documentation.suse.com / SUSE Linux Enterprise Server Documentation / Virtualization Guide / Managing virtual machines with libvirt / Enhancing virtual machine security with AMD SEV-SNP
Applies to SUSE Linux Enterprise Server 15 SP7

16 Enhancing virtual machine security with AMD SEV-SNP

  

You can enhance the security of your virtual machines with AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). The AMD SEV-SNP feature isolates virtual machines from the host system and other VMs, protecting the data and code. This feature encrypts data and ensures that all changes with the code and data in the VM are detected or tracked. Since this isolates VMs, the other VMs or the host machine are not affected by threats.

This section explains the steps to enable and use AMD SEV-SNP on your AMD EPYC server with SUSE Linux Enterprise Server 15 SP7.

16.1 Supported hardware

  

A system with an AMD EPYC (3rd Gen or newer) is required to run AMD SEV-SNP virtual machines. The BIOS of the AMD machine must provide the necessary options to enable support for confidential computing on the platform.

16.2 Setting up the base system

  

The VM Host Server requires minor configuration changes prior to running AMD SEV-SNP enabled VM Guests. The default IOMMU configuration in SUSE Linux Enterprise Server 15 SP7 is passthrough mode. To use the AMD SEV-SNP feature, the IOMMU must be configured in non-passthrough mode. This is required to prevent peripheral devices from accessing memory that belongs to an encrypted VM Guest, compromising its data integrity. The MSR kernel module is required to use the optional snphost tool.

  1. To automatically load the msr module at boot: 

    > sudo  echo "msr" > /etc/modules-load.d/msr.conf

  2. To disable the IOMMU configuration in SUSE Linux Enterprise Server 15 SP7, open the /etc/default/grub file and add iommu=nopt to the GRUB_CMDLINE_LINUX_DEFAULT variable.

  3. To update the bootloader configuration, run the command: 

    > sudo ; update-bootloader

  4. The system is now ready to be restarted with the confidential computing kernel. It is not selected as the default kernel in the bootloader, so be sure to select it in the boot menu.

16.3 Verifying setup

  

You can verify the installation and configuration of the VM Host Server using dmesg or the optional snphost tool.

  • To check the initialization result of the AMD Secure Processor in the kernel log when the kernel is running, run the command: 

    > sudo  dmesg | grep -i ccp
[ 10.103166] ccp 0000:42:00.1: enabling device (0000 -> 0002)
[ 10.114951] ccp 0000:42:00.1: no command queues available
[ 10.127137] ccp 0000:42:00.1: sev enabled
[ 10.133152] ccp 0000:42:00.1: psp enabled
[ 10.240817] ccp 0000:42:00.1: SEV firmware update successful
[ 11.128307] ccp 0000:42:00.1: SEV API:1.55 build:8
[ 11.135057] ccp 0000:42:00.1: SEV-SNP API:1.55 build:8

    The message about the SEV-SNP API version indicates the successful initialization of the AMD Secure Processor. Sometimes it happens that these messages do not appear in the kernel log. In this case, the BIOS settings or the IOMMU configuration are often the root cause.

16.4 Launching an AMD SEV-SNP virtual machine

  

You can run AMD SEV-SNP protected virtual machines using the libvirt framework once the confidential computing kernel is booted and the AMD Secure Processor is initialized.

libvirt has several ways of setting up new virtual machines. This document uses a prepared disk image and the virt-manager graphical user interface.

  1. Connect virt-manager to the AMD EPYC host and create a new virtual machine.

  2. In the Create a new virtual machine window, select the details:

    • Select how you want to install the operating system.

    • Select the ISO or CD-ROM install media.

    • Select the memory and CPU settings.

    • Select the required storage details.

  3. In the fifth step, verify the details and select Customize configuration before install.

    Select Customize configuration before install
    Figure 16.1: Create Virtual Machine
      

  4. Click Finish.

  5. Select the XML tab in the virtual machine configuration window.

    In the XML tab, you can edit the XML configuration of the virtual machine used by the libvirt back-end.

    Click XML tab
    Figure 16.2: XML view of virtual machine configuration
      

  6. To protect the virtual machine with AMD SEV-SNP, set the correct firmware by modifying the os section as shown below:

    Set firmware
    Figure 16.3: Set firmware
      

    The loader line sets the firmware to the SEV version of OVMF.

  7. Add a launchSecurity section. For AMD SEV-SNP, the section looks like this:

    Add launchSecurity
    Figure 16.4: launchSecurity
      

  8. Click Apply and then click the Details tab.

  9. Select CPUs in the left-hand list and set the CPU Model to host-model:

    Select CPU model
    Figure 16.5: The Details view of virtual machine configuration
      

  10. Click Apply and then click Begin Installation.

    This starts the virtual machine and installs it according to your settings. The virtual machine boots up once the process is complete, and you can verify the AMD SEV-SNP protection.

16.5 Verifying the AMD SEV-SNP virtual machine

  

From the appearance of the virtual machine, one cannot tell whether it runs in a confidential computing environment. But there are several ways to verify that from within the virtual machine.

To check the kernel log, run the command: 

> sudo  dmesg | grep -i sev-snp
[ 1.986186] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP

The presence of the SEV-SNP feature in the kernel log, among other active memory encryption features, shows that it is active for the virtual machine.

There are also cryptographically secure ways to prove the security of the AMD SEV-SNP environment.

Documentation survey