
Does Firecracker support AMD Secure Encrypted Virtualization (SEV)? #2332

Closed
CodingYuanLiu opened this issue Dec 9, 2020 · 7 comments

Comments

@CodingYuanLiu

Why is this feature request important? What are the use cases? Please describe.

AMD Secure Encrypted Virtualization (SEV) is a hardware feature provided by AMD, designed to isolate virtual machines from the hypervisor.

Describe the desired solution

So far, we can use QEMU to start a VM with SEV enabled. If Firecracker supported SEV, we could use Firecracker to replace QEMU and start a micro VM with SEV.

Describe possible alternatives

Without the feature, I can only use QEMU to start a VM with SEV, so I cannot take advantage of Firecracker's features.

Additional context

No additional context

Checks

  • [y] Have you searched the Firecracker Issues database for similar requests?
  • [n] Have you read all the existing relevant Firecracker documentation?
  • [n] Have you read and understood Firecracker's core tenets?
@georgepisaltu
Contributor

Hi @CodingYuanLiu,

Firecracker does not support AMD Secure Encrypted Virtualization. I don't think Firecracker can support SEV as of right now because we provide snapshot capabilities and any operations that involve saving and restoring the memory and state of the VM are unsupported by SEV. From my research, it seems that with hardware evolution this barrier might disappear and we could look into this feature.

@CodingYuanLiu
Author

Thank you for your help. By the way, may I ask how fast Firecracker can start when restoring from a snapshot?

@georgepisaltu
Contributor

As you can see in our integration tests here, we ensure we have a restore time of less than 8 ms in the tests, but we target 5 ms. The 8 ms value is only for testing purposes and comes from this issue.

@CodingYuanLiu
Author

Wow that target is fantastic. Thank you a lot for your help.

@hpvd

hpvd commented Dec 5, 2024

Since we are also interested in this, I did a little research:

It seems to be possible now using SEV Key Management:

KVM implements the following commands to support common lifecycle events of SEV guests, such as launching, running, snapshotting, migrating and decommissioning.
https://www.kernel.org/doc/html/v5.6/virt/kvm/amd-memory-encryption.html#sev-key-management
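Before trying SEV with any VMM on a KVM host, the first thing to verify is that the host actually exposes it. As an added example (not code from this thread or from Firecracker), the check below combines the three signals a host needs: the CPU flags in /proc/cpuinfo, the kvm_amd module's sev parameter, and the /dev/sev firmware device that the KVM SEV commands go through. The parsing functions take strings so they can be exercised with the constructed sample input; the `__main__` block reads the real files.

```python
import os
from dataclasses import dataclass

# Constructed sample of /proc/cpuinfo text for an SEV-ES capable EPYC host.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: AuthenticAMD\n"
    "flags\t\t: fpu vme sse2 sse4_2 avx2 sev sev_es\n"
)

@dataclass
class SevHostStatus:
    cpu_sev: bool       # CPU advertises SEV (memory encryption)
    cpu_sev_es: bool    # CPU advertises SEV-ES (encrypted register state)
    kvm_amd_sev: bool   # kvm_amd is loaded with SEV enabled
    sev_device: bool    # /dev/sev exists (firmware interface for SEV commands)

    @property
    def usable(self) -> bool:
        # SEV-ES is optional; plain SEV needs all three of these.
        return self.cpu_sev and self.kvm_amd_sev and self.sev_device

def parse_cpu_flags(cpuinfo: str) -> set:
    """Return the flag set from the first 'flags' line of /proc/cpuinfo text."""
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()

def parse_kvm_amd_sev(param: str) -> bool:
    # Older kernels expose the parameter as 0/1, newer ones as N/Y.
    return param.strip().upper() in {"1", "Y"}

def sev_host_status(cpuinfo: str, kvm_amd_sev_param: str,
                    sev_dev_exists: bool) -> SevHostStatus:
    flags = parse_cpu_flags(cpuinfo)
    return SevHostStatus(
        cpu_sev="sev" in flags,
        cpu_sev_es="sev_es" in flags,
        kvm_amd_sev=parse_kvm_amd_sev(kvm_amd_sev_param),
        sev_device=sev_dev_exists,
    )

def read_or(path: str, default: str = "") -> str:
    try:
        with open(path) as f:
            return f.read()
    except OSError:  # file absent, e.g. kvm_amd not loaded or not an AMD host
        return default

if __name__ == "__main__":
    status = sev_host_status(read_or("/proc/cpuinfo"),
                             read_or("/sys/module/kvm_amd/parameters/sev", "0"),
                             os.path.exists("/dev/sev"))
    print(status, "-> usable" if status.usable else "-> not usable")
```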

@hpvd

hpvd commented Dec 5, 2024

also interesting from firecracker roadmap planning:
#4894

The kata-containers initiative for confidential compute is interested in
including Firecracker GPU support.

-> Do they already run their containers on Firecracker with confidential compute (and now "only" want to add PCIe pass-through)?

@hpvd

hpvd commented Dec 5, 2024

Hi @CodingYuanLiu,

Firecracker does not support AMD Secure Encrypted Virtualization. I don't think Firecracker can support SEV as of right now because we provide snapshot capabilities and any operations that involve saving and restoring the memory and state of the VM are unsupported by SEV. From my research, it seems that with hardware evolution this barrier might disappear and we could look into this feature.

+1 on reopening this issue, or shall we create a new one?
