From: Paolo Bonzini <pbonzini@redhat.com>
To: Brijesh Singh <brijesh.singh@amd.com>,
ehabkost@redhat.com, crosthwaite.peter@gmail.com,
armbru@redhat.com, mst@redhat.com, p.fedin@samsung.com,
qemu-devel@nongnu.org, lcapitulino@redhat.com, rth@twiddle.net
Subject: Re: [Qemu-devel] [RFC PATCH v2 06/16] sev: add Secure Encrypted Virtulization (SEV) support
Date: Thu, 22 Sep 2016 17:12:39 +0200 [thread overview]
Message-ID: <69f9cab5-e2dd-0461-8857-64cfa4bb7e8e@redhat.com> (raw)
In-Reply-To: <147455596937.8519.6403549430047219068.stgit@brijesh-build-machine>
On 22/09/2016 16:52, Brijesh Singh wrote:
> to launch unencrypted SEV guest:
> # $QEMU \
> -object sev-launch-info,id=launch0,flags.ks=off \
> -object sev-guest-info,id,sev0,launch=launch0 \
> -object security-policy,id=secure0,memory-encryption=sev0 \
> -machine ....,security-policy=secure0
>
> - sev-receive-info: provides the properties to set/get parameters required
> to launch encrypted SEV guest.
>
> In this mode the boot images received from the guest owner are
> pre-encrypted with owners transport keys. The SEV guest boot process
> would re-encrypt the images using guest owner's key.
>
> to launch encrypted SEV guest:
>
> # $QEMU \
> -object sev-receive-info,id=launch0,flags.ks=off \
> -object sev-guest-info,id=sev0,launch=launch0 \
> -object security-policy,id=secure0,memory-encryption=sev0 \
> -machine ....,security-policy=secure0
>
> - sev-policy-info: provides properties to get/set SEV specific policy
> parameters required by SEV launch and migrate objects.
>
> e.g to disable key share during encrypted launch.
> # $QEMU \
> -object sev-policy-info,id=policy0,ks=off \
> -object sev-launch-info,id=sev0,policy=policy0 \
> .....
>
> sev-policy should be provided by the guest owner.
>
> - sev-guest-info: provides properties to set SEV guest launch object id
> used during guest launch.
>
> to use encrypted guest launch
> # $QEMU \
> -object sev-receive-info,id=launch0 \
> -object sev-send-info,id=send0 \
> -object sev-guest-info,id=sev0,launch=launch0,send=send0 \
> .....
>
References to other objects should be implemented as link properties
(e.g. with type 'link<sev-guest-info>'). Then QOM takes care of filling
in a QSEVGuestInfo* with the pointer to an object with the right id.
There is some redundancy (e.g. "flags.ks" in launch/receive vs. "ks" in
policy). Can you document the full model in
docs/amd-memory-encryption.txt? It's not necessary to include the
kernel API documentation.
Paolo
next prev parent reply other threads:[~2016-09-22 15:12 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-22 14:51 [Qemu-devel] [RFC PATCH v2 00/16] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2016-09-22 14:52 ` [Qemu-devel] [RFC PATCH v2 01/16] memattrs: add debug attrs Brijesh Singh
2016-09-22 14:52 ` [Qemu-devel] [RFC PATCH v2 02/16] exec: add guest RAM read and write ops Brijesh Singh
2016-09-22 15:22 ` Paolo Bonzini
2016-09-22 14:52 ` [Qemu-devel] [RFC PATCH v2 03/16] exec: add debug version of physical memory read and write apis Brijesh Singh
2016-09-22 15:21 ` Paolo Bonzini
2016-09-22 14:52 ` [Qemu-devel] [RFC PATCH v2 04/16] monitor: use debug version of memory access apis Brijesh Singh
2016-09-22 15:18 ` Paolo Bonzini
2016-09-22 19:24 ` Michael S. Tsirkin
2016-09-22 20:55 ` Brijesh Singh
2016-09-22 14:52 ` [Qemu-devel] [RFC PATCH v2 05/16] core: add new security-policy object Brijesh Singh
2016-09-22 14:52 ` [Qemu-devel] [RFC PATCH v2 06/16] sev: add Secure Encrypted Virtulization (SEV) support Brijesh Singh
2016-09-22 15:12 ` Paolo Bonzini [this message]
2016-09-22 21:12 ` Brijesh Singh
2016-09-22 21:57 ` Michael S. Tsirkin
2016-09-22 19:51 ` Michael S. Tsirkin
2016-09-22 14:52 ` [Qemu-devel] [RFC PATCH v2 07/16] hmp: display memory encryption support in 'info kvm' Brijesh Singh
2016-09-22 15:32 ` Eric Blake
2016-09-22 14:53 ` [Qemu-devel] [RFC PATCH v2 08/16] core: loader: create memory encryption context before copying data Brijesh Singh
2016-09-22 14:53 ` [Qemu-devel] [RFC PATCH v2 09/16] sev: add LAUNCH_START command Brijesh Singh
2016-09-22 14:53 ` [Qemu-devel] [RFC PATCH v2 10/16] sev: add LAUNCH_UPDATE command Brijesh Singh
2016-09-22 14:53 ` [Qemu-devel] [RFC PATCH v2 11/16] sev: add LAUNCH_FINISH command Brijesh Singh
2016-09-22 14:53 ` [Qemu-devel] [RFC PATCH v2 12/16] sev: add DEBUG_DECRYPT command Brijesh Singh
2016-09-22 14:54 ` [Qemu-devel] [RFC PATCH v2 13/16] sev: add DEBUG_ENCRYPT command Brijesh Singh
2016-09-22 14:54 ` [Qemu-devel] [RFC PATCH v2 14/16] i386: set memory encryption ops for PC.BIOS and PC.RAM regions Brijesh Singh
2016-09-22 14:54 ` [Qemu-devel] [RFC PATCH v2 15/16] target-i386: add cpuid Fn8000_001f Brijesh Singh
2016-09-22 14:54 ` [Qemu-devel] [RFC PATCH v2 16/16] i386: clear C-bit in SEV guest page table walk Brijesh Singh
2016-09-22 15:53 ` [Qemu-devel] [RFC PATCH v2 00/16] x86: Secure Encrypted Virtualization (AMD) no-reply
2016-09-22 15:54 ` no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69f9cab5-e2dd-0461-8857-64cfa4bb7e8e@redhat.com \
--to=pbonzini@redhat.com \
--cc=armbru@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=crosthwaite.peter@gmail.com \
--cc=ehabkost@redhat.com \
--cc=lcapitulino@redhat.com \
--cc=mst@redhat.com \
--cc=p.fedin@samsung.com \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).