On 08/11/20 14:12, Erik Skultety wrote: > With virtio-net we also need to disable the iPXE option ROM otherwise > a SEV-enabled guest would not boot. While at it, fix the full machine > XML examples accordingly. > > Reported-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx> > Signed-off-by: Erik Skultety <eskultet@xxxxxxxxxx> > --- > since v1: > - ditched any mentions of vhost, since we can assume all the supported > distros to have the latest QEMU-2.12 build containing the bugfix to make > vhost work with SEV > > > docs/kbase/launch_security_sev.rst | 28 ++++++++++++++++++++++++++-- > 1 file changed, 26 insertions(+), 2 deletions(-) > > diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst > index cfdc2a6120..4a37c0c379 100644 > --- a/docs/kbase/launch_security_sev.rst > +++ b/docs/kbase/launch_security_sev.rst > @@ -291,8 +291,9 @@ can still perform DoS on each other. > Virtio > ------ > > -In order to make virtio devices work, we need to enable emulated IOMMU > -on the devices so that virtual DMA can work. > +In order to make virtio devices work, we need to use > +``<driver iommu='on'/>`` inside the given device XML element in order > +to enable DMA API in the virtio driver. > > :: > > @@ -337,6 +338,26 @@ model, which means that virtio GPU cannot be used. > ... > </domain> > > +Virtio-net > +~~~~~~~~~~ > +With virtio-net it's also necessary to disable the iPXE option ROM as > +iPXE is not aware of SEV (at the time of this writing). This translates to the > +following XML: > + > +:: > + > + <domain> > + ... > + <interface type='network'> > + ... > + <model type='virtio'/> > + <driver iommu='on'/> > + <rom enabled='no'/> > + </interface> > + ... > + <domain> > + > + > Checking SEV from within the guest > ================================== 
> > @@ -424,6 +445,7 @@ Q35 machine > <source network='default'/> > <model type='virtio'/> > <driver iommu='on'/> > + <rom enabled='no'/> > </interface> > <graphics type='spice' autoport='yes'> > <listen type='address'/> > @@ -496,6 +518,8 @@ PC-i440fx machine > <mac address='52:54:00:d8:96:c8'/> > <source network='default'/> > <model type='virtio-non-transitional'/> > + <driver iommu='on'/> > + <rom enabled='no'/> > </interface> > <serial type='pty'> > <target type='isa-serial' port='0'> > -- > 2.26.2 > Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
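Review bot: in the first hunk (the reworded "Virtio" paragraph at line 294 of launch_security_sev.rst) the new sentence uses "in order to" twice: "In order to make virtio devices work, we need to use ``<driver iommu='on'/>`` inside the given device XML element in order to enable DMA API in the virtio driver." Suggest dropping the second occurrence and adding the article, e.g. "... inside the given device XML element to enable the DMA API in the virtio driver."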
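Review bot: the new "Virtio-net" example in the second hunk (after line 338) is not well-formed XML: the snippet opens with `<domain>` but the last line of the example is `<domain>` again instead of `</domain>`. Please change that final line to `</domain>` so it matches the example directly above it in the same section. Two smaller style points in the same hunk: the existing headings in this file are followed by a blank line before the first paragraph, while "Virtio-net" / `~~~~~~~~~~` runs straight into "With virtio-net ...", and the hunk leaves two added blank lines before "Checking SEV from within the guest" where one would do.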
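Review bot: the PC-i440fx hunk (around line 518) adds `<driver iommu='on'/>` in addition to `<rom enabled='no'/>`, i.e. the i440fx example was previously missing the IOMMU setting that the Q35 example already had, but the commit message only talks about disabling the iPXE option ROM and "fix[ing] the full machine XML examples accordingly". Worth a sentence in the commit message saying that the i440fx example also gains the previously missing `<driver iommu='on'/>`, so the reader of the log does not assume both full examples were changed in the same way.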