Re: [PATCH v3 6/6] docs: add s390-pv documentation

[Boris Fiuczynski <fiuczy@xxxxxxxxxxxxx>]

On 6/25/21 12:11 PM, Pavel Hrdina wrote:
> > @@ -158,8 +163,42 @@ allocated 2K entries. A commonly used value for swiotlb is 262144.
> >   Example guest definition
> >   ========================
> >   
> > -Minimal domain XML for a protected virtualization guest, essentially
> > -it's mostly about the ``iommu`` property
> > +Minimal domain XML for a protected virtualization guest with
> > +the ``launchSecurity`` element of type ``s390-pv``
> > +
> > +::
> > +
> > +   <domain type='kvm'>
> > +     <name>protected</name>
> > +     <memory unit='KiB'>2048000</memory>
> > +     <currentMemory unit='KiB'>2048000</currentMemory>
> > +     <vcpu>1</vcpu>
> > +     <os>
> > +       <type arch='s390x'>hvm</type>
> > +     </os>
> > +     <cpu mode='host-model'/>
> > +     <devices>
> > +       <disk type='file' device='disk'>
> > +         <driver name='qemu' type='qcow2' cache='none' io='native'>
> > +         <source file='/var/lib/libvirt/images/protected.qcow2'/>
> > +         <target dev='vda' bus='virtio'/>
> > +       </disk>
> > +       <interface type='network'>
> > +         <source network='default'/>
> > +         <model type='virtio'/>
> > +       </interface>
> > +       <console type='pty'/>
> > +       <memballoon model='none'/>
> > +     </devices>
> > +     <launchSecurity type='s390-pv'/>
> > +   </domain>
> > +
> > +
> > +Example guest definition without launchSecurity
> > +===============================================
> > +
> > +Minimal domain XML for a protected virtualization guest using the
> > +``iommu='on'`` setting for each virtio device.
> I don't know how s390-pv works but for example with AMD SEV it is
> required to use `iommu='on'` otherwise the device is not visible inside
> the VM so I would like to make sure there is no misunderstanding and
> it is correct.
>
> Pavel

Using IBM Secure Execution you have to use `iommu='on'` on each virtio 
device. If you do not do so the devices will be available in the guest 
but it is very likely that once some tries to use these devices the 
guest very likely is going to crash.
BUT when specifying launchSecurity with type 's390-pv' one does not have 
to use `iommu='on'` on each virtio device any longer!

I tried to cover that with this change in the docs:
+Since libvirt 7.5.0 the
+`<launchSecurity> <https://libvirt.org/formatdomain.html#launchSecurity>`__
+element with type ``s390-pv`` should be used on protected 
virtualization guests.
+Without ``launchSecurity`` you must enable all virtio devices to use shared
+buffers by configuring them with platform_iommu enabled.

--
Mit freundlichen Grüßen/Kind regards
   Boris Fiuczynski

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294