
Commit

Updated content.
harneshalaka committed Sep 12, 2024
1 parent df67a49 commit 1e8f186
Showing 1 changed file with 7 additions and 12 deletions.
19 changes: 7 additions & 12 deletions xml/vm_security.xml
Expand Up @@ -8,7 +8,7 @@
<title>Enhancing Virtual Machine Security with AMD SEV-SNP</title>
<info>
<abstract>
<para>You can enhance the security of your virtual machines with AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). The AMD SEV-SNP feature isolates virtual machines from the host system and other VMs thereby protecting the data and code. This feature encrypts data and ensures that all changes with the code and data in the VM is detected or tracked. Since this isolates VMs, the other VMs or host machine are not affected.</para>
<para>You can enhance the security of your virtual machines with AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). The AMD SEV-SNP feature isolates virtual machines from the host system and other VMs thereby protecting the data and code. This feature encrypts data and ensures that all changes with the code and data in the VM are detected or tracked. Since this isolates VMs, the other VMs or host machine are not affected with threats.</para>
<para>This section explains the steps to enable and use AMD SEV-SNP on your AMD EPYC server with SUSE Linux Enterprise Server 15-SP6.</para>
</abstract>
<dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
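Review bot: the new sentence ending "are not affected with threats" in the rewritten abstract is not idiomatic; "are not affected by threats" is the minimal fix, and "all changes with the code and data in the VM" should read "all changes to the code and data in the VM". The singular-to-plural correction ("is detected" to "are detected") is right, but "detected or tracked" is vague for an integrity guarantee; "detected" alone states what the feature provides.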
Expand All @@ -20,12 +20,7 @@
<title>Supported Hardware</title>

<para>
The following requirements must be satisfied to use the feature:</para>
<itemizedlist>
<listitem><para>To run AMD SEV-SNP virtual machines, a system with an AMD EPYC (3rd Gen or newer) is required.</para></listitem>
<listitem><para>The BIOS of the AMD machine must provide the necessary options to enable support for confidential computing on the platform.</para></listitem>
<listitem><para>SEV-SNP functionality must be enabled in the BIOS, with options such as Memory Encryption and Secure Nested Paging turned on.</para></listitem>
</itemizedlist>
A system with an AMD EPYC (3rd Gen or newer) is required run AMD SEV-SNP virtual machines. The BIOS of the AMD machine must provide the necessary options to enable support for confidential computing on the platform.</para>
</sect1>
<sect1 xml:id="vm-security-enable-confidential-compute-module">
<title>Enabling Confidential Compute Module</title>
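Review bot: collapsing the itemized list into a paragraph drops the third requirement entirely (SEV-SNP enabled in the BIOS with Memory Encryption and Secure Nested Paging turned on), which is the concrete setting an administrator has to check; keep that sentence in the new paragraph. The new text is also missing a word: "is required run AMD SEV-SNP virtual machines" should be "is required to run AMD SEV-SNP virtual machines".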
Expand All @@ -35,9 +30,9 @@
<para>The packages are shipped via Confidential Compute Module. You must enable it at system installation time or later via the SUSEConnect command line tool.</para>
<itemizedlist>
<listitem>
<para>To check whether the module is already enabled, run the command
<para>To check whether the module is already enabled, run the command:
</para>
<screen>suseconnect -l</screen>
<screen># suseconnect -l</screen>
<para>This displays the list of available modules with their activation status and commands to enable the inactive modules.</para>

<para>The inactive confidential compute module appears as given below:</para>
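Review bot: adding a root prompt in `<screen># suseconnect -l</screen>` introduces a prompt convention that the later install step then combines with `sudo` (`# sudo zypper install ...`); pick one convention for the whole file, either a bare `#` prompt meaning "run as root" or a `sudo` prefix with no prompt, so readers do not paste the `#` or run `sudo` as root. The added colon after "run the command" is fine.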
Expand All @@ -64,7 +59,7 @@

<para>
The confidential compute module provides replacement packages supporting AMD SEV-SNP. To ensure a maximum of compatibility, these packages are based on the code streams from SUSE Linux Enterprise Server.</para>
<para>Three components need to be replaced:</para>
<para>The three components that need to be replaced are:</para>
<itemizedlist>
<listitem>
<para>The Linux kernel</para>
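Review bot: the rewritten list intro "The three components that need to be replaced are:" is fine; while touching this paragraph, the unchanged context line "To ensure a maximum of compatibility" reads awkwardly and should be "To ensure maximum compatibility".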
Expand All @@ -79,10 +74,10 @@
<procedure>
<step>
<para>To install the replacement packages, run the command:</para>
<screen>sudo zypper install coco:kernel-coco coco:qemu coco:libvirt
<screen># sudo zypper install coco:kernel-coco coco:qemu coco:libvirt
<!-- TO DO: Replace with the actual command.-->
</screen>
<para>After replacing the packages, you must set up the system with a configuration change to make the AMD SEV-SNP feature ready to use. The IOMMU on the host side must be configured in non-<literal>passthrough</literal> mode. This is required to prevent peripheral devices from writing to memory which belongs to an encrypted guest and destroy its data integrity. The default IOMMU configuration in SUSE Linux Enterprise Server is <literal>passthrough</literal> mode.</para>
<para>After replacing the packages, you must set up the system with a configuration change to make the AMD SEV-SNP feature ready to use. The IOMMU on the host side must be configured in non-passthrough mode. This is required to prevent peripheral devices from writing to memory which belongs to an encrypted guest and destroy its data integrity. The default IOMMU configuration in SUSE Linux Enterprise Server is <literal>passthrough</literal> mode.</para>
</step>
<step>
<para>To disable the IOMMU configuration in SUSE Linux Enterprise Server, open the <filename>/etc/default/grub</filename> file and add <literal>iommu=nopt</literal> to the <varname>GRUB_CMDLINE_LINUX_DEFAULT</varname> variable. </para>
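Review bot: the step heading "To disable the IOMMU configuration" is misleading, because `iommu=nopt` does not disable the IOMMU; it switches the IOMMU out of passthrough mode, which is exactly what the preceding paragraph says is required to stop devices writing into an encrypted guest's memory. Suggest "To switch the IOMMU out of passthrough mode" so the step matches the rationale. Also in this hunk: `<screen># sudo zypper install ...` mixes a root prompt with `sudo`, and the `<!-- TO DO: Replace with the actual command.-->` comment inside the `<screen>` says the command is still a placeholder, so it should not ship as-is; dropping `<literal>` around "non-passthrough" while keeping `<literal>passthrough</literal>` in the same sentence is inconsistent markup; and "and destroy its data integrity" should be "and destroying its data integrity".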
