Re: [Qemu-devel] [RFC PATCH v2 06/16] sev: add Secure Encrypted Virtulization (SEV) support

["Michael S. Tsirkin" <mst@redhat.com>]

On Thu, Sep 22, 2016 at 10:52:49AM -0400, Brijesh Singh wrote:
>  # $QEMU \
>     -object sev-receive-info,id=launch0,flags.ks=off \
>     -object sev-guest-info,id=sev0,launch=launch0 \
>     -object security-policy,id=secure0,memory-encryption=sev0 \
>     -machine ....,security-policy=secure0

Looks like most of info in a sev object is actually quite generic.
Let's give it readable generic names please, it will be easier to
review then. For example sev-guest-info -> memory-encryption-guest-info,
etc.

+Bit 0 (debug) - Debugging of the guest is disallowed when set
+Bit 1 (ks) - Sharing keys with other guests is disallowed when set
+Bit 2 (reserved) - must be set to 1
+Bit 3 (nosend) - Sending the guest to another platform is disallowed when set
+Bit 4 (domain) - The guest must not be transmitted to another platform that is not in the domain when set
+Bit 5 (sev) - The guest must not be transmitted to another platform that is not SEV capable when set.
+Bit 15:6 (reserved)
+Bit 16:24 (fw_major) - The guest must not be transmitted to another platform that is not SEV capable when set.
+Bit 25:31 (fw_minor) - The guest must not be transmitted to another platform that is not SEV capable when set.

So e.g. ks -> key-sharing=off. Etc.

And please include documentation about what does each of these things
actually do, so we can discuss whether we even need all of these knobs.

For example: key-sharing=off - will this mean that starting two VMs with
same key on same host fails?
But is it ever useful to do allow key sharing?
Etc.

-- 
MST