> Well, as discussed with Daniel earlier, libvirt creates a separate mount
> namespace for each QEMU and inside it creates a very thin /dev with only a
> handful of nodes (per guest config). And what my patch does (and what we
> already do for /dev/sev) is mknod() /dev/sgx_provision and /dev/sgx_vepc inside
> that thin /dev and chown() it to the user under which QEMU is about to run.
>
> This namespace feature can be turned off though, in which case libvirt won't
> chown() those files (well, my patch is written that way). I think this is an
> acceptable trade-off between security and usability. Namespaces are enabled by
> default (if the kernel supports them).
>
> Alright, so here's what we'll do. I'll polish my patches, fix up yours and send for
> review. Does this work for you?

Definitely yes! This is awesome! Really appreciated your help.
Good to know libvirt creates a separate mount namespace and a thin /dev for each QEMU.

Lin.