New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
AMD EPYC SEV Enabled!
Hello.....
I have a question, recently I started looking for encrypting a VPS and I stumbled upon few methods where we have to load our own ISO and encrypt disks there while setting up. But it was not efficient as decryption key remains in memory which can accessed by VPS provider if they want to.
Than I came across this AMD EPYC cpu feature called Secure Encrypted Virtualization (SEV); I tried looking for it on reddit and google but no helpful info! So, can someone help me with this?
I want to know how to set it up, how it works and basically anything which helps me understand it better!
Thank you,
Have a great day!
Comments
Are you looking how to use it or looking for a provider which offer such function?
Thanks for your reply! I am looking for both; As far as I know only google and aws offer this but I dont want to go with big players. So, if you know some providers, I will be happy to know. And I am also bit confused as how it works and how to set it up?
No generic provider will offer this out of the box because they use control panels with limited functionality. You better contact virtualizor and suggest them to implement that function support. That way it will be accessible to all and maybe you will get your encrypted vps one day.
Oracle cloud is the cheapest SEV offering, but pricing is still insane compared to the average LET provider
Considering all versions of SEV have known flaws, you are probably better off going with AWS t4g, which is also the cheapest confidential computing offering
Could you please spare some time to lay down what flaws it has? Thank you.
https://arxiv.org/abs/2108.04575 keys have been extracted for Zen 1-3 (NB paper misleadingly refers to a physical attack but it’s one and done - attack a single CPU and you’ve pwned them all)
For Zen 4 there’s CacheWarp
I don't think there's a way to really tell if a provider is leveraging SEV or other functions to increase VM security without taking their word for it. Oracle Cloud, Amazon Web Services, and Google Cloud are the only providers that I would trust for this sort of stuff. I believe they even have their own CPU models (EPYC SKU's) which probably has increased security functions for their confidential compute platforms.
It would be cheaper, better, and probably more secure if you just rent out a full dedicated server from a hosting provider, that way you'd have full bare metal access and it would definitely not be easy for a provider to read data from memory on bare metal.
It reports in dmesg when enabled
I assumed the same until I saw https://github.com/ufrisk/pcileech
Oracle is not accepting my cc, will try AWS!
Ohh did not knew about it!
I will consider this option! I will also dig bit deep into it, to find out which option is better!
This is cool. Did some searching. For software it involves using provided APIs to manage keys according to wikipedia. Specifically Proxmox mentions problems with SEV
There are many other problems with sev right now, for example any action that involves memory like snapshots & live-migration do not work right now or is attackable.Honestly, if you're running an up to date distro with IOMMU/VT-d enabled and an up to date kernel (for example, you can trivially install kernel 6.7.0 [at this second] which is the absolute latest mainline kernel on [openSUSE]( https://download.opensuse.org/repositories/Kernel:stable:Backport/standard/ ("openSUSE stable kernel backport")).
Doubt that? How about from the same page you linked:
The only plausible way I'd be really concerned with pcileech on a server I'm in charge of is the hacked HP iLO, on a dedi, and only because of future potential improvements. But of all my dedis from LET over the years, I think I've only had one HP. I always enable VT-d/IOMMU for unrelated reasons. And almost every device listed would show up in
lspciorlsusb. With judicious use ofusbauthand friends, you can even prevent many-to-most of the USB devices from working anyhow.Honestly, if you're running your stuff well, you will have to be very specifically targeted. The average low end host will not have the chops to get this going in the general case, let alone against a moderately hardened system. And if you're afraid of pissing off a nation-state actor, you have bigger concerns than pcileech.