* Jim Cadden ([email protected]) wrote:
> Do you know if virtio-fs can support SEV encrypted guests?
>
> I work on a project adding SEV support into kata containers. So far, we've
> been unable to boot SEV guests
> with kata's virtio-fs option (and use virtio-9p instead):
>
> May 19 16:52:05 sev1 virtiofsd[74904]: [ID: 00074904] virtio_session_mount: Received vhost-user socket connection
> May 19 16:52:05 sev1 virtiofsd[74914]: [ID: 00000001] virtio_loop: Entry
> ...
> May 19 16:52:07 sev1 virtiofsd[74914]: [ID: 00000001] virtio_loop: Got VU event
> May 19 16:52:07 sev1 virtiofsd[74914]: [ID: 00000001] fv_panic: libvhost-user: Invalid vring_addr message
>
> I know that other virtio devices use iommu and DMA apis to share
> non-encrypted pages between the host
> and encrypted guest. Could something similar be done with virtiofsd and the
> virtio-fs virtio device?

I guess if you can guarantee that everything is going through
non-encrypted pages with the iommu, there shouldn't be a difference?
My only other worry is whether SEV works with a shared-memory
backing (e.g. /dev/shm or memfd with mmap shared).

I know there's an existing bug saying that virtio-fs doesn't work with viommu:
https://bugzilla.redhat.com/show_bug.cgi?id=1812886
so I suspect it's fallout from that; I think we just haven't implemented
the iommu compat code in the daemon.

> There are reported problems with vhost-user and SEV:
> https://bugzilla.redhat.com/show_bug.cgi?id=1797058

Yes, although it wasn't clear if that was just a performance problem
or not.

Dave

> Thanks for any insight,
> Jim
>
> _______________________________________________
> Virtio-fs mailing list
> [email protected]
> https://listman.redhat.com/mailman/listinfo/virtio-fs

--
Dr. David Alan Gilbert / [email protected] / Manchester, UK
