AMD SEV with Anjuna
AMD SEV (Secure Encrypted Virtualization) encrypts a guest's memory with a key held by the platform's secure processor, so a confidential workload's memory is protected from the host it runs on. Anjuna abstracts the low-level details and builds on SEV to place a hardware-enforced security perimeter around the application itself, so the application no longer depends on the security of the host: an attacker who gains full control of the host OS or hypervisor still cannot read the application's memory.
Deploying on Equinix Metal
From the deploy screen, select the c2.medium device type; it is the AMD EPYC (SEV-capable) type this guide assumes. Fill in the remaining fields as follows:
Hostname: any name; this is an internal name used only to identify your Equinix Metal instance.
Location: any location (preferably one geographically close to you) that offers the c2.medium device type.
Type: you MUST select c2.medium, as it uses an AMD EPYC processor that supports SEV.
OS: Ubuntu 18.04 LTS.
Select the SSH & USER DATA option and add the following cloud-init user data. On first boot it creates the sev user with passwordless sudo, installs the build prerequisites, and clones and builds the AMDESE/AMDSEV tree for Ubuntu 18.04:

```yaml
#cloud-config
users:
  - name: "sev"
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: "sudo"
package_update: true
packages:
  - git
  - flex
  - apt-utils
write_files:
  - path: /tmp/debconf.cfg
    permissions: '0644'
    content: |
      debconf debconf/frontend select Noninteractive
runcmd:
  # Preload the debconf answer so package installs inside build.sh never prompt.
  - debconf-set-selections /tmp/debconf.cfg
  # Each runcmd entry runs in its own shell, so a bare "cd" does not carry over
  # to the next entry; chain the directory change and the command together.
  - cd /home/sev && git clone --single-branch -b master https://github.com/AMDESE/AMDSEV.git
  - cd /home/sev/AMDSEV/distros/ubuntu-18.04 && ./build.sh
```

Follow the build by connecting to the SOS console. Building the SEV packages takes roughly 20 minutes. When the build completes, the SEV support still has to be activated by upgrading the host to a 4.16.x kernel:
```sh
cd /tmp/
wget -c http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.16/linux-headers-4.16.0-041600_4.16.0-041600.201804012230_all.deb
wget -c http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.16/linux-headers-4.16.0-041600-generic_4.16.0-041600.201804012230_amd64.deb
wget -c http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.16/linux-image-4.16.0-041600-generic_4.16.0-041600.201804012230_amd64.deb
sudo dpkg -i *.deb
```
Once the packages are installed, reboot so the host boots the 4.16.x kernel:

```sh
sudo shutdown -r now
```
When SSH access is restored, confirm the new kernel is running (uname -r should report 4.16.0-041600-generic) and that the SEV device node exists:

```sh
$ ls -l /dev/sev
crw------- 1 root root 10, 55 Oct 21 15:06 /dev/sev
```
Also verify that the PSP firmware reports its SEV API and that KVM has SEV enabled:

```sh
$ dmesg | grep SEV
[    5.563511] ccp 0000:02:00.2: SEV API:0.17 build:1
[    6.021164] SVM: SEV supported
```
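The manual checks above can be collected into a small script that is run once per host. The following is an added example, not code from Anjuna or AMD; it turns each check into a function that reads its input from stdin so the parsing can be exercised offline against constructed sample text, and adds two checks the page does not show but which a practitioner wants before trusting a host: the sev CPUID flag in /proc/cpuinfo and the kvm_amd sev module parameter. The sample dmesg and cpuinfo text, the function names and the --live flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Anjuna or AMD documentation): a POSIX sh
# checklist for SEV readiness after the kernel upgrade. The parsers take
# their input on stdin; "--live" runs them against the real host.

# Returns 0 when dmesg text on stdin shows both the PSP firmware line
# ("ccp ...: SEV API:x.y build:n") and KVM's "SVM: SEV supported" line.
sev_dmesg_ok() {
    log=$(cat)
    printf '%s\n' "$log" | grep -q 'SEV API:' || return 1
    printf '%s\n' "$log" | grep -q 'SEV supported' || return 1
    return 0
}

# Returns 0 when /proc/cpuinfo text on stdin lists the "sev" CPUID flag.
# Exact-match so "sev_es" on newer parts is not mistaken for plain SEV.
sev_cpuflag_ok() {
    grep -m1 '^flags' | tr ' ' '\n' | grep -qx 'sev'
}

# Returns 0 when the kvm_amd "sev" module parameter (stdin) is enabled.
# 4.16-era kernels print 1/0; later kernels print Y/N.
kvm_sev_param_ok() {
    read -r value
    case "$value" in
        1|Y|y) return 0 ;;
        *)     return 1 ;;
    esac
}

# Returns 0 when the given path is a character device, as /dev/sev must be.
sev_device_ok() {
    [ -c "$1" ]
}

# Runs every check against the live host (dmesg usually needs root).
# Prints one line per check and returns non-zero if any check fails.
sev_live_check() {
    rc=0
    if sev_cpuflag_ok < /proc/cpuinfo; then echo "ok   cpu flag sev"; else echo "FAIL cpu flag sev (SEV not enabled in platform firmware?)"; rc=1; fi
    if sev_device_ok /dev/sev; then echo "ok   /dev/sev"; else echo "FAIL /dev/sev missing"; rc=1; fi
    if [ -r /sys/module/kvm_amd/parameters/sev ] && kvm_sev_param_ok < /sys/module/kvm_amd/parameters/sev; then
        echo "ok   kvm_amd.sev enabled"
    else
        echo "FAIL kvm_amd.sev disabled or kvm_amd not loaded"; rc=1
    fi
    if dmesg 2>/dev/null | sev_dmesg_ok; then echo "ok   dmesg: SEV API + SVM: SEV supported"; else echo "FAIL dmesg SEV lines"; rc=1; fi
    return $rc
}

# Constructed sample input (mirrors the output shown above) for offline use.
SAMPLE_DMESG='[    5.563511] ccp 0000:02:00.2: SEV API:0.17 build:1
[    6.021164] SVM: SEV supported'
SAMPLE_CPUINFO='processor : 0
flags : fpu vme de pse sme sev
'

case "${1:-}" in
    --live) sev_live_check ;;
esac
```

Run it as `sudo sh sev-check.sh --live` on the rebooted host. A missing cpu flag means the processor is not advertising SEV at all (typically SEV is disabled in the platform firmware), in which case no kernel change will make /dev/sev appear; a present flag with a missing device node or a disabled kvm_amd.sev parameter points at the kernel build or module configuration instead.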