Update SEV trait docs to avoid misleading people

Since the AMD SEV spec was approved for Stein, it was subsequently
realised that a trait would not be sufficient for tracking SEV-capable
compute hosts.  A resource class is also needed to track the inventory
of "slots" available on these hosts, since the number of slots limits
how many guests with encrypted memory can run concurrently.

Therefore the design pivoted somewhat, and now
trait:HW_CPU_AMD_SEV=required will not be the correct way to request
SEV functionality:

  https://specs.openstack.org/openstack/nova-specs/specs/train/approved/amd-sev-libvirt-support.html

For reference, the previous spec is here:

  https://specs.openstack.org/openstack/nova-specs/specs/stein/approved/amd-sev-libvirt-support.html

Another lesson learnt from the Stein cycle was that it is not safe to
assume that the work targeted for one cycle will actually land in that
cycle, therefore it's safer for documentation of an in-progress
feature to be transparent that it's in progress and not yet usable.

Change-Id: I6b652c20ba4f5ec775829a45939d708066dc3011
blueprint: amd-sev-libvirt-support
Adam Spiers 2019-04-25 11:42:15 +01:00
parent 50ca62cfbd
commit 3b9116739d
1 changed files with 4 additions and 8 deletions

@ -80,11 +80,7 @@ correctly by the firmware. SEV is particularly applicable to cloud
computing since it can reduce the amount of trust VMs need to place in
the hypervisor and administrator of their host system.
The ``os_traits.hw.cpu.amd.SEV`` trait can be used to indicate that a
compute host contains support for SEV not only on-CPU, but also in all
other layers of the hypervisor stack required in order to take
advantage of this feature: the kernel, QEMU, and libvirt. This trait
can be specified as required by a flavor extra spec or image property
``trait:HW_CPU_AMD_SEV=required`` in order to indicate that VMs with
that flavor or image must only be booted on SEV-capable hosts with the
SEV functionality enabled.
The ``os_traits.hw.cpu.amd.SEV`` trait is reserved in order to
indicate that a compute host contains support for SEV not only on-CPU,
but also in all other layers of the hypervisor stack required in order
to take advantage of this feature.
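Review bot: the replacement text in this hunk says the trait "is reserved" but does not tell the reader what that means in practice, which is the point the commit message says it wants to make: that SEV support is still in progress and not yet usable, and that `trait:HW_CPU_AMD_SEV=required` is no longer the intended way to request it. Suggest adding one sentence after "to take advantage of this feature." along the lines of "Scheduling support for SEV is still in progress and this trait should not yet be relied upon to request SEV guests; see the Train spec for the current design." with the spec URL from the commit message, so operators reading only the rendered docs are not left guessing what replaced the removed guidance. Minor: the new wording also drops the explicit enumeration "the kernel, QEMU, and libvirt" from the old text; if that was deliberate it is worth saying so in the commit message, otherwise it is useful detail to keep.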