With virtio-net further configuration settings are required, so document them and while at it, fix the Q35 machine XML example which wouldn't work with SEV because of not disabling vhost and the option boot ROM. Reported-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx> Signed-off-by: Erik Skultety <eskultet@xxxxxxxxxx> --- docs/kbase/launch_security_sev.rst | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst index cfdc2a6120..9df4178aac 100644 --- a/docs/kbase/launch_security_sev.rst +++ b/docs/kbase/launch_security_sev.rst @@ -291,8 +291,9 @@ can still perform DoS on each other. Virtio ------ -In order to make virtio devices work, we need to enable emulated IOMMU -on the devices so that virtual DMA can work. +In order to make virtio devices work, we need to use +``<driver iommu='on'/>`` inside the given device XML element in order +to enable DMA API in the virtio driver. :: @@ -337,6 +338,26 @@ model, which means that virtio GPU cannot be used. ... </domain> +Virtio-net +~~~~~~~~~~ +With virtio-net it's also necessary to disable the iPXE option ROM on the +device as well as disable the vhost protocol as SEV doesn't support either +(at the time of this writing). This translates to the following XML: + +:: + + <domain> + ... + <interface type='network'> + ... + <model type='virtio'/> + <driver name='qemu' iommu='on'/> + <rom enabled='no'/> + </interface> + ... + <domain> + + Checking SEV from within the guest ================================== @@ -423,7 +444,8 @@ Q35 machine <mac address='52:54:00:cc:56:90'/> <source network='default'/> <model type='virtio'/> - <driver iommu='on'/> + <driver name='qemu' iommu='on'/> + <rom enabled='no'/> </interface> <graphics type='spice' autoport='yes'> <listen type='address'/> -- 2.26.2
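Review bot: the rewritten paragraph in the first hunk (docs/kbase/launch_security_sev.rst, line 291) repeats "in order to" twice and, by replacing "so that virtual DMA can work", loses the short statement of why the attribute is needed. Consider keeping one "in order to" and retaining the reason, e.g. "we need to put ``<driver iommu='on'/>`` inside the given device XML element so that the virtio driver uses the DMA API, which is what makes virtual DMA work under SEV."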
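Review bot: the new Virtio-net example in the second hunk closes the document with `<domain>` instead of `</domain>` (the last line of the `::` block), so the example XML is not well-formed; the existing example a few lines above ends with `</domain>` and this one should match it. Also, the prose says vhost must be disabled but never says which attribute does that; since the only visible change besides `<rom enabled='no'/>` is `name='qemu'` on the `<driver>` element, a short clause such as "``name='qemu'`` selects the QEMU userspace backend instead of vhost, and ``<rom enabled='no'/>`` disables the iPXE option ROM" would let the reader map each requirement to its attribute.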
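Review bot: the third hunk brings the Q35 example's `<interface>` in line with the new Virtio-net section (`<driver name='qemu' iommu='on'/>` plus `<rom enabled='no'/>`), which is what the commit message describes. If the document contains any other full-domain example with a virtio `<interface>` besides the Q35 one, it needs the same two lines, otherwise a reader copying that example hits the same failure the commit message reports; only the Q35 example is touched here.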