Hi, I joined your daily meeting yesterday. Thanks for speaking with me! I wasn't able to find any documentation online about how to get started with any SME instances. IBM casually but vaguely mentioned earlier this month that they will start to support this, but I wasn't able to find more detailed information. Is it possible to access such instances via Red Hat services? Is SME only supported on Linux? I understand that you're developing an interface to help people make use of memory encryption. Do you have any documentation explaining what your product will support? Thanks again :)
@jmstoller_gitlab We aren't using AMD SME. We're using AMD SEV.
(There is currently a lot of confusion around these technologies.)
Ah, thanks @npmccallum, I actually meant SME or SEV. We're interested in both!
SEV is basically a superset of SME plus other features.
@jmstoller_gitlab I can answer any questions you might have about IBM's solution announced earlier this month.
Thank you @joncmu, I'm wondering how to set up a python application to work with SEV. Is there some documentation on how this would work? I assume this isn't something that can be done entirely in Python but would require some OS level intervention. I'm not sure where to start, so I'd appreciate any guidance.
@jmstoller_gitlab As of today, there isn't a straightforward path to a fully attested and encrypted deployment of Python on SEV.
@npmccallum so if I were to boot a full VM in SEV, would the memory be encrypted/decrypted at the level of the VM? Is this something which is already supported by cloud providers?
@jmstoller_gitlab Yes. No.
@npmccallum so you would have to purchase a computer and set it up yourself? Is Red Hat close to releasing an online VM that will support this?
@jmstoller_gitlab Today you can get SEV-enabled hardware from various clouds. But Enarx has the only SEV-attestation code in the world (to my knowledge). This is required to turn on encryption. The virtualization stacks are currently looking at implementing this, but nobody supports it yet.
So the problem is fundamentally a software problem.
Enarx is likely to be first to market, because even if the VM hypervisor supports turning on SEV and attesting it, you can't yet pass keys through the guest BIOS, EFI, bootloader and kernel.
The required support is roughly:
Host VMM (hypervisor)
Cloud Management Software
Tenant Deployment Software
Ok, thanks for the explanation @npmccallum!
Today we have (1) and (2). Enarx has working but not yet merged (3) and (7) [in Enarx architecture, 4-6 aren't needed]. We also plan to build (8) and (9).
That removes a significant blocker for Enarx on aarch64 :-)
In addition, Redox's aarch64 port has been updated by Robin R over here, which means there's a minimally booting aarch64 kernel. There's also work on the recursive paging approach used here (Robin would like to use linear paging if possible)
Almost to 100 stars on the repo!
@connorkuehl We crossed 50 stars only a few weeks ago!
kpouget on Freenode Hello, I'd like to join the Enarx call tomorrow, is 14:00-14:30 GMT the correct time?