Does Firecracker support AMD Secure Encrypted Virtualization (SEV)? #2332
Comments
Hi @CodingYuanLiu, Firecracker does not support AMD Secure Encrypted Virtualization. I don't think Firecracker can support SEV as of right now because we provide snapshot capabilities and any operations that involve saving and restoring the memory and state of the VM are unsupported by SEV. From my research, it seems that with hardware evolution this barrier might disappear and we could look into this feature.
Thank you for your help. By the way, may I ask how fast Firecracker can start when restoring from a snapshot?
As you can see in our integration tests here, we ensure we have a restore time of less than 8 ms in the tests, but we target 5 ms. The 8 ms value is only for testing purposes and comes from this issue.
Wow, that target is fantastic. Thanks a lot for your help.
Since we are also interested in this, I did a little research: it seems to be possible now. KVM implements the following commands to support common lifecycle events of SEV guests, such as launching, running, snapshotting, migrating and decommissioning.
Also interesting, from the Firecracker roadmap planning:
-> Do they already run their containers on Firecracker with confidential compute (and now "only" want to add PCIe passthrough)?
+1 on reopening this issue, or shall we create a new one?
Why is this feature request important? What are the use cases? Please describe.
AMD Secure Encrypted Virtualization (SEV) is a hardware feature provided by AMD, designed to isolate virtual machines from the hypervisor.
Describe the desired solution
So far, we can use QEMU to start a VM with SEV enabled. If Firecracker supported SEV, we could use Firecracker to replace QEMU and start a micro VM with SEV.
Describe possible alternatives
Without the feature, I can only use QEMU to start a VM with SEV, so I cannot take advantage of Firecracker's features.
Additional context
No additional context