Enhance VM Security

[harneshalaka]

PR creator: Description

Request review of the edited content on Enhancing Virtual Machine Security with AMD SEV-SNP and SUSE Linux Enterprise 15-SP6.

References

https://jira.suse.com/browse/PED-10565

The doc team member merging your PR will take care of backporting to older documents.
When opening a PR, do not set the following check box.

• all necessary backports are done

[taroth21]

@harneshalaka : Many thanks, well done!

I had a look and have added a few suggestions (mostly about use of entities - maybe pre-empting what Daria would suggest during the final style check anyway).

[taroth21]

Suggested change

	</abstract>
	<note>
	<title>Technology Preview for &productname;</title>
	<para>
	This feature is shipped as a Technology Preview in &productname; 15 SP6.
	The necessary packages are not part of the default installation or repositories.
	</para>
	</note>
	</abstract>

[taroth21]

Let's highlight the tech preview in a note and move it up here for more visibility.

[taroth21]

Suggested change

	<para>
	Support for AMD SEV-SNP is available as a Technology Preview in SUSE Linux Enterprise Server 15-SP6. However, the necessary packages are not part of the default installation or repositories.</para>

[taroth21]

I suggest to remove here (and move to the abstract as suggested above)

[taroth21]

@harneshalaka : Please replace the # with proper prompts in this file. For this, either use the entity &prompt.root; (or better &prompt.sudo; where possible), according to our style guide.

For examples, see https://github.com/SUSE/doc-sle/blob/main/xml/security_ldap_sssd.xml#L59 or https://github.com/SUSE/doc-sle/blob/main/xml/tuning_perf.xml#L323

[taroth21]

Suggested change

	The confidential compute module provides replacement packages supporting AMD SEV-SNP. To ensure a maximum of compatibility, these packages are based on the code streams from SUSE Linux Enterprise Server.</para>
	The confidential compute module provides replacement packages supporting AMD SEV-SNP. To ensure a maximum of compatibility, these packages are based on the code streams from &productname;.</para>

[taroth21]

Suggested change

<para>After replacing the packages, you must set up the system with a configuration change to make the AMD SEV-SNP feature ready to use. The IOMMU on the host side must be configured in non-passthrough mode. This is required to prevent peripheral devices from writing to memory which belongs to an encrypted guest and destroy its data integrity. The default IOMMU configuration in SUSE Linux Enterprise Server is <literal>passthrough</literal> mode.</para>

<para>After replacing the packages, you must set up the system with a configuration change to make the AMD SEV-SNP feature ready to use. The IOMMU on the host side must be configured in non-passthrough mode. This is required to prevent peripheral devices from writing to memory which belongs to an encrypted guest and destroy its data integrity. The default IOMMU configuration in &productname; is <literal>passthrough</literal> mode.</para>

[taroth21]

Suggested change

	<para>To disable the IOMMU configuration in SUSE Linux Enterprise Server, open the <filename>/etc/default/grub</filename> file and add <literal>iommu=nopt</literal> to the <varname>GRUB_CMDLINE_LINUX_DEFAULT</varname> variable. </para>
	<para>To disable the IOMMU configuration in &productname;, open the <filename>/etc/default/grub</filename> file and add <literal>iommu=nopt</literal> to the <varname>GRUB_CMDLINE_LINUX_DEFAULT</varname> variable. </para>

[aginies]

Thanks for getting this done so quickly

[aginies]

The repo name is not coco; This needs to be adjusted with the name of the CoCo repository.