What processors support SEV?

[anatoli26]

I can't find information about what AMD Zen processors, besides EPYC, support SEV. In other words, do Ryzen, Ryzen Pro and Threadripper support SEV? Do the chipsets and mobos have anything to do with it (i.e. should a SEV-enabled processor be combined with a SEV-supporting mobo)?

[codomania]

There are two memory encryption technologies as part of AMD Zen core. SME (Secure Memory Encryption) and SEV (Secure Encrypted Virtualization). Both SEV and SME features are supported on CPUs from EPYC family. Whereas processor from Ryzen family supports SME only.

[anatoli26]

Do you mean that any Ryzen (common and Pro) support SME? And that Ryzen Pro don't support SEV?

[anatoli26]

From what I find online, Ryzen and Threadripper don't support SME/SEV, but Ryzen Pro does support SME. What I can't determine reliably is if Ryzen Pro supports SEV, and if it does, whether its final availability also depends on the motherboard/chipset/BIOS.

E.g., Forbes says: "Some things that are new for Ryzen PRO, however, are support Transparent Secure Memory Encryption (TSME) and Secure Encrypted Virtualization (SEV) support." source

Similar reports: "Moving on, AMD's other big security feature for the PRO lineup is Secure Virtualized Encyrption (SEV). SEV in many ways resembles the SME, but in this case, it enables owners to encrypt virtual machines, isolating them from each other, hypervisors, and hosting software." anandtech

"Ryzen PRO also incorporates Secure Encrypted Virtualization (SEV) support. This integrates main memory encryption capabilities with the existing AMD-V virtualization architecture to support encrypted virtual machines." hothardware

"Ryzen Pro CPUs offers built-in hardware-based AES 128-bit encryption. The encryption offers two features, Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV)." tweaktown

But I also find reports that PRO doesn't support SEV. The official AMD website provides no details.

As you're working for AMD and working on the SEV feature, could you please shed some light on this, or better yet point to any official statement/documentation?

[anatoli26]

Also, here's a reply from AMD Support:

Response and Service Request History:

Only AMD Ryzen Pro and EPYC processors support SME and SEV.

In order to update this service request, please respond, leaving the service request reference intact.

Best regards,
AMD Global Customer Care

But I hadn't yet received a reply for the details whether motherboard/chipset/bios support is also needed and, in particular, if Lenovo M715 SFF with Ryzen PRO supports SEV.

[AnonymousII]

Ryzen Pro CPUs definitely don't support SEV. We tried using an HP Elite Desk:

• PC: HP Elite Desk 405 G3 MT
• CPU: AMD Ryzen™ 5 PRO 1500 Quad-Core
• Chipset: AMD B350 FCH
• OS: Linux 4.16-rc1 (Released few days ago on kernel.org)

When experiencing issues with the AMD PSP driver (ioread32(psp->io_regs + PSP_FEATURE_REG) & 1)=0 in sev_init() in psp-dev.c) we asked an AMD developer why this check could fail.

Quote from AMD Developer:

Processor from Ryzen family does not support SEV. Ryzen family support SME and TSME features only.

Although CPUID CPUID Fn8000_001F[EAX] bit 1 (SEV support yes/no) says the cpu supports SEV, obviously the Platform Security Processor (PSP) that comes with it doesn't:

Quote from AMD Developer:

By the way: the result of CPUID Fn8000_001F[EAX] bit 1 (SEV support yes/no) still doesnt seem to make sense to me - why would the cpu say it supports SEV i fit doesn't?

Launching a SEV guest requires support from both CPU as well as PSP Firmware. What you are seeing is that Ryzen CPU hints that it support SEV feature but since PSP does not support the feature hence we will not able launch encrypted guest.

So if you want to get SEV running you should use an AMD EPYC cpu...

[anatoli26]

@AnonymousII, thanks a lot for the details! That's a pity all these details are not provided by AMD, as well as the fact that Ryzen Pro can't be used to build a secure workstation (think CubesOS that could benefit enormously from the SEV feature). And EPYC makes no sense in the desktop segment, except for extreme HPC where probably high level of security is not that necessary.

Looks like the future of processors is RISC-V.

[AnonymousII]

update to my previous comment: we just tried using an "AMD EPYC 7451 24-Core Processor" CPU (96 logical cores) in a huge Supermicro A+ server (EPYC CPU) from our computing center and SEV works just fine - so it definitely was a hardware problem only (moved the same physical disk to our server).

Quote from AMD Developer:

Processor from Ryzen family does not support SEV. Ryzen family support SME and TSME features only.

Does it mean that Ryzen (common and Pro) supports SME?
Are rules the same for TR4 products?

[jlarrew]

Technically, all processors based on the Zen core have the hardware support for SEV. However, only the EPYC server processors currently have the firmware support to do the key management. For now, SEV is an EPYC-only feature. Sincerely, Jesse

…

On Sat, Jan 26, 2019, 8:26 AM Maxim ***@***.*** wrote: Quote from AMD Developer: Processor from Ryzen family does not support SEV. Ryzen family support SME and TSME features only. Does it mean that Ryzen (common and Pro) supports SME? Are rules the same for TR4 products? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADflBYG3kO85B1LK1nMarrG60pXKxxfpks5vHGV9gaJpZM4PtHbf> .

@jlarrew

If it is for me, then I talked about SME, not SEV.
I do not need encrypted memory for Guests.
I need encrypted memory for host system.

[M4GNV5]

The question wether SME (NOT SEV, just SME!) is supported on all Zen based processors including Ryzen/Threadrippers doesn't seem to be answered? Could someone clarify, @jlarrew @HardHub?

From press release:

Ryzen Pro CPUs offers built-in hardware-based AES 128-bit encryption. The encryption offers two features, Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). SME and SEV are also found on EPYC CPUs, and they provide real hardware based security. For SME a key is generated on boot up and isn't visible to the OS or software applications, and it can be used to secure a portion or all of the memory.

So I do not know if we have Transparent SME on regular desktop CPU.

Can anybody check SME in /proc/cpuinfo?

[M4GNV5]

Alright, I asked a friend who has a Ryzen (Ryzen 7 1800X) for lscpu and cat /proc/cpuinfo. This is the output: https://pastebin.com/raw/YdXqbqUu

The CPU flags contain smep is this the correct one? I know two more people with 1700X but noone with 2xxx or even 3xxx.

EDIT: according to https://ctf-wiki.github.io/ctf-wiki/pwn/linux/kernel/bypass_smep/ smep means Supervisor Mode Execution Protection, so it seems SME is not supported on Ryzens

[tlendacky]

Ryzen processors should support SME. However, the BIOS is needed to set the SMEE bit (23) of the SYS_CFG MSR (0xc0010010). Please see:

https://elixir.bootlin.com/linux/latest/source/arch/x86/kernel/cpu/amd.c#L574

to see how the SME feature will not be reported even if the CPUID instruction indicates support.

Transparent SME (TSME) is also supported by Ryzen, but requires the BIOS to support the configuration option for it. Without the support from BIOS you can't enable TSME.