[no subject]

===Trademark approval===

N/A

===Alignment with the Fedora Strategy===

This aligns with

* '''"Reaching the world"'''. Including SGX will make the Fedora
support for hosting Intel TDX confidential virtual machines feature
complete, by enabling attestation by the guest owner.
* '''"Innovation & leadership in technology"'''. SGX is a general
purpose infrastructure technology which enables application developers
to build systems to securely run sensitive workloads. Confidential
virtual machines are expected to become a standard part of the public
cloud in the coming years, as well as make inroads into private clouds
in large organizations. As noted earlier, SGX unlocks the ability to
ship TDX confidential VM technology in future Fedora.

== Upgrade/compatibility impact ==

This is a new package set which should not have any upgrade impact, as
it will not initially be a dependency of other software. In future it
may be pulled in automatically as a dependency in certain KVM
deployment scenarios. Even when installed, using anything related to
SGX first requires host firmware changes to enable use of the
technology. The systemd services provided have their unit files
conditionalized on the existence of '''/dev/sgx_enclave''' device
nodes.

== Early Testing (Optional) ==

Do you require 'QA Blueprint' support? N

The proposed new packages are available for testing via Copr, until
such time as they are reviewed & built in Fedora koji:

* https://copr.fedorainfracloud.org/coprs/berrange/sgx-ng/

These should work on any Intel Xeon class platform which has a
suitable HW configuration. NB there may be specific DIMM population
requirements.

== How To Test ==

* [https://fedoraproject.org/wiki/Virt/SGX Documentation on host
setup] is available but that's a fairly minimalist test. It does not
do much that's interesting to an end user, but is at least proving
that the '''pce''' and '''ide''' enclaves are usable. This is the
limit of the anticipated testing of SGX in Fedora. More extensive
testing will be performed when TDX is integrated at a later date,
though some of this may be performed early on an ad hoc basis using
development snapshots of TDX.

== User Experience ==

Initially there will be minimal real world user experience impact, since
on its own this proposal doesn't deliver noticeable end user features.
No existing applications in Fedora are known to have support for SGX
and none are being proposed yet.

The conceptual user benefit will be that users can bootstrap trust in
SGX on their Fedora host. This will facilitate users in deploying 3rd
party applications of their choosing that utilize SGX. It will
facilitate testing by engineers working on TDX support and its
integration into Fedora.

At a later time, when support for Intel TDX is integrated into KVM and
QEMU, the real world Fedora user benefit will significantly expand.

== Dependencies ==

The primary functional dependency for use of SGX is kernel support,
which has been enabled in Fedora for some time. See
"'''CONFIG_X86_SGX=y'''" in the kconfig files.

The packages include some new systemd unit files, two of which should
be configured to be started by default. This will require changes to
the systemd presets in the 'fedora-release' package.

* '''mpa_registration.service''' - this is conditionalized on SGX
being enabled, as witnessed by existence of '''/dev/sgx_enclave'''.
Thus enabling it by default will be a no-op on any existing machines
which have not had SGX turned on in the firmware. It is expected to be
installed on all SGX installations.
* '''qgs.socket''' (as a trigger for '''qgs.service''') - this is
likewise conditionalized on SGX being enabled. This may be pulled
in as a dependency of either libvirt or QEMU RPMs, TBD in the future
TDX change proposal.

== Contingency Plan ==


* Contingency mechanism: The new packages have no ill effects on
existing Fedora usage. Any outstanding work can be postponed to a
later release if required.
* Contingency deadline: Beta freeze
* Blocks release? No

== Documentation ==

[https://fedoraproject.org/wiki/Virt/SGX Documentation on host setup]
is available which is pretty much all that this change is expected to
enable.

A change proposal in future Fedora will cover usage of SGX with TDX
confidential virtual machines, which is more interesting to end users.

== Release Notes ==

-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney

-- 
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
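
An added example (not part of the original proposal or of the packaged code): a POSIX shell check for the two preconditions the "Upgrade/compatibility impact" and "Dependencies" sections name, the CONFIG_X86_SGX=y kernel option and the /dev/sgx_enclave node that the unit files are conditionalized on. The function names, the state strings and the /boot/config-$(uname -r) kconfig path are assumptions of this example.

```shell
#!/bin/sh
# Added example: would the SGX units named in the proposal be a no-op here?
# An optional ROOT prefix lets the checks run against a constructed tree.

sgx_kernel_enabled() {
    # $1 = kconfig file; true only for an exact CONFIG_X86_SGX=y line
    [ -r "$1" ] && grep -qx 'CONFIG_X86_SGX=y' "$1"
}

sgx_device_present() {
    # $1 = root prefix; the node appears only once SGX is enabled in firmware
    [ -e "$1/dev/sgx_enclave" ]
}

sgx_state() {
    # $1 = root prefix (empty for the live system), $2 = kconfig path (assumed default)
    root=${1:-}
    kconfig=${2:-$root/boot/config-$(uname -r)}
    if ! sgx_kernel_enabled "$kconfig"; then
        echo no-kernel-support
    elif ! sgx_device_present "$root"; then
        echo device-absent
    else
        echo ready
    fi
}

sgx_unit_report() {
    # Both units are described as conditionalized on the same device node.
    state=$(sgx_state "$@")
    for unit in mpa_registration.service qgs.socket; do
        if [ "$state" = ready ]; then
            echo "$unit: condition met, eligible to start"
        else
            echo "$unit: condition unmet, enabling is a no-op ($state)"
        fi
    done
}

# Run against the live host only when asked: sh sgx-check.sh --run
if [ "${1:-}" = "--run" ]; then
    sgx_unit_report
fi
```

A "device-absent" result on a kernel built with CONFIG_X86_SGX=y points at the host firmware setting or unsupported hardware rather than at the packages.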