nova/releasenotes/notes/bp-amd-sev-libvirt-support-4b7cf8f0756d88b8.yaml
Adam Spiers 922d8bf811 Improve SEV documentation and other minor tweaks
This is a follow-up to the previous SEV commit which enables booting
SEV guests (I659cb77f12a3), making some minor improvements based on
nits highlighted during review:

- Clarify in the hypervisor-kvm.rst documentation that the
  num_memory_encrypted_guests option is optional, by rewording and
  moving it to the list of optional steps.

- Make things a bit more concise and avoid duplication of information
  between the above page and the documentation for the option
  num_memory_encrypted_guests, instead relying on appropriate
  hyperlinking between them.

- Clarify that virtio-blk can be used for boot disks in newer kernels.

- Hyperlink to a page explaining vhost-user

- Remove an unneeded mocking of a LOG object.

- A few other grammar / spelling tweaks.

blueprint: amd-sev-libvirt-support
Change-Id: I75b7ec3a45cac25f6ebf77c6ed013de86c6ac947
2019-09-10 14:48:32 +01:00

---
features:
  - |
    The libvirt driver can now support requests for guest RAM to be
    encrypted at the hardware level, if there are compute hosts which
    support it. Currently only AMD SEV (Secure Encrypted
    Virtualization) is supported, and it has certain minimum version
    requirements regarding the kernel, QEMU, and libvirt.

    Memory encryption can be required either via a flavor which has the
    ``hw:mem_encryption`` extra spec set to ``True``, or via an image
    which has the ``hw_mem_encryption`` property set to ``True``.
    These do not inherently cause a preference for SEV-capable
    hardware, but for now SEV is the only way of fulfilling the
    requirement. However, in the future, support for other
    hardware-level guest memory encryption technology such as Intel
    MKTME may be added. If a guest specifically needs to be booted
    using SEV rather than any other memory encryption technology, it
    is possible to ensure this by adding
    ``trait:HW_CPU_X86_AMD_SEV=required`` to the flavor extra specs or
    image properties.

    In all cases, SEV instances can only be booted from images which
    have the ``hw_firmware_type`` property set to ``uefi``, and only
    when the machine type is set to ``q35``. The latter can be set per
    image by setting the image property ``hw_machine_type=q35``, or
    per compute node by the operator via the ``hw_machine_type``
    configuration option in the ``[libvirt]`` section of
    :file:`nova.conf`.

    For information on how to set up support for AMD SEV, please see
    the `KVM section of the Configuration Guide
    <https://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#amd-sev>`_.
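As an added illustration (not nova's own code, and not part of this commit), the following pre-flight check applies the rules the release note states to a flavor's extra specs, an image's properties and the ``[libvirt]`` section of ``nova.conf``, reporting why a memory-encryption request would not be bootable as SEV. It assumes the ``hw_machine_type`` option holds a comma-separated list of ``arch=type`` pairs and that property values are parsed loosely as booleans.

```python
# Added example, not nova's own validation code. Inputs are plain dicts:
# flavor extra specs, image properties, and the [libvirt] section of nova.conf.

# Assumption: loose truthy strings, as a bool-from-string parser would accept.
TRUE_STRINGS = ("1", "t", "true", "on", "y", "yes")


def _is_true(value):
    """Interpret a flavor extra spec or image property value as a boolean."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUE_STRINGS


def _conf_machine_type(libvirt_conf, arch="x86_64"):
    """Read [libvirt] hw_machine_type, assumed to be 'arch=type,arch=type'."""
    raw = libvirt_conf.get("hw_machine_type") or ""
    for pair in raw.split(","):
        if "=" in pair:
            conf_arch, mtype = pair.split("=", 1)
            if conf_arch.strip() == arch:
                return mtype.strip()
    return None


def check_sev_request(flavor_extra_specs, image_props, libvirt_conf):
    """Apply the release note's rules to one boot request.

    Encryption is requested if the flavor extra spec hw:mem_encryption or
    the image property hw_mem_encryption is true. A SEV boot then needs a
    UEFI image and a q35 machine type (image property first, else nova.conf).
    The HW_CPU_X86_AMD_SEV trait only pins the request to SEV specifically.
    """
    requested = (_is_true(flavor_extra_specs.get("hw:mem_encryption", False))
                 or _is_true(image_props.get("hw_mem_encryption", False)))
    result = {"requested": requested, "pinned_to_sev": False, "problems": []}
    if not requested:
        return result
    if image_props.get("hw_firmware_type") != "uefi":
        result["problems"].append("image must set hw_firmware_type=uefi")
    machine_type = image_props.get("hw_machine_type") or _conf_machine_type(libvirt_conf)
    if machine_type != "q35":  # the note names q35 only; aliases are not handled
        result["problems"].append(
            "machine type must be q35 (image hw_machine_type or [libvirt] hw_machine_type)")
    trait = (flavor_extra_specs.get("trait:HW_CPU_X86_AMD_SEV")
             or image_props.get("trait:HW_CPU_X86_AMD_SEV"))
    result["pinned_to_sev"] = trait == "required"
    return result
```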