For example, this setting makes the required bounce buffer for virtio
devices the default and you do not have to specify it explicitly for each device. This setting also
leads to warning messages if the CPU model of the virtual server does not include all features that
are required by IBM Secure Execution for Linux.
Manual domain-XML configuration
If the output of the virsh domcapabilities command shows that you
do not have support for the launchSecurity element, you must configure the domain XML manually:
Ensure that iommu="on" is set on every element that represents a virtio device, for example, the <disk>, <serial>, and <interface> elements, to allow the use of bounce buffers.
Do not define a memory balloon device for secure guests. Use the following definition in the
guest XML:
<memballoon model='none'/>
For example, the following domain configuration-XML, called secguest1.xml, configures a virtual machine called secguest1 that
allows bounce buffers:
The <kernel> entry must contain the fully qualified path and
file name of the secure boot image file.
On the KVM host console, define the virtual machine with the virsh
define command.
For example, to define secguest1 as specified in secguest1.xml:
# virsh define secguest1.xml
From the KVM host console, verify that the guest can be started with the virsh
start command.
For example, to start secguest1:
# virsh start secguest1
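The manual-configuration rules above can be checked mechanically before virsh define is run. The following Python script is an added example, not part of the original documentation; the sample XML is constructed, and the script assumes that iommu='on' sits on each device's <driver> sub-element and uses a simple heuristic to recognize virtio devices.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the original page). The disk is
# correct; the kernel path, the interface and the balloon each break a rule.
SAMPLE_XML = """
<domain type='kvm'>
  <name>secguest1</name>
  <os>
    <type arch='s390x'>hvm</type>
    <kernel>images/secguest1.img</kernel>
  </os>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' iommu='on'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='network'>
      <model type='virtio'/>
    </interface>
    <memballoon model='virtio'/>
  </devices>
</domain>
"""

def is_virtio(dev):
    """Assumed heuristic: bus='virtio' target, virtio <model>, or model='virtio*'."""
    target, model = dev.find("target"), dev.find("model")
    return ((target is not None and target.get("bus") == "virtio")
            or (model is not None and model.get("type", "").startswith("virtio"))
            or dev.get("model", "").startswith("virtio"))

def check_secure_guest(xml_text):
    """Return a list of findings; an empty list means the checked rules hold."""
    root, findings = ET.fromstring(xml_text), []
    kernel = root.findtext("os/kernel", default="").strip()
    if not kernel.startswith("/"):
        findings.append(f"kernel path not fully qualified: {kernel!r}")
    # Assumption: a missing balloon element is flagged as well as a wrong model.
    balloon = root.find("devices/memballoon")
    if balloon is None or balloon.get("model") != "none":
        findings.append("missing <memballoon model='none'/>")
    for dev in root.findall("devices/*"):
        driver = dev.find("driver")
        if dev.tag != "memballoon" and is_virtio(dev) and (
                driver is None or driver.get("iommu") != "on"):
            findings.append(f"<{dev.tag}> is virtio but lacks iommu='on'")
    return findings

if __name__ == "__main__":
    for finding in check_secure_guest(SAMPLE_XML):
        print("FAIL:", finding)
```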
Results
The KVM guest defined by secguest1.img starts running in IBM Secure Execution mode. For information about
troubleshooting, see Starting virtual server fails.