On 2/8/22 06:21, Haibin Huang wrote:
> Because the 5th patch was sent by mistake, so replace the 5th patch and
> send it again.
>
> This patch series provides support for enabling Intel's Software
> Guard Extensions (SGX) feature in guest VM.
> Giving the SGX support in QEMU had been merged. Intel SGX is a
> set of instructions that increases the security of application code
> and data, giving them more protection from disclosure or modification.
> Developers can partition sensitive information into enclaves, which
> are areas of execution in memory with more security protection.
>
> It depends on QEMU fixing[1], which will move cpu QOM object from
> /machine/unattached/device[nn] to /machine/cpu[nn]. It requires libvirt
> to change the default cpu QOM object location once QEMU patch gets
> accepted, but it is out of this SGX patch scope.
>
> The typical flow looks below at very high level:
>
> 1. Calls virConnectGetDomainCapabilities API to domain capabilities
>    that includes the following SGX information.
>
>      <feature>
>        ...
>        <sgx supported='yes'>
>          <epc_size unit='KiB'>N</epc_size>
>        </sgx>
>        ...
>      </feature>
>
> 2. User requests to start a guest calling virCreateXML() with SGX
>    requirement. It does not support NUMA yet, since latest QEMU 6.2
>    release does not support NUMA.
>    It should contain
>
>      <devices>
>        ...
>        <memory model='sgx-epc'>
>          <target>
>            <size unit='KiB'>N</size>
>          </target>
>        </memory>
>        ...
>      </devices>
>
> [1] https://lists.nongnu.org/archive/html/qemu-devel/2022-01/msg03534.html
>
> Haibin Huang (3):
>   qemu: provide support to query the SGX capability
>   conf: expose SGX feature in domain capabilities
>   Add unit test for domaincapsdata sgx
>
> Lin Yang (2):
>   conf: Introduce SGX EPC element into device memory xml
>   Update default CPU location in qemu QOM tree
>

Hey,

so I've done review and found mostly small issues. I would squash them in and push, but the point I'm raising in 5/5 (about -M vs -machine) ruined my confidence in doing so.

Nevertheless, I've uploaded the changes I would make here:

https://gitlab.com/MichalPrivoznik/libvirt/-/commits/sgx/

I hope you'll find it helpful.

Michal