diff options
| author | David Gibson <david@gibson.dropbear.id.au> | 2020-07-23 14:36:45 +1000 |
|---|---|---|
| committer | David Gibson <david@gibson.dropbear.id.au> | 2021-02-08 16:57:38 +1100 |
| commit | 651615d92d244a6dfd7c81ab97bd3369fbe41d06 (patch) | |
| tree | 411fe2e3ff602f0ee3c20be0dbfaf46c1a28e866 /docs | |
| parent | 9f88a7a3df11a5aaa6212ea535d40d5f92561683 (diff) | |
s390: Recognize confidential-guest-support option
At least some s390 cpu models support "Protected Virtualization" (PV),
a mechanism to protect guests from eavesdropping by a compromised
hypervisor.
This is similar in function to other mechanisms like AMD's SEV and
POWER's PEF, which are controlled by the "confidential-guest-support"
machine option. s390 is a slightly special case, because we already
supported PV, simply by using a CPU model with the required feature
(S390_FEAT_UNPACK).
To integrate this with the option used by other platforms, we
implement the following compromise:
- When the confidential-guest-support option is set, s390 will
recognize it, verify that the CPU can support PV (failing if not)
and set virtio default options necessary for encrypted or protected
guests, as on other platforms. i.e. if confidential-guest-support
is set, we will either create a guest capable of entering PV mode,
or fail outright.
- If confidential-guest-support is not set, guests might still be
able to enter PV mode, if the CPU has the right model. This may be
a little surprising, but shouldn't actually be harmful.
To start a guest supporting Protected Virtualization using the new
option use the command line arguments:
-object s390-pv-guest,id=pv0 -machine confidential-guest-support=pv0
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/confidential-guest-support.txt | 3 | ||||
| -rw-r--r-- | docs/system/s390x/protvirt.rst | 19 |
2 files changed, 16 insertions, 6 deletions
diff --git a/docs/confidential-guest-support.txt b/docs/confidential-guest-support.txt index 4da4c91bd3..71d07ba57a 100644 --- a/docs/confidential-guest-support.txt +++ b/docs/confidential-guest-support.txt @@ -43,4 +43,7 @@ AMD Secure Encrypted Virtualization (SEV) POWER Protected Execution Facility (PEF) docs/papr-pef.txt +s390x Protected Virtualization (PV) + docs/system/s390x/protvirt.rst + Other mechanisms may be supported in future. diff --git a/docs/system/s390x/protvirt.rst b/docs/system/s390x/protvirt.rst index 712974ad87..0f481043d9 100644 --- a/docs/system/s390x/protvirt.rst +++ b/docs/system/s390x/protvirt.rst @@ -22,15 +22,22 @@ If those requirements are met, the capability `KVM_CAP_S390_PROTECTED` will indicate that KVM can support PVMs on that LPAR. -QEMU Settings -------------- +Running a Protected Virtual Machine +----------------------------------- -To indicate to the VM that it can transition into protected mode, the +To run a PVM you will need to select a CPU model which includes the `Unpack facility` (stfle bit 161 represented by the feature -`unpack`/`S390_FEAT_UNPACK`) needs to be part of the cpu model of -the VM. +`unpack`/`S390_FEAT_UNPACK`), and add these options to the command line:: + + -object s390-pv-guest,id=pv0 \ + -machine confidential-guest-support=pv0 + +Adding these options will: + +* Ensure the `unpack` facility is available +* Enable the IOMMU by default for all I/O devices +* Initialize the PV mechanism -All I/O devices need to use the IOMMU. Passthrough (vfio) devices are currently not supported. Host huge page backings are not supported. However guests can use huge |