From 61e56729ffdb1036cdc543add95009fc74f2a8d8 Mon Sep 17 00:00:00 2001 From: Erik Skultety Date: Fri, 7 Aug 2020 13:13:39 +0200 Subject: [PATCH] kbase: sev: Provide more details on virtio-net configuration With virtio-net we also need to disable the iPXE option ROM otherwise a SEV-enabled guest would not boot. While at it, fix the full machine XML examples accordingly. Reported-by: Dr. David Alan Gilbert Signed-off-by: Erik Skultety Reviewed-by: Laszlo Ersek --- docs/kbase/launch_security_sev.rst | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst index cfdc2a6120..4a37c0c379 100644 --- a/docs/kbase/launch_security_sev.rst +++ b/docs/kbase/launch_security_sev.rst @@ -291,8 +291,9 @@ can still perform DoS on each other. Virtio ------ -In order to make virtio devices work, we need to enable emulated IOMMU -on the devices so that virtual DMA can work. +In order to make virtio devices work, we need to use +```` inside the given device XML element in order +to enable DMA API in the virtio driver. :: @@ -337,6 +338,26 @@ model, which means that virtio GPU cannot be used. ... +Virtio-net +~~~~~~~~~~ +With virtio-net it's also necessary to disable the iPXE option ROM as +iPXE is not aware of SEV (at the time of this writing). This translates to the +following XML: + +:: + + + ... + + ... + + + + + ... + + + Checking SEV from within the guest ================================== @@ -424,6 +445,7 @@ Q35 machine + @@ -496,6 +518,8 @@ PC-i440fx machine + +
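Review bot: in the first hunk (@@ -291) the reworded sentence "we need to use ```` inside the given device XML element" renders with an empty inline literal, so the reader is told to use an element without seeing its name; please check that the RST double-backtick markup around the element survived. The same sentence also chains "In order to make virtio devices work ... in order to enable DMA API", and the removed wording's rationale (emulated IOMMU so that virtual DMA can work) is gone with it; suggest one "in order to" and keeping the rationale, e.g. "To make virtio devices work, the device XML element needs the setting shown below so that the virtio driver enables the DMA API (an emulated IOMMU for virtual DMA)."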
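Review bot: in the Virtio-net hunk (@@ -337) the text says the iPXE option ROM must be disabled but not what happens otherwise; the commit message states that a SEV-enabled guest would not boot, and that symptom is what a user troubleshooting the problem will look for, so suggest adding it, e.g. "otherwise the SEV-enabled guest fails to boot." "at the time of this writing" would be more useful with the iPXE version that was checked. The literal block under "::" shows only "..." placeholder lines in this rendering, so confirm the rom element is actually present inside it.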
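Review bot: in the PC-i440fx hunk (@@ -496) two lines are added to the full machine example, while the Q35 hunk (@@ -424) adds only one; since the commit message says both full machine XML examples are fixed accordingly, check that the Q35 example carries the same virtio-net settings as PC-i440fx (the iommu driver setting and the disabled ROM), or state in the text why the two differ, so that a reader copying either example gets a bootable SEV guest.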