AMD Secure Nested Paging IOMMU For SEV-SNP Lands In Linux 5.10

Written by Michael Larabel in AMD on 15 October 2020 at 06:39 AM EDT. 3 Comments
AMD
In addition to Linux 5.10 supporting SEV-ES as the "encrypted state" for AMD EPYC's Secure Encrypted Virtualization, this kernel is also adding Secure Nested Paging (SNP) support to the AMD IOMMU driver as part of their next-generation SEV-SNP security.

AMD SEV-SNP is an effort to further boost virtual machine isolation and appears to likely be supported with upcoming AMD EPYC 7003 "Milan" processors based on the timing of their original SEV-SNP whitepaper earlier this year and now the timing of this SNP Linux kernel support. SEV-SNP builds on the original AMD SEV and SEV-ES to offer additional hardware-based memory integrity protections for fending off hypervisor-based attacks.

"The basic principle of SEV-SNP integrity is that if a VM is able to read a private (encrypted) page of memory, it must always read the value it last wrote.This means that if the VM wrote a value A to memory location X, whenever it later reads X it must either see the value A or it must get an exception indicating the memory could not be read. SEV-SNP is designed so that the VM should not be able to see a different value from memory location X," explains the SEV-SNP whitepaper from January 2020.


With Linux 5.10, the IOMMU driver changes add the Secure Nested Paging support to the AMD IOMMU code. The Linux kernel code will fault when a device tries DMA on memory owned by a guest. That came with the IOMMU PR for the ongoing Linux 5.10 merge window.

Further kernel changes for fully supporting AMD SEV-SNP are needed for this functionality that won't all be included in Linux 5.10 but at least the initial IOMMU side changes are now mainlined.
3 Comments
Related News
ASUS TUF GAMING X670E PLUS Seeing Linux Sensors Support
AMD Hardware Feedback Interface "HFI" Patches Updated For The Linux Kernel
AMD P-State Driver Improvements Getting Ready For Linux 6.14
New AMD XDNA Linux Driver Patches Add Ryzen AI NPU6 IP, Other Improvements
AMD NPU Firmware Upstreamed For The Ryzen AI AMDXDNA Driver Coming In Linux 6.14
AMD Per-Core Energy Counter Support Slated For Linux 6.14
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
Linus Torvalds Comes Out Against "Completely Broken" x86_64 Feature Levels
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
COSMIC Alpha 4 Released For System76's Rust-Based Desktop
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
KDE Starts December By Landing A Number Of New Features