From mboxrd@z Thu Jan 1 00:00:00 1970 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932908AbeAKNZq (ORCPT + 1 other); Thu, 11 Jan 2018 08:25:46 -0500 Received: from mx1.redhat.com ([209.132.183.28]:49332 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932306AbeAKNZn (ORCPT ); Thu, 11 Jan 2018 08:25:43 -0500 Subject: Re: [Part2 PATCH v9 00/38] x86: Secure Encrypted Virtualization (AMD) To: Brijesh Singh , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org Cc: bp@alien8.de, Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , =?UTF-8?B?UmFkaW0gS3LDhMKNbcODwqHDheKEog==?= , Joerg Roedel , Borislav Petkov , Tom Lendacky , Herbert Xu , "David S . Miller" , Gary Hook , linux-crypto@vger.kernel.org References: <20171205010438.5773-1-brijesh.singh@amd.com> From: Paolo Bonzini Message-ID: <03c41419-4c66-c391-0792-d3c419c12bb0@redhat.com> Date: Thu, 11 Jan 2018 13:20:38 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 MIME-Version: 1.0 In-Reply-To: <20171205010438.5773-1-brijesh.singh@amd.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 11 Jan 2018 13:25:43 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On 05/12/2017 02:04, Brijesh Singh wrote: > This part of Secure Encrypted Virtualization (SEV) patch series focuses on KVM > changes required to create and manage SEV guests. > > SEV is an extension to the AMD-V architecture which supports running encrypted > virtual machine (VMs) under the control of a hypervisor. Encrypted VMs have their > pages (code and data) secured such that only the guest itself has access to > unencrypted version. Each encrypted VM is associated with a unique encryption key; > if its data is accessed to a different entity using a different key the encrypted > guest's data will be incorrectly decrypted, leading to unintelligible data. > This security model ensures that hypervisor will no longer able to inspect or > alter any guest code or data. > > The key management of this feature is handled by a separate processor known as > the AMD Secure Processor (AMD-SP) which is present on AMD SOCs. The SEV Key > Management Specification (see below) provides a set of commands which can be > used by hypervisor to load virtual machine keys through the AMD-SP driver. > > The patch series adds a new ioctl in KVM driver (KVM_MEMORY_ENCRYPT_OP). The > ioctl will be used by qemu to issue SEV guest-specific commands defined in Key > Management Specification. > > The following links provide additional details: > > AMD Memory Encryption white paper: > http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf > > AMD64 Architecture Programmer's Manual: > http://support.amd.com/TechDocs/24593.pdf > SME is section 7.10 > SEV is section 15.34 > > SEV Key Management: > http://support.amd.com/TechDocs/55766_SEV-KM API_Specification.pdf > > KVM Forum Presentation: > http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf > > SEV Guest BIOS support: > SEV support has been add to EDKII/OVMF BIOS > https://github.com/tianocore/edk2 Merged! Thanks, Paolo