On Tue, Dec 15, 2020 at 12:45:26PM +0100, Cornelia Huck wrote:
> On Fri, 4 Dec 2020 16:44:15 +1100
> David Gibson <david@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> > At least some s390 cpu models support "Protected Virtualization" (PV),
> > a mechanism to protect guests from eavesdropping by a compromised
> > hypervisor.
> >
> > This is similar in function to other mechanisms like AMD's SEV and
> > POWER's PEF, which are controlled bythe "securable-guest-memory" machine
>
> s/bythe/by the/
>
> > option. s390 is a slightly special case, because we already supported
> > PV, simply by using a CPU model with the required feature
> > (S390_FEAT_UNPACK).
> >
> > To integrate this with the option used by other platforms, we
> > implement the following compromise:
> >
> > - When the securable-guest-memory option is set, s390 will recognize it,
> >   verify that the CPU can support PV (failing if not) and set virtio
> >   default options necessary for encrypted or protected guests, as on
> >   other platforms. i.e. if securable-guest-memory is set, we will
> >   either create a guest capable of entering PV mode, or fail outright
>
> s/outright/outright./
>
> >
> > - If securable-guest-memory is not set, guest's might still be able to
>
> s/guest's/guests/

All those corrected, thanks.

> >   enter PV mode, if the CPU has the right model. This may be a
> >   little surprising, but shouldn't actually be harmful.
> >
> > To start a guest supporting Protected Virtualization using the new
> > option use the command line arguments:
> >     -object s390-pv-guest,id=pv0 -machine securable-guest-memory=pv0
> >
> > Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
> > ---
> >  hw/s390x/pv.c         | 58 +++++++++++++++++++++++++++++++++++++++++++
> >  include/hw/s390x/pv.h |  1 +
> >  target/s390x/kvm.c    |  3 +++
> >  3 files changed, 62 insertions(+)
>
> Modulo any naming changes etc., I think this should work for s390. I
> don't have the hardware to test this, however, and would appreciate
> someone with a PV setup giving this a go.

Makes sense.

--
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson