cutemeli/server
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2adfbd9ea73fc04955d459a3e37101263067ebdb
server/usr/share/doc/qemu-system-common/system/confidential-guest-support.html
cutemeli 2adfbd9ea7 .gitignore angepasst
2026-01-07 20:52:11 +01:00

206 lines
12 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!DOCTYPE html>
<html class="writer-html5" lang="en" data-content_root="../">
<head>
<meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Confidential Guest Support &mdash; QEMU Debian 1:8.2.2+ds-0ubuntu1.11 documentation</title>
<link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
<link rel="stylesheet" type="text/css" href="../_static/css/theme.css?v=86f27845" />
<link rel="stylesheet" type="text/css" href="../_static/theme_overrides.css?v=08e6c168" />
<link rel="shortcut icon" href="../_static/qemu_32x32.png"/>
<script src="../_static/jquery.js?v=8dae8fb0"></script>
<script src="../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
<script src="../_static/documentation_options.js?v=802af9f6"></script>
<script src="../_static/doctools.js?v=888ff710"></script>
<script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="../_static/custom.js?v=2ab9f71d"></script>
<script src="../_static/js/theme.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="QEMU VM templating" href="vm-templating.html" />
<link rel="prev" title="Multi-process QEMU" href="multi-process.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" style="background: #802400" >
<a href="../index.html" class="icon icon-home">
QEMU
<img src="../_static/qemu_128x128.png" class="logo" alt="Logo"/>
</a>
<div class="version">
8.2.2
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<p class="caption" role="heading"><span class="caption-text">Contents:</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../about/index.html">About QEMU</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">System Emulation</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="introduction.html">Introduction</a></li>
<li class="toctree-l2"><a class="reference internal" href="invocation.html">Invocation</a></li>
<li class="toctree-l2"><a class="reference internal" href="device-emulation.html">Device Emulation</a></li>
<li class="toctree-l2"><a class="reference internal" href="keys.html">Keys in the graphical frontends</a></li>
<li class="toctree-l2"><a class="reference internal" href="mux-chardev.html">Keys in the character backend multiplexer</a></li>
<li class="toctree-l2"><a class="reference internal" href="monitor.html">QEMU Monitor</a></li>
<li class="toctree-l2"><a class="reference internal" href="images.html">Disk Images</a></li>
<li class="toctree-l2"><a class="reference internal" href="virtio-net-failover.html">QEMU virtio-net standby (net_failover)</a></li>
<li class="toctree-l2"><a class="reference internal" href="linuxboot.html">Direct Linux Boot</a></li>
<li class="toctree-l2"><a class="reference internal" href="generic-loader.html">Generic Loader</a></li>
<li class="toctree-l2"><a class="reference internal" href="guest-loader.html">Guest Loader</a></li>
<li class="toctree-l2"><a class="reference internal" href="barrier.html">QEMU Barrier Client</a></li>
<li class="toctree-l2"><a class="reference internal" href="vnc-security.html">VNC security</a></li>
<li class="toctree-l2"><a class="reference internal" href="tls.html">TLS setup for network services</a></li>
<li class="toctree-l2"><a class="reference internal" href="secrets.html">Providing secret data to QEMU</a></li>
<li class="toctree-l2"><a class="reference internal" href="authz.html">Client authorization</a></li>
<li class="toctree-l2"><a class="reference internal" href="gdb.html">GDB usage</a></li>
<li class="toctree-l2"><a class="reference internal" href="replay.html">Record/replay</a></li>
<li class="toctree-l2"><a class="reference internal" href="managed-startup.html">Managed start up options</a></li>
<li class="toctree-l2"><a class="reference internal" href="bootindex.html">Managing device boot order with bootindex properties</a></li>
<li class="toctree-l2"><a class="reference internal" href="cpu-hotplug.html">Virtual CPU hotplug</a></li>
<li class="toctree-l2"><a class="reference internal" href="pr-manager.html">Persistent reservation managers</a></li>
<li class="toctree-l2"><a class="reference internal" href="targets.html">QEMU System Emulator Targets</a></li>
<li class="toctree-l2"><a class="reference internal" href="security.html">Security</a></li>
<li class="toctree-l2"><a class="reference internal" href="multi-process.html">Multi-process QEMU</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Confidential Guest Support</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#running-a-confidential-guest">Running a Confidential Guest</a></li>
<li class="toctree-l3"><a class="reference internal" href="#supported-mechanisms">Supported mechanisms</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="vm-templating.html">QEMU VM templating</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">User Mode Emulation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../tools/index.html">Tools</a></li>
<li class="toctree-l1"><a class="reference internal" href="../interop/index.html">System Emulation Management and Interoperability</a></li>
<li class="toctree-l1"><a class="reference internal" href="../specs/index.html">System Emulation Guest Hardware Specifications</a></li>
<li class="toctree-l1"><a class="reference internal" href="../devel/index.html">Developer Information</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" style="background: #802400" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../index.html">QEMU</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="../index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item"><a href="index.html">System Emulation</a></li>
<li class="breadcrumb-item active">Confidential Guest Support</li>
<li class="wy-breadcrumbs-aside">
<a href="https://gitlab.com/qemu-project/qemu/blob/master/docs/system/confidential-guest-support.rst" class="fa fa-gitlab"> Edit on GitLab</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="confidential-guest-support">
<h1>Confidential Guest Support<a class="headerlink" href="#confidential-guest-support" title="Link to this heading"></a></h1>
<p>Traditionally, hypervisors such as QEMU have complete access to a
guests memory and other state, meaning that a compromised hypervisor
can compromise any of its guests. A number of platforms have added
mechanisms in hardware and/or firmware which give guests at least some
protection from a compromised hypervisor. This is obviously
especially desirable for public cloud environments.</p>
<p>These mechanisms have different names and different modes of
operation, but are often referred to as Secure Guests or Confidential
Guests. We use the term “Confidential Guest Support” to distinguish
this from other aspects of guest security (such as security against
attacks from other guests, or from network sources).</p>
<section id="running-a-confidential-guest">
<h2>Running a Confidential Guest<a class="headerlink" href="#running-a-confidential-guest" title="Link to this heading"></a></h2>
<p>To run a confidential guest you need to add two command line parameters:</p>
<ol class="arabic simple">
<li><p>Use <code class="docutils literal notranslate"><span class="pre">-object</span></code> to create a “confidential guest support” object. The
type and parameters will vary with the specific mechanism to be
used</p></li>
<li><p>Set the <code class="docutils literal notranslate"><span class="pre">confidential-guest-support</span></code> machine parameter to the ID of
the object from (1).</p></li>
</ol>
<p>Example (for AMD SEV):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">qemu</span><span class="o">-</span><span class="n">system</span><span class="o">-</span><span class="n">x86_64</span> \
<span class="o">&lt;</span><span class="n">other</span> <span class="n">parameters</span><span class="o">&gt;</span> \
<span class="o">-</span><span class="n">machine</span> <span class="o">...</span><span class="p">,</span><span class="n">confidential</span><span class="o">-</span><span class="n">guest</span><span class="o">-</span><span class="n">support</span><span class="o">=</span><span class="n">sev0</span> \
<span class="o">-</span><span class="nb">object</span> <span class="n">sev</span><span class="o">-</span><span class="n">guest</span><span class="p">,</span><span class="nb">id</span><span class="o">=</span><span class="n">sev0</span><span class="p">,</span><span class="n">cbitpos</span><span class="o">=</span><span class="mi">47</span><span class="p">,</span><span class="n">reduced</span><span class="o">-</span><span class="n">phys</span><span class="o">-</span><span class="n">bits</span><span class="o">=</span><span class="mi">1</span>
</pre></div>
</div>
</section>
<section id="supported-mechanisms">
<h2>Supported mechanisms<a class="headerlink" href="#supported-mechanisms" title="Link to this heading"></a></h2>
<p>Currently supported confidential guest mechanisms are:</p>
<ul class="simple">
<li><p>AMD Secure Encrypted Virtualization (SEV) (see <a class="reference internal" href="i386/amd-memory-encryption.html"><span class="doc">AMD Secure Encrypted Virtualization (SEV)</span></a>)</p></li>
<li><p>POWER Protected Execution Facility (PEF) (see <a class="reference internal" href="ppc/pseries.html#power-papr-protected-execution-facility-pef"><span class="std std-ref">POWER (PAPR) Protected Execution Facility (PEF)</span></a>)</p></li>
<li><p>s390x Protected Virtualization (PV) (see <a class="reference internal" href="s390x/protvirt.html"><span class="doc">Protected Virtualization on s390x</span></a>)</p></li>
</ul>
<p>Other mechanisms may be supported in future.</p>
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="multi-process.html" class="btn btn-neutral float-left" title="Multi-process QEMU" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="vm-templating.html" class="btn btn-neutral float-right" title="QEMU VM templating" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright 2025, The QEMU Project Developers.</p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
<!-- Empty para to force a blank line after "Built with Sphinx ..." -->
<p></p>
<p>This documentation is for QEMU version 8.2.2.</p>
<p><a href="../about/license.html">QEMU and this manual are released under the
GNU General Public License, version 2.</a></p>
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink