
Re: [Qemu-devel] [RFC PATCH v1 05/22] i386: add new option to enable SEV


From: Paolo Bonzini
Subject: Re: [Qemu-devel] [RFC PATCH v1 05/22] i386: add new option to enable SEV guest
Date: Wed, 14 Sep 2016 11:11:51 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0


On 14/09/2016 10:41, Daniel P. Berrange wrote:
>> > Any reason not to pass the sev options themselves through -sev?  You can
>> > then use "-readconfig sev-guest.cfg" where sev-guest.cfg contains
>> > 
>> >    [sev]
>> >    type="encrypted"
>> >    flags = "00000000"
>> >    policy  = "000000"
>> >    dh_pub_qx = "0123456789abcdef0123456789abcdef"
>> >    dh_pub_qy = "0123456789abcdef0123456789abcdef"
>> >    nonce = "0123456789abcdef"
>> >    vcpu_count = "1"
>> >    vcpu_length = "30"
>> >    vcpu_mask = "00ab"
> Agreed, it is really preferable to define all the options via
> one command line arg (using -object) and not re-invent external
> config files when QEMU already has generic config file support

To be fair, they _were_ reusing QEMU's config file support.  I was
ambivalent regarding using -object vs. creating a new command line,
since this is a singleton object, but indeed it's nicer if the policy is
split to its own object.

The object would be defined like this:

     [object "mypolicy"]
     qom-type = "sev-policy-encrypted"
     dh_pub_qx = "..."
     dh_pub_qy = "..."
     nonce = "..."
     ...

and then you also need to add a property to the MachineState.  The
property is accessed with -machine, and it creates a link to the policy
object---which also enables sev.  In the end you'd have this on the
command line:

    -readconfig mypolicy.cfg -machine sev-policy=mypolicy

Thanks,

Paolo
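The two-step mechanism sketched above (an `[object "id"]` section in a `-readconfig` file, then `-machine sev-policy=id` linking the machine to it) is easy to get wrong in a way that silently leaves SEV off, for example when the id in `-machine` does not match any object section. The following is an added example, not QEMU code and not part of the thread: a small parser for QEMU's `[group "id"]` / `key = "value"` config syntax plus a check that resolves the `sev-policy` link the way the proposed property would. The `sev-policy-encrypted` type name and the `sev-policy` machine property are the proposal from this thread, not existing QEMU identifiers; the key values in `SAMPLE_CFG` are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in -readconfig syntax, laid out as in the mail above.
# "sev-policy-encrypted" is the qom-type proposed in the thread, not a type
# that exists in QEMU; the hex values are placeholders, not real key material.
SAMPLE_CFG = """\
[object "mypolicy"]
qom-type = "sev-policy-encrypted"
dh_pub_qx = "0123456789abcdef0123456789abcdef"
dh_pub_qy = "0123456789abcdef0123456789abcdef"
nonce = "0123456789abcdef"
"""

SECTION_RE = re.compile(r'^\[([A-Za-z_][\w-]*)(?:\s+"([^"]*)")?\]$')
KEYVAL_RE = re.compile(r'^([\w.-]+)\s*=\s*"([^"]*)"$')
HEX_RE = re.compile(r'^[0-9a-fA-F]+$')

Section = Tuple[str, Optional[str], Dict[str, str]]


def parse_readconfig(text: str) -> List[Section]:
    """Parse QEMU-style config text into (group, id, options) triples.

    Sections look like [object "mypolicy"] or [sev]; options are key = "value".
    Blank lines and '#' comments are skipped; anything else is an error.
    """
    sections: List[Section] = []
    current: Optional[Section] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), {})
            sections.append(current)
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            current[2][m.group(1)] = m.group(2)
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return sections


def resolve_sev_policy(sections: List[Section], machine_opts: str) -> Dict[str, str]:
    """Emulate the link that -machine sev-policy=<id> would create.

    Returns the policy object's options when the link resolves to a usable
    SEV policy object; raises ValueError otherwise, so a dangling or
    mistyped id is caught instead of quietly running an unencrypted guest.
    """
    opts = dict(kv.split("=", 1) for kv in machine_opts.split(",") if "=" in kv)
    target = opts.get("sev-policy")
    if target is None:
        raise ValueError("no sev-policy= in -machine: SEV stays disabled")
    for group, ident, props in sections:
        if group == "object" and ident == target:
            break
    else:
        raise ValueError(f'-machine sev-policy={target}: no [object "{target}"] section')
    qom_type = props.get("qom-type", "")
    if not qom_type.startswith("sev-policy-"):
        raise ValueError(f'object "{target}" has qom-type {qom_type!r}, not a SEV policy')
    # The DH public key halves and the nonce must be present and be even-length hex.
    for key in ("dh_pub_qx", "dh_pub_qy", "nonce"):
        value = props.get(key)
        if value is None or not HEX_RE.match(value) or len(value) % 2:
            raise ValueError(f'object "{target}": {key} missing or not even-length hex')
    return props


if __name__ == "__main__":
    policy = resolve_sev_policy(parse_readconfig(SAMPLE_CFG), "sev-policy=mypolicy")
    print("linked policy:", policy["qom-type"])
```

The parser only covers the subset of the syntax shown in the mail (quoted values, one section id); the point is the second function, which treats a `sev-policy` id that does not resolve as a hard error rather than as "SEV not requested".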
