From: Brijesh Singh <brijesh.singh@amd.com>
To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org
Cc: bp@alien8.de, "Brijesh Singh" <brijesh.singh@amd.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Ingo Molnar" <mingo@redhat.com>,
"H. Peter Anvin" <hpa@zytor.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"Borislav Petkov" <bp@suse.de>,
"Tom Lendacky" <thomas.lendacky@amd.com>
Subject: [Part2 PATCH v9 01/38] Documentation/virtual/kvm: Add AMD Secure Encrypted Virtualization (SEV)
Date: Mon, 4 Dec 2017 19:04:01 -0600 [thread overview]
Message-ID: <20171205010438.5773-2-brijesh.singh@amd.com> (raw)
In-Reply-To: <20171205010438.5773-1-brijesh.singh@amd.com>
Create a Documentation entry to describe the AMD Secure Encrypted
Virtualization (SEV) feature.
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Borislav Petkov <bp@suse.de>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: kvm@vger.kernel.org
Cc: x86@kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Borislav Petkov <bp@suse.de>
---
Documentation/virtual/kvm/00-INDEX | 3 ++
.../virtual/kvm/amd-memory-encryption.rst | 45 ++++++++++++++++++++++
2 files changed, 48 insertions(+)
create mode 100644 Documentation/virtual/kvm/amd-memory-encryption.rst
diff --git a/Documentation/virtual/kvm/00-INDEX b/Documentation/virtual/kvm/00-INDEX
index 69fe1a8b7ad1..3da73aabff5a 100644
--- a/Documentation/virtual/kvm/00-INDEX
+++ b/Documentation/virtual/kvm/00-INDEX
@@ -26,3 +26,6 @@ s390-diag.txt
- Diagnose hypercall description (for IBM S/390)
timekeeping.txt
- timekeeping virtualization for x86-based architectures.
+amd-memory-encryption.txt
+ - notes on AMD Secure Encrypted Virtualization feature and SEV firmware
+ command description
diff --git a/Documentation/virtual/kvm/amd-memory-encryption.rst b/Documentation/virtual/kvm/amd-memory-encryption.rst
new file mode 100644
index 000000000000..a8ef21e737db
--- /dev/null
+++ b/Documentation/virtual/kvm/amd-memory-encryption.rst
@@ -0,0 +1,45 @@
+======================================
+Secure Encrypted Virtualization (SEV)
+======================================
+
+Overview
+========
+
+Secure Encrypted Virtualization (SEV) is a feature found on AMD processors.
+
+SEV is an extension to the AMD-V architecture which supports running
+virtual machines (VMs) under the control of a hypervisor. When enabled,
+the memory contents of a VM will be transparently encrypted with a key
+unique to that VM.
+
+The hypervisor can determine the SEV support through the CPUID
+instruction. The CPUID function 0x8000001f reports information related
+to SEV::
+
+ 0x8000001f[eax]:
+ Bit[1] indicates support for SEV
+ ...
+ [ecx]:
+ Bits[31:0] Number of encrypted guests supported simultaneously
+
+If support for SEV is present, MSR 0xc001_0010 (MSR_K8_SYSCFG) and MSR 0xc001_0015
+(MSR_K7_HWCR) can be used to determine if it can be enabled::
+
+ 0xc001_0010:
+ Bit[23] 1 = memory encryption can be enabled
+ 0 = memory encryption can not be enabled
+
+ 0xc001_0015:
+ Bit[0] 1 = memory encryption can be enabled
+ 0 = memory encryption can not be enabled
+
+When SEV support is available, it can be enabled in a specific VM by
+setting the SEV bit before executing VMRUN.::
+
+ VMCB[0x90]:
+ Bit[1] 1 = SEV is enabled
+ 0 = SEV is disabled
+
+SEV hardware uses ASIDs to associate a memory encryption key with a VM.
+Hence, the ASID for the SEV-enabled guests must be from 1 to a maximum value
+defined in the CPUID 0x8000001f[ecx] field.
--
2.9.5
next prev parent reply other threads:[~2017-12-05 1:05 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-05 1:04 [Part2 PATCH v9 00/38] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-12-05 1:04 ` Brijesh Singh [this message]
2017-12-05 1:04 ` [Part2 PATCH v9 02/38] x86/CPU/AMD: Add the Secure Encrypted Virtualization CPU feature Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 03/38] kvm: svm: prepare for new bit definition in nested_ctl Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 04/38] kvm: svm: Add SEV feature definitions to KVM Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 05/38] KVM: SVM: Prepare to reserve asid for SEV guest Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 06/38] KVM: X86: Extend CPUID range to include new leaf Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 07/38] KVM: Introduce KVM_MEMORY_ENCRYPT_OP ioctl Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 08/38] KVM: Introduce KVM_MEMORY_ENCRYPT_{UN,}REG_REGION ioctl Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 09/38] crypto: ccp: Build the AMD secure processor driver only with AMD CPU support Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 10/38] crypto: ccp: Define SEV userspace ioctl and command id Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 11/38] crypto: ccp: Define SEV key management " Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 12/38] crypto: ccp: Add Platform Security Processor (PSP) device support Brijesh Singh
2017-12-06 21:10 ` Philippe Ombredanne
2017-12-07 20:21 ` Brijesh Singh
2017-12-07 21:20 ` Philippe Ombredanne
2017-12-05 1:04 ` [Part2 PATCH v9 13/38] crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 14/38] crypto: ccp: Implement SEV_FACTORY_RESET ioctl command Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 15/38] crypto: ccp: Implement SEV_PLATFORM_STATUS " Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 16/38] crypto: ccp: Implement SEV_PEK_GEN " Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 17/38] crypto: ccp: Implement SEV_PDH_GEN " Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 18/38] crypto: ccp: Implement SEV_PEK_CSR " Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 19/38] crypto: ccp: Implement SEV_PEK_CERT_IMPORT " Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 20/38] crypto: ccp: Implement SEV_PDH_CERT_EXPORT " Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 21/38] KVM: X86: Add CONFIG_KVM_AMD_SEV Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 22/38] KVM: SVM: Reserve ASID range for SEV guest Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 23/38] KVM: SVM: Add sev module_param Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 24/38] KVM: Define SEV key management command id Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 25/38] KVM: SVM: Add KVM_SEV_INIT command Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 26/38] KVM: SVM: VMRUN should use associated ASID when SEV is enabled Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 27/38] KVM: SVM: Add support for KVM_SEV_LAUNCH_START command Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 28/38] KVM: SVM: Add support for KVM_SEV_LAUNCH_UPDATE_DATA command Brijesh Singh
2017-12-05 1:04 ` [Part2 PATCH v9 29/38] KVM: SVM: Add support for KVM_SEV_LAUNCH_MEASURE command Brijesh Singh
2017-12-21 13:06 ` [Part2 PATCH v9 00/38] x86: Secure Encrypted Virtualization (AMD) Paolo Bonzini
2017-12-21 15:51 ` Brijesh Singh
2017-12-21 16:09 ` Brijesh Singh
2018-01-11 12:20 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171205010438.5773-2-brijesh.singh@amd.com \
--to=brijesh.singh@amd.com \
--cc=bp@alien8.de \
--cc=bp@suse.de \
--cc=corbet@lwn.net \
--cc=hpa@zytor.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox