diff options
| author | Cornelia Huck | 2022-02-09 09:08:56 +0100 |
|---|---|---|
| committer | Cédric Le Goater | 2022-02-09 09:08:56 +0100 |
| commit | 96a46def58b3b7938d200fca6bd4916c3640d2f3 (patch) | |
| tree | faa69a99ef05c970a0ce6369f98e6dc4957e3e38 /docs/system/confidential-guest-support.rst | |
| parent | target/ppc: Change VSX instructions behavior to fill with zeros (diff) | |
| download | qemu-96a46def58b3b7938d200fca6bd4916c3640d2f3.tar.gz qemu-96a46def58b3b7938d200fca6bd4916c3640d2f3.tar.xz qemu-96a46def58b3b7938d200fca6bd4916c3640d2f3.zip | |
docs: rstfy confidential guest documentation
Also rstfy the documentation for AMD SEV, and link it.
The documentation for PEF had been merged into the pseries doc,
fix the reference.
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20220204161251.241877-1-cohuck@redhat.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Diffstat (limited to 'docs/system/confidential-guest-support.rst')
| -rw-r--r-- | docs/system/confidential-guest-support.rst | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/docs/system/confidential-guest-support.rst b/docs/system/confidential-guest-support.rst new file mode 100644 index 0000000000..0c490dbda2 --- /dev/null +++ b/docs/system/confidential-guest-support.rst @@ -0,0 +1,44 @@ +Confidential Guest Support +========================== + +Traditionally, hypervisors such as QEMU have complete access to a +guest's memory and other state, meaning that a compromised hypervisor +can compromise any of its guests. A number of platforms have added +mechanisms in hardware and/or firmware which give guests at least some +protection from a compromised hypervisor. This is obviously +especially desirable for public cloud environments. + +These mechanisms have different names and different modes of +operation, but are often referred to as Secure Guests or Confidential +Guests. We use the term "Confidential Guest Support" to distinguish +this from other aspects of guest security (such as security against +attacks from other guests, or from network sources). + +Running a Confidential Guest +---------------------------- + +To run a confidential guest you need to add two command line parameters: + +1. Use ``-object`` to create a "confidential guest support" object. The + type and parameters will vary with the specific mechanism to be + used +2. Set the ``confidential-guest-support`` machine parameter to the ID of + the object from (1). + +Example (for AMD SEV):: + + qemu-system-x86_64 \ + <other parameters> \ + -machine ...,confidential-guest-support=sev0 \ + -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 + +Supported mechanisms +-------------------- + +Currently supported confidential guest mechanisms are: + +* AMD Secure Encrypted Virtualization (SEV) (see :doc:`i386/amd-memory-encryption`) +* POWER Protected Execution Facility (PEF) (see :ref:`power-papr-protected-execution-facility-pef`) +* s390x Protected Virtualization (PV) (see :doc:`s390x/protvirt`) + +Other mechanisms may be supported in future. |