From: Erik Skultety Date: Fri, 7 Aug 2020 11:13:39 +0000 (+0200) Subject: kbase: sev: Provide more details on virtio-net configuration X-Git-Tag: v6.7.0-rc1~127 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=61e56729ffdb1036cdc543add95009fc74f2a8d8;p=thirdparty%2Flibvirt.git kbase: sev: Provide more details on virtio-net configuration With virtio-net we also need to disable the iPXE option ROM otherwise a SEV-enabled guest would not boot. While at it, fix the full machine XML examples accordingly. Reported-by: Dr. David Alan Gilbert Signed-off-by: Erik Skultety Reviewed-by: Laszlo Ersek --- diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst index cfdc2a6120..4a37c0c379 100644 --- a/docs/kbase/launch_security_sev.rst +++ b/docs/kbase/launch_security_sev.rst @@ -291,8 +291,9 @@ can still perform DoS on each other. Virtio ------ -In order to make virtio devices work, we need to enable emulated IOMMU -on the devices so that virtual DMA can work. +In order to make virtio devices work, we need to use +```` inside the given device XML element in order +to enable DMA API in the virtio driver. :: @@ -337,6 +338,26 @@ model, which means that virtio GPU cannot be used. ... +Virtio-net +~~~~~~~~~~ +With virtio-net it's also necessary to disable the iPXE option ROM as +iPXE is not aware of SEV (at the time of this writing). This translates to the +following XML: + +:: + + + ... + + ... + + + + + ... + + + Checking SEV from within the guest ================================== @@ -424,6 +445,7 @@ Q35 machine + @@ -496,6 +518,8 @@ PC-i440fx machine + +
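Review bot: the rewritten sentence in the Virtio hunk (@@ -291,8 +291,9 @@) uses "in order to" twice ("In order to make virtio devices work, we need to use ... in order to enable DMA API in the virtio driver"), which reads awkwardly. Suggest something like "To make virtio devices work, add ... inside the given device XML element, which enables the DMA API in the virtio driver." The removed wording also mentioned the emulated IOMMU and the new text drops the term entirely. Keeping a short mention would help readers who search the document for "IOMMU".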
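Review bot: the new Virtio-net section (@@ -337,6 +338,26 @@) says iPXE is not aware of SEV but never states what happens if the option ROM is left enabled. The commit message gives the symptom (the SEV-enabled guest would not boot), and that belongs in the document as well, so a reader who hits the failure can match it to this section. "at the time of this writing" is also undated in the rendered page. Naming the release or date would tell later readers when the restriction should be rechecked.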
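Review bot: the two full-machine example hunks are not symmetric. The Q35 hunk (@@ -424,6 +445,7 @@) adds one line while the PC-i440fx hunk (@@ -496,6 +518,8 @@) adds two, yet the commit message only says the examples are fixed "accordingly". If the i440fx example was missing something beyond the ROM setting, say so in the commit message, so that the extra line is reviewed as a separate fix and not mistaken for part of the iPXE change.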