AMD Secure Encrypted Virtualization Updated For Linux

Brijesh Singh of AMD today published the third revision of the patches implementing Secure Encrypted Virtualization (SEV) for the Linux kernel. SEV encrypts the memory contents of a guest VM with a key unique to each guest. As Singh further describes, "SEV guests have a concept of private and shared memory. Private memory is encrypted with the guest-specific key, while shared memory may be encrypted with the hypervisor key. Certain types of memory (namely instruction pages and guest page tables) are always treated as private. For security reasons all DMA operations inside the guest must be performed on shared memory."
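As an added illustration (not code from Singh's patch set), the following user-space C model shows how the private/shared split in the quote is encoded: SEV marks a page private by setting the "C-bit" in its guest page-table entry (bit 47 on first-generation Epyc, reported by CPUID Fn8000_001F EBX[5:0]), code and page-table pages are forced private, and DMA is only permitted on a page with the bit clear. The function and enum names are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* C-bit position assumed here for first-generation Epyc; real guest code
 * must read it from CPUID Fn8000_001F EBX[5:0] instead of hard-coding it. */
#define SEV_C_BIT_POS 47ULL
#define SEV_C_BIT     (1ULL << SEV_C_BIT_POS)
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITABLE  (1ULL << 1)
#define PTE_NX        (1ULL << 63)
#define PFN_MASK      0x000FFFFFFFFFF000ULL  /* bits 51:12 of a 4K x86-64 PTE */

enum page_use { PAGE_CODE, PAGE_PAGE_TABLE, PAGE_DATA, PAGE_DMA };

/* Build a guest PTE for a 4K page. Private pages carry the C-bit so the
 * hardware encrypts them with the guest key; shared pages leave it clear.
 * Instruction pages and page tables are private whatever the caller asks. */
static uint64_t sev_make_pte(uint64_t phys, enum page_use use, bool shared)
{
    uint64_t pte = (phys & PFN_MASK) | PTE_PRESENT;
    if (use != PAGE_CODE)
        pte |= PTE_NX;
    if (use != PAGE_CODE && use != PAGE_PAGE_TABLE)
        pte |= PTE_WRITABLE;
    if (!shared || use == PAGE_CODE || use == PAGE_PAGE_TABLE)
        pte |= SEV_C_BIT;
    return pte;
}

static bool sev_pte_is_private(uint64_t pte)
{
    return (pte & SEV_C_BIT) != 0;
}

/* Physical frame address with the C-bit stripped: SEV reduces the guest's
 * usable physical address width, so bit 47 is never part of a real frame. */
static uint64_t sev_pte_phys(uint64_t pte)
{
    return pte & PFN_MASK & ~SEV_C_BIT;
}

/* A device (or the hypervisor on its behalf) has no guest key, so DMA into
 * a private page would write ciphertext garbage: only shared pages qualify. */
static bool sev_dma_allowed(uint64_t pte)
{
    return (pte & PTE_PRESENT) && !sev_pte_is_private(pte);
}
```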
Secure Encrypted Virtualization builds upon Secure Memory Encryption (SME), another new AMD Epyc feature that has also yet to be mainlined. The latest SME patches can be found here.
Hopefully SME and SEV will be ready for merging in the Linux 4.14 cycle, as it is now too late for 4.13. Those fortunate enough to have their hands on Epyc can find the latest patches via this kernel mailing list post.