mirror of
https://github.com/google/alioth.git
synced 2024-10-23 15:00:13 +00:00
docs(sev): boot AMD-SEV guests with Oak/Stage0
Signed-off-by: Changyuan Lyu <changyuanl@google.com>
This commit is contained in:
parent
5ad2ea658c
commit
f88f290ab9
1 changed files with 36 additions and 0 deletions
36
docs/coco.md
Normal file
36
docs/coco.md
Normal file
|
@ -0,0 +1,36 @@
|
|||
# Confidential Compute (coco)
|
||||
|
||||
Alioth supports booting confidential guests on the following platforms:
|
||||
|
||||
- AMD-SEV [^sev]
|
||||
|
||||
## AMD-SEV guest with Oak/Stage0 firmware
|
||||
|
||||
WARNING: the current implementation takes QEMU [^qemu] as a reference and should
|
||||
be used in testing environments only.
|
||||
|
||||
To launch an SEV guest,
|
||||
|
||||
1. build the stage0 firmware from the Oak project[^stage0],
|
||||
2. prepare the guest Linux kernel of ELF format, the initramfs, and the kernel
|
||||
command line in a text file,
|
||||
3. for SEV guests, `POLICY=0x1`, for SEV-ES guests, `POLICY=0x5`,
|
||||
4. launch the guest by
|
||||
```bash
|
||||
./alioth run -f /path/to/oak_stage0.bin \
|
||||
--mem-size 1G \
|
||||
--num-cpu 2 \
|
||||
--fw-cfg name=opt/stage0/elf_kernel,file=/path/to/elf_kernel \
|
||||
--fw-cfg name=opt/stage0/initramfs,file=/path/to/initramfs \
|
||||
--fw-cfg name=opt/stage0/cmdline,file=/path/to/cmdline.txt \
|
||||
--coco sev,policy=$POLICY
|
||||
```
|
||||
|
||||
[^sev]:
|
||||
[AMD Secure Encrypted Virtualization (SEV)](https://www.amd.com/en/developer/sev.html)
|
||||
|
||||
[^stage0]:
|
||||
[Oak/stage0 firmware](https://github.com/project-oak/oak/tree/main/stage0_bin)
|
||||
|
||||
[^qemu]:
|
||||
[QEMU's doc on SEV](https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html)
|
Loading…
Reference in a new issue