docs/system/i386/amd-memory-encryption.rst

   1 AMD Secure Encrypted Virtualization (SEV)
   2 =========================================
   3
   4 Secure Encrypted Virtualization (SEV) is a feature found on AMD processors.
   5
   6 SEV is an extension to the AMD-V architecture which supports running encrypted
   7 virtual machines (VMs) under the control of KVM. Encrypted VMs have their pages
   8 (code and data) secured such that only the guest itself has access to the
   9 unencrypted version. Each encrypted VM is associated with a unique encryption
  10 key; if its data is accessed by a different entity using a different key the
  11 encrypted guests data will be incorrectly decrypted, leading to unintelligible
  12 data.
  13
  14 Key management for this feature is handled by a separate processor known as the
  15 AMD secure processor (AMD-SP), which is present in AMD SOCs. Firmware running
  16 inside the AMD-SP provides commands to support a common VM lifecycle. This
  17 includes commands for launching, snapshotting, migrating and debugging the
  18 encrypted guest. These SEV commands can be issued via KVM_MEMORY_ENCRYPT_OP
  19 ioctls.
  20
  21 Secure Encrypted Virtualization - Encrypted State (SEV-ES) builds on the SEV
  22 support to additionally protect the guest register state. In order to allow a
  23 hypervisor to perform functions on behalf of a guest, there is architectural
  24 support for notifying a guest's operating system when certain types of VMEXITs
  25 are about to occur. This allows the guest to selectively share information with
  26 the hypervisor to satisfy the requested function.
  27
  28 Launching
  29 ---------
  30
  31 Boot images (such as bios) must be encrypted before a guest can be booted. The
  32 ``MEMORY_ENCRYPT_OP`` ioctl provides commands to encrypt the images: ``LAUNCH_START``,
  33 ``LAUNCH_UPDATE_DATA``, ``LAUNCH_MEASURE`` and ``LAUNCH_FINISH``. These four commands
  34 together generate a fresh memory encryption key for the VM, encrypt the boot
  35 images and provide a measurement than can be used as an attestation of a
  36 successful launch.
  37
  38 For a SEV-ES guest, the ``LAUNCH_UPDATE_VMSA`` command is also used to encrypt the
  39 guest register state, or VM save area (VMSA), for all of the guest vCPUs.
  40
  41 ``LAUNCH_START`` is called first to create a cryptographic launch context within
  42 the firmware. To create this context, guest owner must provide a guest policy,
  43 its public Diffie-Hellman key (PDH) and session parameters. These inputs
  44 should be treated as a binary blob and must be passed as-is to the SEV firmware.
  45
  46 The guest policy is passed as plaintext. A hypervisor may choose to read it,
  47 but should not modify it (any modification of the policy bits will result
  48 in bad measurement). The guest policy is a 4-byte data structure containing
  49 several flags that restricts what can be done on a running SEV guest.
  50 See KM Spec section 3 and 6.2 for more details.
  51
  52 The guest policy can be provided via the ``policy`` property::
  53
  54   # ${QEMU} \
  55      sev-guest,id=sev0,policy=0x1...\
  56
  57 Setting the "SEV-ES required" policy bit (bit 2) will launch the guest as a
  58 SEV-ES guest::
  59
  60   # ${QEMU} \
  61      sev-guest,id=sev0,policy=0x5...\
  62
  63 The guest owner provided DH certificate and session parameters will be used to
  64 establish a cryptographic session with the guest owner to negotiate keys used
  65 for the attestation.
  66
  67 The DH certificate and session blob can be provided via the ``dh-cert-file`` and
  68 ``session-file`` properties::
  69
  70   # ${QEMU} \
  71        sev-guest,id=sev0,dh-cert-file=<file1>,session-file=<file2>
  72
  73 ``LAUNCH_UPDATE_DATA`` encrypts the memory region using the cryptographic context
  74 created via the ``LAUNCH_START`` command. If required, this command can be called
  75 multiple times to encrypt different memory regions. The command also calculates
  76 the measurement of the memory contents as it encrypts.
  77
  78 ``LAUNCH_UPDATE_VMSA`` encrypts all the vCPU VMSAs for a SEV-ES guest using the
  79 cryptographic context created via the ``LAUNCH_START`` command. The command also
  80 calculates the measurement of the VMSAs as it encrypts them.
  81
  82 ``LAUNCH_MEASURE`` can be used to retrieve the measurement of encrypted memory and,
  83 for a SEV-ES guest, encrypted VMSAs. This measurement is a signature of the
  84 memory contents and, for a SEV-ES guest, the VMSA contents, that can be sent
  85 to the guest owner as an attestation that the memory and VMSAs were encrypted
  86 correctly by the firmware. The guest owner may wait to provide the guest
  87 confidential information until it can verify the attestation measurement.
  88 Since the guest owner knows the initial contents of the guest at boot, the
  89 attestation measurement can be verified by comparing it to what the guest owner
  90 expects.
  91
  92 ``LAUNCH_FINISH`` finalizes the guest launch and destroys the cryptographic
  93 context.
  94
  95 See SEV KM API Spec ([SEVKM]_) 'Launching a guest' usage flow (Appendix A) for the
  96 complete flow chart.
  97
  98 To launch a SEV guest::
  99
 100   # ${QEMU} \
 101       -machine ...,confidential-guest-support=sev0 \
 102       -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1
 103
 104 To launch a SEV-ES guest::
 105
 106   # ${QEMU} \
 107       -machine ...,confidential-guest-support=sev0 \
 108       -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x5
 109
 110 An SEV-ES guest has some restrictions as compared to a SEV guest. Because the
 111 guest register state is encrypted and cannot be updated by the VMM/hypervisor,
 112 a SEV-ES guest:
 113
 114  - Does not support SMM - SMM support requires updating the guest register
 115    state.
 116  - Does not support reboot - a system reset requires updating the guest register
 117    state.
 118  - Requires in-kernel irqchip - the burden is placed on the hypervisor to
 119    manage booting APs.
 120
 121 Debugging
 122 ---------
 123
 124 Since the memory contents of a SEV guest are encrypted, hypervisor access to
 125 the guest memory will return cipher text. If the guest policy allows debugging,
 126 then a hypervisor can use the DEBUG_DECRYPT and DEBUG_ENCRYPT commands to access
 127 the guest memory region for debug purposes.  This is not supported in QEMU yet.
 128
 129 Snapshot/Restore
 130 ----------------
 131
 132 TODO
 133
 134 Live Migration
 135 ---------------
 136
 137 TODO
 138
 139 References
 140 ----------
 141
 142 `AMD Memory Encryption whitepaper
 143 <https://developer.amd.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf>`_
 144
 145 .. [SEVKM] `Secure Encrypted Virtualization Key Management
 146    <http://developer.amd.com/wordpress/media/2017/11/55766_SEV-KM-API_Specification.pdf>`_
 147
 148 KVM Forum slides:
 149
 150 * `AMD’s Virtualization Memory Encryption (2016)
 151   <http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf>`_
 152 * `Extending Secure Encrypted Virtualization With SEV-ES (2018)
 153   <https://www.linux-kvm.org/images/9/94/Extending-Secure-Encrypted-Virtualization-with-SEV-ES-Thomas-Lendacky-AMD.pdf>`_
 154
 155 `AMD64 Architecture Programmer's Manual:
 156 <http://support.amd.com/TechDocs/24593.pdf>`_
 157
 158 * SME is section 7.10
 159 * SEV is section 15.34
 160 * SEV-ES is section 15.35