From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54552) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bjpW3-0003JF-El for qemu-devel@nongnu.org; Tue, 13 Sep 2016 11:20:58 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bjpVy-0007gU-P0 for qemu-devel@nongnu.org; Tue, 13 Sep 2016 11:20:55 -0400 Received: from mx1.redhat.com ([209.132.183.28]:49440) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bjpVy-0007g0-IX for qemu-devel@nongnu.org; Tue, 13 Sep 2016 11:20:50 -0400 Date: Tue, 13 Sep 2016 12:20:43 -0300 From: Eduardo Habkost Message-ID: <20160913152043.GW24695@thinpad.lan.raisama.net> References: <147377800565.11859.4411044563640180545.stgit@brijesh-build-machine> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <147377800565.11859.4411044563640180545.stgit@brijesh-build-machine> Subject: Re: [Qemu-devel] [RFC PATCH v1 00/22] x86: Secure Encrypted Virtualization (AMD) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Brijesh Singh Cc: crosthwaite.peter@gmail.com, armbru@redhat.com, mst@redhat.com, p.fedin@samsung.com, qemu-devel@nongnu.org, lcapitulino@redhat.com, pbonzini@redhat.com, rth@twiddle.net On Tue, Sep 13, 2016 at 10:46:46AM -0400, Brijesh Singh wrote: > This RFC series provides support for AMD's new Secure Encrypted > Virtualization (SEV) feature. This RFC is based KVM RFC [1]. > > SEV is an extension to the AMD-V architecture which supports running > multiple VMs under the control of a hypervisor. The SEV feature allows > the memory contents of a virtual machine (VM) to be transparently encrypted > with a key unique to the guest VM. The memory controller contains a > high performance encryption engine which can be programmed with multiple > keys for use by a different VMs in the system. The programming and > management of these keys is handled by the AMD Secure Processor firmware > which exposes a commands for these tasks. > > SEV is designed to protect guest VMs from a benign but vulnerable > (i.e. not fully malicious) hypervisor. In particular, it reduces the attack > surface of guest VMs and can prevent certain types of VM-escape bugs > (e.g. hypervisor read-anywhere) from being used to steal guest data. > > The KVM RFC introduced a new ioctl (KVM_SEV_ISSUE_CMD) which can be > used by qemu to enable SEV for secure guest and assist performing common > hypervisor activities such as a launching, running, snapshooting, migration > and debugging a guests data. > > > The following links provide additional details: > > AMD Memory Encryption whitepaper: > > http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf > > AMD64 Architecture Programmer's Manual: > http://support.amd.com/TechDocs/24593.pdf > SME is section 7.10 > SEV is section 15.34 > > Secure Encrypted Virutualization Key Management: > http://support.amd.com/TechDocs/55766_SEV-KM API_Spec.pdf > > KVM Forum slides: > http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf For reference, video of the KVM Forum Talk: https://www.youtube.com/watch?v=RcvQ1xN55Ew I was not present at the session and I plan to watch it to be able to give better feedback. > > KVM RFC link: > > [1] http://marc.info/?l=kvm&m=147191038624432&w=2 > -- Eduardo