[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [RFC PATCH v1 00/22] x86: Secure Encrypted Virtualizati
|
From: |
Michael S. Tsirkin |
|
Subject: |
Re: [Qemu-devel] [RFC PATCH v1 00/22] x86: Secure Encrypted Virtualization (AMD) |
|
Date: |
Wed, 14 Sep 2016 05:55:37 +0300 |
On Tue, Sep 13, 2016 at 10:46:46AM -0400, Brijesh Singh wrote:
> This RFC series provides support for AMD's new Secure Encrypted
> Virtualization (SEV) feature. This RFC is based KVM RFC [1].
>
> SEV is an extension to the AMD-V architecture which supports running
> multiple VMs under the control of a hypervisor. The SEV feature allows
> the memory contents of a virtual machine (VM) to be transparently encrypted
> with a key unique to the guest VM. The memory controller contains a
> high performance encryption engine which can be programmed with multiple
> keys for use by a different VMs in the system. The programming and
> management of these keys is handled by the AMD Secure Processor firmware
> which exposes a commands for these tasks.
>
> SEV is designed to protect guest VMs from a benign but vulnerable
> (i.e. not fully malicious) hypervisor.
Not fully malicious? This sounds kind of weird. In my humble opinion,
the attack needs to be much better defined to be of any use.
I attempt to do this below.
> In particular, it reduces the attack
> surface of guest VMs and can prevent certain types of VM-escape bugs
> (e.g. hypervisor read-anywhere) from being used to steal guest data.
To rephrase this in terms I understand:
someone gets to read all hypervisor memory, we do not
want this someone to be able to read all guest memory too.
Sounds reasonable.
But I don't think you need to break features like debugging: clearly if
you decrypt memory it is readable in hypervisor memory, but I think
that's fine since it's encrypted if you do not debug. In other words
policy should not be up to guest since fundamentally hypervisor is
benign.
> The KVM RFC introduced a new ioctl (KVM_SEV_ISSUE_CMD) which can be
> used by qemu to enable SEV for secure guest and assist performing common
> hypervisor activities such as a launching, running, snapshooting, migration
> and debugging a guests data.
>
>
> The following links provide additional details:
>
> AMD Memory Encryption whitepaper:
>
> http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
>
> AMD64 Architecture Programmer's Manual:
> http://support.amd.com/TechDocs/24593.pdf
> SME is section 7.10
> SEV is section 15.34
>
> Secure Encrypted Virutualization Key Management:
> http://support.amd.com/TechDocs/55766_SEV-KM API_Spec.pdf
>
> KVM Forum slides:
> http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf
>
> KVM RFC link:
>
> [1] http://marc.info/?l=kvm&m=147191038624432&w=2
>
> ---
>
> TODO:
> - send seabios RFC's on seabios mailing list
> - implement SEV guest migration command support
> - implement SEV snapshotting command support
> - virtio support in SEV guest
>
> Brijesh Singh (22):
> exec: add guest RAM read/write ops
> cpu-common: add debug version of physical memory read/write
> monitor: use debug version of physical memory read api
> memattrs: add SEV debug attrs
> i386: add new option to enable SEV guest
> sev: add initial SEV support
> sev: add SEV launch start command
> sev: add SEV launch update command
> sev: add SEV launch finish command
> sev: add SEV debug decrypt command
> sev: add SEV debug encrypt command
> sev: add SEV guest status command
> hmp: update 'info kvm' to display SEV status
> sev: provide SEV-enabled guest RAM read/write ops
> i386: sev: register RAM read/write ops for BIOS and PC.RAM region
> i386: pc: load OS images at fixed location in SEV-enabled guest
> target-i386: add cpuid Fn8000_001f
> i386: clear C-bit in SEV guest page table walk
> exec: set debug attribute in SEV-enabled guest
> fw_cfg: sev: disable dma in real mode
> hw: add pre and post system reset callback
> loader: reload bios image on ROM reset in SEV-enabled guest
>
>
> Makefile.target | 2
> disas.c | 2
> exec.c | 323 ++++++++++++++++++++-----
> hmp.c | 14 +
> hw/core/loader.c | 7 -
> hw/i386/pc.c | 99 ++++++++
> hw/i386/pc_sysfw.c | 6
> hw/nvram/fw_cfg.c | 6
> include/exec/cpu-common.h | 12 +
> include/exec/memattrs.h | 4
> include/exec/memory.h | 25 ++
> include/hw/hw.h | 2
> include/sysemu/kvm.h | 10 +
> include/sysemu/sev.h | 104 ++++++++
> kvm-all.c | 6
> monitor.c | 2
> qapi-schema.json | 4
> qemu-options.hx | 6
> qmp.c | 1
> sev.c | 574
> +++++++++++++++++++++++++++++++++++++++++++++
> target-i386/cpu.c | 3
> target-i386/helper.c | 36 ++-
> target-i386/monitor.c | 50 +++-
> vl.c | 74 ++++++
> 24 files changed, 1288 insertions(+), 84 deletions(-)
> create mode 100644 include/sysemu/sev.h
> create mode 100644 sev.c
>
> --
>
> Brijesh Singh
Message not available
- Re: [Qemu-devel] [RFC PATCH v1 16/22] i386: pc: load OS images at fixed location in SEV-enabled guest, Michael S. Tsirkin, 2016/09/13
- Re: [Qemu-devel] [RFC PATCH v1 16/22] i386: pc: load OS images at fixed location in SEV-enabled guest, Brijesh Singh, 2016/09/21
- Re: [Qemu-devel] [RFC PATCH v1 16/22] i386: pc: load OS images at fixed location in SEV-enabled guest, Paolo Bonzini, 2016/09/21
- Re: [Qemu-devel] [RFC PATCH v1 16/22] i386: pc: load OS images at fixed location in SEV-enabled guest, Brijesh Singh, 2016/09/21
- Re: [Qemu-devel] [RFC PATCH v1 16/22] i386: pc: load OS images at fixed location in SEV-enabled guest, Paolo Bonzini, 2016/09/21
Re: [Qemu-devel] [RFC PATCH v1 00/22] x86: Secure Encrypted Virtualization (AMD),
Michael S. Tsirkin <=