Cloud-Native Confidential Computing Best Practices White Paper: 06 Runtime Foundation: AMD SEV Confidential Virtual Machines (2) https://developer.aliyun.com/article/1230949?groupCode=aliyun_linux
Step 5: Start the VM
Installing with virt-install
virt-install \
  --name sev-guest \
  --memory 4096 \
  --memtune hard_limit=4563402 \
  --boot uefi \
  --disk /var/lib/libvirt/images/sev-guest.img,device=disk,bus=scsi \
  --disk /var/lib/libvirt/images/init-passwd.iso,device=cdrom \
  --os-type linux \
  --os-variant centos8 \
  --import \
  --controller type=scsi,model=virtio-scsi,driver.iommu=on \
  --controller type=virtio-serial,driver.iommu=on \
  --network network=default,model=virtio,driver.iommu=on \
  --memballoon driver.iommu=on \
  --graphics none \
  --launchSecurity sev
Starting with virsh from an XML file
• Create the file sev.xml with the following content
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <!-- the domain name must match the name passed to "virsh start" below -->
  <name>sev-guest</name>
  <memory unit='GiB'>4</memory>
  <vcpu>4</vcpu>
  <os>
    <type arch='x86_64' machine='pc'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none'/>
      <source file='/tmp/test.qcow2'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <memballoon model='none'/>
    <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0' keymap='en-us'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
  </devices>
  <!-- SEV launch policy: 0x0001 sets only NODBG (hypervisor debug access disallowed) -->
  <launchSecurity type='sev'>
    <policy>0x0001</policy>
    <cbitpos>51</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
  </launchSecurity>
  <!-- OVMF firmware with SEV support, passed straight to QEMU as a read-only pflash drive -->
  <qemu:commandline>
    <qemu:arg value="-drive"/>
    <qemu:arg value="if=pflash,format=raw,unit=0,file=/usr/share/edk2/ovmf/OVMF_CODE.cc.fd,readonly=on"/>
  </qemu:commandline>
</domain>
• Import the sev-guest virtual machine
virsh define sev.xml
• Start the virtual machine
virsh start sev-guest
Step 6: Check whether SEV is enabled inside the virtual machine
1. virsh console sev-guest
2. dmesg | grep SEV
[ 0.374549] AMD Memory Encryption Features active: SEV
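The two things an operator should verify after these steps are what the `<policy>` value in sev.xml actually grants and whether the guest kernel really reports SEV active. The following added example (not part of the white paper) decodes the policy bits as laid out in the AMD SEV API specification and parses the dmesg line from Step 6; the dmesg excerpt is constructed around the line shown above.

```python
"""Added example (not from the white paper): decode the SEV guest policy from
<launchSecurity><policy>0x0001</policy> and check guest dmesg. dmesg sample is constructed."""
import re

# Guest policy bits (AMD SEV API spec): a set bit means the restriction applies.
POLICY_BITS = {
    0: "NODBG",   # hypervisor debug (DBG_DECRYPT/DBG_ENCRYPT) disallowed
    1: "NOKS",    # sharing keys with other guests disallowed
    2: "ES",      # SEV-ES (encrypted register state) required
    3: "NOSEND",  # guest may not be sent to another platform
    4: "DOMAIN",  # guest may only move within the same platform domain
    5: "SEV",     # guest may only move to another SEV-capable platform
}

# Matches both "AMD Memory Encryption Features active: SEV" (older kernels) and
# "Memory Encryption Features active: AMD SEV SEV-ES" (newer kernels).
FEATURES_RE = re.compile(r"Memory Encryption Features active:\s*(.+?)\s*$")

def decode_sev_policy(policy: int) -> dict:
    """Return each named policy flag plus the minimum firmware API version (bits 16-31)."""
    flags = {name: bool((policy >> bit) & 1) for bit, name in POLICY_BITS.items()}
    flags["API_MAJOR"] = (policy >> 16) & 0xFF
    flags["API_MINOR"] = (policy >> 24) & 0xFF
    return flags

def guest_sev_features(dmesg: str) -> list:
    """Extract the feature names the guest kernel reports as active, e.g. ['SEV']."""
    for line in dmesg.splitlines():
        m = FEATURES_RE.search(line)
        if m:
            return [f for f in m.group(1).split() if f != "AMD"]
    return []

def check_guest(policy: int, dmesg: str) -> list:
    """Operator-side findings: is SEV really on, and does the policy match what the guest sees?"""
    flags, feats, findings = decode_sev_policy(policy), guest_sev_features(dmesg), []
    if "SEV" not in feats:
        findings.append("guest kernel does not report SEV active")
    if flags["ES"] and "SEV-ES" not in feats:
        findings.append("policy requires SEV-ES but guest reports only SEV")
    if not flags["NODBG"]:
        findings.append("NODBG clear: hypervisor may decrypt guest memory via debug commands")
    return findings

# Constructed dmesg excerpt; the second line is the one the white paper shows in Step 6.
SAMPLE_DMESG = ("[    0.000000] Linux version 4.18.0 (mockbuild@example) ...\n"
                "[    0.374549] AMD Memory Encryption Features active: SEV\n")

if __name__ == "__main__":
    print(decode_sev_policy(0x0001), check_guest(0x0001, SAMPLE_DMESG))
```

With the white paper's policy 0x0001 only NODBG is set, so `check_guest` returns no findings; raising the policy to require SEV-ES (bit 2) while the guest still reports plain SEV produces a mismatch finding.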