On Mon, 2024-06-24 at 15:09 +0100, Daniel P. Berrangé wrote: > On Fri, Jun 21, 2024 at 03:29:12PM +0100, Roy Hopkins wrote: > > IGVM support has been implemented for Confidential Guests that support > > AMD SEV and AMD SEV-ES. Add some documentation that gives some > > background on the IGVM format and how to use it to configure a > > confidential guest. > > > > Signed-off-by: Roy Hopkins <roy.hopk...@suse.com> > > --- > > docs/system/i386/amd-memory-encryption.rst | 2 + > > docs/system/igvm.rst | 157 +++++++++++++++++++++ > > docs/system/index.rst | 1 + > > 3 files changed, 160 insertions(+) > > create mode 100644 docs/system/igvm.rst > > > diff --git a/docs/system/igvm.rst b/docs/system/igvm.rst > > new file mode 100644 > > index 0000000000..b6e544a508 > > --- /dev/null > > +++ b/docs/system/igvm.rst > > > +Running a Confidential Guest configured using IGVM > > +-------------------------------------------------- > > + > > +To run a confidential guest configured with IGVM you need to add an > > +``igvm-cfg`` object and refer to it from the ``-machine`` parameter: > > + > > +Example (for AMD SEV):: > > + > > + qemu-system-x86_64 \ > > + <other parameters> \ > > + -machine ...,confidential-guest-support=sev0,igvm-cfg=igvm0 \ > > + -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 \ > > + -object igvm-cfg,id=igvm0,file=/path/to/guest.igvm > > Perhaps also illustrate use of your 'buildigvm' tool for creating > the igvm file first, assuming that's the tool users are most likely > to end up needing ? > > > With regards, > Daniel
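Review bot: the example block in the new "Running a Confidential Guest configured using IGVM" section covers only AMD SEV, while the commit message says IGVM is implemented for both AMD SEV and AMD SEV-ES. Add an SEV-ES variant of the command, or a sentence saying what changes on the `-object sev-guest` line for SEV-ES. The introductory sentence ends in a colon directly before "Example (for AMD SEV)::", so it would read better ending in a full stop. It would also help to state which `sev-guest` properties are still required once `igvm-cfg` is supplied, since the example keeps `cbitpos=47,reduced-phys-bits=1` without comment.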
I'm not sure it is the tool _most_ people will end up using, but it is a good example and I'm not aware of many other examples of IGVM build tools.

IGVM is likely to be used to package guests with custom configuration requirements, such as the COCONUT-SVSM usage where the SVSM kernel is packaged along with OVMF, configuration and other data required to launch a guest running with a range of privilege levels in a confidential virtual machine.

But for the purposes of testing and examples it makes sense to update the documentation to describe how to use the 'buildigvm' tool so I'll update the docs.

Regards,
Roy