From b8c85135d9de76d810701a8c95fd72e2805b20c6 Mon Sep 17 00:00:00 2001 From: "David B. Kinder" Date: Tue, 9 Aug 2022 13:01:29 -0700 Subject: [PATCH] doc: update Security VM Features config option Updated the description of Security VM Features per review comments, and made the option visible (again) in the configurator as an advanced hypervisor option. Created a new glossary entry for "Security VM", referenced by this new description and tooltip. Tweak wording of virtio console and input device descriptions. Signed-off-by: David B. Kinder Tracked-On: #7968 --- doc/glossary.rst | 6 ++++++ misc/config_tools/schema/config.xsd | 19 +++++++++++++++---- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/doc/glossary.rst b/doc/glossary.rst index 8921490a4..70fd85ca4 100644 --- a/doc/glossary.rst +++ b/doc/glossary.rst @@ -143,6 +143,12 @@ Glossary of Terms developers can use to define a scenario configuration appropriate for their own application. + Security VM + A special :term:`User VM` providing software-based security services + within a dynamic virtualized environment. Such security services are + application dependent and can include antivirus and malware detection, + virtualized firewalls, resource monitoring, and more. + Service VM A special VM, directly launched by the hypervisor. The Service VM can access hardware resources directly by running native drivers and provides diff --git a/misc/config_tools/schema/config.xsd b/misc/config_tools/schema/config.xsd index 040433dd3..1208f0da5 100644 --- a/misc/config_tools/schema/config.xsd +++ b/misc/config_tools/schema/config.xsd 
@@ -69,8 +69,19 @@ - - Enable to do fixup for TPM2 and SMBIOS for Security VM. If no Security VM, setting this option to ``n`` + + This option enables hypervisor features potentially needed by a :term:`Security VM`: + +- The virtual Trusted Platform Module (vTPM) 2.0 ACPI table, likely + used by a security VM, is usually generated statically at build + time. Checking this option enables the ACRN hypervisor to update the + vTPM 2.0 ACPI table if the physical ACPI table was modified by the BIOS. +- Data from the system management BIOS (SMBIOS) can replace probing + hardware directly to discover what devices are present. Checking + this option enables the hypervisor to pass through the physical + SMBIOS to a pre-launched security VM. + +If your VM is not a security VM, leave this option unchecked. @@ -448,7 +459,7 @@ This feature enables you to view the VM's GPU output in the Service VM. Virtio console device for data input and output. The virtio console BE driver copies data from the frontend's transmitting virtqueue when it receives a kick on virtqueue (implemented as a vmexit). -The BE driver then writes the data to backend, and can be implemented as PTY, TTY, STDIO, and regular file. +The BE driver then writes the data to backend, and can be implemented as a PTY, TTY, STDIO, or regular file. For details, see :ref:`virtio-console`. @@ -462,7 +473,7 @@ is the virtio network driver, simulating the virtual NIC. The backend could be: The virtio input device creates a virtual human interface device such as a keyboard, -mouse, and tablet. It sends Linux input layer events over virtio. +mouse, or tablet. The device sends Linux input layer events over virtio.
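Review bot: the new "Security VM" glossary entry (glossary.rst hunk) does not say which VM configurations the term covers, yet the config.xsd hunk states that SMBIOS passthrough applies only to a "pre-launched security VM"; a reader who follows the :term: link from the option description will not learn that restriction. Consider adding a sentence to the entry noting that a Security VM is typically a pre-launched User VM when these hypervisor fixups are needed, or otherwise cross-referencing the scenario types the term applies to.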
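Review bot: in the config.xsd hunk at @@ -69, the replacement text drops the explicit ``n`` value that the removed line carried ("setting this option to ``n``") and speaks only in configurator terms ("Checking this option", "leave this option unchecked"); users who edit the scenario XML directly no longer see which value to set. Suggest keeping the XML value alongside the GUI wording, e.g. "If your VM is not a security VM, leave this option unchecked (``n``)." Two smaller points on the same hunk: "likely used by a security VM" is hedged wording that does not tell the reader when the vTPM table is needed, and the second bullet should state the reason the default is off, since passing the physical SMBIOS through exposes platform identity data (hardware and firmware descriptors) to the guest, which is exactly why a non-security VM should not get it. Finally, the bullet list lines start at column 0 inside the xs:documentation text; please confirm that the configurator's tooltip renderer handles RST-style lists, or the bullets will display as a single run-on paragraph.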
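Review bot: in the @@ -448 hunk, since the sentence is being reworded anyway, "then writes the data to backend" should read "then writes the data to the backend", matching the "BE driver" / "backend" phrasing used in the surrounding lines.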