
Initial AMD SEV-SNP KVM Guest VM Support Merged Into Linux 6.11

([Virtualization] 5 Hours Ago KVM Updates)


The Kernel-based Virtual Machine (KVM) updates for Linux 6.11 have been merged and it's a very exciting one for AMD EPYC servers with [1]SEV-SNP guest VM support finally being in the mainline kernel.

Separately, merged for Linux 6.11 last week was [2]support for running the kernel in a SEV-SNP guest via SVSM, the Secure VM Service Module. The SEV-SNP guest support on the KVM side, meanwhile, hit Linux 6.11 Git this weekend.

The KVM guest support for Secure Encrypted Virtualization Secure Nested Paging (SEV-SNP) is very exciting: AMD long maintained it out-of-tree while working through a lengthy review process, across a number of revisions, to get the code into shape for the mainline kernel.

Long story short, Linux 6.11 is a great kernel upgrade for those making use of virtualization on EPYC 7003 "Milan" processors and newer. The KVM pull request sums up the initial AMD SEV-SNP guest VM support as:

"Base support for running SEV-SNP guests. API-wise, this includes a new KVM_X86_SNP_VM type, encrypting/measuring the initial image into guest memory, and finalizing it before launching it. Internally, there are some gmem/mmu hooks needed to prepare gmem-allocated pages before mapping them into guest private memory ranges.

This includes basic support for attestation guest requests, enough to say that KVM supports the GHCB 2.0 specification.

There is no support yet for loading into the firmware those signing keys to be used for attestation requests, and therefore no need yet for the host to provide certificate data for those keys.

To support fetching certificate data from userspace, a new KVM exit type will be needed to handle fetching the certificate from userspace.

An attempt to define a new KVM_EXIT_COCO / KVM_EXIT_COCO_REQ_CERTS exit type to handle this was introduced in v1 of this patchset, but is still being discussed by the community, so for now this patchset only implements a stub version of SNP Extended Guest Requests that does not provide certificate data."

So look for more improvements still over forthcoming kernel cycles.

Linux 6.11 KVM also adds ARM infrastructure for shadow stage-2 MMUs, fixes for x86 Xen emulation, NUMA-aware per-CPU save area allocations on AMD, enables halt poll shrinking by default, and various other improvements. See [3]this Git merge for more details on the Linux 6.11 KVM feature updates.



[1] https://www.phoronix.com/search/SEV-SNP

[2] https://www.phoronix.com/news/AMD-SEV-SNP-SVSM-Linux-6.11

[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2c9b3512402ed192d1f43f4531fb5da947e72bd0


