cutemeli/server
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2adfbd9ea73fc04955d459a3e37101263067ebdb
server/usr/share/doc/qemu-system-common/system/s390x/protvirt.html
cutemeli 2adfbd9ea7 .gitignore angepasst
2026-01-07 20:52:11 +01:00

238 lines
15 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!DOCTYPE html>
<html class="writer-html5" lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Protected Virtualization on s390x &mdash; QEMU Debian 1:8.2.2+ds-0ubuntu1.11 documentation</title>
<link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
<link rel="stylesheet" type="text/css" href="../../_static/css/theme.css?v=86f27845" />
<link rel="stylesheet" type="text/css" href="../../_static/theme_overrides.css?v=08e6c168" />
<link rel="shortcut icon" href="../../_static/qemu_32x32.png"/>
<script src="../../_static/jquery.js?v=8dae8fb0"></script>
<script src="../../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
<script src="../../_static/documentation_options.js?v=802af9f6"></script>
<script src="../../_static/doctools.js?v=888ff710"></script>
<script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="../../_static/custom.js?v=2ab9f71d"></script>
<script src="../../_static/js/theme.js"></script>
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
<link rel="next" title="CPU topology on s390x" href="cpu-topology.html" />
<link rel="prev" title="Boot devices on s390x" href="bootdevices.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" style="background: #802400" >
<a href="../../index.html" class="icon icon-home">
QEMU
<img src="../../_static/qemu_128x128.png" class="logo" alt="Logo"/>
</a>
<div class="version">
8.2.2
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<p class="caption" role="heading"><span class="caption-text">Contents:</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../about/index.html">About QEMU</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../index.html">System Emulation</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../introduction.html">Introduction</a></li>
<li class="toctree-l2"><a class="reference internal" href="../invocation.html">Invocation</a></li>
<li class="toctree-l2"><a class="reference internal" href="../device-emulation.html">Device Emulation</a></li>
<li class="toctree-l2"><a class="reference internal" href="../keys.html">Keys in the graphical frontends</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mux-chardev.html">Keys in the character backend multiplexer</a></li>
<li class="toctree-l2"><a class="reference internal" href="../monitor.html">QEMU Monitor</a></li>
<li class="toctree-l2"><a class="reference internal" href="../images.html">Disk Images</a></li>
<li class="toctree-l2"><a class="reference internal" href="../virtio-net-failover.html">QEMU virtio-net standby (net_failover)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../linuxboot.html">Direct Linux Boot</a></li>
<li class="toctree-l2"><a class="reference internal" href="../generic-loader.html">Generic Loader</a></li>
<li class="toctree-l2"><a class="reference internal" href="../guest-loader.html">Guest Loader</a></li>
<li class="toctree-l2"><a class="reference internal" href="../barrier.html">QEMU Barrier Client</a></li>
<li class="toctree-l2"><a class="reference internal" href="../vnc-security.html">VNC security</a></li>
<li class="toctree-l2"><a class="reference internal" href="../tls.html">TLS setup for network services</a></li>
<li class="toctree-l2"><a class="reference internal" href="../secrets.html">Providing secret data to QEMU</a></li>
<li class="toctree-l2"><a class="reference internal" href="../authz.html">Client authorization</a></li>
<li class="toctree-l2"><a class="reference internal" href="../gdb.html">GDB usage</a></li>
<li class="toctree-l2"><a class="reference internal" href="../replay.html">Record/replay</a></li>
<li class="toctree-l2"><a class="reference internal" href="../managed-startup.html">Managed start up options</a></li>
<li class="toctree-l2"><a class="reference internal" href="../bootindex.html">Managing device boot order with bootindex properties</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cpu-hotplug.html">Virtual CPU hotplug</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pr-manager.html">Persistent reservation managers</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="../targets.html">QEMU System Emulator Targets</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="../target-arm.html">Arm System emulator</a></li>
<li class="toctree-l3"><a class="reference internal" href="../target-avr.html">AVR System emulator</a></li>
<li class="toctree-l3"><a class="reference internal" href="../target-m68k.html">ColdFire System emulator</a></li>
<li class="toctree-l3"><a class="reference internal" href="../target-mips.html">MIPS System emulator</a></li>
<li class="toctree-l3"><a class="reference internal" href="../target-ppc.html">PowerPC System emulator</a></li>
<li class="toctree-l3"><a class="reference internal" href="../target-openrisc.html">OpenRISC System emulator</a></li>
<li class="toctree-l3"><a class="reference internal" href="../target-riscv.html">RISC-V System emulator</a></li>
<li class="toctree-l3"><a class="reference internal" href="../target-rx.html">RX System emulator</a></li>
<li class="toctree-l3 current"><a class="reference internal" href="../target-s390x.html">s390x System emulator</a><ul class="current">
<li class="toctree-l4"><a class="reference internal" href="../target-s390x.html#device-support">Device support</a></li>
<li class="toctree-l4 current"><a class="reference internal" href="../target-s390x.html#architectural-features">Architectural features</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="../target-sparc.html">Sparc32 System emulator</a></li>
<li class="toctree-l3"><a class="reference internal" href="../target-sparc64.html">Sparc64 System emulator</a></li>
<li class="toctree-l3"><a class="reference internal" href="../target-i386.html">x86 System emulator</a></li>
<li class="toctree-l3"><a class="reference internal" href="../target-xtensa.html">Xtensa System emulator</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../security.html">Security</a></li>
<li class="toctree-l2"><a class="reference internal" href="../multi-process.html">Multi-process QEMU</a></li>
<li class="toctree-l2"><a class="reference internal" href="../confidential-guest-support.html">Confidential Guest Support</a></li>
<li class="toctree-l2"><a class="reference internal" href="../vm-templating.html">QEMU VM templating</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">User Mode Emulation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../tools/index.html">Tools</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../interop/index.html">System Emulation Management and Interoperability</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../specs/index.html">System Emulation Guest Hardware Specifications</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../devel/index.html">Developer Information</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" style="background: #802400" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../../index.html">QEMU</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="../../index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item"><a href="../index.html">System Emulation</a></li>
<li class="breadcrumb-item"><a href="../targets.html">QEMU System Emulator Targets</a></li>
<li class="breadcrumb-item"><a href="../target-s390x.html">s390x System emulator</a></li>
<li class="breadcrumb-item active">Protected Virtualization on s390x</li>
<li class="wy-breadcrumbs-aside">
<a href="https://gitlab.com/qemu-project/qemu/blob/master/docs/system/s390x/protvirt.rst" class="fa fa-gitlab"> Edit on GitLab</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="protected-virtualization-on-s390x">
<h1>Protected Virtualization on s390x<a class="headerlink" href="#protected-virtualization-on-s390x" title="Link to this heading"></a></h1>
<p>The memory and most of the registers of Protected Virtual Machines
(PVMs) are encrypted or inaccessible to the hypervisor, effectively
prohibiting VM introspection when the VM is running. At rest, PVMs are
encrypted and can only be decrypted by the firmware, represented by an
entity called Ultravisor, of specific IBM Z machines.</p>
<section id="prerequisites">
<h2>Prerequisites<a class="headerlink" href="#prerequisites" title="Link to this heading"></a></h2>
<p>To run PVMs, a machine with the Protected Virtualization feature, as
indicated by the Ultravisor Call facility (stfle bit 158), is
required. The Ultravisor needs to be initialized at boot by setting
<code class="docutils literal notranslate"><span class="pre">prot_virt=1</span></code> on the hosts kernel command line.</p>
<p>Running PVMs requires using the KVM hypervisor.</p>
<p>If those requirements are met, the capability <code class="docutils literal notranslate"><span class="pre">KVM_CAP_S390_PROTECTED</span></code>
will indicate that KVM can support PVMs on that LPAR.</p>
</section>
<section id="running-a-protected-virtual-machine">
<h2>Running a Protected Virtual Machine<a class="headerlink" href="#running-a-protected-virtual-machine" title="Link to this heading"></a></h2>
<p>To run a PVM you will need to select a CPU model which includes the
<code class="docutils literal notranslate"><span class="pre">Unpack</span> <span class="pre">facility</span></code> (stfle bit 161 represented by the feature
<code class="docutils literal notranslate"><span class="pre">unpack</span></code>/<code class="docutils literal notranslate"><span class="pre">S390_FEAT_UNPACK</span></code>), and add these options to the command line:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">-</span><span class="nb">object</span> <span class="n">s390</span><span class="o">-</span><span class="n">pv</span><span class="o">-</span><span class="n">guest</span><span class="p">,</span><span class="nb">id</span><span class="o">=</span><span class="n">pv0</span> \
<span class="o">-</span><span class="n">machine</span> <span class="n">confidential</span><span class="o">-</span><span class="n">guest</span><span class="o">-</span><span class="n">support</span><span class="o">=</span><span class="n">pv0</span>
</pre></div>
</div>
<p>Adding these options will:</p>
<ul class="simple">
<li><p>Ensure the <code class="docutils literal notranslate"><span class="pre">unpack</span></code> facility is available</p></li>
<li><p>Enable the IOMMU by default for all I/O devices</p></li>
<li><p>Initialize the PV mechanism</p></li>
</ul>
<p>Passthrough (vfio) devices are currently not supported.</p>
<p>Host huge page backings are not supported. However guests can use huge
pages as indicated by its facilities.</p>
</section>
<section id="boot-process">
<h2>Boot Process<a class="headerlink" href="#boot-process" title="Link to this heading"></a></h2>
<p>A secure guest image can either be loaded from disk or supplied on the
QEMU command line. Booting from disk is done by the unmodified
s390-ccw BIOS. I.e., the bootmap is interpreted, multiple components
are read into memory and control is transferred to one of the
components (zipl stage3). Stage3 does some fixups and then transfers
control to some program residing in guest memory, which is normally
the OS kernel. The secure image has another component prepended
(stage3a) that uses the new diag308 subcodes 8 and 10 to trigger the
transition into secure mode.</p>
<p>Booting from the image supplied on the QEMU command line requires that
the file passed via -kernel has the same memory layout as would result
from the disk boot. This memory layout includes the encrypted
components (kernel, initrd, cmdline), the stage3a loader and
metadata. In case this boot method is used, the command line
options -initrd and -cmdline are ineffective. The preparation of a PVM
image is done via the <code class="docutils literal notranslate"><span class="pre">genprotimg</span></code> tool from the s390-tools
collection.</p>
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="bootdevices.html" class="btn btn-neutral float-left" title="Boot devices on s390x" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="cpu-topology.html" class="btn btn-neutral float-right" title="CPU topology on s390x" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright 2025, The QEMU Project Developers.</p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
<!-- Empty para to force a blank line after "Built with Sphinx ..." -->
<p></p>
<p>This documentation is for QEMU version 8.2.2.</p>
<p><a href="../../about/license.html">QEMU and this manual are released under the
GNU General Public License, version 2.</a></p>
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink