Bug 1833442

Summary: [RFE][Test Only] AMD SEV-encrypted instances
Product: Red Hat OpenStack Reporter: Stephen Finucane <stephenfin>
Component: openstack-novaAssignee: OSP DFG:Compute <osp-dfg-compute>
Status: CLOSED CURRENTRELEASE QA Contact: OSP DFG:Compute <osp-dfg-compute>
Severity: medium Docs Contact:
Priority: medium    
Version: 17.0 (Wallaby)CC: amodi, coli, dasmith, egallen, eglynn, igallagh, jgrosso, jhakimra, jparker, kchamart, lyarwood, nlevinki, sbauza, sgordon, spower, vromanso, zhguo, zixchen
Target Milestone: AlphaKeywords: FutureFeature, TechPreview, TestOnly, Triaged
Target Release: 16.2 (Train on RHEL 8.4)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-nova-20.4.2-2.20201114104928 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-14 15:55:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1794216, 1954529, 1959360, 1967293    
Bug Blocks: 1913699    
Attachments:
Description Flags
Test results with rhel 8.4 guest image and puddle RHOS-16.2-RHEL-8-20210525.n.0 none

Description Stephen Finucane 2020-05-08 16:44:04 UTC 
Description of problem:
While data is typically encrypted today when stored on disk, it is stored in DRAM in the clear. This can leave the data vulnerable to snooping by unauthorized administrators or software, or by hardware probing. New non-volatile memory technology (NVDIMM) exacerbates this problem since an NVDIMM chip can be physically removed from a system with the data intact, similar to a hard drive. Without encryption any stored information such as sensitive data, passwords, or secret keys can be easily compromised.

AMD’s SEV offers a VM protection technology which transparently encrypts the memory of each VM with a unique key. It can also calculate a signature of the memory contents, which can be sent to the VM’s owner as an attestation that the memory was encrypted correctly by the firmware. SEV is particularly applicable to cloud computing since it can reduce the amount of trust VMs need to place in the hypervisor and administrator of their host system.

Use Cases
As a cloud administrator, in order that my users can have greater confidence in the security of their running instances, I want to provide a flavor containing an SEV-specific extra spec resource requirement which will allow users booting instances with that flavor to ensure that their instances run on an SEV-capable compute host with SEV encryption enabled.

As a cloud user, in order to not have to trust my cloud operator with my secrets, I want to be able to boot VM instances with SEV functionality enabled.
Comment 4 Lee Yarwood 2021-06-01 11:47:59 UTC 
*** Bug 1794216 has been marked as a duplicate of this bug. ***
Comment 6 James Parker 2021-06-02 14:18:00 UTC 
Created attachment 1788699 [details]
Test results with rhel 8.4 guest image and puddle RHOS-16.2-RHEL-8-20210525.n.0
Comment 9 Thierry Vignaud 2021-10-14 15:55:40 UTC 
According to our records, this should be resolved by openstack-nova-20.6.2-2.20210607104828.el8ost.4.  This build is available now.