From 7f43b7e9a91ef56d3442a67a9f6a169779bbffe6 Mon Sep 17 00:00:00 2001
From: Adam Spiers
Date: Thu, 7 Feb 2019 17:58:16 +0000
Subject: [PATCH] Add HW_CPU_AMD_SEV trait
Add a trait reflecting a compute host's capability to offer AMD's on-chip Secure Encrypted Virtualization functionality: https://en.wikipedia.org/wiki/Zen_(microarchitecture)#Enhanced_security_and_virtualization_support https://developer.amd.com/sev/ This will facilitate booting of security-sensitive VMs only on hosts which offer additional security via SEV. More details available here: https://specs.openstack.org/openstack/nova-specs/specs/stein/approved/amd-sev-libvirt-support.html
Change-Id: I8ebfeac3cabbb64a7913f0b8193010a1b712382b
blueprint: amd-sev-libvirt-support
---
 doc/source/reference/index.rst | 32 ++++++++++++++++++++++++++++++++
 os_traits/hw/cpu/amd.py | 19 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 os_traits/hw/cpu/amd.py
diff --git a/doc/source/reference/index.rst b/doc/source/reference/index.rst
index b2ae1a7..94b0ac8 100644
--- a/doc/source/reference/index.rst
+++ b/doc/source/reference/index.rst
@@ -2,6 +2,8 @@
 Reference
 =========
+.. contents:: :local:
+
 CUDA
 ----
@@ -56,3 +58,33 @@ the CUDA SDK 8.0 is capable of working with::
 For more information on CUDA, see the `Wikipedia article`_.
 .. _Wikipedia article: https://en.wikipedia.org/wiki/CUDA
+
+AMD SEV
+-------
+
+While data is typically encrypted today when stored on disk, it is
+stored in DRAM in the clear. This can leave the data vulnerable to
+snooping by unauthorized administrators or software, or by hardware
+probing. New non-volatile memory technology (NVDIMM) exacerbates this
+problem since an NVDIMM chip can be physically removed from a system
+with the data intact, similar to a hard drive. Without encryption any
+stored information such as sensitive data, passwords, or secret keys
+can be easily compromised.
+
+`AMD's SEV (Secure Encrypted Virtualization)
+`_ is a VM protection technology which
+transparently encrypts the memory of each VM with a unique key. It
+can also calculate a signature of the memory contents, which can be
+sent to the VM's owner as an attestation that the memory was encrypted
+correctly by the firmware. SEV is particularly applicable to cloud
+computing since it can reduce the amount of trust VMs need to place in
+the hypervisor and administrator of their host system.
+
+The ``os_traits.hw.cpu.amd.SEV`` trait can be used to indicate that a
+compute host contains support for SEV not only on-CPU, but also in all
+other layers of the hypervisor stack required in order to take
+advantage of this feature: the kernel, QEMU, and libvirt. This trait
+can be specified as required by a flavor extra spec or image property
+``trait:HW_CPU_AMD_SEV=required`` in order to indicate that VMs with
+that flavor or image must only be booted on SEV-capable hosts with the
+SEV functionality enabled.
diff --git a/os_traits/hw/cpu/amd.py b/os_traits/hw/cpu/amd.py
new file mode 100644
index 0000000..1d95ade
--- /dev/null
+++ b/os_traits/hw/cpu/amd.py
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+TRAITS = [
+ # ref: https://developer.amd.com/sev/
+ 'SEV',
+]
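Review bot: The `# ref:` comment above `'SEV'` gives only the vendor link, while the index.rst text in this same patch defines HW_CPU_AMD_SEV as meaning SEV is usable through the whole hypervisor stack (kernel, QEMU and libvirt), not merely that the CPU advertises the feature; a reader of amd.py alone cannot tell that. That distinction matters for the consumer of the trait, because a reporter that sets it from the CPU flag alone would let `trait:HW_CPU_AMD_SEV=required` place a security-sensitive guest on a host where SEV cannot actually be enabled. I would widen the comment to `# SEV: host can run SEV-protected guests end-to-end (CPU, kernel, QEMU and libvirt all support it), not just CPU feature presence.` followed by the existing `# ref: https://developer.amd.com/sev/` line. It is also worth stating there that the trait is a scheduling hint rather than an attestation, so a guest owner who needs assurance must still check the memory-contents signature the docs describe.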