AMD SEV-ES and Guest-Host Communicaiton Block (GHCB) usage standardization

AMD SEV-ES and Guest-Host Communicaiton Block (GHCB) usage standardization

[Lendacky, Thomas]

This is an informational post about AMD Secure Encrypted Virtualization -
Encrypted State.

In addition to the Secure Encrypted Virtualization (SEV) feature, AMD EPYC
processors also provide a feature called Secure Encrypted Virtualization -
Encrypted State (SEV-ES). Building on the memory encryption technology in
SEV, SEV-ES protects the guest register state from the hypervisor by
encrypting the guest register state. Since the guest register state is
encrypted, a method of communicating between the guest and the hypervisor
is required in order for the hypervisor to provide certain functionality
to the guest (e.g. CPUID support).

A specification has been developed to ensure that a single guest image can
run without modification across multiple hypervisors. This specification
establishes how an SEV-ES guest and an SEV-ES capable hypervisor should
communicate with each other. Since the register state of an SEV-ES guest
is encrypted, a shared communication area must be used in order to allow
the guest and hypervisor to communicate, the Guest-Host Communication
Block (GHCB). The specification defines the format and use of the GHCB,
the guest exits that must be initially supported and requirements for
certain scenarios, such as AP booting.

The specification is defined as the SEV-ES Guest-Hypervisor Communication
Block Standardization document. This document is available at the AMD
Secure Encrypted Virtualization web page [1] (or directly [2]). The AMD
Secure Encrypted Virtualization web page also contains additional
information related to SEV and SEV-ES.

Thanks,
Tom

[1] https://developer.amd.com/sev/
[2] https://developer.amd.com/wp-content/resources/56421.pdf