Pasting v5 here. > From: Brijesh Singh <brijesh.singh@xxxxxxx> > > Create a Documentation entry to describe the AMD Secure Encrypted > Virtualization (SEV) feature. > > Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx> > Cc: Ingo Molnar <mingo@xxxxxxxxxx> > Cc: "H. Peter Anvin" <hpa@xxxxxxxxx> > Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx> > Cc: "Radim Krčmář" <rkrcmar@xxxxxxxxxx> > Cc: Jonathan Corbet <corbet@xxxxxxx> > Cc: Borislav Petkov <bp@xxxxxxx> > Cc: Tom Lendacky <thomas.lendacky@xxxxxxx> > Cc: kvm@xxxxxxxxxxxxxxx > Cc: x86@xxxxxxxxxx > Cc: linux-kernel@xxxxxxxxxxxxxxx > Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx> > --- > Documentation/virtual/kvm/00-INDEX | 3 ++ > .../virtual/kvm/amd-memory-encryption.txt | 38 ++++++++++++++++++++++ > 2 files changed, 41 insertions(+) > create mode 100644 Documentation/virtual/kvm/amd-memory-encryption.txt Nice and sweet. Reviewed-by: Borislav Petkov <bp@xxxxxxx> (Leaving in the rest for reference). > diff --git a/Documentation/virtual/kvm/00-INDEX b/Documentation/virtual/kvm/00-INDEX > index 69fe1a8b7ad1..3da73aabff5a 100644 > --- a/Documentation/virtual/kvm/00-INDEX > +++ b/Documentation/virtual/kvm/00-INDEX > @@ -26,3 +26,6 @@ s390-diag.txt > - Diagnose hypercall description (for IBM S/390) > timekeeping.txt > - timekeeping virtualization for x86-based architectures. > +amd-memory-encryption.txt > + - notes on AMD Secure Encrypted Virtualization feature and SEV firmware > + command description > diff --git a/Documentation/virtual/kvm/amd-memory-encryption.txt b/Documentation/virtual/kvm/amd-memory-encryption.txt > new file mode 100644 > index 000000000000..26472b4cdbaf > --- /dev/null > +++ b/Documentation/virtual/kvm/amd-memory-encryption.txt 
> @@ -0,0 +1,38 @@ > +Secure Encrypted Virtualization (SEV) is a feature found on AMD processors. > + > +SEV is an extension to the AMD-V architecture which supports running > +virtual machines (VMs) under the control of a hypervisor. When enabled, > +the memory contents of a VM will be transparently encrypted with a key > +unique to that VM. > + > +The hypervisor can determine the SEV support through the CPUID > +instruction. The CPUID function 0x8000001f reports information related > +to SEV: > + > + 0x8000001f[eax]: > + Bit[1] indicates support for SEV > + ... > + [ecx]: > + Bits[31:0] Number of encrypted guests supported simultaneously > + > +If support for SEV is present, MSR 0xc001_0010 (MSR_K8_SYSCFG) and MSR 0xc001_0015 > +(MSR_K7_HWCR) can be used to determine if it can be enabled: > + > + 0xc001_0010: > + Bit[23] 1 = memory encryption can be enabled > + 0 = memory encryption can not be enabled > + > + 0xc001_0015: > + Bit[0] 1 = memory encryption can be enabled > + 0 = memory encryption can not be enabled > + > +When SEV support is available, it can be enabled in a specific VM by > +setting the SEV bit before executing VMRUN. > + > + VMCB[0x90]: > + Bit[1] 1 = SEV is enabled > + 0 = SEV is disabled > + > +SEV hardware uses ASIDs to associate a memory encryption key with a VM. > +Hence, the ASID for the SEV-enabled guests must be from 1 to a maximum value > +defined in the CPUID 0x8000001f[ecx] field. > -- > 2.13.0 SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) --
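Review bot: In the 00-INDEX hunk, the new entry advertises "SEV firmware command description", but the amd-memory-encryption.txt added by this patch covers only CPUID detection, the two MSR bits, the VMCB enable bit and the ASID range; no firmware command is described. Either drop "and SEV firmware command description" from the index line until that text exists, or say in the commit message that it arrives in a later patch.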
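Review bot: In the amd-memory-encryption.txt hunk, the entries for 0xc001_0010 Bit[23] and 0xc001_0015 Bit[0] carry identical wording ("1 = memory encryption can be enabled"), so a reader cannot tell whether both bits must be set or what distinguishes one from the other; state the required combination explicitly. The closing ASID paragraph bounds the ASID by CPUID 0x8000001f[ecx], which the list above it describes as the number of encrypted guests supported simultaneously, so it is worth saying outright that this count is also the highest valid SEV ASID. VMCB[0x90] would also read better with the field name given next to the offset.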