Re: [RFC PATCH 00/16] Confidential computing and AMD SEV support

On 16/05/2025 at 12:54, Jürgen Groß wrote:
> On 16.05.25 11:31, Teddy Astie wrote:
>>
>> In order to create a confidential computing domain, the process is
>> as follows:
>>   - create a HVM/PVH domain with XEN_DOMCTL_CDF_coco
>>   - populate initial memory as usual
>>   - apply coco_prepare_initial_mem on all initial pages
>>     (under SEV, this will encrypt memory)
>>
>> Under xl, it is exposed through the `coco` parameter ("coco = 1").
>
> Wouldn't it make sense to allow specifying the kind of domain
> (SEV, SEV-ES, SEV-SNP, TDX) like KVM does?
>

Yes, I was thinking of exposing it through an optional arch-specific
parameter for specifying some SEV-specific parameters (enable SNP, ...),
and by default relying on what the platform provides with a "best default"
configuration.
(AFAICT it's not possible to have both SEV (AMD-specific) and TDX
(Intel-specific), or at least not yet.)

> It might not be needed right now, but in future this could be needed
> (e.g. when allowing migration between hosts with different SEV
> features).
>
> I don't think this is important during RFC phase, but the final
> configuration and hypervisor interfaces of this series should allow
> that.
>
>
> Juergen

Teddy

Teddy Astie | Vates XCP-ng Developer
XCP-ng & Xen Orchestra - Vates solutions
web: https://vates.tech