From nobody Sun May  5 16:14:44 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 205.139.110.61 as permitted sender) client-ip=205.139.110.61;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-1.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1596799620; cv=none;
	d=zohomail.com; s=zohoarc;
	b=OxoN4MueiUtUW5MSQmoL4Yc159ySocSoPVJIV1F+cB0eF1QAycIZ98iUbdr0d5o+og3GzF7L5RyP0otKba34U+SUGZ5pU+SyihMIGbVzYaVMqiVODok1Cy915/9XA/1YaG/uKwGmzjmLoM6yZGKHA4YaIQVZyK5KdEFi1u3qJyI=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1596799620;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To;
	bh=ztQ33BnY8MmeN46WvJQKYAi0ObqJC1w1NyP9S3X8G50=;
	b=ESPyytr4HFPy30MFYWerRY59RIuOW3erXEYL/zrClK6coNDbXyx2yEleyMzC34UAyQ20ByD9DTbHfQAfQCOmbBp7grF+e5ndB63p3D1Juf8CSpuURzlRLdaULj5siCDJO7t0F5SU7hnHbaZRTvgikkJb+9AwWjbbDqeH5gmoUKM=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<eskultet@redhat.com> (p=none dis=none)
 header.from=<eskultet@redhat.com>
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com
 [205.139.110.61]) by mx.zohomail.com
	with SMTPS id 1596799620540159.63986275678883;
 Fri, 7 Aug 2020 04:27:00 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-482-7EejJEwmO0eUhC6XXUX-Xw-1; Fri, 07 Aug 2020 07:26:57 -0400
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
 [10.5.11.22])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E575C19067E1;
	Fri,  7 Aug 2020 11:26:50 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id EBF1B1001901;
	Fri,  7 Aug 2020 11:26:48 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id B751995467;
	Fri,  7 Aug 2020 11:26:44 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
	[10.5.11.11])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 077BL7WY020209 for <libvir-list@listman.util.phx.redhat.com>;
	Fri, 7 Aug 2020 07:21:07 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 283F687A76; Fri,  7 Aug 2020 11:21:07 +0000 (UTC)
Received: from nautilus.redhat.com (unknown [10.40.193.78])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 1C3A787A7A;
	Fri,  7 Aug 2020 11:21:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1596799619;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=ztQ33BnY8MmeN46WvJQKYAi0ObqJC1w1NyP9S3X8G50=;
	b=AXFBMgWhw3xL3GHqRQ4179rB4MXYtS7IYNEjbJd9egmOL7g/K/73cuz/U7R6aXUtEeRP0K
	1o802EA5P8yhY368c+g2HntoI3L+q90TRBW+lmkS2BQ9pIUNXmDCxPd/1K53R8Tlv0Xv4r
	E2ZCTZX/4R/DdMjzt35/zx5X4GWTdz4=
X-MC-Unique: 7EejJEwmO0eUhC6XXUX-Xw-1
From: Erik Skultety <eskultet@redhat.com>
To: libvir-list@redhat.com
Subject: [libvirt PATCH] kbase: sev: Provide more details on virtio-net
	configuration
Date: Fri,  7 Aug 2020 13:21:02 +0200
Message-Id: 
 <91b2c0ec3cf8152941e2650df397ed599d28855a.1596799189.git.eskultet@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-loop: libvir-list@redhat.com
Cc: lersek@redhat.com, "Dr . David Alan Gilbert" <dgilbert@redhat.com>,
	Erik Skultety <eskultet@redhat.com>
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
Content-Type: text/plain; charset="utf-8"

With virtio-net further configuration settings are required, so document
them and while at it, fix the Q35 machine XML example which wouldn't
work with SEV because of not disabling vhost and the option boot ROM.

Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Erik Skultety <eskultet@redhat.com>
---
 docs/kbase/launch_security_sev.rst | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_securit=
y_sev.rst
index cfdc2a6120..9df4178aac 100644
--- a/docs/kbase/launch_security_sev.rst
+++ b/docs/kbase/launch_security_sev.rst
@@ -291,8 +291,9 @@ can still perform DoS on each other.
 Virtio
 ------
=20
-In order to make virtio devices work, we need to enable emulated IOMMU
-on the devices so that virtual DMA can work.
+In order to make virtio devices work, we need to use
+``<driver iommu=3D'on'/>`` inside the given device XML element in order
+to enable DMA API in the virtio driver.
=20
 ::
=20
@@ -337,6 +338,26 @@ model, which means that virtio GPU cannot be used.
      ...
    </domain>
=20
+Virtio-net
+~~~~~~~~~~
+With virtio-net it's also necessary to disable the iPXE option ROM on the
+device as well as disable the vhost protocol as SEV doesn't support either
+(at the time of this writing). This translates to the following XML:
+
+::
+
+   <domain>
+     ...
+     <interface type=3D'network'>
+        ...
+       <model type=3D'virtio'/>
+       <driver name=3D'qemu' iommu=3D'on'/>
+       <rom enabled=3D'no'/>
+     </interface>
+     ...
+   <domain>
+
+
 Checking SEV from within the guest
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=20
@@ -423,7 +444,8 @@ Q35 machine
          <mac address=3D'52:54:00:cc:56:90'/>
          <source network=3D'default'/>
          <model type=3D'virtio'/>
-         <driver iommu=3D'on'/>
+         <driver name=3D'qemu' iommu=3D'on'/>
+         <rom enabled=3D'no'/>
        </interface>
        <graphics type=3D'spice' autoport=3D'yes'>
          <listen type=3D'address'/>
--=20
2.26.2