AMD Secure Nested Paging IOMMU For SEV-SNP Lands In Linux 5.10
Written by Michael Larabel in AMD on 15 October 2020 at 06:39 AM EDT. 3 Comments
AMD --
In addition to Linux 5.10 supporting SEV-ES as the "encrypted state" for AMD EPYC's Secure Encrypted Virtualization, this kernel is also adding Secure Nested Paging (SNP) support to the AMD IOMMU driver as part of their next-generation SEV-SNP security.

AMD SEV-SNP is an effort to further boost virtual machine isolation and appears to likely be supported with upcoming AMD EPYC 7003 "Milan" processors based on the timing of their original SEV-SNP whitepaper earlier this year and now the timing of this SNP Linux kernel support. SEV-SNP builds on the original AMD SEV and SEV-ES to offer additional hardware-based memory integrity protections for fending off hypervisor-based attacks.

"The basic principle of SEV-SNP integrity is that if a VM is able to read a private (encrypted) page of memory, it must always read the value it last wrote.This means that if the VM wrote a value A to memory location X, whenever it later reads X it must either see the value A or it must get an exception indicating the memory could not be read. SEV-SNP is designed so that the VM should not be able to see a different value from memory location X," explains the SEV-SNP whitepaper from January 2020.


With Linux 5.10, the IOMMU driver changes add the Secure Nested Paging support to the AMD IOMMU code. The Linux kernel code will fault when a device tries DMA on memory owned by a guest. That came with the IOMMU PR for the ongoing Linux 5.10 merge window.

Further kernel changes for fully supporting AMD SEV-SNP are needed for this functionality that won't all be included in Linux 5.10 but at least the initial IOMMU side changes are now mainlined.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Popular News This Week