[PATCH] docs: Describe protected virtualization guest setup

Boris Fiuczynski fiuczy at linux.ibm.com
Wed Apr 29 17:00:00 UTC 2020 

On 4/29/20 3:29 PM, Daniel P. Berrangé wrote:
> On Tue, Apr 28, 2020 at 05:58:02PM +0200, Boris Fiuczynski wrote:
>> From: Viktor Mihajlovski <mihajlov at linux.ibm.com>
>>
>> Protected virtualization/IBM Secure Execution for Linux protects
>> guest memory and state from the host.
>>
>> Add some basic information about technology and a brief guide
>> on setting up secure guests with libvirt.
>>
>> Signed-off-by: Viktor Mihajlovski <mihajlov at linux.ibm.com>
>> Reviewed-by: Boris Fiuczynski <fiuczy at linux.ibm.com>
>> Reviewed-by: Paulo de Rezende Pinatti <ppinatti at linux.ibm.com>
>> ---
>>   docs/kbase.html.in                      |   3 +
>>   docs/kbase/protected_virtualization.rst | 188 ++++++++++++++++++++++++
> 
> I'd suggest calling this  s390_protected_virt.rst
Done

> 
>> diff --git a/docs/kbase.html.in b/docs/kbase.html.in
>> index c586e0f676..05a3239224 100644
>> --- a/docs/kbase.html.in
>> +++ b/docs/kbase.html.in
>> @@ -14,6 +14,9 @@
>>           <dt><a href="kbase/secureusage.html">Secure usage</a></dt>
>>           <dd>Secure usage of the libvirt APIs</dd>
>>   
>> +        <dt><a href="kbase/protected_virtualization.html">Protected virtualization</a></dt>
> 
> "s390 Protected virtualization"  as the title

As discussed changed to "Protected virtualization on s390".

> 
>> +        <dd>Running secure guests with IBM Secure Execution</dd>
> 
> s/secure guests/secure s390 guests/

Done

> 
>> +
>>           <dt><a href="kbase/launch_security_sev.html">Launch security</a></dt>
>>           <dd>Securely launching VMs with AMD SEV</dd>
>>   
>> diff --git a/docs/kbase/protected_virtualization.rst b/docs/kbase/protected_virtualization.rst
>> new file mode 100644
>> index 0000000000..48f2add14e
>> --- /dev/null
>> +++ b/docs/kbase/protected_virtualization.rst
>> @@ -0,0 +1,188 @@
>> +========================
>> +Protected Virtualization
> 
> s/^/s390/

As discussed changed to "Protected virtualization on s390".

> 
>> +========================
> 
>> +Host Requirements
>> +=================
>> +
>> +IBM Secure Execution for Linux has some hardware and firmware
>> +requirements. The system hardware must be an IBM z15 (or newer),
>> +or an IBM LinuxONE III (or newer).
>> +
>> +It is also necessary that the IBM Secure Execution feature is
>> +enabled for that system. Check for facility '158', e.g.
>> +
>> +::
>> +
>> +   $ grep facilities /proc/cpuinfo | grep 158
> 
> I'd suggest that "virt-host-validate" be probing for this
> so we can just tell them to run that command.

Extending virt-host-validate can be done.
This documentation follows the same bare bone approach as is used in 
docs/kbase/launch_security_sev.rst.
Would it be OK to explain both with and without libvirt means?

I will have a look at virt-host-validate once the cache invalidation is 
ready.

> 
>> +The kernel must include the protected virtualization support
>> +which can be verified by checking for the presence of directory
>> +``/sys/firmware/uv``. It will only be present when both the
>> +hardware and the kernel support are available.
>> +
>> +Finally, the host operating system must donate some memory to
>> +the ultravisor needed to store memory security information.
>> +This is achieved by specifying the following kernel command
>> +line parameter to the host boot configuration
>> +
>> +::
>> +
>> +   prot_virt=1
>> +
>> +
>> +Guest Requirements
>> +==================
>> +
>> +Guest Boot
>> +----------
>> +
>> +To start a guest in protected virtualization secure mode, the
>> +boot image must have been prepared first with the program
>> +``genprotimg`` using the correct public key for this host.
>> +``genprotimg`` is part of the package ``s390-tools``, or
>> +``s390-utils``, depending on the Linux distribution being used.
>> +It can also be found at
>> +`<https://github.com/ibm-s390-tools/s390-tools/tree/master/genprotimg>`_
>> +
>> +The guests have to be configured to use the host CPU model, which
>> +must contain the ``unpack`` facility indicating ultravisor guest support.
>> +
>> +With the following command it's possible to check whether the host
>> +CPU model satisfies the requirement
>> +
>> +::
>> +
>> +   $ virsh domcapabilities | grep unpack
>> +
>> +which should return
>> +
>> +::
>> +
>> +   <feature policy='require' name='unpack'/>
>> +
>> +If the check fails despite the host system actually supporting
>> +protected virtualization guests, this can be caused by a stale
>> +libvirt capabilities cache. To recover, run the following
>> +commands
>> +
>> +::
>> +
>> +   $ systemctl stop libvirtd
>> +   $ rm /var/cache/libvirt/qemu/capabilities/*.xml
>> +   $ systemctl start libvirtd
> 
> If this is truly needed that it is a bug in libvirt - we're missing
> something in the cache invalidation logic.

Yes, as I wrote to your other mail... we are working on it.


> 
> Regards,
> Daniel
> 


-- 
Mit freundlichen Grüßen/Kind regards
    Boris Fiuczynski

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294

More information about the libvir-list mailing list