Protected Virtualization on s390x
The memory and most of the registers of Protected Virtual Machines (PVMs) are encrypted or inaccessible to the hypervisor, effectively prohibiting VM introspection when the VM is running. At rest, PVMs are encrypted and can only be decrypted by the firmware, represented by an entity called Ultravisor, of specific IBM Z machines.
To run PVMs, a machine with the Protected Virtualization feature, as
indicated by the Ultravisor Call facility (stfle bit 158), is
required. The Ultravisor needs to be initialized at boot by setting
prot_virt=1 on the host’s kernel command line.
Running PVMs requires using the KVM hypervisor.
If those requirements are met, the capability
will indicate that KVM can support PVMs on that LPAR.
Running a Protected Virtual Machine
To run a PVM you will need to select a CPU model which includes the
Unpack facility (stfle bit 161 represented by the feature
S390_FEAT_UNPACK), and add these options to the command line:
-object s390-pv-guest,id=pv0 \ -machine confidential-guest-support=pv0
Adding these options will:
unpackfacility is available
Enable the IOMMU by default for all I/O devices
Initialize the PV mechanism
Passthrough (vfio) devices are currently not supported.
Host huge page backings are not supported. However guests can use huge pages as indicated by its facilities.
A secure guest image can either be loaded from disk or supplied on the QEMU command line. Booting from disk is done by the unmodified s390-ccw BIOS. I.e., the bootmap is interpreted, multiple components are read into memory and control is transferred to one of the components (zipl stage3). Stage3 does some fixups and then transfers control to some program residing in guest memory, which is normally the OS kernel. The secure image has another component prepended (stage3a) that uses the new diag308 subcodes 8 and 10 to trigger the transition into secure mode.
Booting from the image supplied on the QEMU command line requires that
the file passed via -kernel has the same memory layout as would result
from the disk boot. This memory layout includes the encrypted
components (kernel, initrd, cmdline), the stage3a loader and
metadata. In case this boot method is used, the command line
options -initrd and -cmdline are ineffective. The preparation of a PVM
image is done via the
genprotimg tool from the s390-tools