diff options
author | David Gibson <david@gibson.dropbear.id.au> | 2020-04-08 15:10:03 +1000 |
---|---|---|
committer | David Gibson <david@gibson.dropbear.id.au> | 2021-02-08 16:57:38 +1100 |
commit | 6c8ebe30ea8055fce8b24730e970532b3c849fdb (patch) | |
tree | 177b5de9193d3ca1632d71a68696b8b11d24c676 /docs | |
parent | 64d19f333464a877f3ebe538510a10a514db0eb9 (diff) |
spapr: Add PEF based confidential guest support
Some upcoming POWER machines have a system called PEF (Protected
Execution Facility) which uses a small ultravisor to allow guests to
run in a way that they can't be eavesdropped by the hypervisor. The
effect is roughly similar to AMD SEV, although the mechanisms are
quite different.
Most of the work of this is done between the guest, KVM and the
ultravisor, with little need for involvement by qemu. However qemu
does need to tell KVM to allow secure VMs.
Because the availability of secure mode is a guest visible difference
which depends on having the right hardware and firmware, we don't
enable this by default. In order to run a secure guest you need to
create a "pef-guest" object and set the confidential-guest-support
property to point to it.
Note that this just *allows* secure guests, the architecture of PEF is
such that the guest still needs to talk to the ultravisor to enter
secure mode. Qemu has no direct way of knowing if the guest is in
secure mode, and certainly can't know until well after machine
creation time.
To start a PEF-capable guest, use the command line options:
-object pef-guest,id=pef0 -machine confidential-guest-support=pef0
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Greg Kurz <groug@kaod.org>
Diffstat (limited to 'docs')
-rw-r--r-- | docs/confidential-guest-support.txt | 3 | ||||
-rw-r--r-- | docs/papr-pef.txt | 30 |
2 files changed, 33 insertions, 0 deletions
diff --git a/docs/confidential-guest-support.txt b/docs/confidential-guest-support.txt index bd439ac800..4da4c91bd3 100644 --- a/docs/confidential-guest-support.txt +++ b/docs/confidential-guest-support.txt @@ -40,4 +40,7 @@ Currently supported confidential guest mechanisms are: AMD Secure Encrypted Virtualization (SEV) docs/amd-memory-encryption.txt +POWER Protected Execution Facility (PEF) + docs/papr-pef.txt + Other mechanisms may be supported in future. diff --git a/docs/papr-pef.txt b/docs/papr-pef.txt new file mode 100644 index 0000000000..72550e9bf8 --- /dev/null +++ b/docs/papr-pef.txt @@ -0,0 +1,30 @@ +POWER (PAPR) Protected Execution Facility (PEF) +=============================================== + +Protected Execution Facility (PEF), also known as Secure Guest support +is a feature found on IBM POWER9 and POWER10 processors. + +If a suitable firmware including an Ultravisor is installed, it adds +an extra memory protection mode to the CPU. The ultravisor manages a +pool of secure memory which cannot be accessed by the hypervisor. + +When this feature is enabled in QEMU, a guest can use ultracalls to +enter "secure mode". This transfers most of its memory to secure +memory, where it cannot be eavesdropped by a compromised hypervisor. + +Launching +--------- + +To launch a guest which will be permitted to enter PEF secure mode: + +# ${QEMU} \ + -object pef-guest,id=pef0 \ + -machine confidential-guest-support=pef0 \ + ... + +Live Migration +---------------- + +Live migration is not yet implemented for PEF guests. For +consistency, we currently prevent migration if the PEF feature is +enabled, whether or not the guest has actually entered secure mode. |