cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Server Processors

wooh
Journeyman III
‎05-25-2020 10:11 PM

How to share SEV keys between virtual machines?

As documented in the AMD SEV-KM API Specification, there is an option in guest policy named NOKS, which means "

Sharing keys with other guests is disallowed when set". If I don't set that bit, how can I share keys with other guests? I don't find any APIs related with sharing SEV keys between guests, except for that DBG_DECRYPT, which however is used for hypervisor to access encrypted memory without knowing the key.

0 Likes
1 Reply
Anonymous
Not applicable
‎06-01-2020 06:09 PM

Hello wooh‌,

AMD does not recommend using the SEV key sharing option in the SEV API as this would allow multiple guests direct access to the same encrypted memory space. The default setting in Linux is to set NOKS=1.  We would recommend that different SEV guests communicate with other using standard mechanisms (such as secure network connections) to authenticate and share sensitive information such as keys.  If multiple SEV guests on a single machine wish to share information they can also do so through unencrypted (C=0) memory pages.

0 Likes