Re: [PATCH v3 6/6] docs: add s390-pv documentation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jun 29, 2021 at 10:05:17AM +0200, Erik Skultety wrote:
> ...
> 
> > > +Example guest definition without launchSecurity
> > > +===============================================
> > > +
> > > +Minimal domain XML for a protected virtualization guest using the
> > > +``iommu='on'`` setting for each virtio device.
> > 
> > I don't know how s390-pv works but for example with AMD SEV it is
> > required to use `iommu='on'` otherwise the device is not visible inside
> > the VM so I would like to make sure there is no misunderstanding and
> > it is correct.
> 
> Can you elaborate on how is the device not visible in the VM? IIRC 'iommu=on'
> makes sure that the guest virtio driver is able to negotiate the
> VIRTIO_F_IOMMU_PLATFORM feature which in connection with the correct IOMMU model
> setting makes SEV work with virtio and IOMMU
> (AFAIR OVMF has a dedicated SEV iommu driver).
> 
> Therefore, that flag should have nothing to do with device visibility, in fact
> in x86_64's case it will be a PCI device, so you'll always be able to list
> those.

https://bugzilla.redhat.com/show_bug.cgi?id=1804227

We had a discussion about this BZ that someone tried to hot-plug device
into VM with AMD-SEV enabled and the device was not visible (or possibly
was visible but did not work) in the VM because iommu was not set.

Here is a QEMU commit message that enables iommu_platform if
confidential guest support is used:

commit 9f88a7a3df11a5aaa6212ea535d40d5f92561683
Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
Date:   Thu Jun 4 14:20:24 2020 +1000

    confidential guest support: Alter virtio default properties for protected guests

    The default behaviour for virtio devices is not to use the platforms normal
    DMA paths, but instead to use the fact that it's running in a hypervisor
    to directly access guest memory.  That doesn't work if the guest's memory
    is protected from hypervisor access, such as with AMD's SEV or POWER's PEF.

    So, if a confidential guest mechanism is enabled, then apply the
    iommu_platform=on option so it will go through normal DMA mechanisms.
    Those will presumably have some way of marking memory as shared with
    the hypervisor or hardware so that DMA will work.

Pavel

Attachment: signature.asc
Description: PGP signature


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux