Enhance VM Security #1767
Merged
Enhance VM Security #1767
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
taroth21
requested changes
Sep 13, 2024
There was a problem hiding this comment.
@harneshalaka : Many thanks, well done!
I had a look and have added a few suggestions (mostly about use of entities - maybe pre-empting what Daria would suggest during the final style check anyway).
| <abstract> | ||
| <para>You can enhance the security of your virtual machines with AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). The AMD SEV-SNP feature isolates virtual machines from the host system and other VMs thereby protecting the data and code. This feature encrypts data and ensures that all changes with the code and data in the VM are detected or tracked. Since this isolates VMs, the other VMs or host machine are not affected with threats.</para> | ||
| <para>This section explains the steps to enable and use AMD SEV-SNP on your AMD EPYC server with SUSE Linux Enterprise Server 15-SP6.</para> | ||
| </abstract> |
There was a problem hiding this comment.
Suggested change
| </abstract> | |
| <note> | |
| <title>Technology Preview for &productname;</title> | |
| <para> | |
| This feature is shipped as a Technology Preview in &productname; 15 SP6. | |
| The necessary packages are not part of the default installation or repositories. | |
| </para> | |
| </note> | |
| </abstract> |
There was a problem hiding this comment.
Let's highlight the tech preview in a note and move it up here for more visibility.
Comment on lines
+28
to
+29
| <para> | ||
| Support for AMD SEV-SNP is available as a Technology Preview in SUSE Linux Enterprise Server 15-SP6. However, the necessary packages are not part of the default installation or repositories.</para> |
There was a problem hiding this comment.
Suggested change
| <para> | |
| Support for AMD SEV-SNP is available as a Technology Preview in SUSE Linux Enterprise Server 15-SP6. However, the necessary packages are not part of the default installation or repositories.</para> | |
There was a problem hiding this comment.
I suggest to remove here (and move to the abstract as suggested above)
| <listitem> | ||
| <para>To check whether the module is already enabled, run the command: | ||
| </para> | ||
| <screen># suseconnect -l</screen> |
There was a problem hiding this comment.
@harneshalaka : Please replace the # with proper prompts in this file. For this, either use the entity &prompt.root; (or better &prompt.sudo; where possible), according to our style guide.
For examples, see https://github.com/SUSE/doc-sle/blob/main/xml/security_ldap_sssd.xml#L59 or https://github.com/SUSE/doc-sle/blob/main/xml/tuning_perf.xml#L323
| <title>Installing Packages and Setting up the Base System</title> | ||
|
|
||
| <para> | ||
| The confidential compute module provides replacement packages supporting AMD SEV-SNP. To ensure a maximum of compatibility, these packages are based on the code streams from SUSE Linux Enterprise Server.</para> |
There was a problem hiding this comment.
Suggested change
| The confidential compute module provides replacement packages supporting AMD SEV-SNP. To ensure a maximum of compatibility, these packages are based on the code streams from SUSE Linux Enterprise Server.</para> | |
| The confidential compute module provides replacement packages supporting AMD SEV-SNP. To ensure a maximum of compatibility, these packages are based on the code streams from &productname;.</para> |
| <screen># sudo zypper install coco:kernel-coco coco:qemu coco:libvirt | ||
| <!-- TO DO: Replace with the actual command.--> | ||
| </screen> | ||
| <para>After replacing the packages, you must set up the system with a configuration change to make the AMD SEV-SNP feature ready to use. The IOMMU on the host side must be configured in non-passthrough mode. This is required to prevent peripheral devices from writing to memory which belongs to an encrypted guest and destroy its data integrity. The default IOMMU configuration in SUSE Linux Enterprise Server is <literal>passthrough</literal> mode.</para> |
There was a problem hiding this comment.
Suggested change
| <para>After replacing the packages, you must set up the system with a configuration change to make the AMD SEV-SNP feature ready to use. The IOMMU on the host side must be configured in non-passthrough mode. This is required to prevent peripheral devices from writing to memory which belongs to an encrypted guest and destroy its data integrity. The default IOMMU configuration in SUSE Linux Enterprise Server is <literal>passthrough</literal> mode.</para> | |
| <para>After replacing the packages, you must set up the system with a configuration change to make the AMD SEV-SNP feature ready to use. The IOMMU on the host side must be configured in non-passthrough mode. This is required to prevent peripheral devices from writing to memory which belongs to an encrypted guest and destroy its data integrity. The default IOMMU configuration in &productname; is <literal>passthrough</literal> mode.</para> |
| <para>After replacing the packages, you must set up the system with a configuration change to make the AMD SEV-SNP feature ready to use. The IOMMU on the host side must be configured in non-passthrough mode. This is required to prevent peripheral devices from writing to memory which belongs to an encrypted guest and destroy its data integrity. The default IOMMU configuration in SUSE Linux Enterprise Server is <literal>passthrough</literal> mode.</para> | ||
| </step> | ||
| <step> | ||
| <para>To disable the IOMMU configuration in SUSE Linux Enterprise Server, open the <filename>/etc/default/grub</filename> file and add <literal>iommu=nopt</literal> to the <varname>GRUB_CMDLINE_LINUX_DEFAULT</varname> variable. </para> |
There was a problem hiding this comment.
Suggested change
| <para>To disable the IOMMU configuration in SUSE Linux Enterprise Server, open the <filename>/etc/default/grub</filename> file and add <literal>iommu=nopt</literal> to the <varname>GRUB_CMDLINE_LINUX_DEFAULT</varname> variable. </para> | |
| <para>To disable the IOMMU configuration in &productname;, open the <filename>/etc/default/grub</filename> file and add <literal>iommu=nopt</literal> to the <varname>GRUB_CMDLINE_LINUX_DEFAULT</varname> variable. </para> |
Co-authored-by: Tanja Roth <[email protected]>
aginies
approved these changes
Sep 23, 2024
aginies
reviewed
Sep 24, 2024
| <procedure> | ||
| <step> | ||
| <para>To install the replacement packages, run the command:</para> | ||
| <screen># sudo zypper install coco:kernel-coco coco:qemu coco:libvirt |
There was a problem hiding this comment.
The repo name is not coco; This needs to be adjusted with the name of the CoCo repository.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR creator: Description
Request review of the edited content on Enhancing Virtual Machine Security with AMD SEV-SNP and SUSE Linux Enterprise 15-SP6.
References
https://jira.suse.com/browse/PED-10565
The doc team member merging your PR will take care of backporting to older documents.
When opening a PR, do not set the following check box.