[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [RFC PATCH v1 00/22] x86: Secure Encrypted Virtualizati
|
From: |
Eduardo Habkost |
|
Subject: |
Re: [Qemu-devel] [RFC PATCH v1 00/22] x86: Secure Encrypted Virtualization (AMD) |
|
Date: |
Tue, 13 Sep 2016 12:20:43 -0300 |
|
User-agent: |
Mutt/1.7.0 (2016-08-17) |
On Tue, Sep 13, 2016 at 10:46:46AM -0400, Brijesh Singh wrote:
> This RFC series provides support for AMD's new Secure Encrypted
> Virtualization (SEV) feature. This RFC is based KVM RFC [1].
>
> SEV is an extension to the AMD-V architecture which supports running
> multiple VMs under the control of a hypervisor. The SEV feature allows
> the memory contents of a virtual machine (VM) to be transparently encrypted
> with a key unique to the guest VM. The memory controller contains a
> high performance encryption engine which can be programmed with multiple
> keys for use by a different VMs in the system. The programming and
> management of these keys is handled by the AMD Secure Processor firmware
> which exposes a commands for these tasks.
>
> SEV is designed to protect guest VMs from a benign but vulnerable
> (i.e. not fully malicious) hypervisor. In particular, it reduces the attack
> surface of guest VMs and can prevent certain types of VM-escape bugs
> (e.g. hypervisor read-anywhere) from being used to steal guest data.
>
> The KVM RFC introduced a new ioctl (KVM_SEV_ISSUE_CMD) which can be
> used by qemu to enable SEV for secure guest and assist performing common
> hypervisor activities such as a launching, running, snapshooting, migration
> and debugging a guests data.
>
>
> The following links provide additional details:
>
> AMD Memory Encryption whitepaper:
>
> http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
>
> AMD64 Architecture Programmer's Manual:
> http://support.amd.com/TechDocs/24593.pdf
> SME is section 7.10
> SEV is section 15.34
>
> Secure Encrypted Virutualization Key Management:
> http://support.amd.com/TechDocs/55766_SEV-KM API_Spec.pdf
>
> KVM Forum slides:
> http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf
For reference, video of the KVM Forum Talk:
https://www.youtube.com/watch?v=RcvQ1xN55Ew
I was not present at the session and I plan to watch it to be
able to give better feedback.
>
> KVM RFC link:
>
> [1] http://marc.info/?l=kvm&m=147191038624432&w=2
>
--
Eduardo
- [Qemu-devel] [RFC PATCH v1 00/22] x86: Secure Encrypted Virtualization (AMD), Brijesh Singh, 2016/09/13
- Re: [Qemu-devel] [RFC PATCH v1 00/22] x86: Secure Encrypted Virtualization (AMD),
Eduardo Habkost <=
- [Qemu-devel] [RFC PATCH v1 01/22] exec: add guest RAM read/write ops, Brijesh Singh, 2016/09/13
- [Qemu-devel] [RFC PATCH v1 03/22] monitor: use debug version of physical memory read api, Brijesh Singh, 2016/09/13
- [Qemu-devel] [RFC PATCH v1 11/22] sev: add SEV debug encrypt command, Brijesh Singh, 2016/09/13
- [Qemu-devel] [RFC PATCH v1 13/22] hmp: update 'info kvm' to display SEV status, Brijesh Singh, 2016/09/13
- Re: [Qemu-devel] [RFC PATCH v1 13/22] hmp: update 'info kvm' to display SEV status, Paolo Bonzini, 2016/09/13
- [Qemu-devel] [RFC PATCH v1 14/22] sev: provide SEV-enabled guest RAM read/write ops, Brijesh Singh, 2016/09/13
- [Qemu-devel] [RFC PATCH v1 02/22] cpu-common: add debug version of physical memory read/write, Brijesh Singh, 2016/09/13