The sev crate provides an implementation of the AMD Secure Encrypted
Virtualization (SEV) APIs and the SEV Secure Nested Paging
Firmware (SNP) ABIs.
The Linux kernel exposes two technically distinct AMD SEV APIs:
- An API for managing the SEV platform itself
- An API for managing SEV-enabled KVM virtual machines
This crate implements both of those APIs and offers them to client code through a flexible and type-safe high-level interface.
As with SEV, the Linux kernel exposes two further AMD SEV-SNP ABIs:
- An ABI for managing the SEV-SNP platform itself
- An ABI for managing SEV-SNP enabled KVM virtual machines
These new ABIs work only for SEV-SNP enabled hosts and guests.
This crate implements APIs for both SEV and SEV-SNP management.
By default, both the SEV and SEV-SNP libraries are compiled.
Because many modules provide support to both legacy SEV and SEV-SNP, they have been split into individual sub-modules, sev.rs and snp.rs, isolating generation-specific behavior.
If desired, you may opt to exclude either of the sub-modules by disabling its feature in your project's Cargo.toml.
For example, to include the SEV APIs only:
sev = { version = "1.2.1", default-features = false, features = ["sev"] }
To include the SEV-SNP APIs only:
sev = { version = "1.2.1", default-features = false, features = ["snp"] }
Refer to the firmware module for more information.
Refer to the launch module for more information.
To enable the cryptographic verification of certificate chains and
attestation reports, either the openssl or crypto_nossl feature
has to be enabled manually. With openssl, OpenSSL is used for the
verification. With crypto_nossl, OpenSSL is not used for the
verification and instead pure-Rust libraries (e.g., p384, rsa,
etc.) are used. openssl and crypto_nossl are mutually exclusive,
and enabling both at the same time leads to a compiler error.
Note that the Linux kernel provides access to these APIs through a set
of ioctls that are meant to be called on device nodes (/dev/kvm and
/dev/sev, to be specific). As a result, these ioctls form the substrate
of the sev crate. Binaries that result from consumers of this crate are
expected to run as a process with the necessary privileges to interact
with the device nodes.
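As an added example (not part of the sev crate or its documentation), the following Rust program checks, before any ioctl is issued, that the two device nodes named above exist, are character devices, and can be opened by the current process. The NodeStatus type, the function names, and the assumption that read/write access is required are this example's own.

```rust
use std::fs::{self, OpenOptions};
use std::io::ErrorKind;
use std::os::unix::fs::FileTypeExt;
use std::path::Path;

/// Outcome of probing one device node (type and names are this example's own).
#[derive(Debug, PartialEq, Eq)]
pub enum NodeStatus {
    Usable,
    Missing,
    NotCharDevice,
    PermissionDenied,
    OtherError(ErrorKind),
}

/// Probe `path` without issuing any ioctl: it must exist, be a character
/// device, and be openable read/write (assumed access mode) by this process.
pub fn probe_node(path: &Path) -> NodeStatus {
    let meta = match fs::metadata(path) {
        Ok(m) => m,
        Err(ref e) if e.kind() == ErrorKind::NotFound => return NodeStatus::Missing,
        Err(ref e) if e.kind() == ErrorKind::PermissionDenied => return NodeStatus::PermissionDenied,
        Err(e) => return NodeStatus::OtherError(e.kind()),
    };
    if !meta.file_type().is_char_device() {
        return NodeStatus::NotCharDevice;
    }
    match OpenOptions::new().read(true).write(true).open(path) {
        Ok(_) => NodeStatus::Usable,
        Err(ref e) if e.kind() == ErrorKind::PermissionDenied => NodeStatus::PermissionDenied,
        Err(e) => NodeStatus::OtherError(e.kind()),
    }
}

/// Probe the two device nodes the text names.
pub fn preflight() -> Vec<(&'static str, NodeStatus)> {
    ["/dev/kvm", "/dev/sev"]
        .iter()
        .map(|&p| (p, probe_node(Path::new(p))))
        .collect()
}

fn main() {
    for (path, status) in preflight() {
        println!("{}: {:?}", path, status);
    }
}
```

A Missing result usually means the kernel driver is not loaded or the host lacks the feature, while PermissionDenied points at the process's user or group rather than at the platform.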
Projects in C can take advantage of the C API for the SEV launch ioctls.
To install the C API, users can use cargo-c with the features they would
like to produce and install a pkg-config file, a static library, a dynamic
library, and a C header:
cargo cinstall --prefix=/usr --libdir=/usr/lib64