Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Fedora 41 Aims To Ship AMD SEV-SNP Confidential Virtualization Host Support

Written by Michael Larabel in AMD on 17 June 2024 at 04:49 PM EDT. Add A Comment
AMD
With the release of Fedora 41 in October, this Red Hat sponsored Linux distribution is hoping to have all the software bits aligned that its AMD SEV-SNP virtualization stack will be all squared away for this latest iteration of Secure Encrypted Virtualization.

If all goes according to newly-filed plans, Fedora 41 this autumn should be shipping with confidential virtualization host support for AMD SEV-SNP. This is coming about as all of the relevant upstream pieces are finally coming together. As noted recently on Phoronix, Linux 6.11 will bring the AMD SEV-SNP KVM guest bits. QEMU 9.1 is working its way toward release in the coming months and it has the SEV-SNP feature integration complete. Libvirt is also having its SEV-SNP support cross the finish line this summer. Fedora 41 is also planning to ship updated Coconut SVSM, iVGM, and EDK2 packages for rounding out the SEV-SNP support.

AMD EPYC CPU in front of Fedora system


The change proposal was posted today to the Fedora Wiki for having this SEV-SNP support in Fedora 41:
"This enables Fedora virtualization hosts to launch confidential virtual machines using AMD's SEV-SNP technology. Confidential virtualization prevents admins with root shell access, or a compromised host software stack, from accessing memory of any running guest. SEV-SNP is an evolution of previously provided SEV and SEV-ES technologies providing stronger protection and unlocking new features such as a secure virtual TPM.
...
Fedora has provided support for launching confidential virtual machines using KVM on x86_64 hosts for several years, using the SEV and SEV-ES technologies available from AMD CPUs. These technologies have a number of design limitations, however, that make them less secure than is desired, and prevent exposure of desirable features such as secure TPMs. The SEV-SNP technology is a significant design enhancement and architectural change to addresses the key gaps, increasing security and unlocking more powerful use cases for confidential virtual machines."

SEV-SNP is indeed a nice upgrade over the earlier SEV and SEV-ES capabilities:

SEV-SNP comparison


It's great seeing all the upstream software bits finally coming together with SEV-SNP that is supported with AMD EPYC server processors since the EPYC 7003 "Milan" series. Other Q3~Q4 Linux distributions and later in turn should also be able to tap into this upstream support for the newest Secure Encrypted Virtualization functionality.
Add A Comment
Related News
Cloudflare Goes With AMD EPYC Genoa-X For Their Next-Gen Servers
Initial AMD Zen 5 "Znver5" Support Merged For LLVM/Clang
Linux 6.12 EDAC Prepares For Address Translation On Future AMD Platforms
AMD Posts Linux Patches For New Secure AVIC Guest Feature
AMD XDNA Linux Driver v3 Published For Ryzen AI Upstreaming
AMD Submits Initial Zen 5 Enablement For LLVM/Clang Compiler
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
NVIDIA Publishes Open-Source Linux Driver Code For GPU Virtualization "vGPU" Support
Wow! Microsoft DirectX Adopting SPIR-V Moving Forward
Linus Torvalds Adds User-Access Fast Validation Via Address Masking To Linux 6.12
Linux Preparing Support For The RISC-V Framework Laptop 13
Valve's Proton 9.0-3 Brings Support For More Games On Linux, Many Fixes
Sched_ext Merged For Linux 6.12 - Scheduling Policies As BPF Programs
H.264/H.265 Vulkan Encoder Support Merged Into FFmpeg
Updated XZ Code Lands In Linux 6.12