Description
Confidential computing is a family of techniques to enhance security
and confidentiality for data in use. One technical approach is strong
isolation for virtual machines.
AMD's Secure Encrypted Virtualization (SEV) offers several feature sets
for isolating guest virtual machines from a non-trusted host hypervisor
and operating system. These feature sets include memory encryption,
encryption of guest state, including CPU registers, and an attestation
framework.
With OpenBSD 7.6, released in October 2024, we are now able to use the
memory encryption features of AMD SEV to run OpenBSD as both
- a confidential guest VM and
- a hypervisor providing a confidential execution environment.
Now, thanks to memory encryption, the hypervisor is not able to peek into a
guest's memory and is not able to retrieve sensitive information. However,
the state of the CPU registers used by the guest is still visible to
the hypervisor.
Therefore, we implemented support for AMD's "Secure Encrypted Virtualization
with State Encryption" (SEV-ES) for OpenBSD guests and hypervisor. With
SEV-ES, all CPU guest state is encrypted and hidden from the hypervisor.
In this talk, we will explain the fundamentals of SEV and SEV-ES. Then we
explore the challenges imposed by SEV-ES for both guest and hypervisor.
Finally, we will take a closer look at selected implementation details.
Hans-Jörg Höxer is employed at genua, a German firewall manufacturer that
uses OpenBSD as a secure and stable base for its products.
One-line summary: Confidential Computing with OpenBSD: Hiding sensitive CPU state using SEV-ES