From 6a17255307c1d3b397ad38ab8f3bb8a14a3c5ca5 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 11 Dec 2025 14:11:26 +0000 Subject: [PATCH] Provide option to enable AMD SEV-ES --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 33722f6..afe23b2 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -255,6 +255,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" ## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). ## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks. ## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation. +## SEV-ES (Encrypted State) extends SEV by encrypting each guests virtual CPU register state during VM exits. ## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP). ## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI. ## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME. @@ -273,6 +274,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_es=1" ## Prevent processes from writing to block devices that are mounted by filesystems. ## Enhances system stability and security by protecting against runaway privileged processes.