This RFC series provides support for AMD's new Secure Encrypted
Virtualization (SEV) feature. This RFC is based KVM RFC .
SEV is an extension to the AMD-V architecture which supports running
multiple VMs under the control of a hypervisor. The SEV feature allows
the memory contents of a virtual machine (VM) to be transparently encrypted
with a key unique to the guest VM. The memory controller contains a
high performance encryption engine which can be programmed with multiple
keys for use by a different VMs in the system. The programming and
management of these keys is handled by the AMD Secure Processor firmware
which exposes a commands for these tasks.
SEV is designed to protect guest VMs from a benign but vulnerable
(i.e. not fully malicious) hypervisor. In particular, it reduces the attack
surface of guest VMs and can prevent certain types of VM-escape bugs
(e.g. hypervisor read-anywhere) from being used to steal guest data.
The KVM RFC introduced a new ioctl (KVM_SEV_ISSUE_CMD) which can be
used by qemu to enable SEV for secure guest and assist performing common
hypervisor activities such as a launching, running, snapshooting, migration
and debugging a guests data.
The following links provide additional details:
AMD Memory Encryption whitepaper:
AMD64 Architecture Programmer's Manual:
SME is section 7.10
SEV is section 15.34
Secure Encrypted Virutualization Key Management:
KVM Forum slides:
KVM RFC link:
Video of the KVM Forum Talk:
The patches are based on (d75aa43 Update version for v2.7.0-rc4 release)
Changes since v1:
- Added Documentation
- Added security-policy object.
- Drop sev config parsing support and create new objects to get/set SEV
- Added sev-guest-info object.
- Added sev-launch-info object.
- Added kvm_memory_encrytion_* APIs. The idea behind this was to allow adding
a non SEV memory encrytion object without modifying interfaces.
- Drop patch to load OS image at fixed location.
- updated LAUNCH_FINISH command structure. Now the structure contains
just 'measurement' field. Other fields are not used and will also be removed
from newer SEV firmware API spec.
- investigate the possibilty of adding SEV support in UEFI BIOS.
- implement RECEIVE_START, RECEIVE_UPDATE and RECEIVE_FINISH commands
- implement SEND_START, SEND_UPDATE and SEND_FINISH commands
- implement SEV guest migration and snapshotting support
- virtio support in SEV guest
Brijesh Singh (16):
memattrs: add debug attrs
exec: add guest RAM read and write ops
exec: add debug version of physical memory read and write apis
monitor: use debug version of memory access apis
core: add new security-policy object
sev: add Secure Encrypted Virtulization (SEV) support
hmp: display memory encryption support in 'info kvm'
core: loader: create memory encryption context before copying data
sev: add LAUNCH_START command
sev: add LAUNCH_UPDATE command
sev: add LAUNCH_FINISH command
sev: add DEBUG_DECRYPT command
sev: add DEBUG_ENCRYPT command
i386: set memory encryption ops for PC.BIOS and PC.RAM regions
target-i386: add cpuid Fn8000_001f
i386: clear C-bit in SEV guest page table walk
Makefile.target | 2
cpus.c | 2
disas.c | 2
docs/amd-memory-encryption.txt | 260 ++++++++
exec.c | 96 +++
hmp.c | 2
hw/core/Makefile.objs | 1
hw/core/loader.c | 13
hw/core/machine.c | 22 +
hw/core/security-policy.c | 166 +++++
hw/i386/pc.c | 7
hw/i386/pc_sysfw.c | 4
include/exec/cpu-common.h | 17 +
include/exec/memattrs.h | 4
include/exec/memory.h | 25 +
include/hw/boards.h | 1
include/sysemu/kvm.h | 6
include/sysemu/security-policy.h | 75 ++
include/sysemu/sev.h | 208 +++++++
kvm-all.c | 71 ++
monitor.c | 2
qapi-schema.json | 7
qemu-options.hx | 127 ++++
qmp.c | 1
sev.c | 1176 ++++++++++++++++++++++++++++++++++++++
target-i386/cpu.c | 10
target-i386/helper.c | 37 +
target-i386/monitor.c | 51 +-
28 files changed, 2356 insertions(+), 39 deletions(-)
create mode 100644 docs/amd-memory-encryption.txt
create mode 100644 hw/core/security-policy.c
create mode 100644 include/sysemu/security-policy.h
create mode 100644 include/sysemu/sev.h
create mode 100644 sev.c