[Virtio-fs] virtiofs: Support for SEV encrypted guests

Dr. David Alan Gilbert dgilbert at redhat.com
Mon May 24 08:10:29 UTC 2021


* Jim Cadden (jcadden at linux.vnet.ibm.com) wrote:
> Do you know if virtio-fs can support SEV encrypted guests?
> 
> I work on a project adding SEV support into kata containers. So far, we've
> been unable to boot SEV guests
> with kata's virtio-fs option (and use virtio-9p instead):
> 
> May 19 16:52:05 sev1 virtiofsd[74904]: [ID: 00074904] virtio_session_mount: Received vhost-user socket connection
> May 19 16:52:05 sev1 virtiofsd[74914]: [ID: 00000001] virtio_loop: Entry
> ...
> May 19 16:52:07 sev1 virtiofsd[74914]: [ID: 00000001] virtio_loop: Got VU event
> May 19 16:52:07 sev1 virtiofsd[74914]: [ID: 00000001] fv_panic: libvhost-user: Invalid vring_addr message
> 
> I know that other virtio devices use iommu and DMA apis to share
> non-encrypted pages between the host
> and encrypted guest. Could something similar be done with virtiofsd and the
> virtio-fs virtio device?

I guess if you can guarantee that everything is going through
non-encrypted pages with the iommu, there shouldn't be a difference?
My only other worry is whether SEV works with a shared-memory backing
(e.g. /dev/shm or memfd with mmap shared).

I know there's an existing bug saying that virtio-fs doesn't work with
viommu:
https://bugzilla.redhat.com/show_bug.cgi?id=1812886

so I suspect it's fallout from that; I think we just haven't
implemented the iommu compat code in the daemon.

> There are reported problems with vhost-user and SEV:
> https://bugzilla.redhat.com/show_bug.cgi?id=1797058

Yes, although it wasn't clear if that was just a performance problem or
not.

Dave

> Thanks for any insight,
> Jim
-- 
Dr. David Alan Gilbert / dgilbert at redhat.com / Manchester, UK