149 lines
6.3 KiB
Plaintext
149 lines
6.3 KiB
Plaintext
Secure Encrypted Virtualization (SEV) is a feature found on AMD processors.
|
|
|
|
SEV is an extension to the AMD-V architecture which supports running encrypted
|
|
virtual machines (VMs) under the control of KVM. Encrypted VMs have their pages
|
|
(code and data) secured such that only the guest itself has access to the
|
|
unencrypted version. Each encrypted VM is associated with a unique encryption
|
|
key; if its data is accessed by a different entity using a different key the
|
|
encrypted guests data will be incorrectly decrypted, leading to unintelligible
|
|
data.
|
|
|
|
Key management for this feature is handled by a separate processor known as the
|
|
AMD secure processor (AMD-SP), which is present in AMD SOCs. Firmware running
|
|
inside the AMD-SP provides commands to support a common VM lifecycle. This
|
|
includes commands for launching, snapshotting, migrating and debugging the
|
|
encrypted guest. These SEV commands can be issued via KVM_MEMORY_ENCRYPT_OP
|
|
ioctls.
|
|
|
|
Secure Encrypted Virtualization - Encrypted State (SEV-ES) builds on the SEV
|
|
support to additionally protect the guest register state. In order to allow a
|
|
hypervisor to perform functions on behalf of a guest, there is architectural
|
|
support for notifying a guest's operating system when certain types of VMEXITs
|
|
are about to occur. This allows the guest to selectively share information with
|
|
the hypervisor to satisfy the requested function.
|
|
|
|
Launching
|
|
---------
|
|
Boot images (such as bios) must be encrypted before a guest can be booted. The
|
|
MEMORY_ENCRYPT_OP ioctl provides commands to encrypt the images: LAUNCH_START,
|
|
LAUNCH_UPDATE_DATA, LAUNCH_MEASURE and LAUNCH_FINISH. These four commands
|
|
together generate a fresh memory encryption key for the VM, encrypt the boot
|
|
images and provide a measurement than can be used as an attestation of a
|
|
successful launch.
|
|
|
|
For a SEV-ES guest, the LAUNCH_UPDATE_VMSA command is also used to encrypt the
|
|
guest register state, or VM save area (VMSA), for all of the guest vCPUs.
|
|
|
|
LAUNCH_START is called first to create a cryptographic launch context within
|
|
the firmware. To create this context, guest owner must provide a guest policy,
|
|
its public Diffie-Hellman key (PDH) and session parameters. These inputs
|
|
should be treated as a binary blob and must be passed as-is to the SEV firmware.
|
|
|
|
The guest policy is passed as plaintext. A hypervisor may choose to read it,
|
|
but should not modify it (any modification of the policy bits will result
|
|
in bad measurement). The guest policy is a 4-byte data structure containing
|
|
several flags that restricts what can be done on a running SEV guest.
|
|
See KM Spec section 3 and 6.2 for more details.
|
|
|
|
The guest policy can be provided via the 'policy' property (see below)
|
|
|
|
# ${QEMU} \
|
|
sev-guest,id=sev0,policy=0x1...\
|
|
|
|
Setting the "SEV-ES required" policy bit (bit 2) will launch the guest as a
|
|
SEV-ES guest (see below)
|
|
|
|
# ${QEMU} \
|
|
sev-guest,id=sev0,policy=0x5...\
|
|
|
|
The guest owner provided DH certificate and session parameters will be used to
|
|
establish a cryptographic session with the guest owner to negotiate keys used
|
|
for the attestation.
|
|
|
|
The DH certificate and session blob can be provided via the 'dh-cert-file' and
|
|
'session-file' properties (see below)
|
|
|
|
# ${QEMU} \
|
|
sev-guest,id=sev0,dh-cert-file=<file1>,session-file=<file2>
|
|
|
|
LAUNCH_UPDATE_DATA encrypts the memory region using the cryptographic context
|
|
created via the LAUNCH_START command. If required, this command can be called
|
|
multiple times to encrypt different memory regions. The command also calculates
|
|
the measurement of the memory contents as it encrypts.
|
|
|
|
LAUNCH_UPDATE_VMSA encrypts all the vCPU VMSAs for a SEV-ES guest using the
|
|
cryptographic context created via the LAUNCH_START command. The command also
|
|
calculates the measurement of the VMSAs as it encrypts them.
|
|
|
|
LAUNCH_MEASURE can be used to retrieve the measurement of encrypted memory and,
|
|
for a SEV-ES guest, encrypted VMSAs. This measurement is a signature of the
|
|
memory contents and, for a SEV-ES guest, the VMSA contents, that can be sent
|
|
to the guest owner as an attestation that the memory and VMSAs were encrypted
|
|
correctly by the firmware. The guest owner may wait to provide the guest
|
|
confidential information until it can verify the attestation measurement.
|
|
Since the guest owner knows the initial contents of the guest at boot, the
|
|
attestation measurement can be verified by comparing it to what the guest owner
|
|
expects.
|
|
|
|
LAUNCH_FINISH finalizes the guest launch and destroys the cryptographic
|
|
context.
|
|
|
|
See SEV KM API Spec [1] 'Launching a guest' usage flow (Appendix A) for the
|
|
complete flow chart.
|
|
|
|
To launch a SEV guest
|
|
|
|
# ${QEMU} \
|
|
-machine ...,confidential-guest-support=sev0 \
|
|
-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1
|
|
|
|
To launch a SEV-ES guest
|
|
|
|
# ${QEMU} \
|
|
-machine ...,confidential-guest-support=sev0 \
|
|
-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x5
|
|
|
|
An SEV-ES guest has some restrictions as compared to a SEV guest. Because the
|
|
guest register state is encrypted and cannot be updated by the VMM/hypervisor,
|
|
a SEV-ES guest:
|
|
- Does not support SMM - SMM support requires updating the guest register
|
|
state.
|
|
- Does not support reboot - a system reset requires updating the guest register
|
|
state.
|
|
- Requires in-kernel irqchip - the burden is placed on the hypervisor to
|
|
manage booting APs.
|
|
|
|
Debugging
|
|
-----------
|
|
Since the memory contents of a SEV guest are encrypted, hypervisor access to
|
|
the guest memory will return cipher text. If the guest policy allows debugging,
|
|
then a hypervisor can use the DEBUG_DECRYPT and DEBUG_ENCRYPT commands to access
|
|
the guest memory region for debug purposes. This is not supported in QEMU yet.
|
|
|
|
Snapshot/Restore
|
|
-----------------
|
|
TODO
|
|
|
|
Live Migration
|
|
----------------
|
|
TODO
|
|
|
|
References
|
|
-----------------
|
|
|
|
AMD Memory Encryption whitepaper:
|
|
https://developer.amd.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
|
|
|
|
Secure Encrypted Virtualization Key Management:
|
|
[1] http://developer.amd.com/wordpress/media/2017/11/55766_SEV-KM-API_Specification.pdf
|
|
|
|
KVM Forum slides:
|
|
http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf
|
|
https://www.linux-kvm.org/images/9/94/Extending-Secure-Encrypted-Virtualization-with-SEV-ES-Thomas-Lendacky-AMD.pdf
|
|
|
|
AMD64 Architecture Programmer's Manual:
|
|
http://support.amd.com/TechDocs/24593.pdf
|
|
SME is section 7.10
|
|
SEV is section 15.34
|
|
SEV-ES is section 15.35
|