google / alioth

Experimental KVM-based type-2 hypervisor in Rust implemented from scratch.
Apache License 2.0

Boot AMD-SEV guests with Oak/Stage0 #22

Closed Lencerf closed 6 months ago

Lencerf commented 6 months ago

Confidential Compute (coco)

Alioth supports booting confidential guests on the following platforms:

- AMD-SEV[^sev] guest with Oak/Stage0 firmware

WARNING: the current implementation takes QEMU [^qemu] as a reference and should be used in testing environments only.

To launch an SEV guest,

  1. build the stage0 firmware from the Oak project[^stage0],
  2. prepare the guest Linux kernel in ELF format, the initramfs, and the kernel command line in a text file,
  3. set `POLICY=0x1` for SEV guests or `POLICY=0x5` for SEV-ES guests,
  4. launch the guest by

     ```sh
     ./alioth run -f /path/to/oak_stage0.bin \
        --mem-size 1G \
        --num-cpu 2 \
        --fw-cfg name=opt/stage0/elf_kernel,file=/path/to/elf_kernel \
        --fw-cfg name=opt/stage0/initramfs,file=/path/to/initramfs \
        --fw-cfg name=opt/stage0/cmdline,file=/path/to/cmdline.txt \
        --coco sev,policy=$POLICY
     ```

[^sev]: AMD Secure Encrypted Virtualization (SEV)

[^stage0]: Oak/stage0 firmware

[^qemu]: QEMU's doc on SEV
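The four launch steps above, wrapped into one launcher script as an added example; this is not code from the PR or from the alioth project. It maps the guest type to the policy value the description prescribes (0x1 for SEV, 0x5 for SEV-ES), decodes the policy bits so the operator can see what the number grants, checks the host for the standard Linux SEV interfaces (`/dev/sev`, `/dev/kvm`, the `sev` parameter of `kvm_amd`) and the four input files, and only then builds and runs the `alioth run` command. The `ALIOTH`, `MEM_SIZE` and `NUM_CPU` variables and the `main` usage are this script's own assumptions; the bit layout of the policy (bit 0 NODBG, bit 1 NOKS, bit 2 ES, bit 3 NOSEND, bit 4 DOMAIN, bit 5 SEV) is the one from the AMD SEV API that QEMU's SEV documentation also lists.

```sh
#!/bin/sh
# Added example launcher, not part of the alioth project or this PR.
# Wraps the four launch steps: choose the SEV policy for the guest type,
# check the host and input files, then print and run the alioth command.
# ALIOTH, MEM_SIZE and NUM_CPU are this script's own variables (assumptions).

# Decode a guest policy value into its named bits. Bit layout from the
# AMD SEV API (also listed in QEMU's SEV doc):
# bit0 NODBG, bit1 NOKS, bit2 ES, bit3 NOSEND, bit4 DOMAIN, bit5 SEV.
sev_policy_describe() {
    p=$(($1))          # POSIX arithmetic accepts 0x1, 0x5, ...
    bits=""
    [ $((p & 1)) -ne 0 ]  && bits="$bits NODBG"
    [ $((p & 2)) -ne 0 ]  && bits="$bits NOKS"
    [ $((p & 4)) -ne 0 ]  && bits="$bits ES"
    [ $((p & 8)) -ne 0 ]  && bits="$bits NOSEND"
    [ $((p & 16)) -ne 0 ] && bits="$bits DOMAIN"
    [ $((p & 32)) -ne 0 ] && bits="$bits SEV"
    printf '%s\n' "${bits# }"
}

# Policy values the description prescribes: 0x1 for SEV (NODBG only),
# 0x5 for SEV-ES (NODBG plus the ES bit).
sev_policy_for() {
    case "$1" in
        sev)    echo 0x1 ;;
        sev-es) echo 0x5 ;;
        *)      echo "unknown guest type: $1 (use sev or sev-es)" >&2; return 1 ;;
    esac
}

# Host prerequisites: SEV firmware device, KVM, and SEV enabled in kvm_amd.
check_sev_host() {
    [ -c /dev/sev ] || { echo "/dev/sev is missing: SEV firmware not available" >&2; return 1; }
    [ -c /dev/kvm ] || { echo "/dev/kvm is missing" >&2; return 1; }
    sev=$(cat /sys/module/kvm_amd/parameters/sev 2>/dev/null || echo N)
    case "$sev" in
        Y|1) ;;
        *)   echo "kvm_amd sev parameter is '$sev', expected Y" >&2; return 1 ;;
    esac
}

# Assemble the launch command from: guest type, stage0 firmware, ELF kernel,
# initramfs, cmdline file. Fails if the type is unknown or an input is unreadable.
alioth_sev_cmd() {
    guest_type=$1; fw=$2; kernel=$3; initramfs=$4; cmdline=$5
    policy=$(sev_policy_for "$guest_type") || return 1
    for f in "$fw" "$kernel" "$initramfs" "$cmdline"; do
        [ -r "$f" ] || { echo "missing input file: $f" >&2; return 1; }
    done
    printf '%s run -f %s --mem-size %s --num-cpu %s' \
        "${ALIOTH:-./alioth}" "$fw" "${MEM_SIZE:-1G}" "${NUM_CPU:-2}"
    printf ' --fw-cfg name=opt/stage0/elf_kernel,file=%s' "$kernel"
    printf ' --fw-cfg name=opt/stage0/initramfs,file=%s' "$initramfs"
    printf ' --fw-cfg name=opt/stage0/cmdline,file=%s' "$cmdline"
    printf ' --coco sev,policy=%s\n' "$policy"
}

# Usage: ./launch-sev.sh sev-es /path/to/oak_stage0.bin /path/to/elf_kernel \
#            /path/to/initramfs /path/to/cmdline.txt
main() {
    [ $# -eq 5 ] || { echo "usage: $0 <sev|sev-es> <stage0.bin> <elf_kernel> <initramfs> <cmdline.txt>" >&2; return 2; }
    check_sev_host
    cmd=$(alioth_sev_cmd "$@")
    echo "policy bits: $(sev_policy_describe "$(sev_policy_for "$1")")"
    echo "$cmd"
    eval "$cmd"     # paths are used as given; avoid spaces in them
}

[ $# -eq 0 ] || main "$@"
```

The host checks are deliberately separate from command assembly: a missing `/dev/sev` or `kvm_amd.sev=0` is the usual reason a launch fails silently on a non-SEV host, and catching it before alioth starts keeps the error at the layer that can explain it.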