45 lines
1.7 KiB
ReStructuredText
45 lines
1.7 KiB
ReStructuredText
|
Confidential Guest Support
|
||
|
==========================
|
||
|
|
||
|
Traditionally, hypervisors such as QEMU have complete access to a
|
||
|
guest's memory and other state, meaning that a compromised hypervisor
|
||
|
can compromise any of its guests. A number of platforms have added
|
||
|
mechanisms in hardware and/or firmware which give guests at least some
|
||
|
protection from a compromised hypervisor. This is obviously
|
||
|
especially desirable for public cloud environments.
|
||
|
|
||
|
These mechanisms have different names and different modes of
|
||
|
operation, but are often referred to as Secure Guests or Confidential
|
||
|
Guests. We use the term "Confidential Guest Support" to distinguish
|
||
|
this from other aspects of guest security (such as security against
|
||
|
attacks from other guests, or from network sources).
|
||
|
|
||
|
Running a Confidential Guest
|
||
|
----------------------------
|
||
|
|
||
|
To run a confidential guest you need to add two command line parameters:
|
||
|
|
||
|
1. Use ``-object`` to create a "confidential guest support" object. The
|
||
|
type and parameters will vary with the specific mechanism to be
|
||
|
used
|
||
|
2. Set the ``confidential-guest-support`` machine parameter to the ID of
|
||
|
the object from (1).
|
||
|
|
||
|
Example (for AMD SEV)::
|
||
|
|
||
|
qemu-system-x86_64 \
|
||
|
<other parameters> \
|
||
|
-machine ...,confidential-guest-support=sev0 \
|
||
|
-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1
|
||
|
|
||
|
Supported mechanisms
|
||
|
--------------------
|
||
|
|
||
|
Currently supported confidential guest mechanisms are:
|
||
|
|
||
|
* AMD Secure Encrypted Virtualization (SEV) (see :doc:`i386/amd-memory-encryption`)
|
||
|
* POWER Protected Execution Facility (PEF) (see :ref:`power-papr-protected-execution-facility-pef`)
|
||
|
* s390x Protected Virtualization (PV) (see :doc:`s390x/protvirt`)
|
||
|
|
||
|
Other mechanisms may be supported in future.
|