Constraints

Memory Insertion

Memory modules must be populated symmetrically across the NUMA nodes (the same amount of memory in the same slots on each node).

BIOS Menus

  1. Three-channel interleaving must be disabled.
  2. Die interleaving can be disabled or enabled.

OS

Use openEuler 24.03 LTS SP2 for hosts and cVM guests.

SWIOTLB Buffer

cVMs exchange data with peripherals through the SWIOTLB bounce buffer, which defaults to 64 MB. Under heavy I/O load the buffer can be exhausted. To check, run the following command in the guest OS; if it prints any "swiotlb buffer is full" lines, the buffer is too small.
dmesg | grep "swiotlb buffer is full"
If so, enlarge the buffer by passing the swiotlb parameter on the guest kernel command line:
  • If cVMs are started using the QEMU CLI, set the swiotlb parameter as follows:
    -append "swiotlb=x,force"
  • If cVMs are started using the libvirt XML file, set the swiotlb parameter as follows:
    <cmdline>swiotlb=x,force</cmdline>
    • x is the number of slabs (fragments) in the SWIOTLB buffer. Each slab is 2 KB, so the buffer size is x multiplied by 2 KB; the default 64 MB buffer therefore has 32,768 slabs. Increase x to enlarge the buffer, keeping the size a multiple of 64 MB (that is, x a multiple of 32,768). For example, x = 262144 gives a 512 MB buffer.
    • On the host, the SWIOTLB buffer is backed by non-secure memory. If the host OS logs "Out of memory: Killed process xxx (qemu-kvm)", non-secure memory is exhausted and the cVM exits, so leave headroom for the larger buffer when sizing non-secure memory.
    • Inside the cVM, the buffer is carved out of the memory assigned to the cVM (its secure memory space), so a larger buffer leaves less memory for the guest itself. A cVM must be assigned at least 1 GB of secure memory.
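As an added example (not part of the openEuler documentation or any virtCCA tooling), the following POSIX shell script applies the sizing rule above: it checks a guest dmesg excerpt for the exhaustion message and converts a requested buffer size in MB into the swiotlb= value, refusing sizes that are not a multiple of 64 MB. The dmesg lines are constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the openEuler/virtCCA docs: size the SWIOTLB buffer
# for a cVM and emit the guest kernel command-line fragment.
# Assumes the rule stated in the text: 2 KB slabs, size a multiple of 64 MB.

SLAB_KB=2   # each SWIOTLB slab ("fragment") is 2 KB; 64 MB = 32,768 slabs

# swiotlb_is_full LOGFILE -> 0 if the guest kernel reported an exhausted buffer
# (same check as: dmesg | grep "swiotlb buffer is full" on the guest)
swiotlb_is_full() {
    grep -q "swiotlb buffer is full" "$1"
}

# swiotlb_slabs MB -> prints the swiotlb= value for a buffer of MB megabytes.
# Fails (exit 1, prints nothing) unless MB is a positive multiple of 64.
swiotlb_slabs() {
    mb=$1
    case "$mb" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$mb" -gt 0 ] && [ $((mb % 64)) -eq 0 ] || return 1
    echo $((mb * 1024 / SLAB_KB))
}

# swiotlb_append MB -> the QEMU -append argument for that buffer size
swiotlb_append() {
    slabs=$(swiotlb_slabs "$1") || return 1
    echo "swiotlb=${slabs},force"
}

# swiotlb_cmdline MB -> the libvirt <cmdline> element for that buffer size
swiotlb_cmdline() {
    slabs=$(swiotlb_slabs "$1") || return 1
    echo "<cmdline>swiotlb=${slabs},force</cmdline>"
}

# Demo on a constructed dmesg excerpt (not a real capture).
demo() {
    log=$(mktemp)
    cat >"$log" <<'EOF'
[   12.345678] virtio_net virtio1 eth0: swiotlb buffer is full (sz: 65536 bytes), total 32768 (slots), used 32760 (slots)
[   12.345690] virtio_net virtio1 eth0: swiotlb buffer is full (sz: 65536 bytes), total 32768 (slots), used 32768 (slots)
EOF
    if swiotlb_is_full "$log"; then
        echo "SWIOTLB exhausted at the 64 MB default; sizing a 512 MB buffer:"
        swiotlb_append 512
        swiotlb_cmdline 512
    else
        echo "no SWIOTLB exhaustion reported"
    fi
    rm -f "$log"
}

demo
```

On a real guest, replace the constructed log file with the output of dmesg; the sizing functions are independent of the log and can be used on the host when writing the QEMU command line or the libvirt XML.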

Secure Memory Granularity

The secure memory of each cVM must be 2 MB aligned.

cVM Performance

  • The NUMA node(s) to which a cVM's vCPUs are bound must be the same NUMA node(s) from which its secure memory is allocated.
  • The NUMA node(s) to which a cVM's vCPUs are bound must also be the NUMA node local to the NIC the cVM uses. Run the following command on the host to check which NUMA node the NIC is attached to:
    cat /sys/class/net/$net_name/device/numa_node

    Replace net_name with the NIC name as shown by ip addr. The output is the NUMA node ID (-1 means the kernel has no locality information for the device).

    For example, if the command prints 1, the NIC is local to NUMA node 1, and the vCPUs of the cVM must be bound to NUMA node 1 in its libvirt XML file.

sysctl_overcommit_memory

The BIOS offers an auto mode for configuring secure memory. In this mode the BIOS reserves as much secure memory as possible, so secure memory ends up larger than non-secure memory. When the RAM given to a cVM at start-up exceeds the host's non-secure memory, the virtual address space that QEMU maps for the guest must be allowed to exceed the physically available memory; otherwise the cVM fails to start. Before starting a cVM, therefore, set vm.overcommit_memory to 1 (the setting does not persist across reboots):

echo 1 > /proc/sys/vm/overcommit_memory

SMT

With simultaneous multi-threading (SMT) enabled, sibling hardware threads share core resources such as caches and execution ports, which exposes confidential computing workloads to side-channel attacks and related risks. Deploy confidential computing on systems with SMT disabled. To disable SMT in the BIOS:

  1. On the BIOS setup screen, choose Advanced > Power And Performance Configuration.

  2. Open the CPU PM Control menu.

  3. Set SMT2 to Disabled.

Overcommitment

CPU or memory overcommitment is not supported.
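The NUMA affinity, vm.overcommit_memory and SMT requirements above are all host-side conditions that can be verified before a cVM is started. As an added example (not part of the openEuler documentation or any virtCCA tooling), the following POSIX shell script checks them: it reads the NIC's NUMA node from sysfs, extracts the numatune nodeset and the vcpu cpuset from a libvirt XML file, maps the cpuset to NUMA nodes through /sys/devices/system/cpu/cpuN/nodeM, and reports whether all three agree, together with the overcommit and SMT state. ROOT is a prefix for /sys and /proc so the script can run against a constructed fixture; the fixture (a two-node host with a NIC on node 1 and a cVM pinned to node 1) and the function names are my own, and the XML attribute extraction is a sed pattern, not a full XML parser.

```shell
#!/bin/sh
# Added example, not from the openEuler/virtCCA docs: host-side preflight for
# the cVM constraints on this page. ROOT prefixes /sys and /proc so the checks
# can run against a constructed fixture; use ROOT="" on a real host.

# nic_numa_node ROOT NIC -> NUMA node the NIC is attached to (-1 if unknown)
nic_numa_node() {
    cat "$1/sys/class/net/$2/device/numa_node"
}

# xml_attr FILE ELEMENT ATTR -> value of ATTR on the first ELEMENT in FILE
# (single-quoted attributes as libvirt writes them; not a full XML parser)
xml_attr() {
    sed -n "s/.*<$2 [^>]*$3='\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# expand_cpuset "4-7,12" -> one CPU number per line
expand_cpuset() {
    echo "$1" | tr ',' '\n' | while IFS=- read -r lo hi; do
        hi=${hi:-$lo}
        c=$lo
        while [ "$c" -le "$hi" ]; do echo "$c"; c=$((c + 1)); done
    done
}

# cpuset_nodes ROOT CPUSET -> sorted unique NUMA node IDs hosting those CPUs
cpuset_nodes() {
    for c in $(expand_cpuset "$2"); do
        for n in "$1"/sys/devices/system/cpu/cpu"$c"/node*; do
            echo "${n##*/node}"
        done
    done | sort -nu
}

# check_numa_affinity ROOT XML NIC -> 0 when the NIC's node, the numatune
# nodeset and the node(s) of the vcpu cpuset are the same single node
check_numa_affinity() {
    nic=$(nic_numa_node "$1" "$3")
    memnodes=$(xml_attr "$2" memory nodeset)
    cpunodes=$(cpuset_nodes "$1" "$(xml_attr "$2" vcpu cpuset)")
    [ "$nic" = "$memnodes" ] && [ "$cpunodes" = "$nic" ]
}

# check_overcommit ROOT -> 0 when vm.overcommit_memory is 1
check_overcommit() {
    [ "$(cat "$1/proc/sys/vm/overcommit_memory")" = 1 ]
}

# check_smt ROOT -> 0 when SMT is off (or the CPU has none)
check_smt() {
    case "$(cat "$1/sys/devices/system/cpu/smt/control")" in
        off|forceoff|notsupported) return 0 ;;
        *) return 1 ;;
    esac
}

# build_fixture ROOT: constructed two-node host (CPUs 0-3 on node 0, 4-7 on
# node 1), NIC eth1 on node 1, and a cVM XML pinned to node 1. Not a capture.
build_fixture() {
    r=$1
    mkdir -p "$r/sys/class/net/eth1/device" "$r/proc/sys/vm" "$r/sys/devices/system/cpu/smt"
    echo 1 >"$r/sys/class/net/eth1/device/numa_node"
    echo 1 >"$r/proc/sys/vm/overcommit_memory"
    echo off >"$r/sys/devices/system/cpu/smt/control"
    for c in 0 1 2 3; do mkdir -p "$r/sys/devices/system/cpu/cpu$c/node0"; done
    for c in 4 5 6 7; do mkdir -p "$r/sys/devices/system/cpu/cpu$c/node1"; done
    cat >"$r/cvm.xml" <<'EOF'
<domain type='kvm'>
  <vcpu placement='static' cpuset='4-7'>4</vcpu>
  <numatune>
    <memory mode='strict' nodeset='1'/>
  </numatune>
</domain>
EOF
}

# preflight ROOT XML NIC -> 0 when every check passes; prints each result
preflight() {
    rc=0
    for chk in "check_numa_affinity $1 $2 $3" "check_overcommit $1" "check_smt $1"; do
        if $chk; then echo "PASS: ${chk%% *}"; else echo "FAIL: ${chk%% *}"; rc=1; fi
    done
    return $rc
}

root=$(mktemp -d)
build_fixture "$root"
preflight "$root" "$root/cvm.xml" eth1
rm -rf "$root"
```

On a real host, call preflight "" /path/to/cvm.xml <nic> instead of building the fixture; the SMT check reads /sys/devices/system/cpu/smt/control, which reports "off" or "forceoff" after SMT has been disabled in the BIOS and the host rebooted.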