[PATCH v13 0/6] Support query and use SGX

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This patch series provides support for enabling Intel's Software Guard
Extensions (SGX) feature in guest VM.

Giving the SGX support in QEMU had been merged. Intel SGX is a set of
instructions that increases the security of application code and data,
giving them more protection from disclosure or modification.
Developers can partition sensitive information into enclaves, which
are areas of execution in memory with more security protection.

The typical flow looks below at very high level:

1. Calls virConnectGetDomainCapabilities API to domain capabilities
that includes the following SGX information.

<feature>
  ...
  <sgx supported='yes'>
    <flc>no</flc>                                                          
    <sgx1>yes</sgx1>                                                       
    <sgx2>no</sgx2>                                                        
    <section_size>2</section_size>                                         
    <sections>                                                             
      <section node='0' size='1'/>                                         
      <section node='1' size='1'/>                                         
    </sections>  
  </sgx>
  ...
</feature>

2. User requests to start a guest calling virCreateXML() with SGX
requirement. It supports both non-NUMA SGX interface in QEMU 6.2.0
and NUMA SGX interface in QEMU 7.0.0 and later version.

Without NUMA info:
<devices>
  ...
  <memory model='sgx-epc'>
    <target>
      <size unit='KiB'>N</size>
    </target>
  </memory>
  ...
</devices>

With NUMA info:
<devices>
  ...
  <memory model='sgx-epc'>
    <source>
      <nodemask>0-1</nodemask>
    </source>
    <target>
      <size unit='KiB'>16384</size>
      <node>0</node>
    </target>
  </memory>
  ...
</devices>

Please note that it assumes EPC target node in guest VM (.node
attribute) is not required in SGX related parameter in QEMU command
if QEMU didn't provide any SGX NUMA info, like QEMU 6.2.0 version.

Haibin Huang (4):
  Define SGX capabilities structs
  Get SGX capabilities form QMP
  Convert QMP capabilities to domain capabilities
  conf: expose SGX feature in domain capabilities

Lin Yang (2):
  conf: Introduce SGX EPC element into device memory xml
  qemu: Add command-line to generate SGX EPC memory backend

 docs/formatdomain.rst                         |  27 +-
 docs/formatdomaincaps.rst                     |  40 +++
 src/conf/domain_capabilities.c                |  58 ++++
 src/conf/domain_capabilities.h                |  24 ++
 src/conf/domain_conf.c                        |  27 ++
 src/conf/domain_conf.h                        |   1 +
 src/conf/domain_validate.c                    |   9 +
 src/conf/schemas/domaincaps.rng               |  42 +++
 src/conf/schemas/domaincommon.rng             |   1 +
 src/libvirt_private.syms                      |   1 +
 src/qemu/qemu_alias.c                         |   6 +-
 src/qemu/qemu_capabilities.c                  | 258 ++++++++++++++++++
 src/qemu/qemu_capabilities.h                  |   4 +
 src/qemu/qemu_command.c                       |  87 +++++-
 src/qemu/qemu_domain.c                        |  48 +++-
 src/qemu/qemu_domain_address.c                |   6 +
 src/qemu/qemu_driver.c                        |   1 +
 src/qemu/qemu_monitor.c                       |  10 +
 src/qemu/qemu_monitor.h                       |   3 +
 src/qemu/qemu_monitor_json.c                  | 154 ++++++++++-
 src/qemu/qemu_monitor_json.h                  |   4 +
 src/qemu/qemu_process.c                       |   2 +
 src/qemu/qemu_validate.c                      |   8 +
 src/security/security_apparmor.c              |   1 +
 src/security/security_dac.c                   |   2 +
 src/security/security_selinux.c               |   2 +
 tests/domaincapsdata/bhyve_basic.x86_64.xml   |   1 +
 tests/domaincapsdata/bhyve_fbuf.x86_64.xml    |   1 +
 tests/domaincapsdata/bhyve_uefi.x86_64.xml    |   1 +
 tests/domaincapsdata/empty.xml                |   1 +
 tests/domaincapsdata/libxl-xenfv.xml          |   1 +
 tests/domaincapsdata/libxl-xenpv.xml          |   1 +
 .../domaincapsdata/qemu_2.11.0-q35.x86_64.xml |   1 +
 .../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml |   1 +
 tests/domaincapsdata/qemu_2.11.0.s390x.xml    |   1 +
 tests/domaincapsdata/qemu_2.11.0.x86_64.xml   |   1 +
 .../domaincapsdata/qemu_2.12.0-q35.x86_64.xml |   1 +
 .../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml |   1 +
 .../qemu_2.12.0-virt.aarch64.xml              |   1 +
 tests/domaincapsdata/qemu_2.12.0.aarch64.xml  |   1 +
 tests/domaincapsdata/qemu_2.12.0.ppc64.xml    |   1 +
 tests/domaincapsdata/qemu_2.12.0.s390x.xml    |   1 +
 tests/domaincapsdata/qemu_2.12.0.x86_64.xml   |   1 +
 .../domaincapsdata/qemu_3.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_3.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_3.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_3.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_3.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_3.1.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_3.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_4.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_4.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_4.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_4.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_4.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_4.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.2.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml  |   1 +
 .../qemu_4.2.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_4.2.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_4.2.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_4.2.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_4.2.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_5.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_5.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_5.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_5.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_5.1.0.sparc.xml     |   1 +
 tests/domaincapsdata/qemu_5.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.2.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml  |   1 +
 .../qemu_5.2.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_5.2.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_5.2.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_5.2.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_5.2.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_6.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_6.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_6.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_6.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_6.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_6.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_6.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_6.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_6.2.0-q35.x86_64.xml  |   6 +
 .../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml  |   6 +
 .../qemu_6.2.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_6.2.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_6.2.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_6.2.0.x86_64.xml    |   6 +
 .../domaincapsdata/qemu_7.0.0-q35.x86_64.xml  |  10 +
 .../domaincapsdata/qemu_7.0.0-tcg.x86_64.xml  |  10 +
 .../qemu_7.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_7.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_7.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_7.0.0.x86_64.xml    |  10 +
 .../domaincapsdata/qemu_7.1.0-q35.x86_64.xml  |  10 +
 .../domaincapsdata/qemu_7.1.0-tcg.x86_64.xml  |  10 +
 tests/domaincapsdata/qemu_7.1.0.x86_64.xml    |  10 +
 .../caps_6.2.0.x86_64.replies                 |  30 +-
 .../caps_6.2.0.x86_64.xml                     |   7 +
 .../caps_7.0.0.x86_64.replies                 |  34 ++-
 .../caps_7.0.0.x86_64.xml                     |  11 +
 .../caps_7.1.0.x86_64.replies                 |  34 ++-
 .../caps_7.1.0.x86_64.xml                     |  11 +
 .../sgx-epc-numa.x86_64-latest.args           |  40 +++
 tests/qemuxml2argvdata/sgx-epc-numa.xml       |  50 ++++
 .../sgx-epc.x86_64-6.2.0.args                 |  37 +++
 tests/qemuxml2argvdata/sgx-epc.xml            |  36 +++
 tests/qemuxml2argvtest.c                      |   3 +
 .../sgx-epc-numa.x86_64-latest.xml            |  64 +++++
 .../sgx-epc.x86_64-6.2.0.xml                  |  52 ++++
 tests/qemuxml2xmltest.c                       |   3 +
 124 files changed, 1349 insertions(+), 42 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/sgx-epc-numa.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/sgx-epc-numa.xml
 create mode 100644 tests/qemuxml2argvdata/sgx-epc.x86_64-6.2.0.args
 create mode 100644 tests/qemuxml2argvdata/sgx-epc.xml
 create mode 100644 tests/qemuxml2xmloutdata/sgx-epc-numa.x86_64-latest.xml
 create mode 100644 tests/qemuxml2xmloutdata/sgx-epc.x86_64-6.2.0.xml

-- 
2.25.1




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux