)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     bryanstephenson \u003cbryan.stephenson@suse.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2019-09-10 19:39:48 -0700"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Added a section on Secure Encrypted Virtualization."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Added a section explaining security capabilities and limitations of SEV"},{"line_number":10,"context_line":"(Secure Encrypted Virtualization). The nova changes for SEV are nearly"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"5faad753_d3d13bcf","line":7,"range":{"start_line":7,"start_character":0,"end_line":7,"end_character":5},"updated":"2019-09-11 15:13:07.000000000","message":"Micro-nit: standard practice *tends* to be to use the present tense (i.e. \"Add\") although I see numerous exceptions to this within this repo\u0027s history (especially from the commit bots).","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":7,"context_line":"Added a section on Secure Encrypted Virtualization."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Added a section explaining security capabilities and limitations of SEV"},{"line_number":10,"context_line":"(Secure Encrypted Virtualization). 
The nova changes for SEV are nearly"},{"line_number":11,"context_line":"complete, see: https://review.opendev.org/#/c/666616/"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Also added a sentence in the introduction paragraph to mention the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"5faad753_936d0334","line":10,"range":{"start_line":10,"start_character":64,"end_line":10,"end_character":70},"updated":"2019-09-11 15:13:07.000000000","message":"Actually they are now merged :-)","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":7,"context_line":"Added a section on Secure Encrypted Virtualization."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Added a section explaining security capabilities and limitations of SEV"},{"line_number":10,"context_line":"(Secure Encrypted Virtualization). 
The nova changes for SEV are nearly"},{"line_number":11,"context_line":"complete, see: https://review.opendev.org/#/c/666616/"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Also added a sentence in the introduction paragraph to mention the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"5faad753_93dbc3eb","line":10,"range":{"start_line":10,"start_character":39,"end_line":10,"end_character":43},"updated":"2019-09-11 15:13:07.000000000","message":"Femto-nit: apparently \"Nova\" is the preferred capitalization, although it doesn\u0027t matter much in a commit message.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"33160b2c3481992b6db9c1c07872d10d1a516296","unresolved":false,"context_lines":[{"line_number":7,"context_line":"Added a section on Secure Encrypted Virtualization."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Added a section explaining security capabilities and limitations of SEV"},{"line_number":10,"context_line":"(Secure Encrypted Virtualization). 
The nova changes for SEV are nearly"},{"line_number":11,"context_line":"complete, see: https://review.opendev.org/#/c/666616/"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Also added a sentence in the introduction paragraph to mention the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"5faad753_e4990b6e","line":10,"range":{"start_line":10,"start_character":39,"end_line":10,"end_character":43},"in_reply_to":"5faad753_0987a0d9","updated":"2019-09-11 16:30:46.000000000","message":"It wasn\u0027t just you BTW, I had this nitpick from at least 2 other cores IIRC ;-)","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"3ddc2921a3d94df8d0b62ae50ca59414ffa50651","unresolved":false,"context_lines":[{"line_number":7,"context_line":"Added a section on Secure Encrypted Virtualization."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Added a section explaining security capabilities and limitations of SEV"},{"line_number":10,"context_line":"(Secure Encrypted Virtualization). 
The nova changes for SEV are nearly"},{"line_number":11,"context_line":"complete, see: https://review.opendev.org/#/c/666616/"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Also added a sentence in the introduction paragraph to mention the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"5faad753_aed0d220","line":10,"range":{"start_line":10,"start_character":39,"end_line":10,"end_character":43},"in_reply_to":"5faad753_93dbc3eb","updated":"2019-09-11 15:22:44.000000000","message":"https://docs.openstack.org/doc-contrib-guide/writing-style/openstack-components.html\n\nnova ;)","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"3bc2f54eff60306a5c55896b0b7d1278b5b5756f","unresolved":false,"context_lines":[{"line_number":7,"context_line":"Added a section on Secure Encrypted Virtualization."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Added a section explaining security capabilities and limitations of SEV"},{"line_number":10,"context_line":"(Secure Encrypted Virtualization). The nova changes for SEV are nearly"},{"line_number":11,"context_line":"complete, see: https://review.opendev.org/#/c/666616/"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Also added a sentence in the introduction paragraph to mention the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"5faad753_ee148a50","line":10,"range":{"start_line":10,"start_character":39,"end_line":10,"end_character":43},"in_reply_to":"5faad753_aed0d220","updated":"2019-09-11 15:40:28.000000000","message":"Regardless of what that says, the Nova cores have been nit-picking my contributions with \"s/nova/Nova/\" ...\n\nso either they need to be re-educated, or they\u0027ve decided to go against that doc, or that doc is wrong.  
I suspect the latter is the least likely of the three.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":10607,"name":"Alexandra Settle","email":"a.settle@outlook.com","username":"asettle"},"change_message_id":"05ff024e99e7344867b23f2108064910b0357676","unresolved":false,"context_lines":[{"line_number":7,"context_line":"Added a section on Secure Encrypted Virtualization."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Added a section explaining security capabilities and limitations of SEV"},{"line_number":10,"context_line":"(Secure Encrypted Virtualization). The nova changes for SEV are nearly"},{"line_number":11,"context_line":"complete, see: https://review.opendev.org/#/c/666616/"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Also added a sentence in the introduction paragraph to mention the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"3fa7e38b_e4128858","line":10,"range":{"start_line":10,"start_character":39,"end_line":10,"end_character":43},"in_reply_to":"5faad753_e4990b6e","updated":"2019-09-20 09:25:30.000000000","message":"If I can find the logs, I will. But we had a *huge* debate about this in the past. Service names vs. project names was never totally agreed upon, so we created our own convention. Whilst of course, nova is a name and therefore the expectation is that it is capitalised in the way proper nouns are, I can\u0027t remember why we decided to change this. If I remember correctly, it had a lot to do with user confusion regarding what is the service, vs. the fact it was a project name... and that we incorporate the project name into things like the CLI.\n\nAlright, let me see what I can find... 
it would be on the old openstack-docs/dev mailing list I imagine.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"3868df723fbf26ce8123b4a55c84caf29c90a2d6","unresolved":false,"context_lines":[{"line_number":7,"context_line":"Added a section on Secure Encrypted Virtualization."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Added a section explaining security capabilities and limitations of SEV"},{"line_number":10,"context_line":"(Secure Encrypted Virtualization). The nova changes for SEV are nearly"},{"line_number":11,"context_line":"complete, see: https://review.opendev.org/#/c/666616/"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Also added a sentence in the introduction paragraph to mention the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"5faad753_0987a0d9","line":10,"range":{"start_line":10,"start_character":39,"end_line":10,"end_character":43},"in_reply_to":"5faad753_ee148a50","updated":"2019-09-11 16:02:19.000000000","message":"AJaeger\u0027s link is news to me. If that\u0027s what the docs folks prefer, I\u0027ll stfu. (I assume it\u0027s still desirable to capitalize \u0027nova\u0027 at the beginning of a sentence though.)","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"}],"security-guide/source/compute/hardening-the-virtualization-layers.rst":[{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":5,"context_line":"In the beginning of this chapter we discuss the use of both physical and"},{"line_number":6,"context_line":"virtual hardware by instances, the associated security risks, and some"},{"line_number":7,"context_line":"recommendations for mitigating those risks. 
Then we discuss how the Secure"},{"line_number":8,"context_line":"Encrypted Virtualizaion tehcnology can be used to encrypt the memory of VMs on"},{"line_number":9,"context_line":"AMD-based machines which support the technology. We conclude the chapter with a"},{"line_number":10,"context_line":"discussion of sVirt, an open source project for integrating SELinux mandatory"},{"line_number":11,"context_line":"access controls with the virtualization components."}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_0e824650","line":8,"range":{"start_line":8,"start_character":10,"end_line":8,"end_character":23},"updated":"2019-09-11 15:13:07.000000000","message":"also Virtualization typo","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"0a53ed33410aff8f77c32374fc067340469b55f1","unresolved":false,"context_lines":[{"line_number":5,"context_line":"In the beginning of this chapter we discuss the use of both physical and"},{"line_number":6,"context_line":"virtual hardware by instances, the associated security risks, and some"},{"line_number":7,"context_line":"recommendations for mitigating those risks. Then we discuss how the Secure"},{"line_number":8,"context_line":"Encrypted Virtualizaion tehcnology can be used to encrypt the memory of VMs on"},{"line_number":9,"context_line":"AMD-based machines which support the technology. 
We conclude the chapter with a"},{"line_number":10,"context_line":"discussion of sVirt, an open source project for integrating SELinux mandatory"},{"line_number":11,"context_line":"access controls with the virtualization components."}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_2922aaa5","line":8,"range":{"start_line":8,"start_character":24,"end_line":8,"end_character":34},"updated":"2019-09-11 06:17:09.000000000","message":"typo: hc-\u003ech","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"0a53ed33410aff8f77c32374fc067340469b55f1","unresolved":false,"context_lines":[{"line_number":179,"context_line":"`Secure Encrypted Virtualization (SEV) \u003chttps://developer.amd.com/sev/\u003e`_ is a"},{"line_number":180,"context_line":"technology from AMD which enables the the memory for a VM to be encrypted with"},{"line_number":181,"context_line":"a key unique to the VM. SEV is available with KVM guests on certain AMD-based"},{"line_number":182,"context_line":"machines. The first phase of SEV integration with OpenStack does not provide"},{"line_number":183,"context_line":"the LAUNCH_MEASURE or LAUNCH_SECRET capabilities which are available with the"},{"line_number":184,"context_line":"firmware. This means that data used by an SEV-protected VM may be subject to"},{"line_number":185,"context_line":"attacks from a motivated adversary who has control of the hypervisor. For"},{"line_number":186,"context_line":"example, a rogue administrator on the hypervisor machine could provide a VM"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_a94a1a52","line":183,"range":{"start_line":182,"start_character":9,"end_line":183,"end_character":48},"updated":"2019-09-11 06:17:09.000000000","message":"Does it make sense to say which release this is? 
Or is it not clear when the next integration will happen?","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":179,"context_line":"`Secure Encrypted Virtualization (SEV) \u003chttps://developer.amd.com/sev/\u003e`_ is a"},{"line_number":180,"context_line":"technology from AMD which enables the the memory for a VM to be encrypted with"},{"line_number":181,"context_line":"a key unique to the VM. SEV is available with KVM guests on certain AMD-based"},{"line_number":182,"context_line":"machines. The first phase of SEV integration with OpenStack does not provide"},{"line_number":183,"context_line":"the LAUNCH_MEASURE or LAUNCH_SECRET capabilities which are available with the"},{"line_number":184,"context_line":"firmware. This means that data used by an SEV-protected VM may be subject to"},{"line_number":185,"context_line":"attacks from a motivated adversary who has control of the hypervisor. 
For"},{"line_number":186,"context_line":"example, a rogue administrator on the hypervisor machine could provide a VM"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_d3ea9b73","line":183,"range":{"start_line":182,"start_character":9,"end_line":183,"end_character":48},"in_reply_to":"5faad753_a94a1a52","updated":"2019-09-11 15:13:07.000000000","message":"The first phase just completed today, in the nick of time for Train.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":24938,"name":"Bryan Stephenson","email":"bryan.stephenson@suse.com","username":"bryans"},"change_message_id":"07bb6a01c6b2428e8a6f3e3af93afa9be08e191b","unresolved":false,"context_lines":[{"line_number":179,"context_line":"`Secure Encrypted Virtualization (SEV) \u003chttps://developer.amd.com/sev/\u003e`_ is a"},{"line_number":180,"context_line":"technology from AMD which enables the the memory for a VM to be encrypted with"},{"line_number":181,"context_line":"a key unique to the VM. SEV is available with KVM guests on certain AMD-based"},{"line_number":182,"context_line":"machines. The first phase of SEV integration with OpenStack does not provide"},{"line_number":183,"context_line":"the LAUNCH_MEASURE or LAUNCH_SECRET capabilities which are available with the"},{"line_number":184,"context_line":"firmware. This means that data used by an SEV-protected VM may be subject to"},{"line_number":185,"context_line":"attacks from a motivated adversary who has control of the hypervisor. 
For"},{"line_number":186,"context_line":"example, a rogue administrator on the hypervisor machine could provide a VM"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_6b139e5d","line":183,"range":{"start_line":182,"start_character":9,"end_line":183,"end_character":48},"in_reply_to":"5faad753_d3ea9b73","updated":"2019-09-12 03:40:34.000000000","message":"I\u0027ll add that SEV is available as a technical preview with Train.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":183,"context_line":"the LAUNCH_MEASURE or LAUNCH_SECRET capabilities which are available with the"},{"line_number":184,"context_line":"firmware. This means that data used by an SEV-protected VM may be subject to"},{"line_number":185,"context_line":"attacks from a motivated adversary who has control of the hypervisor. For"},{"line_number":186,"context_line":"example, a rogue administrator on the hypervisor machine could provide a VM"},{"line_number":187,"context_line":"image for tenants with a backdoor and spyware capable of stealing secrets, or"},{"line_number":188,"context_line":"replace the VNC server process to snoop data sent to or from the VM console"},{"line_number":189,"context_line":"including passwords which unlock full disk encryption solutions. SEV provides"},{"line_number":190,"context_line":"protection for data in the memory used by the running VM. To reduce the chance"},{"line_number":191,"context_line":"for other avenues of attack to expose data several security practices should"},{"line_number":192,"context_line":"accompany the use of SEV. 
These include the following."}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_33c20feb","line":189,"range":{"start_line":186,"start_character":9,"end_line":189,"end_character":63},"updated":"2019-09-11 15:13:07.000000000","message":"or just directly read the memory of the guest?  Wouldn\u0027t that be easier to do and harder for the guest\u0027s owner to detect?","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":24938,"name":"Bryan Stephenson","email":"bryan.stephenson@suse.com","username":"bryans"},"change_message_id":"07bb6a01c6b2428e8a6f3e3af93afa9be08e191b","unresolved":false,"context_lines":[{"line_number":183,"context_line":"the LAUNCH_MEASURE or LAUNCH_SECRET capabilities which are available with the"},{"line_number":184,"context_line":"firmware. This means that data used by an SEV-protected VM may be subject to"},{"line_number":185,"context_line":"attacks from a motivated adversary who has control of the hypervisor. For"},{"line_number":186,"context_line":"example, a rogue administrator on the hypervisor machine could provide a VM"},{"line_number":187,"context_line":"image for tenants with a backdoor and spyware capable of stealing secrets, or"},{"line_number":188,"context_line":"replace the VNC server process to snoop data sent to or from the VM console"},{"line_number":189,"context_line":"including passwords which unlock full disk encryption solutions. SEV provides"},{"line_number":190,"context_line":"protection for data in the memory used by the running VM. To reduce the chance"},{"line_number":191,"context_line":"for other avenues of attack to expose data several security practices should"},{"line_number":192,"context_line":"accompany the use of SEV. 
These include the following."}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_0b88ea6e","line":189,"range":{"start_line":186,"start_character":9,"end_line":189,"end_character":63},"in_reply_to":"5faad753_33c20feb","updated":"2019-09-12 03:40:34.000000000","message":"My understanding is that they would be reading the encrypted memory of the guest, because even the hypervisor does not have access to the VM\u0027s SEV key. There may be avenues of attack to intercept the decrypted memory on its way to the CPU; I\u0027ll check with AMD to see if that is feasible.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":188,"context_line":"replace the VNC server process to snoop data sent to or from the VM console"},{"line_number":189,"context_line":"including passwords which unlock full disk encryption solutions. SEV provides"},{"line_number":190,"context_line":"protection for data in the memory used by the running VM. To reduce the chance"},{"line_number":191,"context_line":"for other avenues of attack to expose data several security practices should"},{"line_number":192,"context_line":"accompany the use of SEV. 
These include the following."},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"- A full disk encryption solution should be used by the VM."}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_b3727fe2","line":191,"range":{"start_line":191,"start_character":38,"end_line":191,"end_character":42},"updated":"2019-09-11 15:13:07.000000000","message":"comma: \"data,\"","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"0a53ed33410aff8f77c32374fc067340469b55f1","unresolved":false,"context_lines":[{"line_number":189,"context_line":"including passwords which unlock full disk encryption solutions. SEV provides"},{"line_number":190,"context_line":"protection for data in the memory used by the running VM. To reduce the chance"},{"line_number":191,"context_line":"for other avenues of attack to expose data several security practices should"},{"line_number":192,"context_line":"accompany the use of SEV. 
These include the following."},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"- A full disk encryption solution should be used by the VM."},{"line_number":195,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_29570a05","line":192,"range":{"start_line":192,"start_character":53,"end_line":192,"end_character":54},"updated":"2019-09-11 06:17:09.000000000","message":"colon:","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":193,"context_line":""},{"line_number":194,"context_line":"- A full disk encryption solution should be used by the VM."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"- The VM should be well maintained, including regular security scanning and"},{"line_number":197,"context_line":"  patching to ensure a continuously strong security posture for the VM."},{"line_number":198,"context_line":"  Additional security tools and processes should be considered and used for"},{"line_number":199,"context_line":"  the VM appropriate to the level of sensivity of the data."},{"line_number":200,"context_line":""},{"line_number":201,"context_line":"- Connections to the VM should use encrypted and authenticated protocols such"},{"line_number":202,"context_line":"  as HTTPS and SSH."},{"line_number":203,"context_line":""},{"line_number":204,"context_line":"- A bootloader password should be used on the VM."},{"line_number":205,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_932503c5","line":202,"range":{"start_line":196,"start_character":0,"end_line":202,"end_character":19},"updated":"2019-09-11 15:13:07.000000000","message":"These are normal best practices which users with sense will take for granted - so for clarity and brevity, I 
think it might be worth separating them out into a separate list, below the list of best practices which are required specifically in the SEV case for securing the guest.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":24938,"name":"Bryan Stephenson","email":"bryan.stephenson@suse.com","username":"bryans"},"change_message_id":"07bb6a01c6b2428e8a6f3e3af93afa9be08e191b","unresolved":false,"context_lines":[{"line_number":193,"context_line":""},{"line_number":194,"context_line":"- A full disk encryption solution should be used by the VM."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"- The VM should be well maintained, including regular security scanning and"},{"line_number":197,"context_line":"  patching to ensure a continuously strong security posture for the VM."},{"line_number":198,"context_line":"  Additional security tools and processes should be considered and used for"},{"line_number":199,"context_line":"  the VM appropriate to the level of sensivity of the data."},{"line_number":200,"context_line":""},{"line_number":201,"context_line":"- Connections to the VM should use encrypted and authenticated protocols such"},{"line_number":202,"context_line":"  as HTTPS and SSH."},{"line_number":203,"context_line":""},{"line_number":204,"context_line":"- A bootloader password should be used on the VM."},{"line_number":205,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_8bd85a7f","line":202,"range":{"start_line":196,"start_character":0,"end_line":202,"end_character":19},"in_reply_to":"5faad753_932503c5","updated":"2019-09-12 03:40:34.000000000","message":"Good idea. 
I\u0027ll do that.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"0a53ed33410aff8f77c32374fc067340469b55f1","unresolved":false,"context_lines":[{"line_number":205,"context_line":""},{"line_number":206,"context_line":"To use SEV there are several requirements:"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"- The compute node machine and KVM Hypervisor need to be configured for SEV"},{"line_number":209,"context_line":"  usage. The `KVM Hypervisor section of the Nova Configuration Guide"},{"line_number":210,"context_line":"  \u003chttps://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html\u003e`_"},{"line_number":211,"context_line":"  contains information needed to configure the machine and hypervisor, and"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_697662a7","line":208,"range":{"start_line":208,"start_character":35,"end_line":208,"end_character":36},"updated":"2019-09-11 06:17:09.000000000","message":"lowercase hypervisor, also below","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":24938,"name":"Bryan Stephenson","email":"bryan.stephenson@suse.com","username":"bryans"},"change_message_id":"07bb6a01c6b2428e8a6f3e3af93afa9be08e191b","unresolved":false,"context_lines":[{"line_number":205,"context_line":""},{"line_number":206,"context_line":"To use SEV there are several requirements:"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"- The compute node machine and KVM Hypervisor need to be configured for SEV"},{"line_number":209,"context_line":"  usage. 
The `KVM Hypervisor section of the Nova Configuration Guide"},{"line_number":210,"context_line":"  \u003chttps://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html\u003e`_"},{"line_number":211,"context_line":"  contains information needed to configure the machine and hypervisor, and"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_0b0a2a89","line":208,"range":{"start_line":208,"start_character":35,"end_line":208,"end_character":36},"in_reply_to":"5faad753_697662a7","updated":"2019-09-12 03:40:34.000000000","message":"Fixed this in the next version.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":207,"context_line":""},{"line_number":208,"context_line":"- The compute node machine and KVM Hypervisor need to be configured for SEV"},{"line_number":209,"context_line":"  usage. 
The `KVM Hypervisor section of the Nova Configuration Guide"},{"line_number":210,"context_line":"  \u003chttps://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html\u003e`_"},{"line_number":211,"context_line":"  contains information needed to configure the machine and hypervisor, and"},{"line_number":212,"context_line":"  lists several limitations of SEV."},{"line_number":213,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_ee09ea2b","line":210,"updated":"2019-09-11 15:13:07.000000000","message":"Use the anchor here to deep-link to the right section:\n\nhttps://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#amd-sev-secure-encrypted-virtualization","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":24938,"name":"Bryan Stephenson","email":"bryan.stephenson@suse.com","username":"bryans"},"change_message_id":"07bb6a01c6b2428e8a6f3e3af93afa9be08e191b","unresolved":false,"context_lines":[{"line_number":207,"context_line":""},{"line_number":208,"context_line":"- The compute node machine and KVM Hypervisor need to be configured for SEV"},{"line_number":209,"context_line":"  usage. The `KVM Hypervisor section of the Nova Configuration Guide"},{"line_number":210,"context_line":"  \u003chttps://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html\u003e`_"},{"line_number":211,"context_line":"  contains information needed to configure the machine and hypervisor, and"},{"line_number":212,"context_line":"  lists several limitations of SEV."},{"line_number":213,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_4bc1022e","line":210,"in_reply_to":"5faad753_0904807a","updated":"2019-09-12 03:40:34.000000000","message":"I couldn\u0027t find how to use the :nova-doc: role after some searching, so I played around with it but not successfully. 
With the addition of the #amd-sev-secure-encrypted-virtualization deeplink it still goes across multiple lines so I just kept the full URL. If it is important to use :nova-doc: please point me to a place where I can learn to use it properly.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"e4c65beebc1abb0ddbbee14a1ee8e78883b2f946","unresolved":false,"context_lines":[{"line_number":207,"context_line":""},{"line_number":208,"context_line":"- The compute node machine and KVM Hypervisor need to be configured for SEV"},{"line_number":209,"context_line":"  usage. The `KVM Hypervisor section of the Nova Configuration Guide"},{"line_number":210,"context_line":"  \u003chttps://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html\u003e`_"},{"line_number":211,"context_line":"  contains information needed to configure the machine and hypervisor, and"},{"line_number":212,"context_line":"  lists several limitations of SEV."},{"line_number":213,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_7b54c753","line":210,"in_reply_to":"5faad753_4bc1022e","updated":"2019-09-12 11:32:24.000000000","message":"Yup, my bad, according to AJaeger you can\u0027t use :nova-doc: here, so please disregard.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"3868df723fbf26ce8123b4a55c84caf29c90a2d6","unresolved":false,"context_lines":[{"line_number":207,"context_line":""},{"line_number":208,"context_line":"- The compute node machine and KVM Hypervisor need to be configured for SEV"},{"line_number":209,"context_line":"  usage. 
The `KVM Hypervisor section of the Nova Configuration Guide"},{"line_number":210,"context_line":"  \u003chttps://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html\u003e`_"},{"line_number":211,"context_line":"  contains information needed to configure the machine and hypervisor, and"},{"line_number":212,"context_line":"  lists several limitations of SEV."},{"line_number":213,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_0904807a","line":210,"in_reply_to":"5faad753_ee09ea2b","updated":"2019-09-11 16:02:19.000000000","message":"Also, if the :nova-doc: role is configured, the early part of the URL can be elided.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":212,"context_line":"  lists several limitations of SEV."},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"- Either the cloud operator will need to define one or more flavors that"},{"line_number":215,"context_line":"  enable SEV or users will need to define SEV-enabled images."},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"- The VM must be the modern ``Q35`` machine type and must use UEFI firmware."},{"line_number":218,"context_line":"  ``SATA`` and ``virtio-scsi`` disks are supported. 
``virtio-blk`` and IDE"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_ce0e6e31","line":215,"range":{"start_line":215,"start_character":2,"end_line":215,"end_character":12},"updated":"2019-09-11 15:13:07.000000000","message":"\"enable SEV, or ...\"\n\nbut I think this whole list can be removed (see below)","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":214,"context_line":"- Either the cloud operator will need to define one or more flavors that"},{"line_number":215,"context_line":"  enable SEV or users will need to define SEV-enabled images."},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"- The VM must be the modern ``Q35`` machine type and must use UEFI firmware."},{"line_number":218,"context_line":"  ``SATA`` and ``virtio-scsi`` disks are supported. 
``virtio-blk`` and IDE"},{"line_number":219,"context_line":"  disks are not supported at this time."},{"line_number":220,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_ae3c52c8","line":217,"range":{"start_line":217,"start_character":30,"end_line":217,"end_character":33},"updated":"2019-09-11 15:13:07.000000000","message":"I think this is better lowercase since that\u0027s what libvirt and related Nova options use, but I think this whole list can be removed (see below).","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":215,"context_line":"  enable SEV or users will need to define SEV-enabled images."},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"- The VM must be the modern ``Q35`` machine type and must use UEFI firmware."},{"line_number":218,"context_line":"  ``SATA`` and ``virtio-scsi`` disks are supported. 
``virtio-blk`` and IDE"},{"line_number":219,"context_line":"  disks are not supported at this time."},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"- All ``virtio`` devices need to be configured with the ``iommu\u003d\u0027on\u0027``"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_6e4bba58","line":218,"range":{"start_line":218,"start_character":52,"end_line":218,"end_character":66},"updated":"2019-09-11 15:13:07.000000000","message":"This is now out of date; see https://review.opendev.org/#/c/681254/2/doc/source/admin/configuration/hypervisor-kvm.rst@675\n\nActually virtio-blk was even possible before on non-boot disks, but now also on boot disks given the right kernel fixes, thanks to Jim and Joerg.\n\nBut I think this whole list can be removed (see below).","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"a3b00a8d2c3d9454ab4f01eae9ff597c6d1c8385","unresolved":false,"context_lines":[{"line_number":218,"context_line":"  ``SATA`` and ``virtio-scsi`` disks are supported. ``virtio-blk`` and IDE"},{"line_number":219,"context_line":"  disks are not supported at this time."},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"- All ``virtio`` devices need to be configured with the ``iommu\u003d\u0027on\u0027``"},{"line_number":222,"context_line":"  attribute in their ``\u003cdriver\u003e`` configuration. All memory regions used by the"},{"line_number":223,"context_line":"  VM must be locked for Direct Memory Access (DMA) to prevent swapping."},{"line_number":224,"context_line":""},{"line_number":225,"context_line":"- The ``iommu`` attribute must be ``on`` for all virtio devices.  
Despite the"},{"line_number":226,"context_line":"  name, this does not require the guest or host to have an IOMMU device, but"},{"line_number":227,"context_line":"  merely enables the virtio flag which indicates that virtualized DMA should be"},{"line_number":228,"context_line":"  used."},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"- All the memory regions allocated by QEMU are pinned, so that they cannot be"},{"line_number":231,"context_line":"  swapped to disk."},{"line_number":232,"context_line":""},{"line_number":233,"context_line":"Mandatory access controls"},{"line_number":234,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_6eb97a2c","line":231,"range":{"start_line":221,"start_character":0,"end_line":231,"end_character":18},"updated":"2019-09-11 15:13:07.000000000","message":"This is all taken care of automatically so I don\u0027t think it needs to be mentioned.\n\nIn fact, I think this entire list can be removed as it\u0027s just duplicating information in https://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#amd-sev-secure-encrypted-virtualization","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":24938,"name":"Bryan Stephenson","email":"bryan.stephenson@suse.com","username":"bryans"},"change_message_id":"07bb6a01c6b2428e8a6f3e3af93afa9be08e191b","unresolved":false,"context_lines":[{"line_number":218,"context_line":"  ``SATA`` and ``virtio-scsi`` disks are supported. ``virtio-blk`` and IDE"},{"line_number":219,"context_line":"  disks are not supported at this time."},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"- All ``virtio`` devices need to be configured with the ``iommu\u003d\u0027on\u0027``"},{"line_number":222,"context_line":"  attribute in their ``\u003cdriver\u003e`` configuration. 
All memory regions used by the"},{"line_number":223,"context_line":"  VM must be locked for Direct Memory Access (DMA) to prevent swapping."},{"line_number":224,"context_line":""},{"line_number":225,"context_line":"- The ``iommu`` attribute must be ``on`` for all virtio devices.  Despite the"},{"line_number":226,"context_line":"  name, this does not require the guest or host to have an IOMMU device, but"},{"line_number":227,"context_line":"  merely enables the virtio flag which indicates that virtualized DMA should be"},{"line_number":228,"context_line":"  used."},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"- All the memory regions allocated by QEMU are pinned, so that they cannot be"},{"line_number":231,"context_line":"  swapped to disk."},{"line_number":232,"context_line":""},{"line_number":233,"context_line":"Mandatory access controls"},{"line_number":234,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5faad753_6b22be54","line":231,"range":{"start_line":221,"start_character":0,"end_line":231,"end_character":18},"in_reply_to":"5faad753_6eb97a2c","updated":"2019-09-12 03:40:34.000000000","message":"Definitely do not want to duplicate information. 
I\u0027ll remove it from this document since we link to the nova docs.","commit_id":"d4a484731220c56bfaa981de7f4769911f46216a"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"c5bd6c6d8b159220659dbe8ac50106b836aff1fc","unresolved":false,"context_lines":[{"line_number":182,"context_line":"preview with KVM guests on certain AMD-based machines for the purpose of"},{"line_number":183,"context_line":"evaluating the technology."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"The `KVM hypervisor section of the Nova Configuration Guide`__ contains"},{"line_number":186,"context_line":"information needed to configure the machine and hypervisor, and lists several"},{"line_number":187,"context_line":"limitations of SEV."},{"line_number":188,"context_line":""},{"line_number":189,"context_line":"__ https://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#amd-sev-secure-encrypted-virtualization"},{"line_number":190,"context_line":""},{"line_number":191,"context_line":"SEV provides protection for data in the memory used by the running VM."},{"line_number":192,"context_line":"However while the first phase of SEV integration with OpenStack enables"}],"source_content_type":"text/x-rst","patch_set":4,"id":"5faad753_1e4d81c3","line":189,"range":{"start_line":185,"start_character":0,"end_line":189,"end_character":121},"updated":"2019-09-12 12:15:33.000000000","message":"please revert, this needs to be inline for translations.","commit_id":"af6ef1f6e941d81578767a6dad660bf4b47d4fcc"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"819610219930a445c1af8edebe8e6b7f6fb3d92d","unresolved":false,"context_lines":[{"line_number":182,"context_line":"preview with KVM guests on certain AMD-based machines for the purpose of"},{"line_number":183,"context_line":"evaluating the 
technology."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"The `KVM hypervisor section of the Nova Configuration Guide`__ contains"},{"line_number":186,"context_line":"information needed to configure the machine and hypervisor, and lists several"},{"line_number":187,"context_line":"limitations of SEV."},{"line_number":188,"context_line":""},{"line_number":189,"context_line":"__ https://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#amd-sev-secure-encrypted-virtualization"},{"line_number":190,"context_line":""},{"line_number":191,"context_line":"SEV provides protection for data in the memory used by the running VM."},{"line_number":192,"context_line":"However while the first phase of SEV integration with OpenStack enables"}],"source_content_type":"text/x-rst","patch_set":4,"id":"5faad753_29c3653a","line":189,"range":{"start_line":185,"start_character":0,"end_line":189,"end_character":121},"in_reply_to":"5faad753_1e4d81c3","updated":"2019-09-12 12:48:11.000000000","message":"Done. There should be CI to catch that, so you don\u0027t need to waste time saying it.","commit_id":"af6ef1f6e941d81578767a6dad660bf4b47d4fcc"},{"author":{"_account_id":10607,"name":"Alexandra Settle","email":"a.settle@outlook.com","username":"asettle"},"change_message_id":"7d5d35fbbe854a0c05782b6001a973715bd20f29","unresolved":false,"context_lines":[{"line_number":177,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"`Secure Encrypted Virtualization (SEV) \u003chttps://developer.amd.com/sev/\u003e`_ is a"},{"line_number":180,"context_line":"technology from AMD which enables the memory for a VM to be encrypted with a"},{"line_number":181,"context_line":"key unique to the VM. 
SEV is available in the Train release as a technical"},{"line_number":182,"context_line":"preview with KVM guests on certain AMD-based machines for the purpose of"},{"line_number":183,"context_line":"evaluating the technology."}],"source_content_type":"text/x-rst","patch_set":5,"id":"5faad753_4a8c8f7e","line":180,"range":{"start_line":180,"start_character":16,"end_line":180,"end_character":19},"updated":"2019-09-12 14:17:44.000000000","message":"expand this acronym if it hasn\u0027t been mentioned before","commit_id":"2e3a89511c5eb1a8f188ca9c69c6ff0eefc43b80"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"f95879f694650721928856b413188a1f73a9589c","unresolved":false,"context_lines":[{"line_number":177,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"`Secure Encrypted Virtualization (SEV) \u003chttps://developer.amd.com/sev/\u003e`_ is a"},{"line_number":180,"context_line":"technology from AMD which enables the memory for a VM to be encrypted with a"},{"line_number":181,"context_line":"key unique to the VM. SEV is available in the Train release as a technical"},{"line_number":182,"context_line":"preview with KVM guests on certain AMD-based machines for the purpose of"},{"line_number":183,"context_line":"evaluating the technology."}],"source_content_type":"text/x-rst","patch_set":5,"id":"5faad753_eac8db22","line":180,"range":{"start_line":180,"start_character":16,"end_line":180,"end_character":19},"in_reply_to":"5faad753_4a8c8f7e","updated":"2019-09-12 14:36:04.000000000","message":"Hrm, I think most people would be more confused by \"Advanced Micro Devices\" than by \"AMD\" :-)  I literally had to check Wikipedia to find out what it stands for.  
It would be like replacing \"IBM\" with \"International Business Machines\".","commit_id":"2e3a89511c5eb1a8f188ca9c69c6ff0eefc43b80"},{"author":{"_account_id":6547,"name":"Andreas Jaeger","email":"jaegerandi@gmail.com","username":"jaegerandi"},"change_message_id":"1d377b7129b08308ea5869faebfa05bf12d26bff","unresolved":false,"context_lines":[{"line_number":177,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"`Secure Encrypted Virtualization (SEV) \u003chttps://developer.amd.com/sev/\u003e`_ is a"},{"line_number":180,"context_line":"technology from AMD which enables the memory for a VM to be encrypted with a"},{"line_number":181,"context_line":"key unique to the VM. SEV is available in the Train release as a technical"},{"line_number":182,"context_line":"preview with KVM guests on certain AMD-based machines for the purpose of"},{"line_number":183,"context_line":"evaluating the technology."}],"source_content_type":"text/x-rst","patch_set":5,"id":"5faad753_cd1f3459","line":180,"range":{"start_line":180,"start_character":16,"end_line":180,"end_character":19},"in_reply_to":"5faad753_920f1d36","updated":"2019-09-15 16:59:49.000000000","message":"Agreed, leave as is","commit_id":"2e3a89511c5eb1a8f188ca9c69c6ff0eefc43b80"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"c4384fd05557c3c2e1be8953a28c397af629c854","unresolved":false,"context_lines":[{"line_number":177,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"`Secure Encrypted Virtualization (SEV) \u003chttps://developer.amd.com/sev/\u003e`_ is a"},{"line_number":180,"context_line":"technology from AMD which enables the memory for a VM to be encrypted with a"},{"line_number":181,"context_line":"key unique to the VM. 
SEV is available in the Train release as a technical"},{"line_number":182,"context_line":"preview with KVM guests on certain AMD-based machines for the purpose of"},{"line_number":183,"context_line":"evaluating the technology."}],"source_content_type":"text/x-rst","patch_set":5,"id":"5faad753_920f1d36","line":180,"range":{"start_line":180,"start_character":16,"end_line":180,"end_character":19},"in_reply_to":"5faad753_eac8db22","updated":"2019-09-12 17:34:44.000000000","message":"agree with Adam here","commit_id":"2e3a89511c5eb1a8f188ca9c69c6ff0eefc43b80"},{"author":{"_account_id":10607,"name":"Alexandra Settle","email":"a.settle@outlook.com","username":"asettle"},"change_message_id":"7d5d35fbbe854a0c05782b6001a973715bd20f29","unresolved":false,"context_lines":[{"line_number":182,"context_line":"preview with KVM guests on certain AMD-based machines for the purpose of"},{"line_number":183,"context_line":"evaluating the technology."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"The `KVM hypervisor section of the Nova Configuration Guide"},{"line_number":186,"context_line":"\u003chttps://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#amd-sev-secure-encrypted-virtualization\u003e`_"},{"line_number":187,"context_line":"contains information needed to configure the machine and hypervisor, and lists"},{"line_number":188,"context_line":"several limitations of SEV."}],"source_content_type":"text/x-rst","patch_set":5,"id":"5faad753_4ae1ef29","line":185,"range":{"start_line":185,"start_character":35,"end_line":185,"end_character":39},"updated":"2019-09-12 14:17:44.000000000","message":"nova* -\u003e https://docs.openstack.org/doc-contrib-guide/writing-style/openstack-components.html","commit_id":"2e3a89511c5eb1a8f188ca9c69c6ff0eefc43b80"},{"author":{"_account_id":14070,"name":"Eric 
Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"c4384fd05557c3c2e1be8953a28c397af629c854","unresolved":false,"context_lines":[{"line_number":182,"context_line":"preview with KVM guests on certain AMD-based machines for the purpose of"},{"line_number":183,"context_line":"evaluating the technology."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"The `KVM hypervisor section of the Nova Configuration Guide"},{"line_number":186,"context_line":"\u003chttps://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#amd-sev-secure-encrypted-virtualization\u003e`_"},{"line_number":187,"context_line":"contains information needed to configure the machine and hypervisor, and lists"},{"line_number":188,"context_line":"several limitations of SEV."}],"source_content_type":"text/x-rst","patch_set":5,"id":"5faad753_12656d1e","line":185,"range":{"start_line":185,"start_character":35,"end_line":185,"end_character":39},"in_reply_to":"5faad753_0a9c570d","updated":"2019-09-12 17:34:44.000000000","message":"Isn\u0027t \"Nova Configuration Guide\" the title of a document?\n\n[Later] Naw, I guess the title is technically \"Configuration\". 
In which case none of these three words should be capitalized.","commit_id":"2e3a89511c5eb1a8f188ca9c69c6ff0eefc43b80"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"ae784864f8d4a95ec40bcb706d08f73c657132e0","unresolved":false,"context_lines":[{"line_number":182,"context_line":"preview with KVM guests on certain AMD-based machines for the purpose of"},{"line_number":183,"context_line":"evaluating the technology."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"The `KVM hypervisor section of the Nova Configuration Guide"},{"line_number":186,"context_line":"\u003chttps://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#amd-sev-secure-encrypted-virtualization\u003e`_"},{"line_number":187,"context_line":"contains information needed to configure the machine and hypervisor, and lists"},{"line_number":188,"context_line":"several limitations of SEV."}],"source_content_type":"text/x-rst","patch_set":5,"id":"5faad753_a8dbc679","line":185,"range":{"start_line":185,"start_character":35,"end_line":185,"end_character":39},"in_reply_to":"5faad753_12656d1e","updated":"2019-09-12 18:25:52.000000000","message":"Done","commit_id":"2e3a89511c5eb1a8f188ca9c69c6ff0eefc43b80"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"f95879f694650721928856b413188a1f73a9589c","unresolved":false,"context_lines":[{"line_number":182,"context_line":"preview with KVM guests on certain AMD-based machines for the purpose of"},{"line_number":183,"context_line":"evaluating the technology."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"The `KVM hypervisor section of the Nova Configuration 
Guide"},{"line_number":186,"context_line":"\u003chttps://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#amd-sev-secure-encrypted-virtualization\u003e`_"},{"line_number":187,"context_line":"contains information needed to configure the machine and hypervisor, and lists"},{"line_number":188,"context_line":"several limitations of SEV."}],"source_content_type":"text/x-rst","patch_set":5,"id":"5faad753_0a9c570d","line":185,"range":{"start_line":185,"start_character":35,"end_line":185,"end_character":39},"in_reply_to":"5faad753_4ae1ef29","updated":"2019-09-12 14:36:04.000000000","message":"*lol*\n\nThe confusion continues: https://review.opendev.org/#/c/681359/2//COMMIT_MSG@10\n\nOK, done.","commit_id":"2e3a89511c5eb1a8f188ca9c69c6ff0eefc43b80"},{"author":{"_account_id":10607,"name":"Alexandra Settle","email":"a.settle@outlook.com","username":"asettle"},"change_message_id":"7d5d35fbbe854a0c05782b6001a973715bd20f29","unresolved":false,"context_lines":[{"line_number":188,"context_line":"several limitations of SEV."},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"SEV provides protection for data in the memory used by the running VM."},{"line_number":191,"context_line":"However while the first phase of SEV integration with OpenStack enables"},{"line_number":192,"context_line":"encrypted memory for VMs, importantly it does not provide the"},{"line_number":193,"context_line":"``LAUNCH_MEASURE`` or ``LAUNCH_SECRET`` capabilities which are available with"},{"line_number":194,"context_line":"the SEV firmware. 
This means that data used by an SEV-protected VM may be"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5faad753_ead3fb5e","line":191,"range":{"start_line":191,"start_character":0,"end_line":191,"end_character":7},"updated":"2019-09-12 14:17:44.000000000","message":"However, while*","commit_id":"2e3a89511c5eb1a8f188ca9c69c6ff0eefc43b80"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"f95879f694650721928856b413188a1f73a9589c","unresolved":false,"context_lines":[{"line_number":188,"context_line":"several limitations of SEV."},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"SEV provides protection for data in the memory used by the running VM."},{"line_number":191,"context_line":"However while the first phase of SEV integration with OpenStack enables"},{"line_number":192,"context_line":"encrypted memory for VMs, importantly it does not provide the"},{"line_number":193,"context_line":"``LAUNCH_MEASURE`` or ``LAUNCH_SECRET`` capabilities which are available with"},{"line_number":194,"context_line":"the SEV firmware. This means that data used by an SEV-protected VM may be"}],"source_content_type":"text/x-rst","patch_set":5,"id":"5faad753_2a9033ed","line":191,"range":{"start_line":191,"start_character":0,"end_line":191,"end_character":7},"in_reply_to":"5faad753_ead3fb5e","updated":"2019-09-12 14:36:04.000000000","message":"Done","commit_id":"2e3a89511c5eb1a8f188ca9c69c6ff0eefc43b80"}]}
