[Part2 PATCH v8 01/38] Documentation/virtual/kvm: Add AMD Secure Encrypted Virtualization (SEV)

Mon, 06 Nov 2017 10:27:55 -0800 

Create a Documentation entry to describe the AMD Secure Encrypted
Virtualization (SEV) feature.

Cc: Thomas Gleixner <t...@linutronix.de>
Cc: Ingo Molnar <mi...@redhat.com>
Cc: "H. Peter Anvin" <h...@zytor.com>
Cc: Paolo Bonzini <pbonz...@redhat.com>
Cc: "Radim Krčmář" <rkrc...@redhat.com>
Cc: Jonathan Corbet <cor...@lwn.net>
Cc: Borislav Petkov <b...@suse.de>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: k...@vger.kernel.org
Cc: x...@kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Brijesh Singh <brijesh.si...@amd.com>
Reviewed-by: Borislav Petkov <b...@suse.de>
---
 Documentation/virtual/kvm/00-INDEX                 |  3 ++
 .../virtual/kvm/amd-memory-encryption.rst          | 45 ++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 Documentation/virtual/kvm/amd-memory-encryption.rst

diff --git a/Documentation/virtual/kvm/00-INDEX 
b/Documentation/virtual/kvm/00-INDEX
index 69fe1a8b7ad1..3da73aabff5a 100644
--- a/Documentation/virtual/kvm/00-INDEX
+++ b/Documentation/virtual/kvm/00-INDEX
@@ -26,3 +26,6 @@ s390-diag.txt
        - Diagnose hypercall description (for IBM S/390)
 timekeeping.txt
        - timekeeping virtualization for x86-based architectures.
+amd-memory-encryption.txt
+       - notes on AMD Secure Encrypted Virtualization feature and SEV firmware
+         command description
diff --git a/Documentation/virtual/kvm/amd-memory-encryption.rst 
b/Documentation/virtual/kvm/amd-memory-encryption.rst
new file mode 100644
index 000000000000..a8ef21e737db
--- /dev/null
+++ b/Documentation/virtual/kvm/amd-memory-encryption.rst
@@ -0,0 +1,45 @@
+======================================
+Secure Encrypted Virtualization (SEV)
+======================================
+
+Overview
+========
+
+Secure Encrypted Virtualization (SEV) is a feature found on AMD processors.
+
+SEV is an extension to the AMD-V architecture which supports running
+virtual machines (VMs) under the control of a hypervisor. When enabled,
+the memory contents of a VM will be transparently encrypted with a key
+unique to that VM.
+
+The hypervisor can determine the SEV support through the CPUID
+instruction. The CPUID function 0x8000001f reports information related
+to SEV::
+
+       0x8000001f[eax]:
+                       Bit[1]  indicates support for SEV
+           ...
+                 [ecx]:
+                       Bits[31:0]  Number of encrypted guests supported 
simultaneously
+
+If support for SEV is present, MSR 0xc001_0010 (MSR_K8_SYSCFG) and MSR 
0xc001_0015
+(MSR_K7_HWCR) can be used to determine if it can be enabled::
+
+       0xc001_0010:
+               Bit[23]    1 = memory encryption can be enabled
+                          0 = memory encryption can not be enabled
+
+       0xc001_0015:
+               Bit[0]     1 = memory encryption can be enabled
+                          0 = memory encryption can not be enabled
+
+When SEV support is available, it can be enabled in a specific VM by
+setting the SEV bit before executing VMRUN.::
+
+       VMCB[0x90]:
+               Bit[1]      1 = SEV is enabled
+                           0 = SEV is disabled
+
+SEV hardware uses ASIDs to associate a memory encryption key with a VM.
+Hence, the ASID for the SEV-enabled guests must be from 1 to a maximum value
+defined in the CPUID 0x8000001f[ecx] field.
-- 
2.9.5

Reply via email to