Re: [for-6.0 v5 13/13] s390: Recognize securable-guest-memory option
From: Cornelia Huck
Subject: Re: [for-6.0 v5 13/13] s390: Recognize securable-guest-memory option
Date: Tue, 15 Dec 2020 12:45:26 +0100

On Fri, 4 Dec 2020 16:44:15 +1100
David Gibson <david@gibson.dropbear.id.au> wrote:
> At least some s390 cpu models support "Protected Virtualization" (PV),
> a mechanism to protect guests from eavesdropping by a compromised
> hypervisor.
>
> This is similar in function to other mechanisms like AMD's SEV and
> POWER's PEF, which are controlled bythe "securable-guest-memory" machine
s/bythe/by the/
> option. s390 is a slightly special case, because we already supported
> PV, simply by using a CPU model with the required feature
> (S390_FEAT_UNPACK).
>
> To integrate this with the option used by other platforms, we
> implement the following compromise:
>
> - When the securable-guest-memory option is set, s390 will recognize it,
> verify that the CPU can support PV (failing if not) and set virtio
> default options necessary for encrypted or protected guests, as on
> other platforms. i.e. if securable-guest-memory is set, we will
> either create a guest capable of entering PV mode, or fail outright
s/outright/outright./
>
> - If securable-guest-memory is not set, guest's might still be able to
s/guest's/guests/
> enter PV mode, if the CPU has the right model. This may be a
> little surprising, but shouldn't actually be harmful.
>
> To start a guest supporting Protected Virtualization using the new
> option use the command line arguments:
> -object s390-pv-guest,id=pv0 -machine securable-guest-memory=pv0
>
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
> hw/s390x/pv.c | 58 +++++++++++++++++++++++++++++++++++++++++++
> include/hw/s390x/pv.h | 1 +
> target/s390x/kvm.c | 3 +++
> 3 files changed, 62 insertions(+)
>
Modulo any naming changes etc., I think this should work for s390. I
don't have the hardware to test this, however, and would appreciate
someone with a PV setup giving this a go.