Back in January 2023, patches first appeared for enabling Secure TSC support for SEV-SNP guests on AMD EPYC 7003 “Milan” and newer processors. Two years and sixteen revisions of the Linux kernel patches later, it looks like AMD Secure TSC support is finally ready to land in the mainline Linux kernel.
Secure TSC is a feature of SEV-SNP-enabled EPYC server processors that allows VMs/guests to use the RDTSC and RDTSCP instructions for trustworthy timestamp counter access. The secured aspect is that the hypervisor cannot alter the TSC parameters behind RDTSC/RDTSCP after the guest is launched. During boot, Secure TSC-enabled guests query the timestamp counter information from the AMD PSP (Platform Security Processor) over an encrypted channel.
“Add support for Secure TSC in SNP-enabled guests. Secure TSC allows guests to securely use RDTSC/RDTSCP instructions, ensuring that the parameters used cannot be altered by the hypervisor once the guest is launched.
Secure TSC-enabled guests need to query TSC information from the AMD Security Processor. This communication channel is encrypted between the AMD Security Processor and the guest, with the hypervisor acting merely as a conduit to deliver the guest messages to the AMD Security Processor. Each message is protected with AEAD (AES-256 GCM).”
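To make the “hypervisor as a conduit” property concrete, here is an added illustration in Go; it is not kernel code and does not use the real SNP guest-message layout. A modelled PSP reply carrying hypothetical TSC parameters is sealed with AES-256-GCM (header bound as associated data, sequence number as nonce), relayed through a hypervisor model, and rejected by the guest if even one byte was changed in transit. The key, field names and parameter values are constructed for the demo; the real key is derived per VM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// tscInfo stands in for the TSC parameters the guest fetches from the PSP.
// Field names and layout are hypothetical, not the real SEV-SNP message format.
type tscInfo struct{ Scale, Offset uint64 }

// seal protects one message with AES-256-GCM: the sequence number is the nonce
// and travels in clear as a header that is bound to the ciphertext as AAD.
func seal(aead cipher.AEAD, seq uint64, plaintext []byte) []byte {
	hdr := make([]byte, aead.NonceSize())
	binary.LittleEndian.PutUint64(hdr, seq)
	return append(hdr, aead.Seal(nil, hdr, plaintext, hdr)...)
}

// open verifies and decrypts; any byte changed in transit, or a header whose
// sequence number the guest does not expect, makes the message fail.
func open(aead cipher.AEAD, seq uint64, msg []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(msg) < ns+aead.Overhead() || binary.LittleEndian.Uint64(msg[:ns]) != seq {
		return nil, errors.New("bad header or truncated message")
	}
	return aead.Open(nil, msg[:ns], msg[ns:], msg[:ns])
}

// queryTSC plays one request/response round: the PSP answers with constructed
// TSC parameters, the hypervisor relays the bytes (honestly, or after flipping
// one ciphertext byte), and the guest accepts only a reply that authenticates.
func queryTSC(key []byte, seq uint64, hvTampers bool) (tscInfo, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return tscInfo{}, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a standard AES block
	reply := make([]byte, 16)
	binary.LittleEndian.PutUint64(reply[0:], 0x100000000) // constructed values
	binary.LittleEndian.PutUint64(reply[8:], 0x5000)
	msg := seal(aead, seq, reply)
	if hvTampers {
		msg[aead.NonceSize()] ^= 0x01 // first ciphertext byte, i.e. the Scale field
	}
	pt, err := open(aead, seq, msg)
	if err != nil {
		return tscInfo{}, err
	}
	return tscInfo{binary.LittleEndian.Uint64(pt[:8]), binary.LittleEndian.Uint64(pt[8:])}, nil
}
```

The same authentication failure covers a replayed or re-ordered reply, because the sequence number in the header is checked before the tag is verified.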
Earlier this week brought the v16 patches implementing Secure TSC support for SEV-SNP guests. Making use of the feature also requires Linux KVM patches and QEMU changes that have yet to be upstreamed.
It looks like these v16 patches are in good enough shape for mainlining, as they have now been queued in the x86/sev branch of tip/tip.git. With the patches in a TIP branch, it’s quite possible and indeed likely that the code will be submitted as part of the upcoming Linux 6.14 merge window later this month.
So here’s to hoping that the AMD Secure TSC support will be able to make it into the Linux 6.14 upstream kernel and that the KVM and QEMU patches for it also won’t be too far behind.