Guest memory requirements
KVM guests in IBM® Secure Execution mode require more memory than the same guests in regular mode.
The following aspects increase the memory requirement of a guest:
- The extra memory needed by a bounce buffer. Add the swiotlb value multiplied by 2 KB.
- Disk encryption, if introduced with IBM Secure Execution.
- Setting up kdump if not already in place. Double the resulting figure of the preceding aspects.
Guests with a too narrowly computed memory assignment might not boot.
Example
Consider a guest that is configured to use kdump, but no disk encryption. The swiotlb value is set to 262144. Assuming swiotlb memory blocks of 2 KB, this results in 512 MB extra memory.
For a disk that is encrypted with LUKS2, use the cryptsetup luksDump
<LUKS_volume> command to display the memory needed for the key derivation function.
For example (output shortened):
# cryptsetup luksDump /dev/vda6 LUKS header information Version: 2 Epoch: ... Data segments: 0: crypt ... Keyslots: 0: luks2 Key: 512 bits Priority: normal Cipher: aes-xts-plain64 Cipher key: 512 bits PBKDF: argon2i Time cost: 4 Memory: 270246 Threads: ... ...The example shows that the memory needed is 270246 KB, or approximately 271 MB. The resulting increase in guest size is:
2 * (512 MB + 271 MB) = 1.6 GBTip: To reduce the amount of memory that needs to be reserved for
kdump, change the LUKS2 key-derivation method from the default Argon2 to PBKDF2. Use the
cryptsetup luksConvertKey command.