[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v8 09/13] confidential guest support: Update documentation
|
From: |
David Gibson |
|
Subject: |
[PATCH v8 09/13] confidential guest support: Update documentation |
|
Date: |
Tue, 2 Feb 2021 15:13:11 +1100 |
Now that we've implemented a generic machine option for configuring various
confidential guest support mechanisms:
1. Update docs/amd-memory-encryption.txt to reference this rather than
the earlier SEV specific option
2. Add a docs/confidential-guest-support.txt to cover the generalities of
the confidential guest support scheme
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Greg Kurz <groug@kaod.org>
---
docs/amd-memory-encryption.txt | 2 +-
docs/confidential-guest-support.txt | 43 +++++++++++++++++++++++++++++
2 files changed, 44 insertions(+), 1 deletion(-)
create mode 100644 docs/confidential-guest-support.txt
diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt
index 80b8eb00e9..145896aec7 100644
--- a/docs/amd-memory-encryption.txt
+++ b/docs/amd-memory-encryption.txt
@@ -73,7 +73,7 @@ complete flow chart.
To launch a SEV guest
# ${QEMU} \
- -machine ...,memory-encryption=sev0 \
+ -machine ...,confidential-guest-support=sev0 \
-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1
Debugging
diff --git a/docs/confidential-guest-support.txt
b/docs/confidential-guest-support.txt
new file mode 100644
index 0000000000..bd439ac800
--- /dev/null
+++ b/docs/confidential-guest-support.txt
@@ -0,0 +1,43 @@
+Confidential Guest Support
+==========================
+
+Traditionally, hypervisors such as QEMU have complete access to a
+guest's memory and other state, meaning that a compromised hypervisor
+can compromise any of its guests. A number of platforms have added
+mechanisms in hardware and/or firmware which give guests at least some
+protection from a compromised hypervisor. This is obviously
+especially desirable for public cloud environments.
+
+These mechanisms have different names and different modes of
+operation, but are often referred to as Secure Guests or Confidential
+Guests. We use the term "Confidential Guest Support" to distinguish
+this from other aspects of guest security (such as security against
+attacks from other guests, or from network sources).
+
+Running a Confidential Guest
+----------------------------
+
+To run a confidential guest you need to add two command line parameters:
+
+1. Use "-object" to create a "confidential guest support" object. The
+ type and parameters will vary with the specific mechanism to be
+ used
+2. Set the "confidential-guest-support" machine parameter to the ID of
+ the object from (1).
+
+Example (for AMD SEV)::
+
+ qemu-system-x86_64 \
+ <other parameters> \
+ -machine ...,confidential-guest-support=sev0 \
+ -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1
+
+Supported mechanisms
+--------------------
+
+Currently supported confidential guest mechanisms are:
+
+AMD Secure Encrypted Virtualization (SEV)
+ docs/amd-memory-encryption.txt
+
+Other mechanisms may be supported in future.
--
2.29.2
- Re: [PATCH v8 07/13] confidential guest support: Introduce cgs "ready" flag, (continued)
- [PATCH v8 06/13] sev: Add Error ** to sev_kvm_init(), David Gibson, 2021/02/01
- [PATCH v8 05/13] confidential guest support: Rework the "memory-encryption" property, David Gibson, 2021/02/01
- [PATCH v8 11/13] spapr: PEF: prevent migration, David Gibson, 2021/02/01
- [PATCH v8 12/13] confidential guest support: Alter virtio default properties for protected guests, David Gibson, 2021/02/01
- [PATCH v8 09/13] confidential guest support: Update documentation,
David Gibson <=
- [PATCH v8 10/13] spapr: Add PEF based confidential guest support, David Gibson, 2021/02/01
- [PATCH v8 13/13] s390: Recognize confidential-guest-support option, David Gibson, 2021/02/01