Open Source and information security mailing list archives
 
Message-ID: <20171004101140.u5vh5yryr5m76pb7@pd.tnic>
Date:   Wed, 4 Oct 2017 12:11:40 +0200
From:   Borislav Petkov <bp@...e.de>
To:     Brijesh Singh <brijesh.singh@....com>
Cc:     linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Radim Krčmář <rkrcmar@...hat.com>,
        Jonathan Corbet <corbet@....net>,
        Tom Lendacky <thomas.lendacky@....com>, x86@...nel.org
Subject: [PATCH v5] Documentation/virtual/kvm: Add AMD Secure Encrypted
 Virtualization (SEV)

Pasting v5 here.

> From: Brijesh Singh <brijesh.singh@....com>
> 
> Create a Documentation entry to describe the AMD Secure Encrypted
> Virtualization (SEV) feature.
> 
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: Ingo Molnar <mingo@...hat.com>
> Cc: "H. Peter Anvin" <hpa@...or.com>
> Cc: Paolo Bonzini <pbonzini@...hat.com>
> Cc: "Radim Krčmář" <rkrcmar@...hat.com>
> Cc: Jonathan Corbet <corbet@....net>
> Cc: Borislav Petkov <bp@...e.de>
> Cc: Tom Lendacky <thomas.lendacky@....com>
> Cc: kvm@...r.kernel.org
> Cc: x86@...nel.org
> Cc: linux-kernel@...r.kernel.org
> Signed-off-by: Brijesh Singh <brijesh.singh@....com>
> ---
>  Documentation/virtual/kvm/00-INDEX                 |  3 ++
>  .../virtual/kvm/amd-memory-encryption.txt          | 38 ++++++++++++++++++++++
>  2 files changed, 41 insertions(+)
>  create mode 100644 Documentation/virtual/kvm/amd-memory-encryption.txt

Nice and sweet.

Reviewed-by: Borislav Petkov <bp@...e.de>

(Leaving in the rest for reference).

> diff --git a/Documentation/virtual/kvm/00-INDEX b/Documentation/virtual/kvm/00-INDEX
> index 69fe1a8b7ad1..3da73aabff5a 100644
> --- a/Documentation/virtual/kvm/00-INDEX
> +++ b/Documentation/virtual/kvm/00-INDEX
> @@ -26,3 +26,6 @@ s390-diag.txt
>  	- Diagnose hypercall description (for IBM S/390)
>  timekeeping.txt
>  	- timekeeping virtualization for x86-based architectures.
> +amd-memory-encryption.txt
> +	- notes on AMD Secure Encrypted Virtualization feature and SEV firmware
> +	  command description
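
Review bot: the new amd-memory-encryption.txt entry is appended after timekeeping.txt, while the visible context (s390-diag.txt, then timekeeping.txt) suggests the index is kept in alphabetical order, so it should move to its sorted position. The entry also promises an "SEV firmware command description", but the file added in this patch covers only the CPUID, MSR, VMCB and ASID details; either trim the description or state that the command documentation follows in a later patch.
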
> diff --git a/Documentation/virtual/kvm/amd-memory-encryption.txt b/Documentation/virtual/kvm/amd-memory-encryption.txt
> new file mode 100644
> index 000000000000..26472b4cdbaf
> --- /dev/null
> +++ b/Documentation/virtual/kvm/amd-memory-encryption.txt
> @@ -0,0 +1,38 @@
> +Secure Encrypted Virtualization (SEV) is a feature found on AMD processors.
> +
> +SEV is an extension to the AMD-V architecture which supports running
> +virtual machines (VMs) under the control of a hypervisor. When enabled,
> +the memory contents of a VM will be transparently encrypted with a key
> +unique to that VM.
> +
> +The hypervisor can determine the SEV support through the CPUID
> +instruction. The CPUID function 0x8000001f reports information related
> +to SEV:
> +
> +	0x8000001f[eax]:
> +			Bit[1] 	indicates support for SEV
> +	    ...
> +		  [ecx]:
> +			Bits[31:0]  Number of encrypted guests supported simultaneously
> +
> +If support for SEV is present, MSR 0xc001_0010 (MSR_K8_SYSCFG) and MSR 0xc001_0015
> +(MSR_K7_HWCR) can be used to determine if it can be enabled:
> +
> +	0xc001_0010:
> +		Bit[23]	   1 = memory encryption can be enabled
> +			   0 = memory encryption can not be enabled
> +
> +	0xc001_0015:
> +		Bit[0]	   1 = memory encryption can be enabled
> +			   0 = memory encryption can not be enabled
> +
> +When SEV support is available, it can be enabled in a specific VM by
> +setting the SEV bit before executing VMRUN.
> +
> +	VMCB[0x90]:
> +		Bit[1]	    1 = SEV is enabled
> +			    0 = SEV is disabled
> +
> +SEV hardware uses ASIDs to associate a memory encryption key with a VM.
> +Hence, the ASID for the SEV-enabled guests must be from 1 to a maximum value
> +defined in the CPUID 0x8000001f[ecx] field.
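
Review bot: in the MSR section, Bit[23] of 0xc001_0010 and Bit[0] of 0xc001_0015 carry the identical description "memory encryption can be enabled", and the text does not say whether both bits must be set or what each one gates on its own; spell out the required combination so a hypervisor author knows exactly what to check before setting the SEV bit in VMCB[0x90]. It would also help to state that the ASID upper bound taken from 0x8000001f[ecx] is inclusive, since that field is described only as a guest count. Minor style: the "If support for SEV is present, ..." line runs past 80 columns, unlike the rest of the file, and the "Bit[1]" line under 0x8000001f[eax] has a space before the tab.
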
> -- 
> 2.13.0

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
-- 
