Re: [Qemu-devel] [RFC PATCH v4 06/20] core: add new security-policy object

[Brijesh Singh]

On 03/24/2017 10:40 AM, Stefan Hajnoczi wrote:

> Having one security policy doesn't make sense to me.  As mentioned,
> there are many different areas of QEMU that have security relevant
> configuration.  They are all unrelated so combining them into one object
> with vague parameter names like "debug" makes for a confusing
> command-line interface.
>
> If the object is called sev-security-policy then I'm happy.

Works for with me but one of the feedback was to use security-policy [1].
IIRC, the main reason for using 'security-policy' instead of 
'sev-security-policy'
was to add a layer of abstraction so that in future if other platforms supports
memory encryption in slightly different way then all we need to do is to create
new object without needing to add a new parameter in -machine.

[1] http://marc.info/?l=qemu-devel&m=147388592213137&w=2

How about using 'memory-encryption-id' instead of security-policy ? If user 
wants
to launch SEV guest then memory-encryption-id should be set SEV specific object.
Something like this:

-machine ..,memory-encryption-id=sev0 \
-object sev-guest,id=sev,debug=off,launch=launch0 \
-object sev-launch-info,id=launch0 \


Thanks
Brijesh