mirrors/alioth
1
0
Fork 0
mirror of https://github.com/google/alioth.git synced 2024-10-23 15:00:13 +00:00
Code Issues Projects Releases Packages Wiki Activity
alioth/docs/coco.md
Changyuan Lyu 701baa3827 docs(sev): update sev guest instructions 
Signed-off-by: Changyuan Lyu <changyuanl@google.com>
2024-08-01 00:17:06 -07:00

55 lines
1.5 KiB
Markdown
Raw Blame History

# Confidential Compute (coco)
Alioth supports booting confidential guests on the following platforms,
- AMD-SEV [^sev]
The implementation takes QEMU [^qemu] as a reference.
> [!IMPORTANT]
>
> Alioth confidential VMs should be used in testing environments only since the
> code base has not gone through any serious security reviews.
## AMD-SEV guest with Oak/stage0 firmware
To launch an SEV guest,
1. build the stage0 firmware from Project Oak[^stage0],
2. prepare the guest Linux kernel and the initramfs,
3. launch the guest by
```bash
./alioth run -f /path/to/oak_stage0.bin \
--hypervisor kvm,dev_sev=/dev/sev \
--memory size=1G \
--num-cpu 2 \
--kernel /path/to/vmlinuz \
--cmd-line "console=ttyS0" \
--initramfs /path/to/initramfs \
--coco sev,policy=$POLICY
```
4. for SEV guests, `POLICY=0x1`, for SEV-ES guests, `POLICY=0x5`,
5. for SEV-SNP guests, pass `--coco snp,policy=0x30000` instead.
Note:
- An SEV-SNP guest requires host Linux kernel 6.11.
- Stage0 appends `-- --oak-dice=0x17000` to the guest kernel command line. Make
sure the init process in the initramfs accepts or ignores this flag. If the
init process fails to parse this flag and exits, the guest kernel would panic.
[^sev]:
[AMD Secure Encrypted Virtualization (SEV)](https://www.amd.com/en/developer/sev.html)
[^stage0]:
[Oak/stage0 firmware](https://github.com/project-oak/oak/tree/main/stage0_bin)
[^qemu]:
[QEMU's doc on SEV](https://www.qemu.org/docs/master/system/i386/amd-memory-encryption.html)
Reference in a new issue View git blame Copy permalink