Constraints

Application Constraints

The hardware server must be equipped with a new Kunpeng 920 processor model (7270Z/7280Z/7250Y/7260Y/5253Z/5252Z/5235Z/5230Z).

Memory Insertion

The memory insertion must be symmetrical between NUMA nodes.

4, 8, 12, 16, 20, 24, or 32 memory modules
32 GB or 64 GB, mixed insertion not allowed
Use the Computing Product Memory Configuration Assistant to determine the correct memory insertion method.

BIOS Menus

Three-channel interleaving must be disabled.
Die interleaving can be disabled or enabled.

SWIOTLB Buffer

cVMs communicate with peripherals through the SWIOTLB buffer. The SWIOTLB buffer is 64 MB by default. In high-load I/O communication scenarios, the SWIOTLB buffer space may be insufficient. Run the following command in the guest OS. If the error message "switlb buffer is full" is displayed, the problem occurs. In this case, follow the instructions in Increasing the SWIOTLB Buffer Space to resolve the issue.

dmesg | grep "swiotlb buffer is full"

Secure Memory Granularity

The secure memory of each cVM must be 2 MB aligned.

cVM Performance

The NUMA nodes bound to the CPUs of a cVM must be the same as the NUMA nodes allocated to secure memory.

The NUMA nodes bound to the CPUs of a cVM must be the same as the NUMA nodes affinitized to the NIC. Run the following command to check the NUMA nodes affinitized to the NIC:
```
cat /sys/class/net/$net_name/device/numa_node
```
The NIC name is net_name. You run the ip addr command in the guest OS to view the NIC name.

The expected result is as follows:
- The command output shows that the ID of the NUMA node affinitized to the NIC is 1.
- The CPU is bound to NUMA node 1 in the libvirt XML file of the cVM.

sysctl_overcommit_memory

The BIOS provides the auto mode for configuring the secure memory. In this mode, the BIOS allocates a secure memory space as large as possible, and the secure memory is larger than the non-secure memory. When the random access memory (RAM) for starting a cVM is greater than the non-secure memory, allow the virtual address space of mmap to be greater than the physical address space. Otherwise, the cVM fails to be started. That is to say, before starting a cVM, ensure that sysctl_overcommit_memory is set to 1. Run the following command:

echo 1 > /proc/sys/vm/overcommit_memory

SMT

Enabling simultaneous multi-threading (SMT) may introduce side-channel attacks and other risks affecting confidential computing workloads. It is therefore recommended to deploy confidential computing on systems with SMT disabled. To disable SMT, see Disabling SMT.

Overcommitment

CPU or memory overcommitment is not supported.

Commands Supported by libvirt

Commands Supported by libvirt lists the libvirt commands for cVMs:

**Table 1** libvirt commands
virsh Subcommand	Description	Option	Supported on cVMs	Supported on Other VMs
define	Defines a VM domain from a specified XML file.	--validate	√	√
undefine	Destroys a VM domain.	--managed-save	x	√
		--storage	√	√
		--remove-all-storage	√	√
		--delete-storage-volume-snapshots	x	√
		--wipe-storage	√	√
		--snapshots-metadata	x	√
		--checkpoints-metadata	x	√
		--nvram	x	√
		--keep-nvram	x	√
		--tpm	x	√
		--keep-tpm	x	√
start	Starts a defined VM.	--console	√	√
		--paused	x	√
		--autodestroy	√	√
		--bypass-cache	√	√
		--force-boot	x	√
		--pass-fds	x	√
		--reset-nvram	x	√
destroy	Destroys a running VM.	--graceful	√	√
destroy	Destroys a running VM.	--remove-logs	√	√
console	Logs in to a VM through the serial port.	--devname	√	√
		--force	√	√
		--resume	x	√
		--safe	√	√
create	Creates and starts a VM from a specified XML file.	--console	√	√
		--paused	x	√
		--autodestroy	√	√
		--pass-fds	x	√
		--validate	√	√
		--reset-nvram	x	√
attach-disk	Attaches drives.	--subdriver	√	√
		--live	√	√
		--persistent	√	√
detach-disk	Detaches drives.	--live	√	√
detach-disk	Detaches drives.	--persistent	√	√
attach-interface	Attaches network interfaces.	--model	√	√
		--live	√	√
		--persistent	√	√
detach-interface	Detaches network interfaces.	--live	√	√
detach-interface	Detaches network interfaces.	--persistent	√	√
attach-device	Attaches devices using an XML file.	--live	√	√
attach-device	Attaches devices using an XML file.	--persistent	√	√
detach-device	Detaches devices using XML files.	--live	√	√
detach-device	Detaches devices using XML files.	--persistent	√	√
tmm	Displays TMM information, including secure memory usage.	--dev	√	x
tmm	Displays TMM information, including secure memory usage.	--detail	√	x
√: Supported by cVMs or common VMs. x: Not supported by cVMs or common VMs.

Parent topic: Feature Description