[libvirt PATCH] kbase: sev: Provide more details on virtio-net configuration
Erik Skultety
eskultet at redhat.com
Tue Aug 11 08:46:45 UTC 2020
On Fri, Aug 07, 2020 at 07:05:22PM +0200, Laszlo Ersek wrote:
> On 08/07/20 13:21, Erik Skultety wrote:
> > With virtio-net further configuration settings are required, so document
> > them and while at it, fix the Q35 machine XML example which wouldn't
> > work with SEV because of not disabling vhost and the option boot ROM.
>
> (1) Please drop:
>
> not disabling vhost and
>
> (2) please replace
>
> the option boot ROM
>
> with
>
> the iPXE option ROM
>
> (more details below)
>
> >
> > Reported-by: Dr. David Alan Gilbert <dgilbert at redhat.com>
> > Signed-off-by: Erik Skultety <eskultet at redhat.com>
> > ---
> > docs/kbase/launch_security_sev.rst | 28 +++++++++++++++++++++++++---
> > 1 file changed, 25 insertions(+), 3 deletions(-)
> >
> > diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst
> > index cfdc2a6120..9df4178aac 100644
> > --- a/docs/kbase/launch_security_sev.rst
> > +++ b/docs/kbase/launch_security_sev.rst
> > @@ -291,8 +291,9 @@ can still perform DoS on each other.
> > Virtio
> > ------
> >
> > -In order to make virtio devices work, we need to enable emulated IOMMU
> > -on the devices so that virtual DMA can work.
> > +In order to make virtio devices work, we need to use
> > +``<driver iommu='on'/>`` inside the given device XML element in order
> > +to enable DMA API in the virtio driver.
> >
> > ::
> >
>
> This hunk looks good.
>
> > @@ -337,6 +338,26 @@ model, which means that virtio GPU cannot be used.
> > ...
> > </domain>
> >
> > +Virtio-net
> > +~~~~~~~~~~
> > +With virtio-net it's also necessary to disable the iPXE option ROM on the
> > +device as well as disable the vhost protocol
>
> (3) Please break these items into separate sentences.
>
> (4) Please restrict the latter (the vhost disablement) to QEMU version
> v2.12.0 exactly.
>
> (Per another part in this document, SEV appeared in QEMU v2.12.0, so we
> need not consider anything earlier. And the vhost disablement is
> unneeded with both v3.0.0 and v2.12.1, due to QEMU commits d542800d1edc
> and 2f2b18923502, respectively. So the only QEMU version that needs the
> vhost disablement is v2.12.0.)
>
> > as SEV doesn't support either
> > +(at the time of this writing).
>
> (5) This statement is not correct:
>
> First, vhost does support SEV, only QEMU had a small bug (see the
> above-named commits) that prevented vhost from working with SEV. It's
> not a "total lack of support".
>
> Second, regarding iPXE, it's not that SEV doesn't support iPXE; it's
> iPXE that is unaware of SEV, at the time of this writing.
>
> > This translates to the following XML:
> > +
> > +::
> > +
> > + <domain>
> > + ...
> > + <interface type='network'>
> > + ...
> > + <model type='virtio'/>
> > + <driver name='qemu' iommu='on'/>
> > + <rom enabled='no'/>
> > + </interface>
> > + ...
> > + <domain>
> > +
> > +
> > Checking SEV from within the guest
> > ==================================
> >
>
> (6) So the @name='qemu' attribute for the <driver> element should be
> removed, assuming we intend to provide an example XML fragment only for
> the latest QEMU version (at the time of this writing).
>
> > @@ -423,7 +444,8 @@ Q35 machine
> > <mac address='52:54:00:cc:56:90'/>
> > <source network='default'/>
> > <model type='virtio'/>
> > - <driver iommu='on'/>
> > + <driver name='qemu' iommu='on'/>
> > + <rom enabled='no'/>
> > </interface>
> > <graphics type='spice' autoport='yes'>
> > <listen type='address'/>
> >
>
> (7) Same as (6).
>
>
> ... Ultimately, if any distro uses a v2.12-based QEMU, perhaps we can
> expect that distro to use the latest stable release in the v2.12
> "release stream". If we do have that expectation of distros, then we
> should simply drop all mentions of "vhost".
I double checked with repology.org, whether there's any distro mentioning qemu
2.12.0 and still falling into our platform support promise with CentOS-8 being
the only one. However, the module build available in CentOS-8 is
qemu-kvm-2.12.0-99.module_el8.2.0, while commit d542800d1edc
appeared in qemu-kvm-2.12.0-83.module+el8.1.0. Therefore, indeed, we can drop
the "vhost" mentions.
As usual, thanks Laszlo for your comments, I'll incorporate them and send a v2.
Erik
More information about the libvir-list
mailing list