Conversation

@raja-grewal
Contributor

This pull request provides the options to enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV).

For users running compatible AMD CPUs, SME allows them to enable hardware-based encryption of physical memory to protect against cold boot attacks. Then for users who also have SEV functionality, this also extends SME to VMs by encrypting the memory of each with a unique key for guest isolation.

These are both generally features of professional and server CPUs. Users of consumer-grade AMD CPUs can generally instead enable TSME in their BIOS/UEFI to achieve the same protection as SME.

Note that this was enabled by default prior to kernel 5.15 but was disabled due to issues relating to DMA masks and IOMMU, which can cause boot failure on certain hardware. Hence, these are also included here disabled by default and require users to test themselves prior to enabling.

Please see references inside the commits and also the kernel docs.

Changes

There are no changes to the functionality of the codebase.

Provide the disabled by default options:

mem_encrypt=on
kvm_amd.sev=1

Mandatory Checklist

  • Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

@ArrayBolt3
Contributor

ArrayBolt3 commented Nov 28, 2025

Looks good to me, merged into my arraybolt3/trixie branch. Should we also consider telling the user about kvm_amd.sev_es and kvm_amd.sev_snp? I note both of those exist in kernel 6.12's source code, in linux/arch/x86/kvm/svm/sev.c:

/* enable/disable SEV support */
static bool sev_enabled = true;
module_param_named(sev, sev_enabled, bool, 0444);

/* enable/disable SEV-ES support */
static bool sev_es_enabled = true;
module_param_named(sev_es, sev_es_enabled, bool, 0444);

/* enable/disable SEV-SNP support */
static bool sev_snp_enabled = true;
module_param_named(sev_snp, sev_snp_enabled, bool, 0444);

(There's also an option for SEV-ES DebugSwap, kvm_amd.debug_swap, but that's for exposing debugging features to the guest, and that probably (?) isn't something most users will need... maybe?)
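Added example (not code from the pull request or from Kicksecure): a small POSIX shell helper that checks whether the CPU flags, the kvm_amd module parameters discussed above (sev, sev_es, sev_snp) and the kernel's boot log agree on what memory encryption is actually active, which is the kind of test a user should run before and after enabling mem_encrypt=on. The function names are hypothetical, the sample inputs are constructed, and the dmesg wording it matches is an assumption about recent kernels.

```shell
#!/bin/sh
# Hypothetical helper (added here, not part of the PR or Kicksecure): inspect
# whether SME/SEV support is present and which kvm_amd parameters are enabled.
# Paths are arguments so it runs on the constructed samples below; on a real
# host use /proc/cpuinfo, /sys/module/kvm_amd/parameters and saved dmesg output.

# sme_flags <cpuinfo>: print the memory-encryption CPU flags the kernel exposes
sme_flags() {
    grep -m1 '^flags' "$1" | cut -d: -f2 | tr ' ' '\n' \
        | grep -xE 'sme|sev|sev_es|sev_snp' | tr '\n' ' ' | sed 's/ *$//'
}

# kvm_amd_param <params-dir> <name>: Y/N as shown by the 0444 sysfs file,
# or "absent" when the running kernel does not have that parameter at all
kvm_amd_param() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo absent; fi
}

# sme_active <dmesg-file>: succeed if the kernel reported SME as active.
# Wording assumed from recent kernels; older kernels print a different line.
sme_active() {
    grep -qE 'Memory Encryption Features active:.*SME|Secure Memory Encryption \(SME\) active' "$1"
}

# mem_encrypt_report <cpuinfo> <params-dir> <dmesg>: human-readable summary
mem_encrypt_report() {
    echo "cpu flags     : $(sme_flags "$1")"
    for p in sev sev_es sev_snp; do
        echo "kvm_amd.$p: $(kvm_amd_param "$2" "$p")"
    done
    if sme_active "$3"; then
        echo "SME           : active"
    else
        echo "SME           : not active (mem_encrypt=on missing or unsupported)"
    fi
}

# Constructed sample inputs (not captured from real hardware)
SAMPLE_DIR=$(mktemp -d)
printf 'processor\t: 0\nvendor_id\t: AuthenticAMD\nflags\t\t: fpu vme de pse sme sev sev_es\n' > "$SAMPLE_DIR/cpuinfo"
mkdir -p "$SAMPLE_DIR/params"
printf 'Y\n' > "$SAMPLE_DIR/params/sev"
printf 'N\n' > "$SAMPLE_DIR/params/sev_es"
printf 'Memory Encryption Features active: AMD SME\n' > "$SAMPLE_DIR/dmesg"

mem_encrypt_report "$SAMPLE_DIR/cpuinfo" "$SAMPLE_DIR/params" "$SAMPLE_DIR/dmesg"
```

On the sample the report shows sme/sev/sev_es flagged, kvm_amd.sev=Y, kvm_amd.sev_es=N, kvm_amd.sev_snp absent (as on a kernel older than the one ArrayBolt3 quotes), and SME active.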

@adrelanos adrelanos merged commit 7280d88 into Kicksecure:master Dec 3, 2025
@raja-grewal raja-grewal deleted the amd_encrypt_ram branch December 11, 2025 01:50