amd-memory-encryption.rst 24 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663
  1. .. SPDX-License-Identifier: GPL-2.0
  2. ======================================
  3. Secure Encrypted Virtualization (SEV)
  4. ======================================
  5. Overview
  6. ========
  7. Secure Encrypted Virtualization (SEV) is a feature found on AMD processors.
  8. SEV is an extension to the AMD-V architecture which supports running
  9. virtual machines (VMs) under the control of a hypervisor. When enabled,
  10. the memory contents of a VM will be transparently encrypted with a key
  11. unique to that VM.
  12. The hypervisor can determine the SEV support through the CPUID
  13. instruction. The CPUID function 0x8000001f reports information related
  14. to SEV::
  15. 0x8000001f[eax]:
  16. Bit[1] indicates support for SEV
  17. ...
  18. [ecx]:
  19. Bits[31:0] Number of encrypted guests supported simultaneously
  20. If support for SEV is present, MSR 0xc001_0010 (MSR_AMD64_SYSCFG) and MSR 0xc001_0015
  21. (MSR_K7_HWCR) can be used to determine if it can be enabled::
  22. 0xc001_0010:
  23. Bit[23] 1 = memory encryption can be enabled
  24. 0 = memory encryption can not be enabled
  25. 0xc001_0015:
  26. Bit[0] 1 = memory encryption can be enabled
  27. 0 = memory encryption can not be enabled
  28. When SEV support is available, it can be enabled in a specific VM by
  29. setting the SEV bit before executing VMRUN.::
  30. VMCB[0x90]:
  31. Bit[1] 1 = SEV is enabled
  32. 0 = SEV is disabled
  33. SEV hardware uses ASIDs to associate a memory encryption key with a VM.
  34. Hence, the ASID for the SEV-enabled guests must be from 1 to a maximum value
  35. defined in the CPUID 0x8000001f[ecx] field.
  36. The KVM_MEMORY_ENCRYPT_OP ioctl
  37. ===============================
  38. The main ioctl to access SEV is KVM_MEMORY_ENCRYPT_OP, which operates on
  39. the VM file descriptor. If the argument to KVM_MEMORY_ENCRYPT_OP is NULL,
  40. the ioctl returns 0 if SEV is enabled and ``ENOTTY`` if it is disabled
  41. (on some older versions of Linux, the ioctl tries to run normally even
  42. with a NULL argument, and therefore will likely return ``EFAULT`` instead
  43. of zero if SEV is enabled). If non-NULL, the argument to
  44. KVM_MEMORY_ENCRYPT_OP must be a struct kvm_sev_cmd::
  45. struct kvm_sev_cmd {
  46. __u32 id;
  47. __u64 data;
  48. __u32 error;
  49. __u32 sev_fd;
  50. };
  51. The ``id`` field contains the subcommand, and the ``data`` field points to
  52. another struct containing arguments specific to command. The ``sev_fd``
  53. should point to a file descriptor that is opened on the ``/dev/sev``
  54. device, if needed (see individual commands).
  55. On output, ``error`` is zero on success, or an error code. Error codes
  56. are defined in ``<linux/psp-dev.h>``.
  57. KVM implements the following commands to support common lifecycle events of SEV
  58. guests, such as launching, running, snapshotting, migrating and decommissioning.
  59. 1. KVM_SEV_INIT2
  60. ----------------
  61. The KVM_SEV_INIT2 command is used by the hypervisor to initialize the SEV platform
  62. context. In a typical workflow, this command should be the first command issued.
  63. For this command to be accepted, either KVM_X86_SEV_VM or KVM_X86_SEV_ES_VM
  64. must have been passed to the KVM_CREATE_VM ioctl. A virtual machine created
  65. with those machine types in turn cannot be run until KVM_SEV_INIT2 is invoked.
  66. Parameters: struct kvm_sev_init (in)
  67. Returns: 0 on success, -negative on error
  68. ::
  69. struct kvm_sev_init {
  70. __u64 vmsa_features; /* initial value of features field in VMSA */
  71. __u32 flags; /* must be 0 */
  72. __u16 ghcb_version; /* maximum guest GHCB version allowed */
  73. __u16 pad1;
  74. __u32 pad2[8];
  75. };
  76. It is an error if the hypervisor does not support any of the bits that
  77. are set in ``flags`` or ``vmsa_features``. ``vmsa_features`` must be
  78. 0 for SEV virtual machines, as they do not have a VMSA.
  79. ``ghcb_version`` must be 0 for SEV virtual machines, as they do not issue GHCB
  80. requests. If ``ghcb_version`` is 0 for any other guest type, then the maximum
  81. allowed guest GHCB protocol will default to version 2.
  82. This command replaces the deprecated KVM_SEV_INIT and KVM_SEV_ES_INIT commands.
  83. The commands did not have any parameters (the ```data``` field was unused) and
  84. only work for the KVM_X86_DEFAULT_VM machine type (0).
  85. They behave as if:
  86. * the VM type is KVM_X86_SEV_VM for KVM_SEV_INIT, or KVM_X86_SEV_ES_VM for
  87. KVM_SEV_ES_INIT
  88. * the ``flags`` and ``vmsa_features`` fields of ``struct kvm_sev_init`` are
  89. set to zero, and ``ghcb_version`` is set to 0 for KVM_SEV_INIT and 1 for
  90. KVM_SEV_ES_INIT.
  91. If the ``KVM_X86_SEV_VMSA_FEATURES`` attribute does not exist, the hypervisor only
  92. supports KVM_SEV_INIT and KVM_SEV_ES_INIT. In that case, note that KVM_SEV_ES_INIT
  93. might set the debug swap VMSA feature (bit 5) depending on the value of the
  94. ``debug_swap`` parameter of ``kvm-amd.ko``.
  95. 2. KVM_SEV_LAUNCH_START
  96. -----------------------
  97. The KVM_SEV_LAUNCH_START command is used for creating the memory encryption
  98. context. To create the encryption context, user must provide a guest policy,
  99. the owner's public Diffie-Hellman (PDH) key and session information.
  100. Parameters: struct kvm_sev_launch_start (in/out)
  101. Returns: 0 on success, -negative on error
  102. ::
  103. struct kvm_sev_launch_start {
  104. __u32 handle; /* if zero then firmware creates a new handle */
  105. __u32 policy; /* guest's policy */
  106. __u64 dh_uaddr; /* userspace address pointing to the guest owner's PDH key */
  107. __u32 dh_len;
  108. __u64 session_addr; /* userspace address which points to the guest session information */
  109. __u32 session_len;
  110. };
  111. On success, the 'handle' field contains a new handle and on error, a negative value.
  112. KVM_SEV_LAUNCH_START requires the ``sev_fd`` field to be valid.
  113. For more details, see SEV spec Section 6.2.
  114. 3. KVM_SEV_LAUNCH_UPDATE_DATA
  115. -----------------------------
  116. The KVM_SEV_LAUNCH_UPDATE_DATA is used for encrypting a memory region. It also
  117. calculates a measurement of the memory contents. The measurement is a signature
  118. of the memory contents that can be sent to the guest owner as an attestation
  119. that the memory was encrypted correctly by the firmware.
  120. Parameters (in): struct kvm_sev_launch_update_data
  121. Returns: 0 on success, -negative on error
  122. ::
  123. struct kvm_sev_launch_update {
  124. __u64 uaddr; /* userspace address to be encrypted (must be 16-byte aligned) */
  125. __u32 len; /* length of the data to be encrypted (must be 16-byte aligned) */
  126. };
  127. For more details, see SEV spec Section 6.3.
  128. 4. KVM_SEV_LAUNCH_MEASURE
  129. -------------------------
  130. The KVM_SEV_LAUNCH_MEASURE command is used to retrieve the measurement of the
  131. data encrypted by the KVM_SEV_LAUNCH_UPDATE_DATA command. The guest owner may
  132. wait to provide the guest with confidential information until it can verify the
  133. measurement. Since the guest owner knows the initial contents of the guest at
  134. boot, the measurement can be verified by comparing it to what the guest owner
  135. expects.
  136. If len is zero on entry, the measurement blob length is written to len and
  137. uaddr is unused.
  138. Parameters (in): struct kvm_sev_launch_measure
  139. Returns: 0 on success, -negative on error
  140. ::
  141. struct kvm_sev_launch_measure {
  142. __u64 uaddr; /* where to copy the measurement */
  143. __u32 len; /* length of measurement blob */
  144. };
  145. For more details on the measurement verification flow, see SEV spec Section 6.4.
  146. 5. KVM_SEV_LAUNCH_FINISH
  147. ------------------------
  148. After completion of the launch flow, the KVM_SEV_LAUNCH_FINISH command can be
  149. issued to make the guest ready for the execution.
  150. Returns: 0 on success, -negative on error
  151. 6. KVM_SEV_GUEST_STATUS
  152. -----------------------
  153. The KVM_SEV_GUEST_STATUS command is used to retrieve status information about a
  154. SEV-enabled guest.
  155. Parameters (out): struct kvm_sev_guest_status
  156. Returns: 0 on success, -negative on error
  157. ::
  158. struct kvm_sev_guest_status {
  159. __u32 handle; /* guest handle */
  160. __u32 policy; /* guest policy */
  161. __u8 state; /* guest state (see enum below) */
  162. };
  163. SEV guest state:
  164. ::
  165. enum {
  166. SEV_STATE_INVALID = 0;
  167. SEV_STATE_LAUNCHING, /* guest is currently being launched */
  168. SEV_STATE_SECRET, /* guest is being launched and ready to accept the ciphertext data */
  169. SEV_STATE_RUNNING, /* guest is fully launched and running */
  170. SEV_STATE_RECEIVING, /* guest is being migrated in from another SEV machine */
  171. SEV_STATE_SENDING /* guest is getting migrated out to another SEV machine */
  172. };
  173. 7. KVM_SEV_DBG_DECRYPT
  174. ----------------------
  175. The KVM_SEV_DEBUG_DECRYPT command can be used by the hypervisor to request the
  176. firmware to decrypt the data at the given memory region.
  177. Parameters (in): struct kvm_sev_dbg
  178. Returns: 0 on success, -negative on error
  179. ::
  180. struct kvm_sev_dbg {
  181. __u64 src_uaddr; /* userspace address of data to decrypt */
  182. __u64 dst_uaddr; /* userspace address of destination */
  183. __u32 len; /* length of memory region to decrypt */
  184. };
  185. The command returns an error if the guest policy does not allow debugging.
  186. 8. KVM_SEV_DBG_ENCRYPT
  187. ----------------------
  188. The KVM_SEV_DEBUG_ENCRYPT command can be used by the hypervisor to request the
  189. firmware to encrypt the data at the given memory region.
  190. Parameters (in): struct kvm_sev_dbg
  191. Returns: 0 on success, -negative on error
  192. ::
  193. struct kvm_sev_dbg {
  194. __u64 src_uaddr; /* userspace address of data to encrypt */
  195. __u64 dst_uaddr; /* userspace address of destination */
  196. __u32 len; /* length of memory region to encrypt */
  197. };
  198. The command returns an error if the guest policy does not allow debugging.
  199. 9. KVM_SEV_LAUNCH_SECRET
  200. ------------------------
  201. The KVM_SEV_LAUNCH_SECRET command can be used by the hypervisor to inject secret
  202. data after the measurement has been validated by the guest owner.
  203. Parameters (in): struct kvm_sev_launch_secret
  204. Returns: 0 on success, -negative on error
  205. ::
  206. struct kvm_sev_launch_secret {
  207. __u64 hdr_uaddr; /* userspace address containing the packet header */
  208. __u32 hdr_len;
  209. __u64 guest_uaddr; /* the guest memory region where the secret should be injected */
  210. __u32 guest_len;
  211. __u64 trans_uaddr; /* the hypervisor memory region which contains the secret */
  212. __u32 trans_len;
  213. };
  214. 10. KVM_SEV_GET_ATTESTATION_REPORT
  215. ----------------------------------
  216. The KVM_SEV_GET_ATTESTATION_REPORT command can be used by the hypervisor to query the attestation
  217. report containing the SHA-256 digest of the guest memory and VMSA passed through the KVM_SEV_LAUNCH
  218. commands and signed with the PEK. The digest returned by the command should match the digest
  219. used by the guest owner with the KVM_SEV_LAUNCH_MEASURE.
  220. If len is zero on entry, the measurement blob length is written to len and
  221. uaddr is unused.
  222. Parameters (in): struct kvm_sev_attestation
  223. Returns: 0 on success, -negative on error
  224. ::
  225. struct kvm_sev_attestation_report {
  226. __u8 mnonce[16]; /* A random mnonce that will be placed in the report */
  227. __u64 uaddr; /* userspace address where the report should be copied */
  228. __u32 len;
  229. };
  230. 11. KVM_SEV_SEND_START
  231. ----------------------
  232. The KVM_SEV_SEND_START command can be used by the hypervisor to create an
  233. outgoing guest encryption context.
  234. If session_len is zero on entry, the length of the guest session information is
  235. written to session_len and all other fields are not used.
  236. Parameters (in): struct kvm_sev_send_start
  237. Returns: 0 on success, -negative on error
  238. ::
  239. struct kvm_sev_send_start {
  240. __u32 policy; /* guest policy */
  241. __u64 pdh_cert_uaddr; /* platform Diffie-Hellman certificate */
  242. __u32 pdh_cert_len;
  243. __u64 plat_certs_uaddr; /* platform certificate chain */
  244. __u32 plat_certs_len;
  245. __u64 amd_certs_uaddr; /* AMD certificate */
  246. __u32 amd_certs_len;
  247. __u64 session_uaddr; /* Guest session information */
  248. __u32 session_len;
  249. };
  250. 12. KVM_SEV_SEND_UPDATE_DATA
  251. ----------------------------
  252. The KVM_SEV_SEND_UPDATE_DATA command can be used by the hypervisor to encrypt the
  253. outgoing guest memory region with the encryption context creating using
  254. KVM_SEV_SEND_START.
  255. If hdr_len or trans_len are zero on entry, the length of the packet header and
  256. transport region are written to hdr_len and trans_len respectively, and all
  257. other fields are not used.
  258. Parameters (in): struct kvm_sev_send_update_data
  259. Returns: 0 on success, -negative on error
  260. ::
  261. struct kvm_sev_launch_send_update_data {
  262. __u64 hdr_uaddr; /* userspace address containing the packet header */
  263. __u32 hdr_len;
  264. __u64 guest_uaddr; /* the source memory region to be encrypted */
  265. __u32 guest_len;
  266. __u64 trans_uaddr; /* the destination memory region */
  267. __u32 trans_len;
  268. };
  269. 13. KVM_SEV_SEND_FINISH
  270. ------------------------
  271. After completion of the migration flow, the KVM_SEV_SEND_FINISH command can be
  272. issued by the hypervisor to delete the encryption context.
  273. Returns: 0 on success, -negative on error
  274. 14. KVM_SEV_SEND_CANCEL
  275. ------------------------
  276. After completion of SEND_START, but before SEND_FINISH, the source VMM can issue the
  277. SEND_CANCEL command to stop a migration. This is necessary so that a cancelled
  278. migration can restart with a new target later.
  279. Returns: 0 on success, -negative on error
  280. 15. KVM_SEV_RECEIVE_START
  281. -------------------------
  282. The KVM_SEV_RECEIVE_START command is used for creating the memory encryption
  283. context for an incoming SEV guest. To create the encryption context, the user must
  284. provide a guest policy, the platform public Diffie-Hellman (PDH) key and session
  285. information.
  286. Parameters: struct kvm_sev_receive_start (in/out)
  287. Returns: 0 on success, -negative on error
  288. ::
  289. struct kvm_sev_receive_start {
  290. __u32 handle; /* if zero then firmware creates a new handle */
  291. __u32 policy; /* guest's policy */
  292. __u64 pdh_uaddr; /* userspace address pointing to the PDH key */
  293. __u32 pdh_len;
  294. __u64 session_uaddr; /* userspace address which points to the guest session information */
  295. __u32 session_len;
  296. };
  297. On success, the 'handle' field contains a new handle and on error, a negative value.
  298. For more details, see SEV spec Section 6.12.
  299. 16. KVM_SEV_RECEIVE_UPDATE_DATA
  300. -------------------------------
  301. The KVM_SEV_RECEIVE_UPDATE_DATA command can be used by the hypervisor to copy
  302. the incoming buffers into the guest memory region with encryption context
  303. created during the KVM_SEV_RECEIVE_START.
  304. Parameters (in): struct kvm_sev_receive_update_data
  305. Returns: 0 on success, -negative on error
  306. ::
  307. struct kvm_sev_launch_receive_update_data {
  308. __u64 hdr_uaddr; /* userspace address containing the packet header */
  309. __u32 hdr_len;
  310. __u64 guest_uaddr; /* the destination guest memory region */
  311. __u32 guest_len;
  312. __u64 trans_uaddr; /* the incoming buffer memory region */
  313. __u32 trans_len;
  314. };
  315. 17. KVM_SEV_RECEIVE_FINISH
  316. --------------------------
  317. After completion of the migration flow, the KVM_SEV_RECEIVE_FINISH command can be
  318. issued by the hypervisor to make the guest ready for execution.
  319. Returns: 0 on success, -negative on error
  320. 18. KVM_SEV_SNP_LAUNCH_START
  321. ----------------------------
  322. The KVM_SNP_LAUNCH_START command is used for creating the memory encryption
  323. context for the SEV-SNP guest. It must be called prior to issuing
  324. KVM_SEV_SNP_LAUNCH_UPDATE or KVM_SEV_SNP_LAUNCH_FINISH;
  325. Parameters (in): struct kvm_sev_snp_launch_start
  326. Returns: 0 on success, -negative on error
  327. ::
  328. struct kvm_sev_snp_launch_start {
  329. __u64 policy; /* Guest policy to use. */
  330. __u8 gosvw[16]; /* Guest OS visible workarounds. */
  331. __u16 flags; /* Must be zero. */
  332. __u8 pad0[6];
  333. __u64 pad1[4];
  334. };
  335. See SNP_LAUNCH_START in the SEV-SNP specification [snp-fw-abi]_ for further
  336. details on the input parameters in ``struct kvm_sev_snp_launch_start``.
  337. 19. KVM_SEV_SNP_LAUNCH_UPDATE
  338. -----------------------------
  339. The KVM_SEV_SNP_LAUNCH_UPDATE command is used for loading userspace-provided
  340. data into a guest GPA range, measuring the contents into the SNP guest context
  341. created by KVM_SEV_SNP_LAUNCH_START, and then encrypting/validating that GPA
  342. range so that it will be immediately readable using the encryption key
  343. associated with the guest context once it is booted, after which point it can
  344. attest the measurement associated with its context before unlocking any
  345. secrets.
  346. It is required that the GPA ranges initialized by this command have had the
  347. KVM_MEMORY_ATTRIBUTE_PRIVATE attribute set in advance. See the documentation
  348. for KVM_SET_MEMORY_ATTRIBUTES for more details on this aspect.
  349. Upon success, this command is not guaranteed to have processed the entire
  350. range requested. Instead, the ``gfn_start``, ``uaddr``, and ``len`` fields of
  351. ``struct kvm_sev_snp_launch_update`` will be updated to correspond to the
  352. remaining range that has yet to be processed. The caller should continue
  353. calling this command until those fields indicate the entire range has been
  354. processed, e.g. ``len`` is 0, ``gfn_start`` is equal to the last GFN in the
  355. range plus 1, and ``uaddr`` is the last byte of the userspace-provided source
  356. buffer address plus 1. In the case where ``type`` is KVM_SEV_SNP_PAGE_TYPE_ZERO,
  357. ``uaddr`` will be ignored completely.
  358. Parameters (in): struct kvm_sev_snp_launch_update
  359. Returns: 0 on success, < 0 on error, -EAGAIN if caller should retry
  360. ::
  361. struct kvm_sev_snp_launch_update {
  362. __u64 gfn_start; /* Guest page number to load/encrypt data into. */
  363. __u64 uaddr; /* 4k-aligned address of data to be loaded/encrypted. */
  364. __u64 len; /* 4k-aligned length in bytes to copy into guest memory.*/
  365. __u8 type; /* The type of the guest pages being initialized. */
  366. __u8 pad0;
  367. __u16 flags; /* Must be zero. */
  368. __u32 pad1;
  369. __u64 pad2[4];
  370. };
  371. where the allowed values for page_type are #define'd as::
  372. KVM_SEV_SNP_PAGE_TYPE_NORMAL
  373. KVM_SEV_SNP_PAGE_TYPE_ZERO
  374. KVM_SEV_SNP_PAGE_TYPE_UNMEASURED
  375. KVM_SEV_SNP_PAGE_TYPE_SECRETS
  376. KVM_SEV_SNP_PAGE_TYPE_CPUID
  377. See the SEV-SNP spec [snp-fw-abi]_ for further details on how each page type is
  378. used/measured.
  379. 20. KVM_SEV_SNP_LAUNCH_FINISH
  380. -----------------------------
  381. After completion of the SNP guest launch flow, the KVM_SEV_SNP_LAUNCH_FINISH
  382. command can be issued to make the guest ready for execution.
  383. Parameters (in): struct kvm_sev_snp_launch_finish
  384. Returns: 0 on success, -negative on error
  385. ::
  386. struct kvm_sev_snp_launch_finish {
  387. __u64 id_block_uaddr;
  388. __u64 id_auth_uaddr;
  389. __u8 id_block_en;
  390. __u8 auth_key_en;
  391. __u8 vcek_disabled;
  392. __u8 host_data[32];
  393. __u8 pad0[3];
  394. __u16 flags; /* Must be zero */
  395. __u64 pad1[4];
  396. };
  397. See SNP_LAUNCH_FINISH in the SEV-SNP specification [snp-fw-abi]_ for further
  398. details on the input parameters in ``struct kvm_sev_snp_launch_finish``.
  399. 21. KVM_SEV_SNP_ENABLE_REQ_CERTS
  400. --------------------------------
  401. The KVM_SEV_SNP_ENABLE_REQ_CERTS command will configure KVM to exit to
  402. userspace with a ``KVM_EXIT_SNP_REQ_CERTS`` exit type as part of handling
  403. a guest attestation report, which will to allow userspace to provide a
  404. certificate corresponding to the endorsement key used by firmware to sign
  405. that attestation report.
  406. Returns: 0 on success, -negative on error
  407. NOTE: The endorsement key used by firmware may change as a result of
  408. management activities like updating SEV-SNP firmware or loading new
  409. endorsement keys, so some care should be taken to keep the returned
  410. certificate data in sync with the actual endorsement key in use by
  411. firmware at the time the attestation request is sent to SNP firmware. The
  412. recommended scheme to do this is to use file locking (e.g. via fcntl()'s
  413. F_OFD_SETLK) in the following manner:
  414. - Prior to obtaining/providing certificate data as part of servicing an
  415. exit type of ``KVM_EXIT_SNP_REQ_CERTS``, the VMM should obtain a
  416. shared/read or exclusive/write lock on the certificate blob file before
  417. reading it and returning it to KVM, and continue to hold the lock until
  418. the attestation request is actually sent to firmware. To facilitate
  419. this, the VMM can set the ``immediate_exit`` flag of kvm_run just after
  420. supplying the certificate data, and just before resuming the vCPU.
  421. This will ensure the vCPU will exit again to userspace with ``-EINTR``
  422. after it finishes fetching the attestation request from firmware, at
  423. which point the VMM can safely drop the file lock.
  424. - Tools/libraries that perform updates to SNP firmware TCB values or
  425. endorsement keys (e.g. via /dev/sev interfaces such as ``SNP_COMMIT``,
  426. ``SNP_SET_CONFIG``, or ``SNP_VLEK_LOAD``, see
  427. Documentation/virt/coco/sev-guest.rst for more details) in such a way
  428. that the certificate blob needs to be updated, should similarly take an
  429. exclusive lock on the certificate blob for the duration of any updates
  430. to endorsement keys or the certificate blob contents to ensure that
  431. VMMs using the above scheme will not return certificate blob data that
  432. is out of sync with the endorsement key used by firmware at the time
  433. the attestation request is actually issued.
  434. This scheme is recommended so that tools can use a fairly generic/natural
  435. approach to synchronizing firmware/certificate updates via file-locking,
  436. which should make it easier to maintain interoperability across
  437. tools/VMMs/vendors.
  438. Device attribute API
  439. ====================
  440. Attributes of the SEV implementation can be retrieved through the
  441. ``KVM_HAS_DEVICE_ATTR`` and ``KVM_GET_DEVICE_ATTR`` ioctls on the ``/dev/kvm``
  442. device node, using group ``KVM_X86_GRP_SEV``.
  443. The following attributes are currently implemented:
  444. * ``KVM_X86_SEV_VMSA_FEATURES``: return the set of all bits that
  445. are accepted in the ``vmsa_features`` of ``KVM_SEV_INIT2``.
  446. * ``KVM_X86_SEV_SNP_REQ_CERTS``: return a value of 1 if the kernel supports the
  447. ``KVM_EXIT_SNP_REQ_CERTS`` exit, which allows for fetching endorsement key
  448. certificates from userspace for each SNP attestation request the guest issues.
  449. Firmware Management
  450. ===================
  451. The SEV guest key management is handled by a separate processor called the AMD
  452. Secure Processor (AMD-SP). Firmware running inside the AMD-SP provides a secure
  453. key management interface to perform common hypervisor activities such as
  454. encrypting bootstrap code, snapshot, migrating and debugging the guest. For more
  455. information, see the SEV Key Management spec [api-spec]_
  456. The AMD-SP firmware can be initialized either by using its own non-volatile
  457. storage or the OS can manage the NV storage for the firmware using
  458. parameter ``init_ex_path`` of the ``ccp`` module. If the file specified
  459. by ``init_ex_path`` does not exist or is invalid, the OS will create or
  460. override the file with PSP non-volatile storage.
  461. References
  462. ==========
  463. See [white-paper]_, [api-spec]_, [amd-apm]_, [kvm-forum]_, and [snp-fw-abi]_
  464. for more info.
  465. .. [white-paper] https://developer.amd.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
  466. .. [api-spec] https://support.amd.com/TechDocs/55766_SEV-KM_API_Specification.pdf
  467. .. [amd-apm] https://support.amd.com/TechDocs/24593.pdf (section 15.34)
  468. .. [kvm-forum] https://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf
  469. .. [snp-fw-abi] https://www.amd.com/system/files/TechDocs/56860.pdf