diff options
author | David Gibson <david@gibson.dropbear.id.au> | 2021-01-08 13:23:09 +1100 |
---|---|---|
committer | David Gibson <david@gibson.dropbear.id.au> | 2021-02-08 16:57:38 +1100 |
commit | 64d19f333464a877f3ebe538510a10a514db0eb9 (patch) | |
tree | fc1766e903bdcd5a301cf701f73525894da00bfa /docs/confidential-guest-support.txt | |
parent | ec78e2cda3e006e0e01e2177caf3718db5600635 (diff) |
confidential guest support: Update documentation
Now that we've implemented a generic machine option for configuring various
confidential guest support mechanisms:
1. Update docs/amd-memory-encryption.txt to reference this rather than
the earlier SEV specific option
2. Add a docs/confidential-guest-support.txt to cover the generalities of
the confidential guest support scheme
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Greg Kurz <groug@kaod.org>
Diffstat (limited to 'docs/confidential-guest-support.txt')
-rw-r--r-- | docs/confidential-guest-support.txt | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/docs/confidential-guest-support.txt b/docs/confidential-guest-support.txt new file mode 100644 index 0000000000..bd439ac800 --- /dev/null +++ b/docs/confidential-guest-support.txt @@ -0,0 +1,43 @@ +Confidential Guest Support +========================== + +Traditionally, hypervisors such as QEMU have complete access to a +guest's memory and other state, meaning that a compromised hypervisor +can compromise any of its guests. A number of platforms have added +mechanisms in hardware and/or firmware which give guests at least some +protection from a compromised hypervisor. This is obviously +especially desirable for public cloud environments. + +These mechanisms have different names and different modes of +operation, but are often referred to as Secure Guests or Confidential +Guests. We use the term "Confidential Guest Support" to distinguish +this from other aspects of guest security (such as security against +attacks from other guests, or from network sources). + +Running a Confidential Guest +---------------------------- + +To run a confidential guest you need to add two command line parameters: + +1. Use "-object" to create a "confidential guest support" object. The + type and parameters will vary with the specific mechanism to be + used +2. Set the "confidential-guest-support" machine parameter to the ID of + the object from (1). + +Example (for AMD SEV):: + + qemu-system-x86_64 \ + <other parameters> \ + -machine ...,confidential-guest-support=sev0 \ + -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 + +Supported mechanisms +-------------------- + +Currently supported confidential guest mechanisms are: + +AMD Secure Encrypted Virtualization (SEV) + docs/amd-memory-encryption.txt + +Other mechanisms may be supported in future. |