On 7/21/22 16:29, Daniel P. Berrangé wrote:
> On Thu, Jul 21, 2022 at 04:10:11PM +0200, Michal Prívozník wrote:
>> On 7/21/22 15:24, Daniel P. Berrangé wrote:
>>> On Thu, Jul 21, 2022 at 03:12:05PM +0200, Michal Prívozník wrote:
>>>> On 7/21/22 10:06, Daniel P. Berrangé wrote:
>>>> Agreed. While libvirt can allow /dev/sgx* in CGroups (we do that for
>>>> other devices, including NVDIMM and virtio-pmem types of <memory/>),
>>>> it's more tricky with relabelling.
>>>>
>>>> By default, when available, libvirt creates a separate mount namespace
>>>> for each QEMU process and creates a very small /dev there, with only
>>>> those nodes that QEMU needs. Now, if libvirt is fixed (I have follow up
>>>> patches on top of this series) the /dev/sgx* nodes are created there AND
>>>> I have another patch that sets DAC/SELinux label on them so that uid=0
>>>> is no longer needed. What I worry about though, is the case when this
>>>> namespace feature is disabled. Then libvirt should not touch /dev/sgx*
>>>> because that might compromise security in the system.
>>>
>>> That might in turn require the ability to pass in pre-opened FDs for
>>> the devices to QEMU.
>>
>> Yeah, that might be the perfect solution, but IIUC there's currently no
>> way to achieve that, or is it? Is it something we should do in QEMU first?
>
> The code uses 'qemu_open', so it should be possible already with
> FD passing, by using a /dev/fdset/NNN path.

But there's no attribute that libvirt provides a path to. How does FD
passing work in such a case then? Here's the SGX part of the cmd line:

-object '{"qom-type":"memory-backend-epc","id":"memepc0","prealloc":true,"prealloc-threads":16,"size":16777216,"host-nodes":[0],"policy":"bind"}' \

Michal
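Daniel's point about /dev/fdset/NNN paths, as an added example that is not QEMU's or libvirt's code: a simplified Python model of how a path such as /dev/fdset/7 is resolved to a descriptor the management process already opened and passed in, so the QEMU process itself never opens (and therefore never needs DAC/SELinux access to) the underlying /dev node. The FdSetRegistry class, the access-mode matching rule and qemu_open_like() are assumptions that model, not reproduce, QEMU's own fdset handling.

```python
import fcntl
import os
import re
import tempfile

# Constructed model (not QEMU's code): a manager registers inherited fds
# under a numeric set id; a "/dev/fdset/<id>" path is then satisfied by a
# dup() of a registered fd instead of an open() of a device node.
FDSET_RE = re.compile(r"^/dev/fdset/(\d+)$")


class FdSetRegistry:
    """Hypothetical stand-in for fd sets populated by an -add-fd style step."""

    def __init__(self):
        self._sets = {}  # set id -> list of inherited fds

    def add_fd(self, fd, set_id):
        self._sets.setdefault(set_id, []).append(fd)

    def resolve(self, path, flags):
        """Return a dup of a registered fd whose access mode covers `flags`,
        None if `path` is not an fdset path, or raise if nothing matches."""
        m = FDSET_RE.match(path)
        if m is None:
            return None
        want = flags & os.O_ACCMODE
        for fd in self._sets.get(int(m.group(1)), []):
            have = fcntl.fcntl(fd, fcntl.F_GETFL) & os.O_ACCMODE
            if have == os.O_RDWR or have == want:  # simplified matching rule
                return os.dup(fd)
        raise FileNotFoundError(f"no fd with a matching access mode in {path}")


def qemu_open_like(registry, path, flags):
    """Model of qemu_open(): fdset paths never touch the filesystem."""
    fd = registry.resolve(path, flags)
    return fd if fd is not None else os.open(path, flags)


def demo():
    """Exercise the model on a constructed 'device node' (a temp file)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"epc")
        node = f.name
    reg = FdSetRegistry()
    reg.add_fd(os.open(node, os.O_RDONLY), 7)  # manager opens, then hands over
    os.unlink(node)  # node is gone: only the inherited fd can still reach it
    fd = qemu_open_like(reg, "/dev/fdset/7", os.O_RDONLY)
    data = os.read(fd, 16)
    os.close(fd)
    try:  # asking for more access than the inherited fd carries is refused
        qemu_open_like(reg, "/dev/fdset/7", os.O_RDWR)
        refused = False
    except FileNotFoundError:
        refused = True
    return data, refused
```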