On 14/09/2016 10:41, Daniel P. Berrange wrote:
>> > Any reason not to pass the sev options themselves through -sev? You can
>> > then use "-readconfig sev-guest.cfg" where sev-guest.cfg contains
>> >
>> > [sev]
>> > type="encrypted"
>> > flags = "00000000"
>> > policy = "000000"
>> > dh_pub_qx = "0123456789abcdef0123456789abcdef"
>> > dh_pub_qy = "0123456789abcdef0123456789abcdef"
>> > nonce = "0123456789abcdef"
>> > vcpu_count = "1"
>> > vcpu_length = "30"
>> > vcpu_mask = "00ab"
> Agreed, it is really preferable to define all the options via
> one command line arg (using -object) and not re-invent external
> config files when QEMU already has generic config file support
To be fair, they _were_ reusing QEMU's config file support. I was
ambivalent regarding using -object vs. creating a new command line,
since this is a singleton object, but indeed it's nicer if the policy is
split to its own object.
The object would be defined like this:
[object "mypolicy"]
qom-type = "sev-policy-encrypted"
dh_pub_qx = "..."
dh_pub_qy = "..."
nonce = "..."
...
and then you also need to add a property to the MachineState. The
property is accessed with -machine, and it creates a link to the policy
object---which also enables sev. In the end you'd have this on the
command line:
-readconfig mypolicy.cfg -machine sev-policy=mypolicy
Thanks,
Paolo
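As an added illustration (not code from the thread or from QEMU), the following reads a `-readconfig`-style fragment laid out as Paolo describes, checks the proposed fields before a guest is launched, and prints the equivalent single `-object` argument that Daniel refers to. The `sev-policy-encrypted` type name and the hex field widths are taken from the proposal in this thread and are assumptions, not a shipped QEMU interface.

```python
import configparser
import re

# Constructed sample in QEMU -readconfig syntax, following the
# [object "mypolicy"] layout from the thread. The qom-type and its fields
# are the thread's proposal, not an existing QEMU object type.
SAMPLE_CFG = '''
[object "mypolicy"]
qom-type = "sev-policy-encrypted"
dh_pub_qx = "0123456789abcdef0123456789abcdef"
dh_pub_qy = "0123456789abcdef0123456789abcdef"
nonce = "0123456789abcdef"
'''

# Assumed field widths (hex digits), inferred from the example values in
# the thread; illustrative only, not the SEV firmware ABI.
HEX_WIDTHS = {"dh_pub_qx": 32, "dh_pub_qy": 32, "nonce": 16}

def parse_objects(text):
    """Return {id: {key: value}} for every [object "id"] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    objs = {}
    for section in cp.sections():
        m = re.fullmatch(r'object\s+"([^"]+)"', section)
        if not m:
            continue  # not an [object "..."] section
        objs[m.group(1)] = {k: v.strip().strip('"') for k, v in cp.items(section)}
    return objs

def validate_policy(props):
    """Check the fields the proposal expects; return a list of problems."""
    problems = []
    if props.get("qom-type") != "sev-policy-encrypted":
        problems.append("unexpected qom-type %r" % props.get("qom-type"))
    for key, width in HEX_WIDTHS.items():
        val = props.get(key)
        if val is None:
            problems.append("missing %s" % key)
        elif not re.fullmatch(r"[0-9a-fA-F]{%d}" % width, val):
            problems.append("%s must be %d hex digits" % (key, width))
    return problems

def to_object_arg(obj_id, props):
    """Equivalent -object argument: QEMU maps [object "id"] to -object type,id=id,..."""
    parts = [props["qom-type"], "id=" + obj_id]
    parts += ["%s=%s" % (k, v) for k, v in props.items() if k != "qom-type"]
    return "-object " + ",".join(parts)

if __name__ == "__main__":
    for oid, props in parse_objects(SAMPLE_CFG).items():
        print(validate_policy(props) or "ok", to_object_arg(oid, props))
```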