922d8bf811
This is a follow-up to the previous SEV commit which enables booting SEV guests (I659cb77f12a3), making some minor improvements based on nits highlighted during review:

- Clarify in the hypervisor-kvm.rst documentation that the num_memory_encrypted_guests option is optional, by rewording and moving it to the list of optional steps.
- Make things a bit more concise and avoid duplication of information between the above page and the documentation for the option num_memory_encrypted_guests, instead relying on appropriate hyperlinking between them.
- Clarify that virtio-blk can be used for boot disks in newer kernels.
- Hyperlink to a page explaining vhost-user.
- Remove an unneeded mocking of a LOG object.
- A few other grammar / spelling tweaks.

blueprint: amd-sev-libvirt-support
Change-Id: I75b7ec3a45cac25f6ebf77c6ed013de86c6ac947
34 lines
1.7 KiB
YAML
---
features:
  - |
    The libvirt driver can now support requests for guest RAM to be
    encrypted at the hardware level, if there are compute hosts which
    support it. Currently only AMD SEV (Secure Encrypted
    Virtualization) is supported, and it has certain minimum version
    requirements regarding the kernel, QEMU, and libvirt.

    Memory encryption can be required either via a flavor which has the
    ``hw:mem_encryption`` extra spec set to ``True``, or via an image
    which has the ``hw_mem_encryption`` property set to ``True``.
    These do not inherently cause a preference for SEV-capable
    hardware, but for now SEV is the only way of fulfilling the
    requirement. However in the future, support for other
    hardware-level guest memory encryption technology such as Intel
    MKTME may be added. If a guest specifically needs to be booted
    using SEV rather than any other memory encryption technology, it
    is possible to ensure this by adding
    ``trait:HW_CPU_X86_AMD_SEV=required`` to the flavor extra specs or
    image properties.

    In all cases, SEV instances can only be booted from images which
    have the ``hw_firmware_type`` property set to ``uefi``, and only
    when the machine type is set to ``q35``. The latter can be set per
    image by setting the image property ``hw_machine_type=q35``, or
    per compute node by the operator via the ``hw_machine_type``
    configuration option in the ``[libvirt]`` section of
    :file:`nova.conf`.

    For information on how to set up support for AMD SEV, please see
    the `KVM section of the Configuration Guide
    <https://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#amd-sev>`_.
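The release note above states three boot constraints for an encrypted guest: encryption is requested through the flavor extra spec ``hw:mem_encryption`` or the image property ``hw_mem_encryption``, the image must carry ``hw_firmware_type=uefi``, and the machine type must be ``q35`` (from the image's ``hw_machine_type`` or the compute node's ``[libvirt] hw_machine_type`` default). The following pre-flight check is an added example written for this page; it is not nova's own code. It models only those stated rules. The way it resolves a flavor and image that disagree (treated as an error), the ``host_default_machine_type`` field standing in for the node's config default, and the accepted boolean spellings are assumptions of the example.

```python
"""Pre-flight check for the SEV boot constraints in the release note.

Added example, not nova's own code. Modelled rules (from the note):
  * encryption is requested via flavor extra spec ``hw:mem_encryption``
    or image property ``hw_mem_encryption``;
  * an encrypted guest needs image property ``hw_firmware_type=uefi``;
  * the machine type must be ``q35``, from the image's ``hw_machine_type``
    or the compute node's ``[libvirt] hw_machine_type`` default;
  * ``trait:HW_CPU_X86_AMD_SEV=required`` pins the request to SEV.
Assumptions of this example: flavor/image disagreement is an error, and
``host_default_machine_type`` represents the node's configured default.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TRUE_STRINGS = {"1", "true", "t", "yes", "y", "on"}
FALSE_STRINGS = {"0", "false", "f", "no", "n", "off"}


def parse_bool(value) -> bool:
    """Extra specs and image properties arrive as strings; normalise them."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    raise ValueError(f"not a boolean: {value!r}")


@dataclass
class Request:
    """Constructed stand-in for a boot request (flavor + image + host)."""
    flavor_extra_specs: Dict[str, str] = field(default_factory=dict)
    image_properties: Dict[str, str] = field(default_factory=dict)
    # Assumed representation of the node's [libvirt] hw_machine_type default.
    host_default_machine_type: Optional[str] = None


def mem_encryption_requested(req: Request) -> bool:
    """True if the flavor or the image asks for hardware memory encryption.

    Assumption: an explicit True on one side and False on the other is a
    conflict rather than something to merge silently.
    """
    flavor = req.flavor_extra_specs.get("hw:mem_encryption")
    image = req.image_properties.get("hw_mem_encryption")
    flavor_val = None if flavor is None else parse_bool(flavor)
    image_val = None if image is None else parse_bool(image)
    if flavor_val is not None and image_val is not None and flavor_val != image_val:
        raise ValueError("flavor and image disagree on memory encryption")
    return bool(flavor_val or image_val)


def effective_machine_type(req: Request) -> Optional[str]:
    """The image property wins; otherwise use the compute node default."""
    return req.image_properties.get("hw_machine_type") or req.host_default_machine_type


def check_sev_boot(req: Request) -> List[str]:
    """Return the list of violated constraints; empty means bootable."""
    problems: List[str] = []
    if not mem_encryption_requested(req):
        return problems  # unencrypted guests have no extra constraints here
    if req.image_properties.get("hw_firmware_type") != "uefi":
        problems.append("hw_firmware_type must be 'uefi' for an encrypted guest")
    if effective_machine_type(req) != "q35":
        problems.append("machine type must be 'q35' (image hw_machine_type "
                        "or [libvirt] hw_machine_type on the compute node)")
    return problems


def pinned_to_sev(req: Request) -> bool:
    """True if the request explicitly requires the SEV trait."""
    key = "trait:HW_CPU_X86_AMD_SEV"
    return (req.flavor_extra_specs.get(key) == "required"
            or req.image_properties.get(key) == "required")


if __name__ == "__main__":
    # Constructed sample: encryption from the flavor, firmware and machine
    # type from the image, SEV pinned via the flavor trait.
    sample = Request(
        flavor_extra_specs={"hw:mem_encryption": "True",
                            "trait:HW_CPU_X86_AMD_SEV": "required"},
        image_properties={"hw_firmware_type": "uefi", "hw_machine_type": "q35"},
    )
    print("problems:", check_sev_boot(sample), "pinned:", pinned_to_sev(sample))
```

Running the module prints an empty problem list for the sample request. Feeding it an image with ``hw_firmware_type=bios``, or one with no ``hw_machine_type`` on a node without a ``q35`` default, returns the corresponding violations instead of letting the request proceed to a scheduler that would fail it later.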