Guest memory requirements

KVM guests in IBM® Secure Execution mode require more memory than the same guests in regular mode.

The following aspects increase the memory requirement of a guest:
  • The extra memory needed by a bounce buffer. Add the swiotlb value multiplied by 2 KB.
  • Disk encryption, if introduced with IBM Secure Execution.
  • Setting up kdump if not already in place. Double the resulting figure of the preceding aspects.

Guests with a too narrowly computed memory assignment might not boot.

Example

Consider a guest that is configured to use kdump, but no disk encryption. The swiotlb value is set to 262144. Assuming swiotlb memory blocks of 2 KB, this results in 512 MB extra memory.

For a disk that is encrypted with LUKS2, use the cryptsetup luksDump <LUKS_volume> command to display the memory needed for the key derivation function. For example (output shortened):
# cryptsetup luksDump /dev/vda6
LUKS header information
Version:       	2
Epoch: ...

Data segments:
  0: crypt
	...

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2i
	Time cost:  4
	Memory:     270246
	Threads:   ...
...
The example shows that the memory needed is 270246 KB, or approximately 271 MB. The resulting increase in guest size is:
2 * (512 MB + 271 MB) = 1.6 GB
Tip: To reduce the amount of memory that needs to be reserved for kdump, change the LUKS2 key-derivation method from the default Argon2 to PBKDF2. Use the cryptsetup luksConvertKey command.