mirror of
https://github.com/google/alioth.git
synced 2024-10-22 22:46:38 +00:00
docs(sev): update sev guest instructions
Signed-off-by: Changyuan Lyu <changyuanl@google.com>
This commit is contained in:
Changyuan Lyu
Lencerf
parent
4796ec3966
commit
701baa3827
1 changed files with 19 additions and 21 deletions
40
docs/coco.md
40
docs/coco.md
|
|
@ -11,40 +11,38 @@ Alioth supports booting confidential guests on the following platforms,
|
|||
> Alioth confidential VMs should be used in testing environments only since the
|
||||
> code base has not gone through any serious security reviews.
|
||||
|
||||
## AMD-SEV guest with Oak/Stage0 firmware
|
||||
## AMD-SEV guest with Oak/stage0 firmware
|
||||
|
||||
To launch an SEV guest,
|
||||
|
||||
1. build the stage0 firmware from the Oak project[^stage0],
|
||||
2. prepare the guest Linux kernel of ELF format, the initramfs, and the kernel
|
||||
command line in a text file,
|
||||
3. for SEV guests, `POLICY=0x1`, for SEV-ES guests, `POLICY=0x5`,
|
||||
4. launch the guest by
|
||||
1. build the stage0 firmware from Project Oak[^stage0],
|
||||
|
||||
2. prepare the guest Linux kernel and the initramfs,
|
||||
|
||||
3. launch the guest by
|
||||
|
||||
```bash
|
||||
./alioth run -f /path/to/oak_stage0.bin \
|
||||
--mem-size 1G \
|
||||
--hypervisor kvm,dev_sev=/dev/sev \
|
||||
--memory size=1G \
|
||||
--num-cpu 2 \
|
||||
--fw-cfg name=opt/stage0/elf_kernel,file=/path/to/elf_kernel \
|
||||
--fw-cfg name=opt/stage0/initramfs,file=/path/to/initramfs \
|
||||
--fw-cfg name=opt/stage0/cmdline,file=/path/to/cmdline.txt \
|
||||
--kernel /path/to/vmlinuz \
|
||||
--cmd-line "console=ttyS0" \
|
||||
--initramfs /path/to/initramfs \
|
||||
--coco sev,policy=$POLICY
|
||||
```
|
||||
|
||||
To launch an SEV-SNP guest, pass `--coco snp,policy=0x30000` instead.
|
||||
4. for SEV guests, `POLICY=0x1`, for SEV-ES guests, `POLICY=0x5`,
|
||||
|
||||
> [!NOTE]
|
||||
>
|
||||
> An SEV-SNP guest needs the host KVM to support `KVM_X86_SNP_VM`, which is
|
||||
> scheduled to be merged into Linux 6.11.
|
||||
5. for SEV-SNP guests, pass `--coco snp,policy=0x30000` instead.
|
||||
|
||||
As of 2024-06-25, to try out SEV-SNP with a bleeding edge host Linux kernel,
|
||||
Note:
|
||||
|
||||
- checkout the branch `kvm-coco-queue` of the
|
||||
[Linux KVM tree](https://git.kernel.org/pub/scm/virt/kvm/kvm.git/),
|
||||
- merge the branch `snp-host-latest` of
|
||||
[AMDESE/linux](https://github.com/AMDESE/linux),
|
||||
- build and install the kernel on the test machine.
|
||||
- An SEV-SNP guest requires host Linux kernel 6.11.
|
||||
|
||||
- Stage0 appends `-- --oak-dice=0x17000` to the guest kernel command line. Make
|
||||
sure the init process in the initramfs accepts or ignores this flag. If the
|
||||
init process fails to parse this flag and exits, the guest kernel would panic.
|
||||
|
||||
[^sev]:
|
||||
[AMD Secure Encrypted Virtualization (SEV)](https://www.amd.com/en/developer/sev.html)
|
||||
|
|
|
|||
Loading…
Reference in a new issue