IBM Z (s390x) has been supporting confidential virtual machines for a few years now. It is a Linux-first feature, fully supported by KVM and Qemu. This presentation will introduce the technology, the architectural extensions, the typical lifecycle of host and guest, the unique features, and how KVM and Qemu have been adapted to support it. Some of the interesting and unique features covered in the presentation are: * allowing for swapping guest memory in the host * not requiring encryption of guest memory when running * implicit attestation * explicit attestation * secure dumps The lifecycle of a secure guest will be presented including all interactions among the guest, the host, the trusted hardware/firmware (Ultravisor), and the attestation agent.