A few suggestions I would have found helpful when first reading this documentation, inline:
On 6/10/22 12:53, Markus Frank wrote: > added AMD SEV documentation for "[PATCH qemu-server] QEMU AMD SEV > enable" > > Signed-off-by: Markus Frank <m.fr...@proxmox.com> > --- > v2: > * added check if sev is enabled > * added more limitations > * added suse doc link > > qm.adoc | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 89 insertions(+) > > diff --git a/qm.adoc b/qm.adoc > index e666d7d..d60753e 100644 > --- a/qm.adoc > +++ b/qm.adoc > @@ -583,6 +583,95 @@ systems. > When allocating RAM to your VMs, a good rule of thumb is always to leave 1GB > of RAM available to the host. > > +[[qm_memory_encryption]] > +Memory Encryption > +~~~~~~~~~~~~~~~~~ > + > +[[qm_memory_encryption_sev]] > +AMD SEV > +^^^^^^^ > + > +Memory Encryption using AES-128 Encryption and the AMD Secure Processor.> > +See https://developer.amd.com/sev/[AMD SEV] > + > +Requirements: > + > +* AMD EPYC/Ryzen PRO CPU > +* configured SEV BIOS Settings on Host Machine Nit: spell 'settings' lowercase > +* add Kernel Parameters: "mem_encrypt=on kvm_amd.sev=1" This should include that using edk2-OVMF is a requirement (see below) > + > +Example Configuration: > + > +---- > +# qm set <vmid> -memory_encryption > type=sev,cbitpos=47,policy=0x0005,reduced-phys-bits=1 > +---- > + > +*SEV Parameters* > + > +"type" defines the encryption technology ("type=" is not necessary): sev, > sev-snp, mktme > + > +"reduced-phys-bios", "cbitpos" and "policy" correspond to the variables with > the > +same name in qemu. > + > +"reduced-phys-bios" and "cbitpos" are system specific and can be read out > +with QMP. If not set, qm starts a dummy-vm to read QMP > +for these variables out and saves them to config. > + > +"policy" can be calculated with > +https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf[AMD > SEV API Specification Chapter 3] > + > +To use SEV-ES (CPU register encryption) the "policy" should be set > +somewhere between 0x4 and 0x7 or 0xC and 0xF, etc. > +(Bit-2 has to be set 1 (LSB 0 bit numbering)) > + > +*Check if SEV is working* > + > +Method 1 - dmesg: > + > +Output should look like this. > + > +---- > +# dmesg | grep -i sev > +AMD Memory Encryption Features active: SEV > +---- > + > +Method 2 - MSR 0xc0010131 (MSR_AMD64_SEV): > + > +Output should be 1. > + > +---- > +# apt install msr-tools > +# modprobe msr > +# rdmsr -a 0xc0010131 > +1 > +---- This part should mention that Method 1 is to be executed on the host and Method 2 is executed on the SEV-enabled guest. > + > +Limitations: > + > +* Because the memory is encrypted the memory usage on host is always wrong > +and around 82% usage This seems to depend on multiple factors, but the value of 82% does not always apply and could therefore be confusing. In my testing the value ranged from around 46% to nearly 95%. However, the usage percentage seems to always stay the same for a certain configuration. > +* Operations that involve saving or restoring memory like snapshots > +& live migration do not work yet > +* edk2-OVMF required I think this bullet point would be better placed under requirements, as it's much easier to overlook it here. > +* The guest operating system inside a VM must contain SEV-support This one could be moved to requirements as well. Additionally, it would be nice to add a link to a list of distributions with SEV support, if you know of one. > +* Recommendable: VirtIO RNG for more entropy (VMs sometimes will not > +boot without) > + > +Links: > + > +* https://github.com/AMDESE/AMDSEV > +* https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html > +* > https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf > +* https://documentation.suse.com/sles/15-SP1/html/SLES-amd-sev/index.html > + > +// Commented because not supported by kernel yet > +//AMD SEV-SNP > +//^^^^^^^^^^^ > + > +//* SEV-SNP support is not in the Linux Kernel yet and needs EPYC 7003 > "Milan" > +//processors. > +//* SEV-SNP should be in Kernel 5.19: > https://www.phoronix.com/scan.php?page=news_item&px=AMD-SEV-SNP-Arrives-Linux-5.19 > +//* patched Kernel: https://github.com/AMDESE/linux/tree/sev-snp-5.18-rc3 > > [[qm_network_device]] > Network Device _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
