[libvirt PATCH v2] kbase: sev: Provide more details on virtio-net configuration

Erik Skultety posted 1 patch 3 years, 8 months ago
Test syntax-check failed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/cae1662ef4a3e74e027244878fbea626ef9a9fbe.1597147838.git.eskultet@redhat.com
docs/kbase/launch_security_sev.rst | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
[libvirt PATCH v2] kbase: sev: Provide more details on virtio-net configuration
Posted by Erik Skultety 3 years, 8 months ago
With virtio-net we also need to disable the iPXE option ROM otherwise
a SEV-enabled guest would not boot. While at it, fix the full machine
XML examples accordingly.

Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Erik Skultety <eskultet@redhat.com>
---
since v1:
    - ditched any mentions of vhost, since we can assume all the supported
      distros to have the latest QEMU-2.12 build containing the bugfix to make
      vhost work with SEV


 docs/kbase/launch_security_sev.rst | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst
index cfdc2a6120..4a37c0c379 100644
--- a/docs/kbase/launch_security_sev.rst
+++ b/docs/kbase/launch_security_sev.rst
@@ -291,8 +291,9 @@ can still perform DoS on each other.
 Virtio
 ------

-In order to make virtio devices work, we need to enable emulated IOMMU
-on the devices so that virtual DMA can work.
+In order to make virtio devices work, we need to use
+``<driver iommu='on'/>`` inside the given device XML element in order
+to enable DMA API in the virtio driver.

 ::

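Review bot: the rewritten sentence (`+In order to make virtio devices work, we need to use` ... `+... in order` `+to enable DMA API`) stacks "in order to" twice and drops the article before "DMA API"; suggest "To make virtio devices work, add ``<driver iommu='on'/>`` to the XML element of each virtio device so that the guest's virtio driver uses the DMA API." The old text's "so that virtual DMA can work" was vague, but it did say why the setting matters; keeping one clause on the reason, rather than only naming the mechanism, would make the new sentence strictly better than the one it replaces.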
@@ -337,6 +338,26 @@ model, which means that virtio GPU cannot be used.
      ...
    </domain>

+Virtio-net
+~~~~~~~~~~
+With virtio-net it's also necessary to disable the iPXE option ROM as
+iPXE is not aware of SEV (at the time of this writing). This translates to the
+following XML:
+
+::
+
+   <domain>
+     ...
+     <interface type='network'>
+        ...
+       <model type='virtio'/>
+       <driver iommu='on'/>
+       <rom enabled='no'/>
+     </interface>
+     ...
+   <domain>
+
+
 Checking SEV from within the guest
 ==================================

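Review bot: the closing tag of the new Virtio-net snippet is wrong: the last added line `+   <domain>` must be `</domain>`, as in the `</domain>` that closes the preceding example in this hunk's context. Two smaller points in the same snippet: the `...` placeholder inside `<interface>` (`+        ...`) is indented one space deeper than its sibling `<model>`, `<driver>` and `<rom>` lines, and the `Virtio-net` heading has no blank line after its `~~~~~~~~~~` underline, whereas the `Virtio` / `------` heading in the first hunk is followed by one; match that.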
@@ -424,6 +445,7 @@ Q35 machine
          <source network='default'/>
          <model type='virtio'/>
          <driver iommu='on'/>
+         <rom enabled='no'/>
        </interface>
        <graphics type='spice' autoport='yes'>
          <listen type='address'/>
@@ -496,6 +518,8 @@ PC-i440fx machine
          <mac address='52:54:00:d8:96:c8'/>
          <source network='default'/>
          <model type='virtio-non-transitional'/>
+         <driver iommu='on'/>
+         <rom enabled='no'/>
        </interface>
        <serial type='pty'>
          <target type='isa-serial' port='0'>
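Review bot: the commit message only mentions the iPXE option ROM, but the PC-i440fx example also gains `<driver iommu='on'/>`, which the Virtio section of this same document already requires; the example was therefore incomplete before this patch independently of the ROM issue, and a sentence in the commit message saying so would make "fix the full machine XML examples accordingly" concrete for anyone reading the log later.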
--
2.26.2
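
As an added check that is not part of the libvirt patch or its documentation: the script below applies the two requirements the patched section documents, ``<driver iommu='on'/>`` and ``<rom enabled='no'/>`` on every virtio-model ``<interface>``, to a domain XML and reports what is missing. The sample domain is constructed here; its second interface reproduces the PC-i440fx example as it stood before this patch, and its third is a non-virtio NIC the check must ignore. The assumption that every model name starting with ``virtio`` (``virtio``, ``virtio-transitional``, ``virtio-non-transitional``) counts as virtio-net is mine, as is the function name ``check_virtio_net``.

```python
"""Lint a libvirt domain XML for the virtio-net settings the SEV guide requires.

Added example, not libvirt code. It checks exactly the two settings documented
in the patched section: <driver iommu='on'/> and <rom enabled='no'/> on each
<interface> whose <model type='...'/> is a virtio variant.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample (not from the page). Interface 1 matches the Q35 example
# after the patch, interface 2 is the PC-i440fx example before the patch
# (no <driver>/<rom> at all), interface 3 is a non-virtio NIC to be skipped.
SAMPLE_DOMAIN_XML = """\
<domain type='kvm'>
  <name>sev-guest</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:aa:bb:cc'/>
      <source network='default'/>
      <model type='virtio'/>
      <driver iommu='on'/>
      <rom enabled='no'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:d8:96:c8'/>
      <source network='default'/>
      <model type='virtio-non-transitional'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:11:22:33'/>
      <source network='default'/>
      <model type='e1000e'/>
    </interface>
  </devices>
</domain>
"""


def _is_virtio(model_type: Optional[str]) -> bool:
    # Assumption: virtio, virtio-transitional and virtio-non-transitional
    # all use the virtio-net driver and therefore all need both settings.
    return model_type is not None and model_type.startswith("virtio")


def check_virtio_net(domain_xml: str) -> List[str]:
    """Return one finding per missing setting; an empty list means compliant."""
    root = ET.fromstring(domain_xml)
    findings: List[str] = []
    for iface in root.iter("interface"):
        model = iface.find("model")
        if not _is_virtio(model.get("type") if model is not None else None):
            continue  # the documented requirements are for virtio-net only
        mac_el = iface.find("mac")
        mac = mac_el.get("address") if mac_el is not None else "<no mac>"

        # <driver iommu='on'/>: makes the guest virtio driver use the DMA API.
        driver = iface.find("driver")
        if driver is None or driver.get("iommu") != "on":
            findings.append(f"{mac}: virtio interface lacks <driver iommu='on'/>")

        # <rom enabled='no'/>: keeps the SEV-unaware iPXE option ROM out.
        rom = iface.find("rom")
        if rom is None or rom.get("enabled") != "no":
            findings.append(f"{mac}: virtio interface lacks <rom enabled='no'/>")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; replace SAMPLE_DOMAIN_XML with the
    # output of `virsh dumpxml <domain>` to lint a real guest definition.
    problems = check_virtio_net(SAMPLE_DOMAIN_XML)
    for line in problems or ["OK: every virtio-net interface has iommu='on' and rom enabled='no'"]:
        print(line)
```

The check deliberately reports the two settings separately, because a guest missing only ``<rom enabled='no'/>`` fails differently (no boot, per the commit message) from one missing ``<driver iommu='on'/>``, and the fix for each is a single line in the interface element.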

Re: [libvirt PATCH v2] kbase: sev: Provide more details on virtio-net configuration
Posted by Laszlo Ersek 3 years, 8 months ago
On 08/11/20 14:12, Erik Skultety wrote:
> With virtio-net we also need to disable the iPXE option ROM otherwise
> a SEV-enabled guest would not boot. While at it, fix the full machine
> XML examples accordingly.
> 
> Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> Signed-off-by: Erik Skultety <eskultet@redhat.com>
> ---
> since v1:
>     - ditched any mentions of vhost, since we can assume all the supported
>       distros to have the latest QEMU-2.12 build containing the bugfix to make
>       vhost work with SEV
> 
> 
>  docs/kbase/launch_security_sev.rst | 28 ++++++++++++++++++++++++++--
>  1 file changed, 26 insertions(+), 2 deletions(-)
> 
> diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst
> index cfdc2a6120..4a37c0c379 100644
> --- a/docs/kbase/launch_security_sev.rst
> +++ b/docs/kbase/launch_security_sev.rst
> @@ -291,8 +291,9 @@ can still perform DoS on each other.
>  Virtio
>  ------
> 
> -In order to make virtio devices work, we need to enable emulated IOMMU
> -on the devices so that virtual DMA can work.
> +In order to make virtio devices work, we need to use
> +``<driver iommu='on'/>`` inside the given device XML element in order
> +to enable DMA API in the virtio driver.
> 
>  ::
> 
> @@ -337,6 +338,26 @@ model, which means that virtio GPU cannot be used.
>       ...
>     </domain>
> 
> +Virtio-net
> +~~~~~~~~~~
> +With virtio-net it's also necessary to disable the iPXE option ROM as
> +iPXE is not aware of SEV (at the time of this writing). This translates to the
> +following XML:
> +
> +::
> +
> +   <domain>
> +     ...
> +     <interface type='network'>
> +        ...
> +       <model type='virtio'/>
> +       <driver iommu='on'/>
> +       <rom enabled='no'/>
> +     </interface>
> +     ...
> +   <domain>
> +
> +
>  Checking SEV from within the guest
>  ==================================
> 
> @@ -424,6 +445,7 @@ Q35 machine
>           <source network='default'/>
>           <model type='virtio'/>
>           <driver iommu='on'/>
> +         <rom enabled='no'/>
>         </interface>
>         <graphics type='spice' autoport='yes'>
>           <listen type='address'/>
> @@ -496,6 +518,8 @@ PC-i440fx machine
>           <mac address='52:54:00:d8:96:c8'/>
>           <source network='default'/>
>           <model type='virtio-non-transitional'/>
> +         <driver iommu='on'/>
> +         <rom enabled='no'/>
>         </interface>
>         <serial type='pty'>
>           <target type='isa-serial' port='0'>
> --
> 2.26.2
> 

Reviewed-by: Laszlo Ersek <lersek@redhat.com>