Re: [Qemu-devel] [RFC PATCH v1 05/22] i386: add new option to enable SEV guest

[Paolo Bonzini]

On 14/09/2016 10:41, Daniel P. Berrange wrote:
>> > Any reason not to pass the sev options themselves through -sev?  You can
>> > then use "-readconfig sev-guest.cfg" where sev-guest.cfg contains
>> > 
>> >    [sev]
>> >    type="encrypted"
>> >    flags = "00000000"
>> >    policy  = "000000"
>> >    dh_pub_qx = "0123456789abcdef0123456789abcdef"
>> >    dh_pub_qy = "0123456789abcdef0123456789abcdef"
>> >    nonce = "0123456789abcdef"
>> >    vcpu_count = "1"
>> >    vcpu_length = "30"
>> >    vcpu_mask = "00ab"
> Agreed, it is really preferrable to define all the options via
> one command line arg (using -object) and not re-invent external
> config files when QEMU already has generic config file support

To be fair, they _were_ reusing QEMU's config file support.  I was
ambivalent regarding using -object vs. creating a new command line,
since this is a singleton object, but indeed it's nicer if the policy is
split to its own object.

The object would be defined like this:

     [object "mypolicy"]
     qom-type = "sev-policy-encrypted"
     dh_pub_qx = "..."
     dh_pub_qy = "..."
     nonce = "..."
     ...

and then you also need to add a property to the MachineState.  The
property is accessed with -machine, and it creates a link to the policy
object---which also enables sev.  In the end you'd have this on the
command line:

    -readconfig mypolicy.cfg -machine sev-policy=mypolicy

Thanks,

Paolo