The Linux Kernel Now Seeing Patches For AMD SEV-ES "Encrypted State" Support
AMD has been posting Linux kernel patches for Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) since 2016~2017. Out this morning is the first public patch series wiring up the Linux kernel for SEV-ES, the next step up in virtualization encryption.
On top of the Secure Encrypted Virtualization support that's been plumbed into the mainline Linux kernel and related components for a while now, AMD and SUSE developers have sent out the patches today for SEV "Encrypted State" support.
AMD SEV-ES protects the guest's register state from the hypervisor: on a VM exit the CPU register state is saved in encrypted form, so the hypervisor can neither read nor modify it. The intent is to defeat attacks that tamper with a guest's saved VM state to hijack its control flow, that read the guest's register contents, and similar hypervisor-side attacks. SEV-ES does allow a guest to selectively share specific register values with the hypervisor for those exits (for example CPUID, port I/O and MSR accesses) where the hypervisor genuinely needs them.
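A practitioner's first question when these patches land is whether a given host or guest actually has SEV-ES. The following is an added example, not code from the article or from the SEV-ES patch series: it decodes the capability bits of CPUID leaf 0x8000001F and the guest-visible SEV status MSR (MSR_AMD64_SEV, 0xC0010131) as documented in the AMD64 Architecture Programmer's Manual. The sample register values are constructed, and the helper names (decode_sev_cpuid, sev_es_asid_count, decode_sev_status) are this example's own.

```c
/*
 * Added example, not code from the article or the SEV-ES patch series:
 * decode AMD SEV capability bits from CPUID leaf 0x8000001F and the
 * SEV status MSR (MSR_AMD64_SEV, 0xC0010131). Bit layouts follow the
 * AMD64 APM; the sample register values in main() are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CPUID_AMD_SEV_LEAF  0x8000001Fu
#define MSR_AMD64_SEV       0xC0010131u

/* CPUID Fn8000_001F, EAX: memory encryption feature bits */
#define CPUID_EAX_SME       (1u << 0)
#define CPUID_EAX_SEV       (1u << 1)
#define CPUID_EAX_SEV_ES    (1u << 3)
#define CPUID_EAX_SEV_SNP   (1u << 4)

/* MSR_AMD64_SEV status bits, as read from inside a guest */
#define SEV_STATUS_SEV_ENABLED     (1ull << 0)
#define SEV_STATUS_SEV_ES_ENABLED  (1ull << 1)
#define SEV_STATUS_SEV_SNP_ENABLED (1ull << 2)

struct sev_caps {
    bool sme, sev, sev_es, sev_snp;
    unsigned cbit_pos;            /* EBX[5:0]: page-table bit marking a page encrypted (the C-bit) */
    unsigned phys_addr_reduction; /* EBX[11:6]: physical address bits consumed by encryption */
    uint32_t max_sev_asid;        /* ECX: number of encrypted guests supported at once */
    uint32_t min_sev_asid;        /* EDX: lowest ASID usable by a SEV-only (non-ES) guest */
};

/* Decode the four registers returned by CPUID leaf 0x8000001F. */
struct sev_caps decode_sev_cpuid(uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    struct sev_caps c;
    c.sme     = (eax & CPUID_EAX_SME) != 0;
    c.sev     = (eax & CPUID_EAX_SEV) != 0;
    c.sev_es  = (eax & CPUID_EAX_SEV_ES) != 0;
    c.sev_snp = (eax & CPUID_EAX_SEV_SNP) != 0;
    c.cbit_pos = ebx & 0x3fu;
    c.phys_addr_reduction = (ebx >> 6) & 0x3fu;
    c.max_sev_asid = ecx;
    c.min_sev_asid = edx;
    return c;
}

/* ASIDs 1 .. min_sev_asid-1 are reserved for SEV-ES guests, so this is how
 * many SEV-ES guests a host can run concurrently; 0 if SEV-ES is absent. */
uint32_t sev_es_asid_count(const struct sev_caps *c)
{
    if (!c->sev_es || c->min_sev_asid == 0)
        return 0;
    return c->min_sev_asid - 1;
}

/* Mask a guest ORs into a page-table entry to keep that page private. */
uint64_t sev_cbit_mask(const struct sev_caps *c)
{
    return c->sev ? (1ull << c->cbit_pos) : 0;
}

enum sev_mode { SEV_MODE_NONE, SEV_MODE_SEV, SEV_MODE_SEV_ES, SEV_MODE_SEV_SNP };

/* Map the status MSR to the strongest protection actually active in the guest. */
enum sev_mode decode_sev_status(uint64_t msr)
{
    if (msr & SEV_STATUS_SEV_SNP_ENABLED) return SEV_MODE_SEV_SNP;
    if (msr & SEV_STATUS_SEV_ES_ENABLED)  return SEV_MODE_SEV_ES;
    if (msr & SEV_STATUS_SEV_ENABLED)     return SEV_MODE_SEV;
    return SEV_MODE_NONE;
}

const char *sev_mode_name(enum sev_mode m)
{
    static const char *names[] = { "none", "SEV", "SEV-ES", "SEV-SNP" };
    return names[m];
}

#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
#include <cpuid.h>
/* Query the live leaf; returns false if the CPU does not expose it. */
static bool read_live_sev_cpuid(struct sev_caps *out)
{
    unsigned a, b, c, d;
    if (__get_cpuid_max(0x80000000u, NULL) < CPUID_AMD_SEV_LEAF)
        return false;
    __cpuid(CPUID_AMD_SEV_LEAF, a, b, c, d);
    *out = decode_sev_cpuid(a, b, c, d);
    return true;
}
#endif

int main(void)
{
    /* Constructed sample: SME+SEV+SEV-ES, C-bit 47, 5 address bits lost,
     * 509 SEV ASIDs, SEV-only ASIDs start at 100 (so 99 SEV-ES ASIDs). */
    struct sev_caps c = decode_sev_cpuid(0x0000000Bu, 0x16Fu, 509u, 100u);
    printf("sme=%d sev=%d sev_es=%d snp=%d cbit=%u sev_es_asids=%u\n",
           c.sme, c.sev, c.sev_es, c.sev_snp, c.cbit_pos, sev_es_asid_count(&c));
    printf("status MSR 0x3 -> %s\n", sev_mode_name(decode_sev_status(0x3)));
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    struct sev_caps live;
    if (read_live_sev_cpuid(&live))
        printf("live CPUID: sev=%d sev_es=%d cbit=%u\n", live.sev, live.sev_es, live.cbit_pos);
    else
        printf("live CPUID: leaf 0x8000001F not exposed on this CPU\n");
#endif
    return 0;
}
```

Two caveats matter here. CPUID results seen by a SEV or SEV-ES guest are supplied by the hypervisor, so the CPUID decode is a capability sanity check, not proof that a guest is protected. The status MSR is what the Linux guest kernel consults at early boot and reports in its encryption feature message in dmesg; but the only trustworthy evidence that a guest really runs with SEV-ES is the launch attestation from the AMD secure processor, not anything the guest reads about itself.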
SEV-ES is supported by EPYC CPUs, but the Linux kernel support has taken some time to plumb. Patches are also still coming out to add SEV-ES support to the Kernel-based Virtual Machine (KVM) code, and other hypervisors will need updating to handle SEV Encrypted State as well.
The 62 patches posted today go further into the technical details of SEV-ES. The intent now is to get more public code review of the changes; there are known issues with the current code that can lead to crashes, along with other shortcomings still being addressed.
Further technical information on SEV-ES can be found in the AMD64 Architecture Programmer's Manual (APM). At a higher level, there is a late 2017 presentation by AMD's Thomas Lendacky covering SEV-ES, for those wanting more background on this long work-in-progress feature for Linux hypervisors.
Given the amount of work still ahead and the code review needed on these dozens of patches, it's not clear whether the work will settle in time for the Linux 5.7 cycle this spring; otherwise it will likely land in a kernel release later in 2020.