[virt-install PATCH v2 6/6] man: Provide documentation for the SEV feature

Signed-off-by: Erik Skultety <eskultet@xxxxxxxxxx>
---
 man/virt-install.pod | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/man/virt-install.pod b/man/virt-install.pod
index 51e1e159..b6b31f5f 100644
--- a/man/virt-install.pod
+++ b/man/virt-install.pod
@@ -386,7 +386,26 @@ Configure guest power management features. Example:
 
 Use --pm=? to see a list of all available sub options. Complete details at L<https://libvirt.org/formatdomain.html#elementsPowerManagement>
 
+=item B<--launch-security> TYPE[,OPTS]
 
+Enable launch security for the guest, e.g. AMD SEV.
+
+Use --launch-security=? to see a list of all available sub options. Complete
+details at L<https://libvirt.org/formatdomain.html#launchSecurity>. Example
+invocations:
+    # This will use a default policy 0x03
+    # No dhCert provided, so no data can be exchanged with the SEV firmware
+    --launchSecurity sev
+
+    # Explicit policy 0x01 - disables debugging, allows guest key sharing
+    --launchSecurity sev,policy=0x01
+
+    # Provide the session blob obtained from the SEV firmware
+    # Provide dhCert to open a secure communication channel with SEV firmware
+    --launchSecurity sev,session=BASE64SESSIONSTRING,dhCert=BASE64DHCERTSTRING
+
+SEV has further implications on usage of virtio devices, so refer to EXAMPLES
+section to see a full invocation of virt-install with --launchSecurity.
 
 =back
 
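Review bot: the option heading documents B<--launch-security> but all three example invocations use --launchSecurity; one spelling should be used throughout (whichever the parser actually accepts, with the other mentioned as an alias only if both work). Also, in POD a verbatim block must be separated from the preceding paragraph by a blank line: as written, the indented lines starting at `    # This will use a default policy 0x03` follow `invocations:` directly and will be folded into that paragraph instead of rendering as a code block. Minor: "refer to EXAMPLES section" reads better as "refer to the EXAMPLES section".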
@@ -1764,6 +1783,28 @@ Start serial QEMU ARM VM, which requires specifying a manual kernel.
        --boot kernel=/tmp/my-arm-kernel,initrd=/tmp/my-arm-initrd,dtb=/tmp/my-arm-dtb,kernel_args="console=ttyAMA0 rw root=/dev/mmcblk0p3" \
        --graphics none
 
+Start an SEV launch security VM with 4GB RAM, 4GB+256MiB of hard_limit, with a
+couple of virtio devices:
+
+Note: The IOMMU flag needs to be turned on with driver.iommu for virtio
+devices. Usage of --memtune is currently required because of SEV limitations,
+refer to libvirt docs for a detailed explanation.
+
+  # virt-install \
+       --name foo \
+       --memory 4096 \
+       --boot uefi \
+       --machine q35 \
+       --memtune hard_limit=4563402 \
+       --disk size=15,target.bus=scsi \
+       --import \
+       --controller type=scsi,model=virtio-scsi,driver.iommu=on \
+       --controller type=virtio-serial,driver.iommu=on \
+       --network network=default,model=virtio,driver.iommu=on \
+       --rng driver,iommu=on \
+       --memballoon driver.iommu=on \
+       --launchSecurity sev
+
 =head1 BUGS
 
 Please see L<https://virt-manager.org/bugs>
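Review bot: `--rng driver,iommu=on` looks like a typo for `--rng driver.iommu=on`; with the comma, `driver` becomes a bare sub-option and `iommu=on` a separate top-level one, unlike every other device line in this example, which uses `driver.iommu=on`. The example also uses `--launchSecurity sev` while the first hunk introduces the option as `--launch-security`, so the two should agree. Finally, the text says "4GB RAM, 4GB+256MiB of hard_limit", but `--memtune hard_limit=4563402` is neither 4456448 (4 GiB + 256 MiB expressed in KiB) nor an obvious round figure in any other unit; please recompute the value or state the unit so the example is reproducible.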
-- 
2.21.0

_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
