
+
+----
+# qm set <vmid> -memory_encryption type=sev,cbitpos=47,policy=0x0005,reduced-phys-bits=1
+----
+
+*SEV Parameters*
+
+"type" defines the encryption technology ("type=" is not necessary): sev, sev-snp, mktme
+
+"reduced-phys-bios", "cbitpos" and "policy" correspond to the variables with the
+same name in qemu.
+
+"reduced-phys-bios" and "cbitpos" are system specific and can be read out
+with QMP. If not set, qm starts a dummy-vm to read QMP
+for these variables out and saves them to config.
+
+"policy" can be calculated with
+https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD SEV API Specification Chapter 3]
+
+To use SEV-ES (CPU register encryption) the "policy" should be set
+somewhere between 0x4 and 0x7 or 0xC and 0xF, etc.
+(Bit-2 has to be set 1 (LSB 0 bit numbering))
+
+*Check if SEV is working*
+
+Method 1 - dmesg:
+
+Output should look like this.
+
+----
+# dmesg | grep -i sev
+AMD Memory Encryption Features active: SEV
+----
+
+Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV):
+
+Output should be 1.
+
+----
+# apt install msr-tools
+# modprobe msr
+# rdmsr -a 0xc0010131
+1
+----
+
+Limitations:
+
+* Because the memory is encrypted the memory usage on host is always wrong
+and around 82% usage
+* Operations that involve saving or restoring memory like snapshots
+& live migration do not work yet
+* edk2-OVMF required
+* The guest operating system inside a VM must contain SEV-support
+* Recommendable: VirtIO RNG for more entropy (VMs sometimes will not
+boot without)
+
+Links:
+
+* https://github.com/AMDESE/AMDSEV
+* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html
+* https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
+* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html
+
+// Commented because not supported by kernel yet
+//AMD SEV-SNP
+//^^^^^^^^^^^
+
+//* SEV-SNP support is not in the Linux Kernel yet and needs EPYC 7003 "Milan"
+//processors.
+//* SEV-SNP should be in Kernel 5.19: https://www.phoronix.com/scan.php?page=news_item&px=AMD-SEV-SNP-Arrives-Linux-5.19
+//* patched Kernel: https://github.com/AMDESE/linux/tree/sev-snp-5.18-rc3
 
 [[qm_network_device]]
 Network Device
-- 
2.30.2




