[libvirt] [PATCH] docs: Provide documentation for SEV launch security (DO NOT PUSH)

Erik Skultety posted 1 patch 4 years, 10 months ago
Test syntax-check passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/b19c324406f3463d12e06c3834af458fde0973b3.1561649147.git.eskultet@redhat.com
docs/launch_security_sev.html.in | 536 +++++++++++++++++++++++++++++++
1 file changed, 536 insertions(+)
create mode 100644 docs/launch_security_sev.html.in
[libvirt] [PATCH] docs: Provide documentation for SEV launch security (DO NOT PUSH)
Posted by Erik Skultety 4 years, 10 months ago
---

I sent this as a patch to get a review on the contents itself, but I believe it
should live as an article on our wiki page afterwards.

 docs/launch_security_sev.html.in | 536 +++++++++++++++++++++++++++++++
 1 file changed, 536 insertions(+)
 create mode 100644 docs/launch_security_sev.html.in

diff --git a/docs/launch_security_sev.html.in b/docs/launch_security_sev.html.in
new file mode 100644
index 0000000000..42db10b33a
--- /dev/null
+++ b/docs/launch_security_sev.html.in
@@ -0,0 +1,536 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <meta charset="UTF-8"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1"/>
+    <link rel="stylesheet" type="text/css" href="main.css"/>
+    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png"/>
+    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/>
+    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/>
+    <link rel="manifest" href="/manifest.json"/>
+    <meta name="theme-color" content="#ffffff"/>
+    <title>libvirt: Launch security with AMD SEV</title>
+    <meta name="description" content="libvirt, virtualization, virtualization API"/>
+    <script type="text/javascript" src="js/main.js">
+      <!--// forces non-empty element-->
+    </script>
+  </head>
+  <body onload="pageload()">
+    <div id="body">
+      <div id="content">
+        <h1>Launch security with AMD SEV</h1>
+        <ul>
+          <li>
+            <a href="#Host">Enabling SEV on the host</a>
+          </li>
+          <li>
+            <a href="#Virt">Checking SEV support in the virt stack</a>
+          </li>
+          <li>
+            <a href="#Configuration">VM Configuration</a>
+          </li>
+          <li>
+            <a href="#Limitations">Limitations</a>
+          </li>
+          <li>
+            <a href="#Examples">Full domain XML examples</a>
+          </li>
+        </ul>
+      </div>
+      <p>
+          Storage encryption in modern public cloud computing is a common practice.
+          However, from the point of view of a user of these cloud workloads, a
+          significant amount of trust needs to be put in the cloud platform security as
+          well as integrity (was the hypervisor tampered?). For this reason there's ever
+          rising demand for securing data in use, i.e. memory encryption.
+          One of the solutions addressing this matter is AMD SEV.
+      </p>
+      <h2>AMD SEV</h2>
+      <p>
+          SEV (Secure Encrypted Virtualization) is a feature extension of AMD's SME (Secure
+          Memory Encryption) intended for KVM virtual machines which is supported
+          primarily on AMD's EPYC CPU line. In contrast to SME, SEV uses a unique memory encryption
+          key for each VM. The whole encryption of memory pages is completely transparent
+          to the hypervisor and happens in the AMD firmware.
+          For more details about the technology itself, you can visit
+        <a href="https://developer.amd.com/sev/">AMD's developer portal</a>.
+      </p>
+      <h3>
+        <a id="Host">Enabling SEV on the host</a>
+        <a class="headerlink" href="#Host" title="Permalink to this headline">¶</a>
+      </h3>
+      <p>
+          Before VMs can make use of the SEV feature you need to make sure your
+          AMD CPU does support SEV. You can check whether SEV is among the CPU
+          flags with:
+      </p>
+
+      <pre>
+$ cat /proc/cpuinfo | grep sev
+...
+sme ssbd sev ibpb</pre>
+
+      <p>
+          Next step is to enable SEV in the kernel, because it is disabled by default.
+          This is done by putting the following onto the kernel command line:
+      </p>
+      <pre>
+mem_encrypt=on kvm_amd.sev=1
+      </pre>
+
+      <p>
+          To make the changes persistent, append the above to the variable holding
+          parameters of the kernel command line in
+          <code>/etc/default/grub</code> to preserve SEV settings across reboots
+      </p>
+
+      <pre>
+$ cat /etc/default/grub
+...
+GRUB_CMDLINE_LINUX="... mem_encrypt=on kvm_amd.sev=1"
+$ grub2-mkconfig -o /boot/efi/EFI/&lt;distro&gt;/grub.cfg</pre>
+
+      <p>
+        <code>mem_encrypt=on</code> turns on the SME memory encryption feature on
+        the host which is required for SEV to work. The <code>kvm_amd.sev</code>
+        parameter actually enables SEV in the kvm module. It can be set on the
+        command line alongside <code>mem_encrypt</code> like shown above, or it
+        can be put into a module config under <code>/etc/modprobe.d/</code>
+      </p>
+      <pre>
+$ cat /etc/modprobe.d/sev.conf
+options kvm_amd sev=1
+      </pre>
+      <p>
+          After rebooting the host, you should see SEV being enabled in the kernel:
+      </p>
+      <pre>
+$ cat /sys/module/kvm_amd/parameters/sev
+1
+      </pre>
+
+      <h2>
+        <a id="Virt">Checking SEV support in the virt stack</a>
+        <a class="headerlink" href="#Virt" title="Permalink to this headline">¶</a>
+      </h2>
+      <p>
+        <b>Note: All of the commands bellow need to be run with root privileges.</b>
+      </p>
+      <p>
+          First make sure you have the following packages in the specified versions:
+      </p>
+      <ul>
+        <li>
+            libvirt >= 4.5.0 (>5.1.0 recommended due to additional SEV bugfixes)
+        </li>
+        <li>
+            QEMU >= 2.12.0
+        </li>
+      </ul>
+      <p>
+          To confirm that the virtualization stack supports SEV, run the following:
+      </p>
+      <pre>
+# virsh domcapabilities
+&lt;domainCapabilities&gt;
+...
+  &lt;features&gt;
+    ...
+    &lt;sev supported='yes'&gt;
+      &lt;cbitpos&gt;47&lt;/cbitpos&gt;
+      &lt;reducedPhysBits&gt;1&lt;/reducedPhysBits&gt;
+    &lt;/sev&gt;
+    ...
+  &lt;/features&gt;
+&lt;/domainCapabilities&gt;</pre>
+      <p>
+          Note that if libvirt was already installed and libvirtd running before enabling SEV in the kernel followed by the host reboot you need to force libvirtd
+          to re-probe both the host and QEMU capabilities. First stop libvirtd:
+      </p>
+      <pre>
+# systemctl stop libvirtd.service
+      </pre>
+      <p>
+          Now you need to clean the capabilities cache:
+      </p>
+      <pre>
+# rm -f /var/cache/libvirt/qemu/capabilities/*
+      </pre>
+      <p>
+          If you now restart libvirtd, it will re-probe the capabilities and if
+          you now run:
+      </p>
+      <pre>
+# virsh domcapabilities
+      </pre>
+      <p>
+          SEV should be listed as supported. If you still see:
+      </p>
+      <pre>
+&lt;sev supported='no'/&gt;
+      </pre>
+      <p>
+          it means one of two things:
+        <ol>
+          <li>
+              libvirt does support SEV, but either QEMU or the host does not
+          </li>
+          <li>
+            you have libvirt &lt;=5.1.0 which suffered from getting a
+            <code>'Permission denied'</code> on <code>/dev/sev</code> because
+            of the default permissions on the character device which prevented
+            QEMU from opening it during capabilities probing - you can either
+            manually tweak the permissions so that QEMU has access to it or
+            preferably install libvirt 5.1.0 or higher
+          </li>
+        </ol>
+    </p>
+    <h2>
+      <a id="Configuration">VM Configuration</a>
+      <a class="headerlink" href="#Configuration" title="Permalink to this headline">¶</a>
+    </h2>
+    <p>
+        SEV is enabled in the XML by specifying the
+      <a href="https://libvirt.org/formatdomain.html#launchSecurity">&lt;launchSecurity&gt; </a> element. However, specifying <code>launchSecurity</code> isn't
+        enough to boot an SEV VM. Further configuration requirements are discussed
+          below.
+      </p>
+
+      <h3>Machine type</h3>
+      <p>
+          Even though both Q35 and legacy PC machine types (for PC see also
+          "virtio") can be used with SEV, usage of the legacy PC machine type is
+          strongly discouraged, since depending on how your OVMF package was
+          built (e.g. including features like SecureBoot or SMM) Q35 may even be
+          required.
+      </p>
+
+      <h5>Q35</h5>
+<pre>
+...
+&lt;os&gt;
+  &lt;type arch='x86_64' machine='pc-q35-3.0'&gt;hvm&lt;/type&gt;
+  ...
+&lt;/os&gt;
+...</pre>
+
+      <h5>i440fx (discouraged)</h5>
+      <pre>
+...
+&lt;os&gt;
+  &lt;type arch='x86_64' machine='pc-i440fx-3.0'&gt;hvm&lt;/type&gt;
+  ...
+&lt;/os&gt;
+...
+      </pre>
+
+      <h3>Boot loader</h3>
+      <p>
+          SEV is only going to work with OVMF (UEFI), so you'll need to point libvirt to
+          the correct OVMF binary.
+      </p>
+      <pre>
+...
+&lt;os&gt;
+  &lt;type arch='x86_64' machine='pc-q35-3.0'&gt;hvm&lt;/type&gt;
+  &lt;loader readonly='yes' type='pflash'&gt;/usr/share/edk2/ovmf/OVMF_CODE.fd&lt;/loader&gt;
+&lt;/os&gt;
+...</pre>
+
+      <h3>Memory</h3>
+      <p>
+          Internally, SEV expects that the encrypted memory pages won't be swapped out or move
+          around so the VM memory needs to be pinned in physical RAM which will be
+          handled by QEMU. Apart from that, certain memory regions allocated by QEMU
+          itself (UEFI pflash, device ROMs, video RAM, etc.) have to be encrypted as
+          well. This causes a conflict in how libvirt tries to protect the host.
+          By default, libvirt enforces a memory hard limit on each VM's cgroup in order
+          to protect the host from malicious QEMU to allocate and lock all the available
+          memory. This limit corresponds to the total memory allocation for the VM given
+          by <code>&lt;currentMemory&gt;</code> element. However, trying to account for the additional
+          memory regions QEMU allocates when calculating the limit in an automated manner
+          is non-deterministic. One way to resolve this is to set the hard limit manually.
+
+        <p>
+          Note: Figuring out the right number so that your guest boots and isn't killed is
+          challenging, but 256MiB extra memory over the total guest RAM should suffice for
+          most workloads and may serve as a good starting point.
+
+          For example, a domain with 4GB memory with a 256MiB extra hard limit would look
+          like this:
+        </p>
+      </p>
+      <pre>
+# virsh edit &lt;domain&gt;
+&lt;domain&gt;
+  ...
+  &lt;currentMemory unit='KiB'&gt;4194304&lt;/currentMemory&gt;
+  &lt;memtune&gt;
+    &lt;hard_limit unit='KiB'&gt;4456448&lt;/hard_limit&gt;
+  &lt;/memtune&gt;
+  ...
+&lt;/domain&gt;</pre>
+      <p>
+          There's another, preferred method of taking care of the limits by
+          using the<code>&lt;memoryBacking&gt;</code> element along with the
+          <code>&lt;locked/&gt;</code> subelement:
+      </p>
+      <pre>
+&lt;domain&gt;
+  ...
+  &lt;memoryBacking&gt;
+    &lt;locked/&gt;
+  &lt;/memoryBacking&gt;
+  ...
+&lt;/domain&gt;</pre>
+      <p>
+          What that does is that it tells libvirt not to force any hard limit (well,
+          unlimited) upon the VM cgroup. The obvious advantage is that one doesn't need
+          to determine the hard limit for every single SEV-enabled VM. However, there is
+          a significant security-related drawback to this approach. Since no hard limit
+          is applied, a malicious QEMU could perform a DoS attack by locking all of the
+          host's available memory. The way to avoid this issue and to protect the host is
+          to enforce a bigger hard limit on the master cgroup containing all of the VMs
+          - on systemd this is <code>machine.slice</code>.
+      </p>
+      <pre>
+# systemctl set-property machine.slice MemoryHigh=&lt;value&gt;</pre>
+      <p>
+          To put even stricter measures in place which would involve the OOM killer, use
+        <pre>
+# systemctl set-property machine.slice MemoryMax=&lt;value&gt;</pre>
+          instead. Alternatively, you can create a systemd config (don't forget
+          to reload systemd configuration in this case):
+        <pre>
+# cat &lt;&lt; EOF &gt; /etc/systemd/system.control/machine.slice.d/90-MemoryMax.conf
+MemoryMax=&lt;value&gt;
+EOF</pre>
+          The trade-off to keep in mind with the second approach is that the VMs
+          can still perform DoS on each other.
+      </p>
+      <h3>Virtio</h3>
+      <p>
+          In order to make virtio devices work, we need to enable emulated IOMMU
+          on the devices so that virtual DMA can work.
+      </p>
+      <pre>
+# virsh edit &lt;domain&gt;
+&lt;domain&gt;
+  ...
+  &lt;controller type='virtio-serial' index='0'&gt;
+    &lt;driver iommu='on'/&gt;
+  &lt;/controller&gt;
+  &lt;controller type='scsi' index='0' model='virtio-scsi'&gt;
+    &lt;driver iommu='on'/&gt;
+  &lt;/controller&gt;
+  ...
+  &lt;memballoon model='virtio'&gt;
+    &lt;driver iommu='on'/&gt;
+  &lt;/memballoon&gt;
+  &lt;rng model='virtio'&gt;
+    &lt;backend model='random'&gt;/dev/urandom&lt;/backend&gt;
+    &lt;driver iommu='on'/&gt;
+  &lt;/rng&gt;
+  ...
+&lt;domain&gt;</pre>
+    <p>
+        If you for some reason want to use the legacy PC machine type, further changes
+        to the virtio
+        configuration is required, because SEV will not work with Virtio &lt;1.0. In
+        libvirt, this is handled by using the virtio-non-transitional device model
+        (libvirt &gt;= 5.2.0 required).
+
+      <p>
+        Note: some devices like video devices don't
+          support non-transitional model, which means that virtio GPU cannot be used.
+      </p>
+    </p>
+    <pre>
+&lt;domain&gt;
+  ...
+  &lt;devices&gt;
+    ...
+    &lt;memballoon model='virtio-non-transitional'&gt;
+      &lt;driver iommu='on'/&gt;
+    &lt;/memballoon&gt;
+  &lt;/devices&gt;
+  ...
+&lt;/domain&gt;</pre>
+
+
+    <h2>
+      <a id="Limitations">Limitations</a>
+      <a class="headerlink" href="#Limitations" title="Permalink to this headline">¶</a>
+    </h2>
+    <p>
+        Currently, the boot disk cannot be of type virtio-blk, instead, virtio-scsi
+        needs to be used if virtio is desired. This limitation is expected to be lifted
+        with future releases of kernel (the kernel used at the time of writing the
+        article is 5.0.14).
+        If you still cannot start an SEV VM, it could be because of wrong SELinux label on the <code>/dev/sev</code> device with selinux-policy &lt;3.14.2.40 which prevents QEMU from touching the device. This can be resolved by upgrading the package, tuning the selinux policy rules manually to allow svirt_t to access the device (see <code>audit2allow</code> on how to do that) or putting SELinux into permissive mode (discouraged).
+    </p>
+    <h2>
+      <a id="Examples">Full domain XML examples</a>
+      <a class="headerlink" href="#Examples" title="Permalink to this headline">¶</a>
+    </h2>
+    <h5>Q35 machine</h5>
+    <pre>
+&lt;domain type='kvm'&gt;
+  &lt;name&gt;sev-dummy&lt;/name&gt;
+  &lt;memory unit='KiB'&gt;4194304&lt;/memory&gt;
+  &lt;currentMemory unit='KiB'&gt;4194304&lt;/currentMemory&gt;
+  &lt;memoryBacking&gt;
+    &lt;locked/&gt;
+  &lt;/memoryBacking&gt;
+  &lt;vcpu placement='static'&gt;4&lt;/vcpu&gt;
+  &lt;os&gt;
+    &lt;type arch='x86_64' machine='pc-q35-3.0'&gt;hvm&lt;/type&gt;
+    &lt;loader readonly='yes' type='pflash'&gt;/usr/share/edk2/ovmf/OVMF_CODE.fd&lt;/loader&gt;
+    &lt;nvram&gt;/var/lib/libvirt/qemu/nvram/sev-dummy_VARS.fd&lt;/nvram&gt;
+  &lt;/os&gt;
+  &lt;features&gt;
+    &lt;acpi/&gt;
+    &lt;apic/&gt;
+    &lt;vmport state='off'/&gt;
+  &lt;/features&gt;
+  &lt;cpu mode='host-model' check='partial'&gt;
+    &lt;model fallback='allow'/&gt;
+  &lt;/cpu&gt;
+  &lt;clock offset='utc'&gt;
+    &lt;timer name='rtc' tickpolicy='catchup'/&gt;
+    &lt;timer name='pit' tickpolicy='delay'/&gt;
+    &lt;timer name='hpet' present='no'/&gt;
+  &lt;/clock&gt;
+  &lt;on_poweroff&gt;destroy&lt;/on_poweroff&gt;
+  &lt;on_reboot&gt;restart&lt;/on_reboot&gt;
+  &lt;on_crash&gt;destroy&lt;/on_crash&gt;
+  &lt;pm&gt;
+    &lt;suspend-to-mem enabled='no'/&gt;
+    &lt;suspend-to-disk enabled='no'/&gt;
+  &lt;/pm&gt;
+  &lt;devices&gt;
+    &lt;emulator&gt;/usr/bin/qemu-kvm&lt;/emulator&gt;
+    &lt;disk type='file' device='disk'&gt;
+      &lt;driver name='qemu' type='qcow2'/&gt;
+      &lt;source file='/var/lib/libvirt/images/sev-dummy.qcow2'/&gt;
+      &lt;target dev='sda' bus='scsi'/&gt;
+      &lt;boot order='1'/&gt;
+    &lt;/disk&gt;
+    &lt;controller type='virtio-serial' index='0'&gt;
+      &lt;driver iommu='on'/&gt;
+    &lt;/controller&gt;
+    &lt;controller type='scsi' index='0' model='virtio-scsi'&gt;
+      &lt;driver iommu='on'/&gt;
+    &lt;/controller&gt;
+    &lt;interface type='network'&gt;
+      &lt;mac address='52:54:00:cc:56:90'/&gt;
+      &lt;source network='default'/&gt;
+      &lt;model type='virtio'/&gt;
+      &lt;driver iommu='on'/&gt;
+    &lt;/interface&gt;
+    &lt;graphics type='spice' autoport='yes'&gt;
+      &lt;listen type='address'/&gt;
+      &lt;gl enable='no'/&gt;
+    &lt;/graphics&gt;
+    &lt;video&gt;
+      &lt;model type='qxl'/&gt;
+    &lt;/video&gt;
+    &lt;memballoon model='virtio'&gt;
+      &lt;driver iommu='on'/&gt;
+    &lt;/memballoon&gt;
+    &lt;rng model='virtio'&gt;
+      &lt;driver iommu='on'/&gt;
+    &lt;/rng&gt;
+  &lt;/devices&gt;
+  &lt;launchSecurity type='sev'&gt;
+    &lt;cbitpos&gt;47&lt;/cbitpos&gt;
+    &lt;reducedPhysBits&gt;1&lt;/reducedPhysBits&gt;
+    &lt;policy&gt;0x0003&lt;/policy&gt;
+  &lt;/launchSecurity&gt;
+&lt;/domain&gt;</pre>
+
+    <h5>PC-i440fx machine:</h5>
+    <pre>
+&lt;domain type='kvm'&gt;
+  &lt;name&gt;sev-dummy-legacy&lt;/name&gt;
+  &lt;memory unit='KiB'&gt;4194304&lt;/memory&gt;
+  &lt;currentMemory unit='KiB'&gt;4194304&lt;/currentMemory&gt;
+  &lt;memtune&gt;
+    &lt;hard_limit unit='KiB'&gt;5242880&lt;/hard_limit&gt;
+  &lt;/memtune&gt;
+  &lt;vcpu placement='static'&gt;4&lt;/vcpu&gt;
+  &lt;os&gt;
+    &lt;type arch='x86_64' machine='pc-i440fx-3.0'&gt;hvm&lt;/type&gt;
+    &lt;loader readonly='yes' type='pflash'&gt;/usr/share/edk2/ovmf/OVMF_CODE.fd&lt;/loader&gt;
+    &lt;nvram&gt;/var/lib/libvirt/qemu/nvram/sev-dummy_VARS.fd&lt;/nvram&gt;
+    &lt;boot dev='hd'/&gt;
+  &lt;/os&gt;
+  &lt;features&gt;
+  &lt;acpi/&gt;
+  &lt;apic/&gt;
+  &lt;vmport state='off'/&gt;
+  &lt;/features&gt;
+  &lt;cpu mode='host-model' check='partial'&gt;
+    &lt;model fallback='allow'/&gt;
+  &lt;/cpu&gt;
+  &lt;clock offset='utc'&gt;
+    &lt;timer name='rtc' tickpolicy='catchup'/&gt;
+    &lt;timer name='pit' tickpolicy='delay'/&gt;
+    &lt;timer name='hpet' present='no'/&gt;
+  &lt;/clock&gt;
+  &lt;on_poweroff&gt;destroy&lt;/on_poweroff&gt;
+  &lt;on_reboot&gt;restart&lt;/on_reboot&gt;
+  &lt;on_crash&gt;destroy&lt;/on_crash&gt;
+  &lt;pm&gt;
+    &lt;suspend-to-mem enabled='no'/&gt;
+    &lt;suspend-to-disk enabled='no'/&gt;
+  &lt;/pm&gt;
+  &lt;devices&gt;
+    &lt;emulator&gt;/usr/bin/qemu-kvm&lt;/emulator&gt;
+    &lt;disk type='file' device='disk'&gt;
+      &lt;driver name='qemu' type='qcow2'/&gt;
+      &lt;source file='/var/lib/libvirt/images/sev-dummy-seabios.qcow2'/&gt;
+      &lt;target dev='sda' bus='sata'/&gt;
+    &lt;/disk&gt;
+    &lt;interface type='network'&gt;
+      &lt;mac address='52:54:00:d8:96:c8'/&gt;
+      &lt;source network='default'/&gt;
+      &lt;model type='virtio-non-transitional'/&gt;
+    &lt;/interface&gt;
+    &lt;serial type='pty'&gt;
+      &lt;target type='isa-serial' port='0'&gt;
+        &lt;model name='isa-serial'/&gt;
+      &lt;/target&gt;
+    &lt;/serial&gt;
+    &lt;console type='pty'&gt;
+      &lt;target type='serial' port='0'/&gt;
+    &lt;/console&gt;
+    &lt;input type='tablet' bus='usb'&gt;
+      &lt;address type='usb' bus='0' port='1'/&gt;
+    &lt;/input&gt;
+    &lt;input type='mouse' bus='ps2'/&gt;
+    &lt;input type='keyboard' bus='ps2'/&gt;
+    &lt;graphics type='spice' autoport='yes'&gt;
+      &lt;listen type='address'/&gt;
+      &lt;gl enable='no'/&gt;
+    &lt;/graphics&gt;
+    &lt;video&gt;
+      &lt;model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/&gt;
+    &lt;/video&gt;
+    &lt;memballoon model='virtio-non-transitional'&gt;
+      &lt;driver iommu='on'/&gt;
+    &lt;/memballoon&gt;
+      &lt;rng model='virtio-non-transitional'&gt;
+    &lt;driver iommu='on'/&gt;
+    &lt;/rng&gt;
+  &lt;/devices&gt;
+  &lt;launchSecurity type='sev'&gt;
+    &lt;cbitpos&gt;47&lt;/cbitpos&gt;
+    &lt;reducedPhysBits&gt;1&lt;/reducedPhysBits&gt;
+    &lt;policy&gt;0x0003&lt;/policy&gt;
+  &lt;/launchSecurity&gt;
+&lt;/domain&gt;</pre>
+  </div>
+</body>
+</html>
--
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] docs: Provide documentation for SEV launch security (DO NOT PUSH)
Posted by Andrea Bolognani 4 years, 10 months ago
On Thu, 2019-06-27 at 17:27 +0200, Erik Skultety wrote:
> +<?xml version="1.0" encoding="UTF-8"?>
> +<!DOCTYPE html>
> +<html xmlns="http://www.w3.org/1999/xhtml">
> +  <head>
> +    <meta charset="UTF-8"/>
> +    <meta name="viewport" content="width=device-width, initial-scale=1"/>
> +    <link rel="stylesheet" type="text/css" href="main.css"/>
> +    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png"/>
> +    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/>
> +    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/>
> +    <link rel="manifest" href="/manifest.json"/>
> +    <meta name="theme-color" content="#ffffff"/>
> +    <title>libvirt: Launch security with AMD SEV</title>
> +    <meta name="description" content="libvirt, virtualization, virtualization API"/>
> +    <script type="text/javascript" src="js/main.js">
> +      <!--// forces non-empty element-->
> +    </script>
> +  </head>
> +  <body onload="pageload()">
> +    <div id="body">
> +      <div id="content">
> +        <h1>Launch security with AMD SEV</h1>
> +        <ul>
> +          <li>
> +            <a href="#Host">Enabling SEV on the host</a>
> +          </li>
> +          <li>
> +            <a href="#Virt">Checking SEV support in the virt stack</a>
> +          </li>
> +          <li>
> +            <a href="#Configuration">VM Configuration</a>
> +          </li>
> +          <li>
> +            <a href="#Limitations">Limitations</a>
> +          </li>
> +          <li>
> +            <a href="#Examples">Full domain XML examples</a>
> +          </li>
> +        </ul>
> +      </div>

Did you accidentally commit the generated HTML page instead of the
source file, or some sort of weird hybrid of the two? Because almost
none of the above is supposed to be there.

-- 
Andrea Bolognani / Red Hat / Virtualization

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] docs: Provide documentation for SEV launch security (DO NOT PUSH)
Posted by Erik Skultety 4 years, 10 months ago
On Fri, Jun 28, 2019 at 03:52:13PM +0200, Andrea Bolognani wrote:
> On Thu, 2019-06-27 at 17:27 +0200, Erik Skultety wrote:
> > +<?xml version="1.0" encoding="UTF-8"?>
> > +<!DOCTYPE html>
> > +<html xmlns="http://www.w3.org/1999/xhtml">
> > +  <head>
> > +    <meta charset="UTF-8"/>
> > +    <meta name="viewport" content="width=device-width, initial-scale=1"/>
> > +    <link rel="stylesheet" type="text/css" href="main.css"/>
> > +    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png"/>
> > +    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/>
> > +    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/>
> > +    <link rel="manifest" href="/manifest.json"/>
> > +    <meta name="theme-color" content="#ffffff"/>
> > +    <title>libvirt: Launch security with AMD SEV</title>
> > +    <meta name="description" content="libvirt, virtualization, virtualization API"/>
> > +    <script type="text/javascript" src="js/main.js">
> > +      <!--// forces non-empty element-->
> > +    </script>
> > +  </head>
> > +  <body onload="pageload()">
> > +    <div id="body">
> > +      <div id="content">
> > +        <h1>Launch security with AMD SEV</h1>
> > +        <ul>
> > +          <li>
> > +            <a href="#Host">Enabling SEV on the host</a>
> > +          </li>
> > +          <li>
> > +            <a href="#Virt">Checking SEV support in the virt stack</a>
> > +          </li>
> > +          <li>
> > +            <a href="#Configuration">VM Configuration</a>
> > +          </li>
> > +          <li>
> > +            <a href="#Limitations">Limitations</a>
> > +          </li>
> > +          <li>
> > +            <a href="#Examples">Full domain XML examples</a>
> > +          </li>
> > +        </ul>
> > +      </div>
>
> Did you accidentally commit the generated HTML page instead of the
> source file, or some sort of weird hybrid of the two? Because almost
> none of the above is supposed to be there.

Yeah, an honest copy-paste error, if we decide that this should indeed be
merged and therefore available on the main webpage (as opposed to wiki), I'll
fix it of course.

Thanks,
Erik

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] docs: Provide documentation for SEV launch security (DO NOT PUSH)
Posted by Andrea Bolognani 4 years, 10 months ago
On Thu, 2019-06-27 at 17:27 +0200, Erik Skultety wrote:
> ---
> 
> I sent this as a patch to get a review on the contents itself, but I believe it
> should live as an article on our wiki page afterwards.

I'll also point out that I see no reason why this should be a wiki
page rather than part of the website / installed documentation.

But then again I'm not a fan of having two separate places where
documentation can potentially live, especially when there are (to
the best of my knowledge) no clear guidelines about which kind of
content belongs to each...

-- 
Andrea Bolognani / Red Hat / Virtualization

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] docs: Provide documentation for SEV launch security (DO NOT PUSH)
Posted by Erik Skultety 4 years, 10 months ago
On Fri, Jun 28, 2019 at 04:18:23PM +0200, Andrea Bolognani wrote:
> On Thu, 2019-06-27 at 17:27 +0200, Erik Skultety wrote:
> > ---
> >
> > I sent this as a patch to get a review on the contents itself, but I believe it
> > should live as an article on our wiki page afterwards.
>
> I'll also point out that I see no reason why this should be a wiki
> page rather than part of the website / installed documentation.
>
> But then again I'm not a fan of having two separate places where
> documentation can potentially live, especially when there are (to
> the best of my knowledge) no clear guidelines about which kind of
> content belongs to each...

Exactly, for example, NSS is treated as installed documentation, but NPIV is on
the wiki. Maybe this is a good time to decide and formulate the decision into
the guideline so we can start following it and bring some order into the chaos.
Nevertheless, I believe that (also after the recent JS changes) we should
think about how our docs can be improved, potentially separated to an
acceptable degree, IOW only host stuff related to generating docs from sources
and move the rest to something like readthedocs.io, since the navigation bars
has some issues and often I find myself using google to find a specific
resource rather than look at the nav bar, I didn't have that problem with
pykickstart and ansible, but then again, that is personal preference and
perception.

Thanks,
Erik

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] docs: Provide documentation for SEV launch security (DO NOT PUSH)
Posted by Daniel P. Berrangé 4 years, 10 months ago
On Thu, Jun 27, 2019 at 05:27:56PM +0200, Erik Skultety wrote:
> ---
> 
> I sent this as a patch to get a review on the contents itself, but I believe it
> should live as an article on our wiki page afterwards.

I don't think this should live in the wiki. The wiki is free to be changed
by anyone at any time with no review. It is also rather a black hole of
unlinked information.

We need to have a place for what I term task oriented docs on the main
website. Perhaps call it the "knowledge base"...

>  docs/launch_security_sev.html.in | 536 +++++++++++++++++++++++++++++++
>  1 file changed, 536 insertions(+)
>  create mode 100644 docs/launch_security_sev.html.in

...thus I'd suggest we create a 'docs/kbase/' subdirectory and use it for
this kind of documentation. A "docs/kbase/index.html" page can provide the
overall list of the pages.

Alot of stuff I've previously had on my personal blog could go here,
with some cleanup/modernization. Some stuff on the wiki currently
could usefully be moved & updated too.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] docs: Provide documentation for SEV launch security (DO NOT PUSH)
Posted by Erik Skultety 4 years, 9 months ago
On Fri, Jun 28, 2019 at 04:05:58PM +0100, Daniel P. Berrangé wrote:
> On Thu, Jun 27, 2019 at 05:27:56PM +0200, Erik Skultety wrote:
> > ---
> >
> > I sent this as a patch to get a review on the contents itself, but I believe it
> > should live as an article on our wiki page afterwards.
>
> I don't think this should live in the wiki. The wiki is free to be changed
> by anyone at any time with no review. It is also rather a black hole of
> unlinked information.
>
> We need to have a place for what I term task oriented docs on the main
> website. Perhaps call it the "knowledge base"...

Okay, I'll resend the patch with Andrea's suggestions applied.

>
> >  docs/launch_security_sev.html.in | 536 +++++++++++++++++++++++++++++++
> >  1 file changed, 536 insertions(+)
> >  create mode 100644 docs/launch_security_sev.html.in
>
> ...thus I'd suggest we create a 'docs/kbase/' subdirectory and use it for
> this kind of documentation. A "docs/kbase/index.html" page can provide the
> overall list of the pages.

I'll leave this for another day.

Thanks,
Erik

>
> Alot of stuff I've previously had on my personal blog could go here,
> with some cleanup/modernization. Some stuff on the wiki currently
> could usefully be moved & updated too.
>
> Regards,
> Daniel
> --
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
>
> --
> libvir-list mailing list
> libvir-list@redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list