xemu/docs/system/confidential-guest-support.rst
Cornelia Huck 96a46def58 docs: rstfy confidential guest documentation
Also rstfy the documentation for AMD SEV, and link it.

The documentation for PEF had been merged into the pseries doc,
fix the reference.

Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20220204161251.241877-1-cohuck@redhat.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-02-09 09:08:56 +01:00

45 lines
1.7 KiB
ReStructuredText

Confidential Guest Support
==========================
Traditionally, hypervisors such as QEMU have complete access to a
guest's memory and other state, meaning that a compromised hypervisor
can compromise any of its guests. A number of platforms have added
mechanisms in hardware and/or firmware which give guests at least some
protection from a compromised hypervisor. This is obviously
especially desirable for public cloud environments.
These mechanisms have different names and different modes of
operation, but are often referred to as Secure Guests or Confidential
Guests. We use the term "Confidential Guest Support" to distinguish
this from other aspects of guest security (such as security against
attacks from other guests, or from network sources).
Running a Confidential Guest
----------------------------
To run a confidential guest you need to add two command line parameters:
1. Use ``-object`` to create a "confidential guest support" object. The
type and parameters will vary with the specific mechanism to be
used
2. Set the ``confidential-guest-support`` machine parameter to the ID of
the object from (1).
Example (for AMD SEV)::
qemu-system-x86_64 \
<other parameters> \
-machine ...,confidential-guest-support=sev0 \
-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1
Supported mechanisms
--------------------
Currently supported confidential guest mechanisms are:
* AMD Secure Encrypted Virtualization (SEV) (see :doc:`i386/amd-memory-encryption`)
* POWER Protected Execution Facility (PEF) (see :ref:`power-papr-protected-execution-facility-pef`)
* s390x Protected Virtualization (PV) (see :doc:`s390x/protvirt`)
Other mechanisms may be supported in future.