Commit Graph

12 Commits

Author SHA1 Message Date
Daniel P. Berrangé
330036a897 docs/kbase: describe attestation for SEV guests
Expand the SEV guest kbase guide with information about how to configure
a SEV/SEV-ES guest when attestation is required, and mention the use of
virt-qemu-sev-validate as a way to confirm it.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2022-11-15 11:09:30 +00:00
Peter Krempa
f5c5b16d5d kbase: launch_security_sev: Break up overly long line
Standard text is aligned to 80 colums in all .rst files.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2022-06-13 16:09:32 +02:00
Cole Robinson
d823f27597 docs: kbase/launch_security_sev: QEMU 6.0+ sets iommu=on for us
Reviewed-by: Erik Skultety <eskultet@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2022-06-13 09:12:35 -04:00
Peter Krempa
a781f7980c docs: formatdomain: Remove 'launchSecurity' anchor
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2022-06-01 12:27:10 +02:00
Peter Krempa
ffef3fcd7b docs: kbase/launch_security_sev: Fix local anchor links
Original conversion didn't properly convert local links. Fix them by
pointing to the section name. In certain cases this requires
reformulation of the text.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2022-04-19 16:19:48 +02:00
Tim Wiederhake
5729d94917 Fix spelling
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2021-04-15 15:42:21 +02:00
Erik Skultety
b44f35e2cf docs: kbase: sev: Adjust the claims that virtio-blk doesn't work
Using virtio-blk with SEV on host kernels prior to 5.1 didn't work
because of SWIOTLB limitations and the way virtio has to use it over
DMA-API for SEV (see [1] for detailed info). That is no longer true, so
reword the kbase article accordingly.

For reference, these are the upstream kernel commits lifting the
virtio-blk limitation:
abe420bfae528c92bd8cc5ecb62dc95672b1fd6f
492366f7b4237257ef50ca9c431a6a0d50225aca
133d624b1cee16906134e92d5befb843b58bcf31
e6d6dd6c875eb3c9b69bb640419405726e6e0bbe
fd1068e1860e44aaaa337b516df4518d1ce98da1

[1] https://lore.kernel.org/linux-block/20190110134433.15672-1-joro@8bytes.org/

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2021-01-11 14:44:15 +01:00
Erik Skultety
c7228e4a9c docs: kbase: Tune how CPU support for SEV should be queried
#useless_use_of_cat + avoid accidental substring matches.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2020-09-10 15:42:40 +02:00
Erik Skultety
61e56729ff kbase: sev: Provide more details on virtio-net configuration
With virtio-net we also need to disable the iPXE option ROM otherwise
a SEV-enabled guest would not boot. While at it, fix the full machine
XML examples accordingly.

Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2020-08-12 09:10:36 +02:00
Erik Skultety
70bb493efc docs: kbase: Fix the libvirt-host-validate typo
I overlooked this typo during review of 2c3ffa37.

Reported-by: Yalan Zhang <yalzhang@redhat.com>
Signed-off-by: Erik Skultety <eskultet@redhat.com>
2020-07-08 13:04:01 +02:00
Boris Fiuczynski
2c3ffa3728 docs: Update AMD launch secure description
Update document with changes in qemu capability caching and the added
secure guest support checking for AMD SEV in virt-host-validate.

Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2020-06-16 09:43:45 +02:00
Daniel P. Berrangé
f0bfb1b892 docs: convert kbase/launch_security_sev.html.in to RST
This is a semi-automated conversion. The first conversion is done using
"pandoc -f html -t rst". The result is then editted manually to apply
the desired heading markup, and fix a few things that pandoc gets wrong.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-04 16:10:21 +00:00