qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [RFC PATCH v2 06/16] sev: add Secure Encrypted Virtuliz


From: Michael S. Tsirkin
Subject: Re: [Qemu-devel] [RFC PATCH v2 06/16] sev: add Secure Encrypted Virtulization (SEV) support
Date: Thu, 22 Sep 2016 22:51:26 +0300

On Thu, Sep 22, 2016 at 10:52:49AM -0400, Brijesh Singh wrote:
>  # $QEMU \
>     -object sev-receive-info,id=launch0,flags.ks=off \
>     -object sev-guest-info,id=sev0,launch=launch0 \
>     -object security-policy,id=secure0,memory-encryption=sev0 \
>     -machine ....,security-policy=secure0

Looks like most of info in a sev object is actually quite generic.
Let's give it readable generic names please, it will be easier to
review then. For example sev-guest-info -> memory-encryption-guest-info,
etc.

+Bit 0 (debug) - Debugging of the guest is disallowed when set
+Bit 1 (ks) - Sharing keys with other guests is disallowed when set
+Bit 2 (reserved) - must be set to 1
+Bit 3 (nosend) - Sending the guest to another platform is disallowed when set
+Bit 4 (domain) - The guest must not be transmitted to another platform that is 
not in the domain when set
+Bit 5 (sev) - The guest must not be transmitted to another platform that is 
not SEV capable when set.
+Bit 15:6 (reserved)
+Bit 16:24 (fw_major) - The guest must not be transmitted to another platform 
that is not SEV capable when set.
+Bit 25:31 (fw_minor) - The guest must not be transmitted to another platform 
that is not SEV capable when set.

So e.g. ks -> key-sharing=off. Etc.

And please include documentation about what does each of these things
actually do, so we can discuss whether we even need all of these knobs.

For example: key-sharing=off - will this mean that starting two VMs with
same key on same host fails?
But is it ever useful to do allow key sharing?
Etc.

-- 
MST



reply via email to

[Prev in Thread] Current Thread [Next in Thread]