On 6/25/21 12:11 PM, Pavel Hrdina wrote:
> @@ -158,8 +163,42 @@ allocated 2K entries. A commonly used value
for swiotlb is 262144.
> Example guest definition
> ========================
>
> -Minimal domain XML for a protected virtualization guest, essentially
> -it's mostly about the ``iommu`` property
> +Minimal domain XML for a protected virtualization guest with
> +the ``launchSecurity`` element of type ``s390-pv``
> +
> +::
> +
> + <domain type='kvm'>
> + <name>protected</name>
> + <memory unit='KiB'>2048000</memory>
> + <currentMemory unit='KiB'>2048000</currentMemory>
> + <vcpu>1</vcpu>
> + <os>
> + <type arch='s390x'>hvm</type>
> + </os>
> + <cpu mode='host-model'/>
> + <devices>
> + <disk type='file' device='disk'>
> + <driver name='qemu' type='qcow2' cache='none'
io='native'>
> + <source file='/var/lib/libvirt/images/protected.qcow2'/>
> + <target dev='vda' bus='virtio'/>
> + </disk>
> + <interface type='network'>
> + <source network='default'/>
> + <model type='virtio'/>
> + </interface>
> + <console type='pty'/>
> + <memballoon model='none'/>
> + </devices>
> + <launchSecurity type='s390-pv'/>
> + </domain>
> +
> +
> +Example guest definition without launchSecurity
> +===============================================
> +
> +Minimal domain XML for a protected virtualization guest using the
> +``iommu='on'`` setting for each virtio device.
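Review bot: The new first example only says it uses the ``launchSecurity`` element of type ``s390-pv`` and silently drops the old sentence about the ``iommu`` property, while the second heading ``Example guest definition without launchSecurity`` leaves the reader to infer what changes between the two; add a sentence before the first example stating explicitly that with ``<launchSecurity type='s390-pv'/>`` the per-device ``iommu='on'`` attribute is no longer required, so readers familiar with the AMD SEV documentation (where it still is) do not take its absence from the ``<disk>`` and ``<interface>`` elements for an omission. The example also sets ``<memballoon model='none'/>`` without explanation; a short note on why the balloon device is disabled in a protected guest would help.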
> I don't know how s390-pv works but for example with AMD SEV it is
> required to use `iommu='on'` otherwise the device is not visible inside
> the VM so I would like to make sure there is no misunderstanding and
> it is correct.
> Pavel
Using IBM Secure Execution you have to use `iommu='on'` on each virtio
device. If you do not do so, the devices will be available in the guest,
but it is very likely that once someone tries to use these devices the
guest is going to crash.
BUT when specifying launchSecurity with type 's390-pv' one does not have
to use `iommu='on'` on each virtio device any longer!
I tried to cover that with this change in the docs:
+Since libvirt 7.5.0 the
+`<launchSecurity> <
https://libvirt.org/formatdomain.html#launchSecurity>`__
+element with type ``s390-pv`` should be used on protected
virtualization guests.
+Without ``launchSecurity`` you must enable all virtio devices to use shared
+buffers by configuring them with platform_iommu enabled.
--
Mit freundlichen Grüßen/Kind regards
Boris Fiuczynski
IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Gregor Pillen
Managing Director: Dirk Wittkopp
Registered office: Böblingen
Register court: Amtsgericht Stuttgart, HRB 243294
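The rule Boris states above (every virtio device needs `<driver iommu='on'/>` unless the domain carries `<launchSecurity type='s390-pv'/>`) is easy to get wrong by hand when editing domain XML, so here is a small checker that encodes it. This is an added example, not code from libvirt or from the thread; the three domain definitions are constructed inputs modelled on the example in the patch, and the set of elements it treats as "virtio devices" (disk with `bus='virtio'`, interface with `model type='virtio'`, and `memballoon`/`rng` with `model='virtio'`) is this example's own choice rather than a list taken from the page.

```python
"""Lint a libvirt domain XML for the s390 protected-virtualization rule:
without <launchSecurity type='s390-pv'/> every virtio device must carry
<driver iommu='on'/>; with it, the per-device attribute is not needed.
Added example (not libvirt code); device selection is an assumption."""
import xml.etree.ElementTree as ET


def virtio_devices(root):
    """Yield (label, element) for each virtio device under <devices>."""
    devs = root.find("devices")
    if devs is None:
        return
    for disk in devs.findall("disk"):
        tgt = disk.find("target")
        if tgt is not None and tgt.get("bus") == "virtio":
            yield f"disk {tgt.get('dev')}", disk
    for iface in devs.findall("interface"):
        model = iface.find("model")
        if model is not None and model.get("type") == "virtio":
            yield "interface", iface
    for tag in ("memballoon", "rng"):  # assumed list of other virtio devices
        for el in devs.findall(tag):
            if el.get("model") == "virtio":
                yield tag, el


def check_pv_domain(xml_text):
    """Return a list of findings; an empty list means the XML follows the rule."""
    root = ET.fromstring(xml_text.strip())
    ls = root.find("launchSecurity")
    if ls is not None and ls.get("type") == "s390-pv":
        return []  # launchSecurity present: no per-device iommu needed
    findings = []
    for label, el in virtio_devices(root):
        drv = el.find("driver")
        if drv is None or drv.get("iommu") != "on":
            findings.append(f"{label}: missing driver iommu='on' "
                            "(domain has no launchSecurity type='s390-pv')")
    return findings


def _domain(devices_xml, launch_security=""):
    """Build a constructed minimal s390x domain around the given devices."""
    return f"""
<domain type='kvm'>
  <name>protected</name>
  <memory unit='KiB'>2048000</memory>
  <vcpu>1</vcpu>
  <os><type arch='s390x'>hvm</type></os>
  <devices>
{devices_xml}
    <console type='pty'/>
    <memballoon model='none'/>
  </devices>
  {launch_security}
</domain>"""


# Constructed inputs: launchSecurity present, no iommu attributes (valid).
WITH_PV = _domain("""
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/protected.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
    </interface>""", "<launchSecurity type='s390-pv'/>")

# Same devices, no launchSecurity and no iommu='on' (two findings expected).
WITHOUT_PV_BAD = _domain("""
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/protected.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
    </interface>""")

# No launchSecurity but iommu='on' on every virtio device (valid).
WITHOUT_PV_OK = _domain("""
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' iommu='on'/>
      <source file='/var/lib/libvirt/images/protected.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
      <driver iommu='on'/>
    </interface>""")

if __name__ == "__main__":
    for name, xml in (("with launchSecurity", WITH_PV),
                      ("without, no iommu", WITHOUT_PV_BAD),
                      ("without, iommu on", WITHOUT_PV_OK)):
        print(name, "->", check_pv_domain(xml) or "ok")
```

Run it against `virsh dumpxml <domain>` output before starting a guest; a non-empty result means a virtio device would be exposed without shared buffers in a non-`launchSecurity` protected guest, which is the crash scenario described in the reply.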