16 Enhancing virtual machine security with AMD SEV-SNP #
You can enhance the security of your virtual machines with AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). The AMD SEV-SNP feature isolates virtual machines from the host system and other VMs, protecting the data and code. This feature encrypts data and ensures that all changes with the code and data in the VM are detected or tracked. Since this isolates VMs, the other VMs or the host machine are not affected by threats.
This section explains the steps to enable and use AMD SEV-SNP on your AMD EPYC server with SUSE Linux Enterprise Server 15 SP7.
16.1 Supported hardware #
A system with an AMD EPYC (3rd Gen or newer) is required to run AMD SEV-SNP virtual machines. The BIOS of the AMD machine must provide the necessary options to enable support for confidential computing on the platform.
16.2 Setting up the base system #
The VM Host Server requires minor configuration changes prior to running AMD SEV-SNP enabled VM Guests.
The default IOMMU configuration in SUSE Linux Enterprise Server 15 SP7 is passthrough mode.
To use the AMD SEV-SNP feature, the IOMMU must be configured in non-passthrough mode.
This is required to prevent peripheral devices from accessing memory that belongs to an encrypted VM Guest,
compromising its data integrity. The MSR kernel module is required to use the optional snphost
tool.
To automatically load the
msr
module at boot:>
sudo
echo "msr" > /etc/modules-load.d/msr.conf
To disable the IOMMU configuration in SUSE Linux Enterprise Server 15 SP7, open the
/etc/default/grub
file and addiommu=nopt
to theGRUB_CMDLINE_LINUX_DEFAULT
variable.To update the bootloader configuration, run the command:
>
sudo
;update-bootloader
The system is now ready to be restarted with the confidential computing kernel. It is not selected as the default kernel in the bootloader, so be sure to select it in the boot menu.
16.3 Verifying setup #
You can verify the installation and configuration of the VM Host Server using dmesg or
the optional snphost
tool.
To check the initialization result of the AMD Secure Processor in the kernel log when the kernel is running, run the command:
>
sudo
dmesg | grep -i ccp
[ 10.103166] ccp 0000:42:00.1: enabling device (0000 -> 0002) [ 10.114951] ccp 0000:42:00.1: no command queues available [ 10.127137] ccp 0000:42:00.1: sev enabled [ 10.133152] ccp 0000:42:00.1: psp enabled [ 10.240817] ccp 0000:42:00.1: SEV firmware update successful [ 11.128307] ccp 0000:42:00.1: SEV API:1.55 build:8 [ 11.135057] ccp 0000:42:00.1: SEV-SNP API:1.55 build:8The message about the SEV-SNP API version indicates the successful initialization of the AMD Secure Processor. Sometimes it happens that these messages do not appear in the kernel log. In this case, the BIOS settings or the IOMMU configuration are often the root cause.
16.4 Launching an AMD SEV-SNP virtual machine #
You can run AMD SEV-SNP protected virtual machines using the libvirt
framework once the
confidential computing kernel is booted and the AMD Secure Processor is initialized.
libvirt
has several ways of setting up new virtual machines. This document uses a prepared
disk image and the virt-manager graphical user interface.
Connect virt-manager to the AMD EPYC host and create a new virtual machine.
In the Create a new virtual machine window, select the details:
Select how you want to install the operating system.
Select the ISO or CD-ROM install media.
Select the memory and CPU settings.
Select the required storage details.
In the fifth step, verify the details and select Customize configuration before install.
Figure 16.1: Create Virtual Machine #Click Finish.
Select the XML tab in the virtual machine configuration window.
In the XML tab, you can edit the XML configuration of the virtual machine used by the
libvirt
back-end.Figure 16.2: view of virtual machine configuration #To protect the virtual machine with AMD SEV-SNP, set the correct firmware by modifying the
os
section as shown below:Figure 16.3: Set firmware #The
loader
line sets the firmware to the SEV version of OVMF.Add a
launchSecurity
section. For AMD SEV-SNP, the section looks like this:Figure 16.4: launchSecurity #Click Apply and then click the Details tab.
Select CPUs in the left-hand list and set the CPU Model to
host-model
:Figure 16.5: The view of virtual machine configuration #Click Apply and then click Begin Installation.
This starts the virtual machine and installs it according to your settings. The virtual machine boots up once the process is complete, and you can verify the AMD SEV-SNP protection.
16.5 Verifying the AMD SEV-SNP virtual machine #
From the appearance of the virtual machine, one cannot tell whether it runs in a confidential computing environment. But there are several ways to verify that from within the virtual machine.
To check the kernel log, run the command:
>
sudo
dmesg | grep -i sev-snp
[ 1.986186] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP
The presence of the SEV-SNP feature in the kernel log, among other active memory encryption features, shows that it is active for the virtual machine.
There are also cryptographically secure ways to prove the security of the AMD SEV-SNP environment.