Commit
confidential guest support: Update documentation
Now that we've implemented a generic machine option for configuring various confidential guest support mechanisms:

1. Update docs/amd-memory-encryption.txt to reference this rather than the earlier SEV specific option
2. Add a docs/confidential-guest-support.txt to cover the generalities of the confidential guest support scheme

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Greg Kurz <groug@kaod.org>
Showing 2 changed files with 44 additions and 1 deletion.
@@ -0,0 +1,43 @@ | ||
Confidential Guest Support | ||
========================== | ||
|
||
Traditionally, hypervisors such as QEMU have complete access to a | ||
guest's memory and other state, meaning that a compromised hypervisor | ||
can compromise any of its guests. A number of platforms have added | ||
mechanisms in hardware and/or firmware which give guests at least some | ||
protection from a compromised hypervisor. This is obviously | ||
especially desirable for public cloud environments. | ||
|
||
These mechanisms have different names and different modes of | ||
operation, but are often referred to as Secure Guests or Confidential | ||
Guests. We use the term "Confidential Guest Support" to distinguish | ||
this from other aspects of guest security (such as security against | ||
attacks from other guests, or from network sources). | ||
|
||
Running a Confidential Guest | ||
---------------------------- | ||
|
||
To run a confidential guest you need to add two command line parameters: | ||
|
||
1. Use "-object" to create a "confidential guest support" object. The | ||
type and parameters will vary with the specific mechanism to be | ||
used | ||
2. Set the "confidential-guest-support" machine parameter to the ID of | ||
the object from (1). | ||
|
||
Example (for AMD SEV):: | ||
|
||
qemu-system-x86_64 \ | ||
<other parameters> \ | ||
-machine ...,confidential-guest-support=sev0 \ | ||
-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 | ||
|
||
Supported mechanisms | ||
-------------------- | ||
|
||
Currently supported confidential guest mechanisms are: | ||
|
||
AMD Secure Encrypted Virtualization (SEV) | ||
docs/amd-memory-encryption.txt | ||
|
||
Other mechanisms may be supported in future. |
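Review bot: The SEV example hardcodes "cbitpos=47,reduced-phys-bits=1", but these values are properties of the host CPU rather than fixed constants, and the text two paragraphs earlier says the object's parameters "will vary with the specific mechanism". Consider adding a sentence under the example saying that the values shown are illustrative and that the correct cbitpos and reduced-phys-bits for a given host must be taken from the platform (with a pointer to docs/amd-memory-encryption.txt, which this document already lists), so a reader does not copy the example verbatim onto a machine where it is wrong. Also, since the introduction says these mechanisms give "at least some protection" and have "different modes of operation", it would help to state explicitly that the scope of protection differs per mechanism and that the mechanism-specific document is the authority on what is and is not protected. Minor: item 1 of the numbered list ends with "used" and no full stop, while item 2 has one.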