From: "Daniel P. Berrange"
Date: Wed, 14 Sep 2016 09:41:10 +0100
To: Paolo Bonzini
Cc: Brijesh Singh, ehabkost@redhat.com, crosthwaite.peter@gmail.com, armbru@redhat.com, mst@redhat.com, p.fedin@samsung.com, qemu-devel@nongnu.org, lcapitulino@redhat.com, rth@twiddle.net
Subject: Re: [Qemu-devel] [RFC PATCH v1 05/22] i386: add new option to enable SEV guest
Message-ID: <20160914084110.GE28399@redhat.com>
In-Reply-To: <7e358d25-a22f-0c31-798c-c7f0c2f1d38c@redhat.com>
References: <147377800565.11859.4411044563640180545.stgit@brijesh-build-machine> <147377805350.11859.16913701772043413471.stgit@brijesh-build-machine> <7e358d25-a22f-0c31-798c-c7f0c2f1d38c@redhat.com>

On Wed, Sep 14, 2016 at 12:41:59AM +0200, Paolo Bonzini wrote:
> 
> 
> On 13/09/2016 16:47, Brijesh Singh wrote:
> > The patch adds '-sev' option to enable the Secure Encrypted
> > Virtualization (SEV) guest. If this option is specified, Qemu
> > assumes that user wants to launch this guest into SEV mode.
> > 
> > Here are examples of how to launch a guest into SEV mode.
> > 
> > 1) late launch: in this mode the images received from guest
> > owner are unencrypted and must be encrypted using SEV LAUNCH command
> > before starting the guest.
> > 
> > $ qemu -sev type=unencrypted config=guest_01.conf
> > 
> > 2) pre-encrypted: in this mode the images received from guest
> > owners are encrypted using transport keys. They must be re-encrypted
> > using SEV RECEIVE commands before starting the guest.
> > 
> > $ qemu -sev type=encrypted config=guest_02.conf
> > 
> > The config file will contain various parameters (e.g. key, policy)
> > required during guest launch process.
> 
> Any reason not to pass the sev options themselves through -sev? You can
> then use "-readconfig sev-guest.cfg" where sev-guest.cfg contains
> 
> [sev]
> type="encrypted"
> flags = "00000000"
> policy = "000000"
> dh_pub_qx = "0123456789abcdef0123456789abcdef"
> dh_pub_qy = "0123456789abcdef0123456789abcdef"
> nonce = "0123456789abcdef"
> vcpu_count = "1"
> vcpu_length = "30"
> vcpu_mask = "00ab"

Agreed, it is really preferable to define all the options via one
command line arg (using -object) and not re-invent external config
files when QEMU already has generic config file support.

Regards,
Daniel
-- 
|: http://berrange.com      -o-      http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
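The two representations discussed above (a `-readconfig` section versus a single `-object` argument) carry the same key/value set, so the one can be generated from the other. The following is an added example by the editor, not code from the QEMU project or from anyone in this thread: it parses the INI-like syntax `-readconfig` accepts (`[group]` or `[group "id"]` headers, `key = "value"` entries, whole-line `#` comments), checks that the hex-encoded fields have the widths the sample config implies, and emits the equivalent `-object` argument. The object type name `sev-guest`, the field widths and the embedded sample config are assumptions for illustration; the thread fixes none of them.

```python
"""Turn a -readconfig style [sev] section into one -object argument.

Added example (editor's code, not QEMU's). The section/entry grammar
follows the format QEMU's -readconfig parses; the QOM type name
'sev-guest' and the expected hex widths are assumptions, not values
taken from the thread or any SEV specification.
"""
import re
import shlex

# [group] or [group "id"], exactly as -readconfig section headers look
SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')
# key = "value"; the value may be empty
ENTRY_RE = re.compile(r'^(\w[\w.-]*)\s*=\s*"([^"]*)"$')

# Assumption: widths (hex characters) read off the sample values
# quoted in the thread, so malformed keys/nonces are caught before
# they reach a launch command rather than silently truncated.
HEX_FIELDS = {
    "flags": 8, "policy": 6, "dh_pub_qx": 32, "dh_pub_qy": 32,
    "nonce": 16, "vcpu_mask": 4,
}

# Constructed sample: mirrors the [sev] block quoted by Paolo above.
SAMPLE_CONFIG = """\
# sev-guest.cfg (constructed for this example)
[sev]
type = "encrypted"
flags = "00000000"
policy = "000000"
dh_pub_qx = "0123456789abcdef0123456789abcdef"
dh_pub_qy = "0123456789abcdef0123456789abcdef"
nonce = "0123456789abcdef"
vcpu_count = "1"
vcpu_length = "30"
vcpu_mask = "00ab"
"""


def parse_readconfig(text):
    """Return a list of (group, id_or_None, {key: value}) sections.

    Unparseable lines raise rather than being skipped, so a typo in a
    key cannot quietly drop a security-relevant parameter.
    """
    sections = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), {})
            sections.append(current)
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current[2][m.group(1)] = m.group(2)
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return sections


def validate_hex(props):
    """Return a list of problems with the hex fields (empty if all good)."""
    problems = []
    for key, width in HEX_FIELDS.items():
        val = props.get(key)
        if val is None:
            problems.append(f"{key}: missing")
        elif len(val) != width or not re.fullmatch(r"[0-9a-fA-F]+", val):
            problems.append(f"{key}: expected {width} hex chars, got {val!r}")
    return problems


def to_object_arg(section, qom_type="sev-guest"):
    """Render one section as a -object argument: type,id=...,k=v,..."""
    group, obj_id, props = section
    parts = [qom_type, f"id={obj_id or group}"]
    for key, value in props.items():
        # A comma inside a value would split the option list; QEMU's
        # option parser takes ',,' as a literal comma, so escape it.
        parts.append(f"{key}={value.replace(',', ',,')}")
    return ",".join(parts)


def build_command(config_text):
    """Return argv for the -object form of the config, or raise ValueError."""
    sev = [s for s in parse_readconfig(config_text) if s[0] == "sev"]
    if len(sev) != 1:
        raise ValueError(f"expected exactly one [sev] section, found {len(sev)}")
    problems = validate_hex(sev[0][2])
    if problems:
        raise ValueError("; ".join(problems))
    return ["qemu-system-x86_64", "-object", to_object_arg(sev[0])]


if __name__ == "__main__":
    print(shlex.join(build_command(SAMPLE_CONFIG)))
```

Running it prints a single `qemu-system-x86_64 -object sev-guest,id=sev,type=encrypted,...` line, which is the shape Daniel argues for: the same parameters, but carried by the generic object machinery instead of a bespoke `config=` file.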