[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [RFC PATCH v2 06/16] sev: add Secure Encrypted Virtuliz
From: |
Michael S. Tsirkin |
Subject: |
Re: [Qemu-devel] [RFC PATCH v2 06/16] sev: add Secure Encrypted Virtulization (SEV) support |
Date: |
Thu, 22 Sep 2016 22:51:26 +0300 |
On Thu, Sep 22, 2016 at 10:52:49AM -0400, Brijesh Singh wrote:
> # $QEMU \
> -object sev-receive-info,id=launch0,flags.ks=off \
> -object sev-guest-info,id=sev0,launch=launch0 \
> -object security-policy,id=secure0,memory-encryption=sev0 \
> -machine ....,security-policy=secure0
Looks like most of info in a sev object is actually quite generic.
Let's give it readable generic names please, it will be easier to
review then. For example sev-guest-info -> memory-encryption-guest-info,
etc.
+Bit 0 (debug) - Debugging of the guest is disallowed when set
+Bit 1 (ks) - Sharing keys with other guests is disallowed when set
+Bit 2 (reserved) - must be set to 1
+Bit 3 (nosend) - Sending the guest to another platform is disallowed when set
+Bit 4 (domain) - The guest must not be transmitted to another platform that is
not in the domain when set
+Bit 5 (sev) - The guest must not be transmitted to another platform that is
not SEV capable when set.
+Bit 15:6 (reserved)
+Bit 16:24 (fw_major) - The guest must not be transmitted to another platform
that is not SEV capable when set.
+Bit 25:31 (fw_minor) - The guest must not be transmitted to another platform
that is not SEV capable when set.
So e.g. ks -> key-sharing=off. Etc.
And please include documentation about what does each of these things
actually do, so we can discuss whether we even need all of these knobs.
For example: key-sharing=off - will this mean that starting two VMs with
same key on same host fails?
But is it ever useful to do allow key sharing?
Etc.
--
MST
- Re: [Qemu-devel] [RFC PATCH v2 03/16] exec: add debug version of physical memory read and write apis, (continued)
- [Qemu-devel] [RFC PATCH v2 07/16] hmp: display memory encryption support in 'info kvm', Brijesh Singh, 2016/09/22
- [Qemu-devel] [RFC PATCH v2 08/16] core: loader: create memory encryption context before copying data, Brijesh Singh, 2016/09/22
- [Qemu-devel] [RFC PATCH v2 09/16] sev: add LAUNCH_START command, Brijesh Singh, 2016/09/22
- [Qemu-devel] [RFC PATCH v2 10/16] sev: add LAUNCH_UPDATE command, Brijesh Singh, 2016/09/22
- [Qemu-devel] [RFC PATCH v2 11/16] sev: add LAUNCH_FINISH command, Brijesh Singh, 2016/09/22
- [Qemu-devel] [RFC PATCH v2 12/16] sev: add DEBUG_DECRYPT command, Brijesh Singh, 2016/09/22
- [Qemu-devel] [RFC PATCH v2 13/16] sev: add DEBUG_ENCRYPT command, Brijesh Singh, 2016/09/22
- [Qemu-devel] [RFC PATCH v2 14/16] i386: set memory encryption ops for PC.BIOS and PC.RAM regions, Brijesh Singh, 2016/09/22
- [Qemu-devel] [RFC PATCH v2 15/16] target-i386: add cpuid Fn8000_001f, Brijesh Singh, 2016/09/22