... > > +Example guest definition without launchSecurity > > +=============================================== > > + > > +Minimal domain XML for a protected virtualization guest using the > > +``iommu='on'`` setting for each virtio device. > > I don't know how s390-pv works but for example with AMD SEV it is > required to use `iommu='on'` otherwise the device is not visible inside > the VM so I would like to make sure there is no misunderstanding and > it is correct. Can you elaborate on how is the device not visible in the VM? IIRC 'iommu=on' makes sure that the guest virtio driver is able to negotiate the VIRTIO_F_IOMMU_PLATFORM feature which in connection with the correct IOMMU model setting makes SEV work with virtio and IOMMU (AFAIR OVMF has a dedicated SEV iommu driver). Therefore, that flag should have nothing to do with device visibility, in fact in x86_64's case it will be a PCI device, so you'll always be able to list those. Regards, Erik
