Fedora 41 Aims To Ship AMD SEV-SNP Confidential Virtualization Host Support
- News link: https://www.phoronix.com/news/AMD-SEV-SNP-Fedora-41-Plan
With the release of [1]Fedora 41 in October, the Red Hat sponsored Linux distribution hopes to have all the software pieces aligned so that its AMD [2]SEV-SNP virtualization stack is fully in place for this latest iteration of Secure Encrypted Virtualization.
If all goes according to newly-filed plans, Fedora 41 this autumn should ship with confidential virtualization host support for AMD SEV-SNP. This is possible because all of the relevant upstream pieces are finally coming together. As noted recently on Phoronix, [3]Linux 6.11 will bring the AMD SEV-SNP KVM guest bits. QEMU 9.1 is working its way toward release in the coming months with its SEV-SNP feature integration complete. Libvirt's SEV-SNP support is also crossing the finish line this summer. Fedora 41 additionally plans to ship updated Coconut SVSM, IGVM, and EDK2 packages to round out the SEV-SNP support.
The change proposal was posted today to the [5]Fedora Wiki for having this SEV-SNP support in Fedora 41:
"This enables Fedora virtualization hosts to launch confidential virtual machines using AMD's SEV-SNP technology. Confidential virtualization prevents admins with root shell access, or a compromised host software stack, from accessing memory of any running guest. SEV-SNP is an evolution of previously provided SEV and SEV-ES technologies providing stronger protection and unlocking new features such as a secure virtual TPM.
...
Fedora has provided support for launching confidential virtual machines using KVM on x86_64 hosts for several years, using the SEV and SEV-ES technologies available from AMD CPUs. These technologies have a number of design limitations, however, that make them less secure than is desired, and prevent exposure of desirable features such as secure TPMs. The SEV-SNP technology is a significant design enhancement and architectural change to address the key gaps, increasing security and unlocking more powerful use cases for confidential virtual machines."
SEV-SNP is indeed a nice upgrade over the earlier SEV and SEV-ES capabilities.
It's great seeing all the upstream software bits finally coming together for SEV-SNP, which has been supported on AMD EPYC server processors since the EPYC 7003 "Milan" series. Other Linux distributions releasing in Q3~Q4 and later should in turn be able to tap into this upstream support for the newest Secure Encrypted Virtualization functionality.
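As an added illustration (not from the article or the Fedora change proposal) of what the host support enables, here is how a confidential guest would be described to a libvirt release carrying the SEV-SNP support mentioned above; the element names follow libvirt's sev-snp launchSecurity schema, while the domain name, memory size, and the cbitpos/reducedPhysBits values are assumptions for this example and must be taken from the actual host.

```xml
<!-- Constructed example domain fragment; not from the article or the Fedora proposal. -->
<domain type='kvm'>
  <name>snp-guest-example</name>
  <memory unit='GiB'>4</memory>
  <vcpu>2</vcpu>
  <os firmware='efi'>
    <!-- An OVMF build with SNP support is required (the EDK2 package the article mentions). -->
    <type arch='x86_64' machine='q35'>hvm</type>
  </os>
  <!-- Host-specific values: libvirt reports them in `virsh domcapabilities` under
       <sev>; 51 and 1 are typical for EPYC but are assumed here. -->
  <launchSecurity type='sev-snp'>
    <cbitpos>51</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
    <!-- Guest policy, per the AMD SEV-SNP firmware ABI GUEST_POLICY layout:
           bit 16 SMT            = 1  (guest may run on SMT-enabled hosts)
           bit 17 reserved       = 1  (must always be set)
           bit 18 MIGRATE_MA     = 0  (no migration agent)
           bit 19 DEBUG          = 0  (host cannot decrypt guest memory for debugging,
                                       which is what upholds the "root on the host
                                       cannot read guest memory" property quoted above)
           bit 20 SINGLE_SOCKET  = 0
         Result: 0x00030000, which is also libvirt's default when the element is omitted. -->
    <policy>0x00030000</policy>
  </launchSecurity>
</domain>
```

Leaving the DEBUG bit clear is the setting a defender should verify in any SEV-SNP guest definition, since a policy with bit 19 set re-enables host-side access to guest memory.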
[1] https://www.phoronix.com/search/Fedora+41
[2] https://www.phoronix.com/search/SEV-SNP
[3] https://www.phoronix.com/news/Linux-611-AMD-SEV-SNP-KVM-Guest
[5] https://fedoraproject.org/wiki/Changes/ConfidentialVirtHostAMDSEVSNP