RFC: Add confidential guest support: Secure Execution support #290

mhartmay · 2025-05-02T09:34:39Z

Example to start a confidential guest using two host-key documents

$ vng -r --confidential-guest --confidential-guest-args
host-key-document=/home/mhartmay/storage/git/hostkeys/a46/HKD-3931-02772A8.crt
--confidential-guest-args
host-key-document=/home/mhartmay/storage/git/hostkeys/b35/HKD-9175-029DE48.crt

Another example where always the given pvimg create arguments are used. To do
so, modify the
default_opts sections in ~/.config/virtme-ng/virtme-ng.conf as following:

{
    "default_opts": {
        "confidential_guest_args": ["host-key-document=/home/user/HKD.crt"]
    },
}

Now you can simply run vng --confidential-guest to prepare the Secure Execution boot image using the given host-key document.

mhartmay · 2025-05-02T09:52:11Z

There are still some open TODOs:

check for pvimg
Check for KVM and native run
Add confidential dump support
probing qemu/kvm/hardware and guest kernel for confidential guest support? Not sure about this... there are some other places in virtme-ng that does not handle this as well.

Example to start a confidential guest using two host-key documents ``` $ vng -r --confidential-guest --confidential-guest-args host-key-document=/home/mhartmay/storage/git/hostkeys/a46/HKD-3931-02772A8.crt --confidential-guest-args host-key-document=/home/mhartmay/storage/git/hostkeys/b35/HKD-9175-029DE48.crt ``` Another example where always the given `pvimg create` arguments are used. To do so, modify the `default_opts` sections in `~/.config/virtme-ng/virtme-ng.conf` as following: ``` { "default_opts": { "confidential_guest_args": ["host-key-document=/home/user/HKD.crt"] }, } ``` Now you can simply run `vng --confidential-guest` to prepare the Secure Execution boot image using the given host-key document. Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>

mhartmay · 2025-06-26T09:55:08Z

@arighi Do you know if this approach would work for AMD SEV? Or can you test it? (I do not have access to AMD SEV hardware)

arighi · 2025-06-26T09:59:35Z

@arighi Do you know if this approach would work for AMD SEV? Or can you test it? (I do not have access to AMD SEV hardware)

I also don't have access to any hardware with AMD SEV. And my knowledge about confidential computing is still very basic.
I'd say as long as it works with a certain hardware and it's not breaking/regressing other workloads, I'm totally ok to merge this (it doesn't necessarily need to work with everything).

73C3

mhartmay mentioned this pull request May 2, 2025

Feature: Confidential guest support #279

Open

mhartmay force-pushed the confidential-guest-rfc-v1 branch from 2eb63ab to e8b4e7c Compare May 2, 2025 09:44

mhartmay force-pushed the confidential-guest-rfc-v1 branch 4 times, most recently from 3cd0a5c to 41c2644 Compare May 6, 2025 06:30

mhartmay linked an issue May 6, 2025 that may be closed by this pull request

Feature: Confidential guest support #279

Open

mhartmay marked this pull request as draft May 6, 2025 10:52

mhartmay force-pushed the confidential-guest-rfc-v1 branch 3 times, most recently from 8b31dc6 to f13e0f0 Compare May 15, 2025 10:57

mhartmay force-pushed the confidential-guest-rfc-v1 branch 2 times, most recently from e88da4a to b868d21 Compare June 25, 2025 10:28

mhartmay force-pushed the confidential-guest-rfc-v1 branch from b868d21 to 86914ec Compare June 25, 2025 10:31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

RFC: Add confidential guest support: Secure Execution support #290

RFC: Add confidential guest support: Secure Execution support #290

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

RFC: Add confidential guest support: Secure Execution support #290

Are you sure you want to change the base?

RFC: Add confidential guest support: Secure Execution support #290

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!