From 3b9116739d5ed60760c5bbf59cceb845449eb931 Mon Sep 17 00:00:00 2001
From: Adam Spiers
Date: Thu, 25 Apr 2019 11:42:15 +0100
Subject: [PATCH] Update SEV trait docs to avoid misleading people

Since the AMD SEV spec was approved for Stein, it was subsequently realised that a trait would not be sufficient for tracking SEV-capable compute hosts. A resource class is also needed to track the inventory of "slots" available on these hosts, since the number of slots limits how many guests with encrypted memory can run concurrently. Therefore the design pivoted somewhat, and now trait:HW_CPU_AMD_SEV=required will not be the correct way to request SEV functionality:

https://specs.openstack.org/openstack/nova-specs/specs/train/approved/amd-sev-libvirt-support.html

For reference, the previous spec is here:

https://specs.openstack.org/openstack/nova-specs/specs/stein/approved/amd-sev-libvirt-support.html

Another lesson learnt from the Stein cycle was that it is not safe to assume that the work targeted for one cycle will actually land in that cycle, therefore it's safer for documentation of an in-progress feature to be transparent that it's in progress and not yet usable.

Change-Id: I6b652c20ba4f5ec775829a45939d708066dc3011
blueprint: amd-sev-libvirt-support
---
 doc/source/reference/index.rst | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/doc/source/reference/index.rst b/doc/source/reference/index.rst
index 94b0ac8..1d2ebc2 100644
--- a/doc/source/reference/index.rst
+++ b/doc/source/reference/index.rst
@@ -80,11 +80,7 @@ correctly by the firmware. SEV is particularly applicable to cloud computing since it can reduce the amount of trust VMs need to place in the hypervisor and administrator of their host system. -The ``os_traits.hw.cpu.amd.SEV`` trait can be used to indicate that a -compute host contains support for SEV not only on-CPU, but also in all -other layers of the hypervisor stack required in order to take -advantage of this feature: the kernel, QEMU, and libvirt. This trait -can be specified as required by a flavor extra spec or image property -``trait:HW_CPU_AMD_SEV=required`` in order to indicate that VMs with -that flavor or image must only be booted on SEV-capable hosts with the -SEV functionality enabled. +The ``os_traits.hw.cpu.amd.SEV`` trait is reserved in order to +indicate that a compute host contains support for SEV not only on-CPU, +but also in all other layers of the hypervisor stack required in order +to take advantage of this feature.
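Review bot: the replacement paragraph says the trait "is reserved" but never states the point the commit message gives as the reason for the change, namely that SEV support in Nova is still in progress and that the trait on its own is not enough to request or schedule an SEV guest, so a reader following the old advice will not learn that `trait:HW_CPU_AMD_SEV=required` is no longer the correct way to request SEV functionality. Suggest adding a sentence after "to take advantage of this feature." along the lines of "Support for SEV is still under development and this trait is not yet sufficient on its own to request an SEV-enabled guest; see <Train spec URL> for the current design.", using the train spec link already quoted in the commit message. Also, the enumeration dropped from the old text, "the kernel, QEMU, and libvirt", is not contradicted by the design pivot and is useful to operators checking which layers of the host stack must support SEV, so consider keeping it at the end of the new sentence.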