[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [RFC PATCH v4 06/20] core: add new security-policy obje

From: Brijesh Singh
Subject: Re: [Qemu-devel] [RFC PATCH v4 06/20] core: add new security-policy object
Date: Thu, 23 Mar 2017 13:59:48 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0

Hi Stefan,

On 03/23/2017 06:35 AM, Stefan Hajnoczi wrote:
On Wed, Mar 08, 2017 at 03:52:09PM -0500, Brijesh Singh wrote:
The object can be used to define global security policy for the guest.

"security-policy" is very vague.  Lots of parts of QEMU have security
related options (e.g. VNC display, networking, etc).

I'd prefer a
-machine memory-encryption=on|off,memory-encryption-debug=on|off
or -m encryption=on|off,encryption-debug=on|off switch instead of a new
security policy object with questionable scope.

In v1 [1], I had something similar but not exactly the same. I had a new command
line switch but the overall feedback was to consider creating new security 
which can be used to define a machine security policy.

[1] http://marc.info/?t=147378617700002&r=1&w=2

some more discussion here [2]

[2] http://marc.info/?t=147378241700011&r=1&w=2

IMHO, a new object is helpful because it provide options to launch a guest 
memory encryption support but still can take a advantage of disabling the debug
feature. e.g on non SEV platform we can launch guest with "-object 
which will reject the guest memory accesses via gdbstub or qemu monitor command 
line interface.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]