AMD Advances Confidential Computing In Linux 6.11 With SEV-SNP + SVSM Guest Support
([AMD] 3 Hours Ago
Secure VM Service Module)
- Reference: 0001478916
- News link: https://www.phoronix.com/news/AMD-SEV-SNP-SVSM-Linux-6.11
- Source link:
The AMD Secure Encrypted Virtualization (SEV) changes have been submitted for the recently opened [1]Linux 6.11 merge window. Notable this cycle is getting support in the mainline kernel for SEV-SNP guest support over a Secure VM Service Module (SVSM).
As reported on a few months back, the mainline kernel support around Secure Encrypted Virtualization Secure Nested Paging (SEV-SNP) was nearing " [2]the ultimate goal of the AMD confidential computing side, providing the most comprehensive confidential computing environment up to date. " While the hope then was to have it all buttoned up for Linux 6.10, now with Linux 6.11 it appears to be that way with the SEV-SNP guest bits landing.
AMD Linux engineer Borislav Petkov today sent out the [3]x86/sev pull request and explained:
"Add support for running the kernel in a SEV-SNP guest, over a Secure VM Service Module (SVSM).
When running over a SVSM, different services can run at different protection levels, apart from the guest OS but still within the secure SNP environment. They can provide services to the guest, like a vTPM, for example.
This series adds the required facilities to interface with such a SVSM module."
That pull as of minutes ago was merged to Linux 6.11 Git.
[4]
Additionally, to be sent in separately as part of the KVM updates for Linux 6.11 is the long-awaited [5]SEV-SNP KVM guest support for the mainline kernel. That's been a long time coming and up to now maintained out-of-tree by AMD while it went through the lengthy review process.
For the Secure VM Service Module, AMD does maintain [6]this repository providing a Linux SVSM module for secure x86 virtualization in Rust and their newer solution is the [7]COCONUT SVSM for confidential VMs.
[8]SEV-SNP is found with AMD EPYC processors since the EPYC 7003 "Milan" series for providing greater security for virtual machines.
[1] https://www.phoronix.com/search/Linux+6.11
[2] https://www.phoronix.com/news/AMD-EPYC-SEV-SNP-CoCo
[3] https://lore.kernel.org/lkml/20240716095557.GAZpZDrdC3HA0Zilxr@fat_crate.local/
[4] https://www.phoronix.com/image-viewer.php?id=2024&image=amd_epyc_sev_snp_lrg
[5] https://www.phoronix.com/news/Linux-611-AMD-SEV-SNP-KVM-Guest
[6] https://github.com/AMDESE/linux-svsm
[7] https://github.com/coconut-svsm/svsm
[8] https://www.phoronix.com/search/SEV-SNP
As reported on a few months back, the mainline kernel support around Secure Encrypted Virtualization Secure Nested Paging (SEV-SNP) was nearing " [2]the ultimate goal of the AMD confidential computing side, providing the most comprehensive confidential computing environment up to date. " While the hope then was to have it all buttoned up for Linux 6.10, now with Linux 6.11 it appears to be that way with the SEV-SNP guest bits landing.
AMD Linux engineer Borislav Petkov today sent out the [3]x86/sev pull request and explained:
"Add support for running the kernel in a SEV-SNP guest, over a Secure VM Service Module (SVSM).
When running over a SVSM, different services can run at different protection levels, apart from the guest OS but still within the secure SNP environment. They can provide services to the guest, like a vTPM, for example.
This series adds the required facilities to interface with such a SVSM module."
That pull as of minutes ago was merged to Linux 6.11 Git.
[4]
Additionally, to be sent in separately as part of the KVM updates for Linux 6.11 is the long-awaited [5]SEV-SNP KVM guest support for the mainline kernel. That's been a long time coming and up to now maintained out-of-tree by AMD while it went through the lengthy review process.
For the Secure VM Service Module, AMD does maintain [6]this repository providing a Linux SVSM module for secure x86 virtualization in Rust and their newer solution is the [7]COCONUT SVSM for confidential VMs.
[8]SEV-SNP is found with AMD EPYC processors since the EPYC 7003 "Milan" series for providing greater security for virtual machines.
[1] https://www.phoronix.com/search/Linux+6.11
[2] https://www.phoronix.com/news/AMD-EPYC-SEV-SNP-CoCo
[3] https://lore.kernel.org/lkml/20240716095557.GAZpZDrdC3HA0Zilxr@fat_crate.local/
[4] https://www.phoronix.com/image-viewer.php?id=2024&image=amd_epyc_sev_snp_lrg
[5] https://www.phoronix.com/news/Linux-611-AMD-SEV-SNP-KVM-Guest
[6] https://github.com/AMDESE/linux-svsm
[7] https://github.com/coconut-svsm/svsm
[8] https://www.phoronix.com/search/SEV-SNP
oleid