Cloud Native Confidential Computing Best Practices White Paper: 06 Runtime Base, Hygon CSV Confidential Virtual Machines (1) https://developer.aliyun.com/article/1231199?groupCode=aliyun_linux
Step 5: Launch the CSV guest VM
Launch method 1: start with the QEMU command line
Use a QEMU command line like the following to launch the CSV guest VM:
sudo /usr/libexec/qemu-kvm -enable-kvm -cpu host -smp 4 -m 4096 \
  -drive if=pflash,format=raw,unit=0,file=/usr/share/edk2/ovmf/OVMF_CODE.cc.fd,readonly=on \
  -hda test.qcow2 \
  -object sev-guest,id=sev0,policy=0x1,cbitpos=47,reduced-phys-bits=5 \
  -machine memory-encryption=sev0 \
  -name test -monitor stdio
Launch method 2: start with virsh
virsh is a command-line tool for managing guests and the hypervisor in a virtualization environment. Like virt-manager and similar tools, it performs virtualization management through the libvirt API. virsh is a user-space tool that runs entirely in command-line text mode, which makes it one of the ideal tools for system administrators who automate virtualization deployment and management with scripts.
Configure libvirt
Set user and group in /etc/libvirt/qemu.conf to root, to avoid permission problems and errors:
# Some examples of valid values are:
#
#       user = "qemu"   # A user named "qemu"
#       user = "+0"     # Super user (uid=0)
#       user = "100"    # A user named "100" or a user with uid=100
#
user = "root"

# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
group = "root"
Restart the libvirtd service
systemctl daemon-reload
service libvirtd restart
Create the CSV guest configuration file
The following is a reference configuration file for a CSV VM, csv_launch.xml. Adjust the corresponding fields to your actual requirements when using it. For more configuration options, see the libvirt documentation "Launch security with AMD SEV".
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>csv_launch</name>
  <memory unit='GiB'>4</memory>
  <vcpu>4</vcpu>
  <os>
    <type arch='x86_64' machine='pc'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none'/>
      <source file='/tmp/test.qcow2'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <memballoon model='none'/>
    <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0' keymap='en-us'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
  </devices>
  <launchSecurity type='sev'>
    <policy>0x0001</policy>
    <cbitpos>47</cbitpos>
    <reducedPhysBits>5</reducedPhysBits>
  </launchSecurity>
  <qemu:commandline>
    <qemu:arg value="-drive"/>
    <qemu:arg value="if=pflash,format=raw,unit=0,file=/usr/share/edk2/ovmf/OVMF_CODE.cc.fd,readonly=on"/>
  </qemu:commandline>
</domain>
Launch the CSV VM
sudo virsh create csv_launch.xml
Step 6: Check the guest's CSV enablement status
• Connect to the guest with VNC or another remote access tool
• The default username of the Anolis image is anuser, and the password is anolisos
localhost login: anuser
Password: anolisos
After logging in to the VM, run:
dmesg | grep -i sev
If the output looks like the following, the CSV VM has started successfully:
[    0.129692] AMD Secure Encrypted Virtualization (SEV) active
[    1.886794] software IO TLB: SEV is active and system is using DMA bounce buffers
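As an added example (not part of the white paper or of the QEMU/libvirt/Hygon tooling), the following Python decodes the launch-security policy value used by both launch methods above (policy=0x1 / <policy>0x0001</policy>) and checks dmesg output for the step 6 success line. It assumes that the guest-policy bit layout from the AMD SEV API also applies to the CSV policy field, which the page passes through QEMU's sev-guest object; POLICY_BITS, decode_policy, policy_findings and sev_active_in_dmesg are names introduced here.

```python
import re

# Bit -> (flag, what that flag forbids when SET). Layout per the AMD SEV API
# guest-policy definition; assumption: Hygon CSV reads the field the same way,
# since the page launches the guest via QEMU's sev-guest object.
POLICY_BITS = {
    0: ("NODBG",  "hypervisor debug access to guest memory"),
    1: ("NOKS",   "sharing the memory encryption key with other guests"),
    2: ("ES",     "running without SEV-ES encrypted register state"),
    3: ("NOSEND", "migrating the guest to another platform"),
    4: ("DOMAIN", "migrating to a platform outside this domain"),
    5: ("SEV",    "migrating to a platform that is not SEV-capable"),
}

def decode_policy(policy: int) -> dict:
    """Split a guest policy word into its flag bits and API version fields."""
    flags = {name: bool((policy >> bit) & 1) for bit, (name, _) in POLICY_BITS.items()}
    return {"flags": flags,
            "api_major": (policy >> 16) & 0xFF,   # bits 16..23
            "api_minor": (policy >> 24) & 0xFF}   # bits 24..31

def policy_findings(policy: int) -> list:
    """Return (flag, still_allowed_action) for every protection the policy leaves off."""
    flags = decode_policy(policy)["flags"]
    return [(name, desc) for _, (name, desc) in POLICY_BITS.items() if not flags[name]]

# Kernel line printed by an SEV/CSV guest once memory encryption is active.
SEV_ACTIVE = re.compile(r"AMD Secure Encrypted Virtualization \(SEV\) active")

def sev_active_in_dmesg(dmesg_text: str) -> bool:
    """True if the guest's dmesg output reports SEV as active."""
    return any(SEV_ACTIVE.search(line) for line in dmesg_text.splitlines())

# Constructed sample: the two lines the page shows a successful CSV guest printing.
SAMPLE_DMESG = """\
[    0.129692] AMD Secure Encrypted Virtualization (SEV) active
[    1.886794] software IO TLB: SEV is active and system is using DMA bounce buffers
"""

if __name__ == "__main__":
    for name, allowed in policy_findings(0x1):       # policy=0x1 as used on this page
        print(f"{name} unset: {allowed} remains permitted")
    print("SEV active in guest:", sev_active_in_dmesg(SAMPLE_DMESG))
```

With the page's policy of 0x1 only NODBG is set, so the report lists key sharing, migration and ES as protections the policy does not enforce; a production policy would normally set more of these bits.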