External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-07-11 12:25:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: kbase: sev: Adjust the claims that virtio-blk doesn't work

Browse Source 
Using virtio-blk with SEV on host kernels prior to 5.1 didn't work
because of SWIOTLB limitations and the way virtio has to use it over
DMA-API for SEV (see [1] for detailed info). That is no longer true, so
reword the kbase article accordingly.

For reference, these are the upstream kernel commits lifting the
virtio-blk limitation:
abe420bfae528c92bd8cc5ecb62dc95672b1fd6f
492366f7b4237257ef50ca9c431a6a0d50225aca
133d624b1cee16906134e92d5befb843b58bcf31
e6d6dd6c875eb3c9b69bb640419405726e6e0bbe
fd1068e1860e44aaaa337b516df4518d1ce98da1

[1] https://lore.kernel.org/linux-block/20190110134433.15672-1-joro@8bytes.org/

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
This commit is contained in:
Erik Skultety 2021-01-08 17:23:32 +01:00
parent e41b5cfc7f
commit b44f35e2cf
1 changed files with 9 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
docs/kbase/launch_security_sev.rst
View File

@ -374,16 +374,15 @@ running:
Limitations
===========
Currently, the boot disk cannot be of type virtio-blk, instead,
virtio-scsi needs to be used if virtio is desired. This limitation is
expected to be lifted with future releases of kernel (the kernel used at
the time of writing the article is 5.0.14). If you still cannot start an
SEV VM, it could be because of wrong SELinux label on the ``/dev/sev``
device with selinux-policy <3.14.2.40 which prevents QEMU from touching
the device. This can be resolved by upgrading the package, tuning the
selinux policy rules manually to allow svirt_t to access the device (see
``audit2allow`` on how to do that) or putting SELinux into permissive
mode (discouraged).
With older kernels (kernel <5.1) the boot disk cannot not be of type
virtio-blk, instead, virtio-scsi needs to be used if virtio is desired.
If you still cannot start an SEV VM, it could be because of wrong SELinux label
on the ``/dev/sev`` device with selinux-policy <3.14.2.40 which prevents QEMU
from touching the device. This can be resolved by upgrading the package, tuning
the selinux policy rules manually to allow svirt_t to access the device (see
``audit2allow`` on how to do that) or putting SELinux into permissive mode
(discouraged).
Full domain XML examples
========================