From Fedora Project Wiki
 
(48 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= Confidential Virtualization Host with AMD SEV-SNP =
= Confidential Virtualization Host with AMD SEV-SNP =
{{Change_Proposal_Banner}}


== Summary ==
== Summary ==
Line 10: Line 8:
* Name: [[User:berrange| Daniel P. Berrangé]]
* Name: [[User:berrange| Daniel P. Berrangé]]
* Email: berrange@redhat.com
* Email: berrange@redhat.com
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
-->


== Current status ==
== Current status ==
[[Category:ChangePageIncomplete]]
<!-- Select proper category, default is Self Contained Change -->
[[Category:SelfContainedChange]]
[[Category:SelfContainedChange]]
<!-- [[Category:SystemWideChange]] -->
[[Category:ChangeAcceptedF42]]


* Targeted release: [https://docs.fedoraproject.org/en-US/releases/f41/ Fedora Linux 41]
* Targeted release: [https://docs.fedoraproject.org/en-US/releases/f42/ Fedora Linux 42]
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 29: Line 21:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* [Announced]
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/QBDGTXHFVDUJSFLHHOCHSFTNROQUGUQC/ Announced]
* [<will be assigned by the Wrangler> Discussion thread]
* [https://discussion.fedoraproject.org/t/f41-change-proposal-confidential-virtualization-host-with-amd-sev-snp-self-contained/120326 Discussion thread]
* FESCo issue: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/3236 #3236]
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2298853 #2298853]
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>


Line 38: Line 30:
Fedora has provided support for launching confidential virtual machines using KVM on x86_64 hosts for several years, using the SEV and SEV-ES technologies available from AMD CPUs. These technologies have a number of design limitations, however, that make them less secure than is desired, and prevent exposure of desirable features such as secure TPMs. The SEV-SNP technology is a significant design enhancement and architectural change to addresses the key gaps, increasing security and unlocking more powerful use cases for confidential virtual machines.  
Fedora has provided support for launching confidential virtual machines using KVM on x86_64 hosts for several years, using the SEV and SEV-ES technologies available from AMD CPUs. These technologies have a number of design limitations, however, that make them less secure than is desired, and prevent exposure of desirable features such as secure TPMs. The SEV-SNP technology is a significant design enhancement and architectural change to addresses the key gaps, increasing security and unlocking more powerful use cases for confidential virtual machines.  


With SEV/SEV-ES, attestation of the launched VM has to be initiated from the host, which means for a guest owner to attest their VM, they need to rely on API services exposed by the virtualization management stack which will vary across applications. With SEV-SNP, guest owners can initiated attestation from within guest context, providing a standard mechanism across any environment running SEV-SNP.  
With SEV/SEV-ES, attestation of the launched VM has to be initiated from the host, which means for a guest owner to attest their VM, they need to rely on API services exposed by the virtualization management stack which will vary across applications. With SEV-SNP, guest owners can initiate attestation from within guest context, providing a standard mechanism across any virtualization environment running SEV-SNP, avoiding a reliance on any host platform tools/APIs.  


The SEV-SNP technology also unlocks the ability to have a paravisor run in guest context, which is a miniature OS that runs at a higher privilege level (VMPL 0) than the guest firmware / OS (VMPL 3). The paravisor, specifically the Coconut SVSM implementation, is able to expose trusted services to the guest, which remain inaccessible to the host. This makes it possible to provide a secure virtual TPM for confidential guests, thus allowing guest OS software to be better secured than is the case with normal virtual TPMs running in host OS context.
<strike>The SEV-SNP technology also unlocks the ability to have a paravisor run in guest context, which is a miniature OS that runs at a higher privilege level (VMPL 0) than the guest firmware / OS (VMPL 3). The paravisor, specifically the [https://github.com/coconut-svsm/svsm Coconut SVSM] implementation, is able to expose trusted services to the guest firmware and OS, which also remain inaccessible to the host. This makes it possible to provide a secure virtual TPM for confidential guests, thus allowing guest OS software to be better secured than is the case with normal virtual TPMs running in host OS context.</strike> ⌛ Postponed to F42.


== Feedback ==
== Feedback ==


* TBD


== Benefit to Fedora ==
== Benefit to Fedora ==
Line 49: Line 42:
Confidential guests running under a Fedora SEV-SNP enabled KVM host will be able to:
Confidential guests running under a Fedora SEV-SNP enabled KVM host will be able to:


* Self initiate an VM attestation to prove integrity of their running guest machine. This guarantees their guest is running on AMD hardware with SEV-SNP setup in a given configuration, running a particular build for EDK2 firmware
* Self initiate an VM attestation to prove integrity of their running guest machine. This guarantees their guest is running on AMD hardware with SEV-SNP setup in a given configuration, running a particular build for EDK2 firmware, providing data confidentiality even if the host is compromised or malicious.
* Measure all aspects of the guest machine boot process into PCRs in a securely hosted virtual TPM
* <strike>Measure all aspects of the guest machine boot process into PCRs in a securely hosted virtual TPM</strike> ⌛ Postponed to F42.
* Protected against various known weaknesses of the traditional SEV and SEV-ES technologies
* Protect against various known weaknesses of the traditional SEV and SEV-ES technologies


== Scope ==
== Scope ==
* Proposal owners:
=== Proposal owners ===
 
* Ensure kernel packages built in Fedora have SEV-SNP feature integrated and enabled. Code from kvm/next tree is merged into linus' 6.11 tree and due to small F41 schedule change, Fedora has switched to kernel 6.11-rc5 which includes SNP support. ✅
* Ensure QEMU packages built in Fedora have SEV-SNP feature integrated and enabled. Merged into the forthcoming [https://wiki.qemu.org/Planning/9.1 9.1.0 upstream release]. F41 current has 9.1.0-rc3 which includes SNP. ✅
* Ensure libvirt packages built in Fedora have SEV-SNP feature integrated. Included in the [https://libvirt.org/news.html#v10-5-0-2024-07-01 10.5.0 release] and in Fedora ✅
* Ensure EDK2 packages built in Fedora have a EFI binary built suitable for use with SEV-SNP guests with SVSM paravisor. EDK2 currently in rawhide has support for SNP + SVSM. ✅ vTPM support postponed to a later Fedora release.
* <strike>Add new Coconut SVSM package, to provide paravisor for SEV-SNP guests.</strike> ⌛ Postponed to F42.
* <strike>Add new IGVM library package, to enable bundling of Coconut SVSM and EDK2 firmware into one launch binary. Work in progress adding required rust deps.</strike> ⌛ Postponed to F42.
* <strike>Ensure that an IGVM binary is built containing paired EDK2 and SVSM binaries.</strike> ⌛ Postponed to F42.
* Ensure that virt-install is able to launch an SEV-SNP guest with SVSM and EDK2. In Fedora with 4.2.0-9.fc41 ✅


# Ensure kernel packages built in Fedora have SEV-SNP feature integrated and enabled. Currently targeted for 6.10 upstream release, with possibility of slip to 6.11.
=== Other developers ===
# Ensure QEMU packages built in Fedora have SEV-SNP feature integrated and enabled. Currently targeted at 9.1.0 upstream release
# Ensure libvirt packages built in Fedora have SEV-SNP feature integrated. Targeted to release immediately following merge into QEMU git HEAD
# Ensure EDK2 packages built in Fedora have a EFI binary built suitable for use with SEV-SNP guests with SVSM paravisor.
# Add new Cococnut SVSM package, to provide paravisor for SEV-SNP guests
# Add new IGVM package, to enable bundling of Coconut SVSM and EDK2 firmware into one launch binary
# Ensure that an IGVM binary is built containing paired EDK2 and SVSM binaries.
# Ensure that virt-install is able to launch an SEV-SNP guest with SVSM and EDK2


* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Kernel maintainers: responsible for building new kernel that includes SEV-SNP feature. Currently code is in kvm/next tree, targetted for linus' tree when the 6.11 merge window opens. '''ONLY''' if it merges to linus' tree, then proposal owners are to provide Fedora kernel maintainers with a set of backported patches against 6.10 prior to Fedora Beta. Fedora 41 will get 6.11 kernels after GA.


# Kernel maintainers: responsible for building new kernel that includes SEV-SNP feature. This should not involve anything notable beyond their normal procedure of rebasing to new upstream kernel releases when they occur, enabling newly introduced KConfig features that are relevant.
=== Release engineering ===


* Release engineering: N/a
N/A


* Policies and guidelines: N/A
=== Policies and guidelines ===


* Trademark approval: N/A  
N/A


* Alignment with the Fedora Strategy:
=== Trademark approval ===


Fedora will be demonstrating leading / state of the art integration of SEV-SNP feature into a Linux distribution's virtualization host stack.
N/A


Fedora will be providing the fully OSS host-to-guest stack for confidential virtual machines.
=== Alignment with the Fedora Strategy ===
 
* Fedora will be demonstrating leading / state of the art integration of SEV-SNP feature into a Linux distribution's virtualization host stack.
* Fedora will be providing the fully OSS host-to-guest stack for confidential virtual machines on modern AMD x86_64 EPYC hardware.


== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==


No impact anticipated. Existing users of SEV/SEV-ES technology will keep running as is. The new SEV-SNP technology is an opt-in for users, with suitably new AMD CPUs.
No impact anticipated. Existing users of SEV/SEV-ES technology will keep using it without changes. The new SEV-SNP technology is strictly an opt-in for users with suitably new AMD CPUs.


== Early Testing (Optional) ==
== Early Testing (Optional) ==
Line 90: Line 88:


== How To Test ==
== How To Test ==
<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this change implementation is expected to pass when it is done.  This can be based off of the above section if early testing has been completed. If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.


Remember that you are writing this how to for interested testers to use to check out your change implementation - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your change.
Use of AMD SEV-SNP technology requires an AMD EPYC CPU with the Zen 3 generation micro-architecture, or newer (Milan, Genoa). These are identified by the 4th digit in the processor model name having the value '3' or greater. eg EPYC7xx3 or EPYC9xx4. See also [https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/tuning-guides/58207-using-sev-with-amd-epyc-processors.pdf SEV User Guide (pdf), Chapter 1] for CPU model support guidance.


A good "how to test" should answer these four questions:


0. What special hardware / data / etc. is needed (if any)?
* TBD: document process for configuring host bare metal firmware (if applicable?)
1. How do I prepare my system to test this change? What packages
* TBD: document process for deploying host software components. Likely should not require any special steps, beyond the normal libvirt + KVM install process.
need to be installed, config files edited, etc.?
* TBD: document process for creating a guest. Will update existing [https://libvirt.org/kbase/launch_security_sev.html libvirt SEV docs] to cover SEV-SNP
2. What specific actions do I perform to check that the change is
* TBD: document process for attesting a running guest. Again, will update above libvirt SEV docs.
working like it's supposed to?
3. What are the expected results of those actions?
-->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->


== User Experience ==
== User Experience ==
<!-- If this change proposal is noticeable by users, how will their experiences change as a result?


This section partially overlaps with the Benefit to Fedora section above. This section should be primarily about the User Experience, written in a way that does not assume deep technical knowledge. More detailed technical description should be left for the Benefit to Fedora section.
* Virtualization host owners will be launch confidential virtual machines using AMD SEV-SNP technology
 
* Virtualization host owners will be able to provide a secure virtual TPM to confidential guests, replacing the current non-confidential swtpm solution in the host
Describe what Users will see or notice, for example:
* Guest owners will be able to prove that their OS is running in a Fedora host confidential virtual machine protected by AMD SEV-SNP, by performing a guest attestation
  - Packages are compressed more efficiently, making downloads and upgrades faster by 10%.
* Guest owners will be able to measure their guest OS software environment using the TPM. Caveat: this is an ephemeral TPM initially, which imposes limits on the ways in which users can take advantage of it. A persistent TPM will be supported at a later date.
  - Kerberos tickets can be renewed automatically. Users will now have to authenticate less and become more productive. Credential management improvements mean a user can start their work day with a single sign on and not have to pause for reauthentication during their entire day.
- Libreoffice is one of the most commonly installed applications on Fedora and it is now available by default to help users "hit the ground running".
- Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
-->


== Dependencies ==
== Dependencies ==
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this change depends?  In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel change)? -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->


* kernel
* edk2
* <strike>coconut-svsm</strike> (new package [https://github.com/coconut-svsm/svsm github upstream])
** <strike>rust-intrusive-collections</strike> (new package, [https://bugzilla.redhat.com/show_bug.cgi?id=2290692 Review Request])
** <strike>rust-packit</strike> (new package or include as vendored)
* <strike>igvm</strike> (new package [https://github.com/microsoft/igvm/ github upstream])
** <strike>rust-hmac-sha512</strike> (new package, [https://bugzilla.redhat.com/show_bug.cgi?id=2290698 Review Request])
** <strike>rust-bitfield-struct</strike> (new package, [https://bugzilla.redhat.com/show_bug.cgi?id=2290696 Review Request])
** <strike>rust-open-enum</strike> (new package)
** <strike>rust-open-enum-derive</strike> (new package)
** <strike>rust-range-map-vec</strike> (new package, [https://bugzilla.redhat.com/show_bug.cgi?id=2282977 Review Request]: Approved)
* qemu
* libvirt
* virt-manager (for virt-install tool)
* <strike>snphost [https://github.com/virtee/snphost github upstream]</strike>
* <strike>snpguest (new package, [https://github.com/virtee/snpguest github upstream])</strike>


== Contingency Plan ==
== Contingency Plan ==


<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. -->
* Contingency mechanism: None. All the work is arriving either via rebases to new upstream versions of existing packages, patches to existing packages, or via new package reviews. If the deadline is missed, then whatever has already arrived in Fedora will remain in Fedora and will not harm other existing Fedora functionality. The remaining pieces will wait until the next Fedora dev cycle to be integrated, completing the desired user experience. As such, no contingency action needs to be taken should the Fedora feature completion deadline be missed.
* Contingency mechanism: (What to do?  Who will do it?) N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency deadline: N/A
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Blocks release? No
* Contingency deadline: N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? N/A (not a System Wide Change), Yes/No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 


== Documentation ==
== Documentation ==

Latest revision as of 16:19, 13 September 2024

Confidential Virtualization Host with AMD SEV-SNP

Summary

This enables Fedora virtualization hosts to launch confidential virtual machines using AMD's SEV-SNP technology. Confidential virtualization prevents admins with root shell access, or a compromised host software stack, from accessing memory of any running guest. SEV-SNP is an evolution of previously provided SEV and SEV-ES technologies providing stronger protection and unlocking new features such as a secure virtual TPM.

Owner

Current status

Detailed Description

Fedora has provided support for launching confidential virtual machines using KVM on x86_64 hosts for several years, using the SEV and SEV-ES technologies available from AMD CPUs. These technologies have a number of design limitations, however, that make them less secure than is desired, and prevent exposure of desirable features such as secure TPMs. The SEV-SNP technology is a significant design enhancement and architectural change to addresses the key gaps, increasing security and unlocking more powerful use cases for confidential virtual machines.

With SEV/SEV-ES, attestation of the launched VM has to be initiated from the host, which means for a guest owner to attest their VM, they need to rely on API services exposed by the virtualization management stack which will vary across applications. With SEV-SNP, guest owners can initiate attestation from within guest context, providing a standard mechanism across any virtualization environment running SEV-SNP, avoiding a reliance on any host platform tools/APIs.

The SEV-SNP technology also unlocks the ability to have a paravisor run in guest context, which is a miniature OS that runs at a higher privilege level (VMPL 0) than the guest firmware / OS (VMPL 3). The paravisor, specifically the Coconut SVSM implementation, is able to expose trusted services to the guest firmware and OS, which also remain inaccessible to the host. This makes it possible to provide a secure virtual TPM for confidential guests, thus allowing guest OS software to be better secured than is the case with normal virtual TPMs running in host OS context. ⌛ Postponed to F42.

Feedback

  • TBD

Benefit to Fedora

Confidential guests running under a Fedora SEV-SNP enabled KVM host will be able to:

  • Self initiate an VM attestation to prove integrity of their running guest machine. This guarantees their guest is running on AMD hardware with SEV-SNP setup in a given configuration, running a particular build for EDK2 firmware, providing data confidentiality even if the host is compromised or malicious.
  • Measure all aspects of the guest machine boot process into PCRs in a securely hosted virtual TPM ⌛ Postponed to F42.
  • Protect against various known weaknesses of the traditional SEV and SEV-ES technologies

Scope

Proposal owners

  • Ensure kernel packages built in Fedora have SEV-SNP feature integrated and enabled. Code from kvm/next tree is merged into linus' 6.11 tree and due to small F41 schedule change, Fedora has switched to kernel 6.11-rc5 which includes SNP support. ✅
  • Ensure QEMU packages built in Fedora have SEV-SNP feature integrated and enabled. Merged into the forthcoming 9.1.0 upstream release. F41 current has 9.1.0-rc3 which includes SNP. ✅
  • Ensure libvirt packages built in Fedora have SEV-SNP feature integrated. Included in the 10.5.0 release and in Fedora ✅
  • Ensure EDK2 packages built in Fedora have a EFI binary built suitable for use with SEV-SNP guests with SVSM paravisor. EDK2 currently in rawhide has support for SNP + SVSM. ✅ vTPM support postponed to a later Fedora release.
  • Add new Coconut SVSM package, to provide paravisor for SEV-SNP guests. ⌛ Postponed to F42.
  • Add new IGVM library package, to enable bundling of Coconut SVSM and EDK2 firmware into one launch binary. Work in progress adding required rust deps. ⌛ Postponed to F42.
  • Ensure that an IGVM binary is built containing paired EDK2 and SVSM binaries. ⌛ Postponed to F42.
  • Ensure that virt-install is able to launch an SEV-SNP guest with SVSM and EDK2. In Fedora with 4.2.0-9.fc41 ✅

Other developers

  • Kernel maintainers: responsible for building new kernel that includes SEV-SNP feature. Currently code is in kvm/next tree, targetted for linus' tree when the 6.11 merge window opens. ONLY if it merges to linus' tree, then proposal owners are to provide Fedora kernel maintainers with a set of backported patches against 6.10 prior to Fedora Beta. Fedora 41 will get 6.11 kernels after GA.

Release engineering

N/A

Policies and guidelines

N/A

Trademark approval

N/A

Alignment with the Fedora Strategy

  • Fedora will be demonstrating leading / state of the art integration of SEV-SNP feature into a Linux distribution's virtualization host stack.
  • Fedora will be providing the fully OSS host-to-guest stack for confidential virtual machines on modern AMD x86_64 EPYC hardware.

Upgrade/compatibility impact

No impact anticipated. Existing users of SEV/SEV-ES technology will keep using it without changes. The new SEV-SNP technology is strictly an opt-in for users with suitably new AMD CPUs.

Early Testing (Optional)

Do you require 'QA Blueprint' support? Y (probably useful?)

How To Test

Use of AMD SEV-SNP technology requires an AMD EPYC CPU with the Zen 3 generation micro-architecture, or newer (Milan, Genoa). These are identified by the 4th digit in the processor model name having the value '3' or greater. eg EPYC7xx3 or EPYC9xx4. See also SEV User Guide (pdf), Chapter 1 for CPU model support guidance.


  • TBD: document process for configuring host bare metal firmware (if applicable?)
  • TBD: document process for deploying host software components. Likely should not require any special steps, beyond the normal libvirt + KVM install process.
  • TBD: document process for creating a guest. Will update existing libvirt SEV docs to cover SEV-SNP
  • TBD: document process for attesting a running guest. Again, will update above libvirt SEV docs.

User Experience

  • Virtualization host owners will be launch confidential virtual machines using AMD SEV-SNP technology
  • Virtualization host owners will be able to provide a secure virtual TPM to confidential guests, replacing the current non-confidential swtpm solution in the host
  • Guest owners will be able to prove that their OS is running in a Fedora host confidential virtual machine protected by AMD SEV-SNP, by performing a guest attestation
  • Guest owners will be able to measure their guest OS software environment using the TPM. Caveat: this is an ephemeral TPM initially, which imposes limits on the ways in which users can take advantage of it. A persistent TPM will be supported at a later date.

Dependencies

Contingency Plan

  • Contingency mechanism: None. All the work is arriving either via rebases to new upstream versions of existing packages, patches to existing packages, or via new package reviews. If the deadline is missed, then whatever has already arrived in Fedora will remain in Fedora and will not harm other existing Fedora functionality. The remaining pieces will wait until the next Fedora dev cycle to be integrated, completing the desired user experience. As such, no contingency action needs to be taken should the Fedora feature completion deadline be missed.
  • Contingency deadline: N/A
  • Blocks release? No

Documentation

  • Insert link to kernel docs, when available
  • Insert link to QEMU docs, when available
  • Insert link to libvirt docs, when available
  • Write a Fedora wiki page illustrating end-to-end setup and usage example

Release Notes