31 lines
1.0 KiB
Plaintext
31 lines
1.0 KiB
Plaintext
POWER (PAPR) Protected Execution Facility (PEF)
|
|
===============================================
|
|
|
|
Protected Execution Facility (PEF), also known as Secure Guest support
|
|
is a feature found on IBM POWER9 and POWER10 processors.
|
|
|
|
If a suitable firmware including an Ultravisor is installed, it adds
|
|
an extra memory protection mode to the CPU. The ultravisor manages a
|
|
pool of secure memory which cannot be accessed by the hypervisor.
|
|
|
|
When this feature is enabled in QEMU, a guest can use ultracalls to
|
|
enter "secure mode". This transfers most of its memory to secure
|
|
memory, where it cannot be eavesdropped by a compromised hypervisor.
|
|
|
|
Launching
|
|
---------
|
|
|
|
To launch a guest which will be permitted to enter PEF secure mode:
|
|
|
|
# ${QEMU} \
|
|
-object pef-guest,id=pef0 \
|
|
-machine confidential-guest-support=pef0 \
|
|
...
|
|
|
|
Live Migration
|
|
----------------
|
|
|
|
Live migration is not yet implemented for PEF guests. For
|
|
consistency, we currently prevent migration if the PEF feature is
|
|
enabled, whether or not the guest has actually entered secure mode.
|