
wooh
Journeyman III

How to share SEV keys between virtual machines?

As documented in the AMD SEV-KM API Specification, there is an option in guest policy named NOKS, which means "Sharing keys with other guests is disallowed when set". If I don't set that bit, how can I share keys with other guests? I don't find any APIs related to sharing SEV keys between guests, except for DBG_DECRYPT, which however is used by the hypervisor to access encrypted memory without knowing the key.

0 Likes
1 Reply
Anonymous
Not applicable

Hello wooh,

AMD does not recommend using the SEV key sharing option in the SEV API, as this would allow multiple guests direct access to the same encrypted memory space. The default setting in Linux is to set NOKS=1. We would recommend that different SEV guests communicate with each other using standard mechanisms (such as secure network connections) to authenticate and share sensitive information such as keys. If multiple SEV guests on a single machine wish to share information, they can also do so through unencrypted (C=0) memory pages.

0 Likes
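One way to verify on a host that guests are launched with the recommended NOKS=1, as an added example that is not part of the original thread and is not AMD's code. It assumes the guest policy bit layout from the SEV API specification's guest policy table and QEMU's `sev-guest` object with a `policy=` property; the sample command lines are constructed.

```python
import re

# Bit layout of the 32-bit guest policy. Assumption: taken from the guest
# policy table of the AMD SEV API specification, not quoted in this thread.
FLAG_BITS = {"NODBG": 0, "NOKS": 1, "ES": 2, "NOSEND": 3, "DOMAIN": 4, "SEV": 5}
RESERVED_MASK = 0x0000FFC0  # bits 15:6

def decode_policy(policy):
    """Return the named flags and minimum firmware API version of a policy."""
    if not 0 <= policy <= 0xFFFFFFFF:
        raise ValueError("guest policy is a 32-bit value")
    flags = {name: bool((policy >> bit) & 1) for name, bit in FLAG_BITS.items()}
    return {"flags": flags,
            "api_major": (policy >> 16) & 0xFF,
            "api_minor": (policy >> 24) & 0xFF,
            "reserved": policy & RESERVED_MASK}

def audit_policy(policy):
    """List the policy settings that weaken isolation between guests."""
    info, findings = decode_policy(policy), []
    if not info["flags"]["NOKS"]:
        findings.append("NOKS=0: sharing keys with other guests is not disallowed")
    if not info["flags"]["NODBG"]:
        findings.append("NODBG=0: guest debugging (DBG_DECRYPT) is not disallowed")
    if info["reserved"]:
        findings.append("reserved bits set: 0x%04x" % info["reserved"])
    return findings

# Matches the policy= property of a QEMU sev-guest object (assumed syntax).
SEV_OBJECT = re.compile(r"sev-guest,\S*?\bpolicy=(0[xX][0-9a-fA-F]+|\d+)")

def audit_command_line(cmdline):
    """Audit the sev-guest policy in one QEMU command line; None if absent."""
    match = SEV_OBJECT.search(cmdline)
    if match is None:
        return None
    text = match.group(1)
    base = 16 if text.lower().startswith("0x") else 10
    return audit_policy(int(text, base))

# Constructed sample command lines, not captured from a real host.
SEV_OPTS = "-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy="
SAMPLES = {"guest-a": "qemu-system-x86_64 " + SEV_OPTS + "0x1",
           "guest-b": "qemu-system-x86_64 " + SEV_OPTS + "0x3"}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, audit_command_line(cmd) or "OK")
```
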