[qubes-users] AMD Ryzen 7 PRO compatibility

mailinglist_bot · October 21, 2020, 3:04am

I'm not sure what thread you're referring to (re SEV).

Actually it was a discussion on GitHub qubes-issues:

github.com/QubesOS/qubes-issues

Consider support for AMD's SEV for Ryzen PRO (4750U) Laptop

opened 10:09AM - 06 Oct 20 UTC

dylangerdaly

T: enhancement C: Xen P: default hardware support

**The problem you're addressing (if any)** According to CPUID, my laptop's Ryze…n 7 4750U supports AMD's SEV. AMD's SEV encrypts memory per VM (appVM/domU) > Uses one key per virtual machine to isolate guests and the hypervisor from one another. The keys are managed by the AMD Secure Processor. SEV requires enablement in the guest operating system and hypervisor. The guest changes allow the VM to indicate which pages in memory should be encrypted. The hypervisor changes use hardware virtualization instructions and communication with the AMD Secure processor to manage the appropriate keys in the memory controller. Separating the all-powerful dom0 from just reaching into appVM's memory, this is greatly desirable. According to [this](https://www.kernel.org/doc/html/v5.6/x86/amd-memory-encryption.html) CPUID function the Ryzen 7 4750U supports SEV: ``` 0x8000001f[eax]: Bit[0] indicates support for SME Bit[1] indicates support for SEV 0x8000001f[ebx]: Bits[5:0] pagetable bit number used to activate memory encryption Bits[11:6] reduction in physical address space, in bits, when memory encryption is enabled (this only affects system physical addresses, not guest physical addresses) ``` ``` [user@dom0 ~]$ sudo cpuid -r -1 -l 0x8000001f CPU: 0x8000001f 0x00: eax=0x0001000f ebx=0x0000012f ecx=0x0000000e edx=0x00000001 ``` EAX is `0x0001000f` That's bit 0-3 and 16, meaning SEV is indeed supported. **Describe the solution you'd like** Either Xen or Qubes add support for SEV, this requires changes on both the Hypervisor (Xen) and Guest OS's **Where is the value to a user, and who might that user be?** I really don't think I need to answer this. **Describe alternatives you've considered** Nil **Additional context** Nil **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** https://developer.amd.com/sev/ https://www.kernel.org/doc/html/v5.6/x86/amd-memory-encryption.html https://www.cpu-monkey.com/en/cpu-amd_ryzen_7_pro_4750u-1356 **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues**

A few of us are
running Qubes 4.1 alpha on new Thinkpad Ryzen 7 PRO 4750U systems
because the older version of Xen used in Qubes 4.0 is incompatible.

The newer Xen in R4.1 alpha still has a bug that affects CPU scheduling,
so there is a trick to configuring it for a smooth running system.

Qubes reports that safety features (IOMMU etc) are working. What does
not currently work is S3 sleep.

Stability is already quite good if you avoid badly-behaved wifi drivers
(unfortunately the Thinkpad's Intel AX200 is in this category, so I use
a USB wifi device instead).

I'd say its not too much of a gamble if you're willing to run a new
alpha or beta of Qubes. But keep in mind your 4750G motherboard may have
significant differences vs Thinkpad laptops; IMO you need to go with a
high-quality brand, preferably a pre-built business system from the
traditional top-3 (Lenovo, Dell, HP).

Here is a relevant thread:
Qubes Support on AMD 4000 Series (Lenovo X13/T14)

That's encouraging, thank you very much for all the information. It indeed doesn't look like too much of a gamble then, besides I really don't mind waiting a bit. The current Qubes machine is just fine and will be for some time, the new machine is intended to become its successor. Thanks Chris.