<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
Any comments/suggestions would be highly appreciated!
<div><br>
</div>
<div>Basically, this V13 patch will detect whether QEMU provides SGX NUMA info.</div>
<div>If yes, it means the QEMU version is above 7.0.0 and the .node attribute is required</div>
<div>on the QEMU command line. Otherwise, it assumes the QEMU version is 6.2.0.</div>
<div class="elementToProof" style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Thanks,</div>
<div class="elementToProof" style="font-family: Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Lin.</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Yang, Lin A <lin.a.yang@intel.com><br>
<b>Sent:</b> Friday, July 1, 2022 12:14<br>
<b>To:</b> libvir-list@redhat.com <libvir-list@redhat.com>; Huang, Haibin <haibin.huang@intel.com>; Ding, Jian-feng <jian-feng.ding@intel.com>; Yang, Lin A <lin.a.yang@intel.com><br>
<b>Subject:</b> [libvirt][PATCH v13 0/6] Support query and use SGX</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">This patch series provides support for enabling Intel's Software Guard<br>
Extensions (SGX) feature in a guest VM.<br>
<br>
SGX support in QEMU has already been merged. Intel SGX is a set of<br>
instructions that increases the security of application code and data,<br>
giving them more protection from disclosure or modification.<br>
Developers can partition sensitive information into enclaves, which<br>
are areas of execution in memory with more security protection.<br>
<br>
The typical flow, at a very high level, looks like this:<br>
<br>
1. Call the virConnectGetDomainCapabilities API to get the domain capabilities,<br>
which include the following SGX information.<br>
<br>
<feature><br>
...<br>
<sgx supported='yes'><br>
<flc>no</flc> <br>
<sgx1>yes</sgx1> <br>
<sgx2>no</sgx2> <br>
<section_size>2</section_size> <br>
<sections> <br>
<section node='0' size='1'/> <br>
<section node='1' size='1'/> <br>
</sections> <br>
</sgx><br>
...<br>
</feature><br>
<br>
2. The user requests to start a guest by calling virCreateXML() with the SGX<br>
requirement. It supports both the non-NUMA SGX interface in QEMU 6.2.0<br>
and the NUMA SGX interface in QEMU 7.0.0 and later versions.<br>
<br>
Without NUMA info:<br>
<devices><br>
...<br>
<memory model='sgx-epc'><br>
<target><br>
<size unit='KiB'>N</size><br>
</target><br>
</memory><br>
...<br>
</devices><br>
<br>
With NUMA info:<br>
<devices><br>
...<br>
<memory model='sgx-epc'><br>
<source><br>
<nodemask>0-1</nodemask><br>
</source><br>
<target><br>
<size unit='KiB'>16384</size><br>
<node>0</node><br>
</target><br>
</memory><br>
...<br>
</devices><br>
<br>
Please note that it assumes the EPC target node in the guest VM (.node<br>
attribute) is not required in the SGX-related parameter on the QEMU command<br>
line if QEMU did not provide any SGX NUMA info, as in QEMU 6.2.0.<br>
<br>
Haibin Huang (4):<br>
Define SGX capabilities structs<br>
Get SGX capabilities from QMP<br>
Convert QMP capabilities to domain capabilities<br>
conf: expose SGX feature in domain capabilities<br>
<br>
Lin Yang (2):<br>
conf: Introduce SGX EPC element into device memory xml<br>
qemu: Add command-line to generate SGX EPC memory backend<br>
<br>
docs/formatdomain.rst | 27 +-<br>
docs/formatdomaincaps.rst | 40 +++<br>
src/conf/domain_capabilities.c | 58 ++++<br>
src/conf/domain_capabilities.h | 24 ++<br>
src/conf/domain_conf.c | 27 ++<br>
src/conf/domain_conf.h | 1 +<br>
src/conf/domain_validate.c | 9 +<br>
src/conf/schemas/domaincaps.rng | 42 +++<br>
src/conf/schemas/domaincommon.rng | 1 +<br>
src/libvirt_private.syms | 1 +<br>
src/qemu/qemu_alias.c | 6 +-<br>
src/qemu/qemu_capabilities.c | 258 ++++++++++++++++++<br>
src/qemu/qemu_capabilities.h | 4 +<br>
src/qemu/qemu_command.c | 87 +++++-<br>
src/qemu/qemu_domain.c | 48 +++-<br>
src/qemu/qemu_domain_address.c | 6 +<br>
src/qemu/qemu_driver.c | 1 +<br>
src/qemu/qemu_monitor.c | 10 +<br>
src/qemu/qemu_monitor.h | 3 +<br>
src/qemu/qemu_monitor_json.c | 154 ++++++++++-<br>
src/qemu/qemu_monitor_json.h | 4 +<br>
src/qemu/qemu_process.c | 2 +<br>
src/qemu/qemu_validate.c | 8 +<br>
src/security/security_apparmor.c | 1 +<br>
src/security/security_dac.c | 2 +<br>
src/security/security_selinux.c | 2 +<br>
tests/domaincapsdata/bhyve_basic.x86_64.xml | 1 +<br>
tests/domaincapsdata/bhyve_fbuf.x86_64.xml | 1 +<br>
tests/domaincapsdata/bhyve_uefi.x86_64.xml | 1 +<br>
tests/domaincapsdata/empty.xml | 1 +<br>
tests/domaincapsdata/libxl-xenfv.xml | 1 +<br>
tests/domaincapsdata/libxl-xenpv.xml | 1 +<br>
.../domaincapsdata/qemu_2.11.0-q35.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml | 1 +<br>
tests/domaincapsdata/qemu_2.11.0.s390x.xml | 1 +<br>
tests/domaincapsdata/qemu_2.11.0.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 1 +<br>
.../qemu_2.12.0-virt.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_2.12.0.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_2.12.0.ppc64.xml | 1 +<br>
tests/domaincapsdata/qemu_2.12.0.s390x.xml | 1 +<br>
tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_3.0.0-q35.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml | 1 +<br>
tests/domaincapsdata/qemu_3.0.0.ppc64.xml | 1 +<br>
tests/domaincapsdata/qemu_3.0.0.s390x.xml | 1 +<br>
tests/domaincapsdata/qemu_3.0.0.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_3.1.0-q35.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml | 1 +<br>
tests/domaincapsdata/qemu_3.1.0.ppc64.xml | 1 +<br>
tests/domaincapsdata/qemu_3.1.0.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_4.0.0-q35.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml | 1 +<br>
.../qemu_4.0.0-virt.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_4.0.0.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_4.0.0.ppc64.xml | 1 +<br>
tests/domaincapsdata/qemu_4.0.0.s390x.xml | 1 +<br>
tests/domaincapsdata/qemu_4.0.0.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_4.1.0-q35.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml | 1 +<br>
tests/domaincapsdata/qemu_4.1.0.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 1 +<br>
.../qemu_4.2.0-virt.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 1 +<br>
tests/domaincapsdata/qemu_4.2.0.s390x.xml | 1 +<br>
tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_5.0.0-q35.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml | 1 +<br>
.../qemu_5.0.0-virt.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_5.0.0.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_5.0.0.ppc64.xml | 1 +<br>
tests/domaincapsdata/qemu_5.0.0.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_5.1.0-q35.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml | 1 +<br>
tests/domaincapsdata/qemu_5.1.0.sparc.xml | 1 +<br>
tests/domaincapsdata/qemu_5.1.0.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_5.2.0-q35.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml | 1 +<br>
.../qemu_5.2.0-virt.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_5.2.0.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_5.2.0.ppc64.xml | 1 +<br>
tests/domaincapsdata/qemu_5.2.0.s390x.xml | 1 +<br>
tests/domaincapsdata/qemu_5.2.0.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_6.0.0-q35.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml | 1 +<br>
.../qemu_6.0.0-virt.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_6.0.0.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_6.0.0.s390x.xml | 1 +<br>
tests/domaincapsdata/qemu_6.0.0.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_6.1.0-q35.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_6.1.0-tcg.x86_64.xml | 1 +<br>
tests/domaincapsdata/qemu_6.1.0.x86_64.xml | 1 +<br>
.../domaincapsdata/qemu_6.2.0-q35.x86_64.xml | 6 +<br>
.../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml | 6 +<br>
.../qemu_6.2.0-virt.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_6.2.0.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_6.2.0.ppc64.xml | 1 +<br>
tests/domaincapsdata/qemu_6.2.0.x86_64.xml | 6 +<br>
.../domaincapsdata/qemu_7.0.0-q35.x86_64.xml | 10 +<br>
.../domaincapsdata/qemu_7.0.0-tcg.x86_64.xml | 10 +<br>
.../qemu_7.0.0-virt.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_7.0.0.aarch64.xml | 1 +<br>
tests/domaincapsdata/qemu_7.0.0.ppc64.xml | 1 +<br>
tests/domaincapsdata/qemu_7.0.0.x86_64.xml | 10 +<br>
.../domaincapsdata/qemu_7.1.0-q35.x86_64.xml | 10 +<br>
.../domaincapsdata/qemu_7.1.0-tcg.x86_64.xml | 10 +<br>
tests/domaincapsdata/qemu_7.1.0.x86_64.xml | 10 +<br>
.../caps_6.2.0.x86_64.replies | 30 +-<br>
.../caps_6.2.0.x86_64.xml | 7 +<br>
.../caps_7.0.0.x86_64.replies | 34 ++-<br>
.../caps_7.0.0.x86_64.xml | 11 +<br>
.../caps_7.1.0.x86_64.replies | 34 ++-<br>
.../caps_7.1.0.x86_64.xml | 11 +<br>
.../sgx-epc-numa.x86_64-latest.args | 40 +++<br>
tests/qemuxml2argvdata/sgx-epc-numa.xml | 50 ++++<br>
.../sgx-epc.x86_64-6.2.0.args | 37 +++<br>
tests/qemuxml2argvdata/sgx-epc.xml | 36 +++<br>
tests/qemuxml2argvtest.c | 3 +<br>
.../sgx-epc-numa.x86_64-latest.xml | 64 +++++<br>
.../sgx-epc.x86_64-6.2.0.xml | 52 ++++<br>
tests/qemuxml2xmltest.c | 3 +<br>
124 files changed, 1349 insertions(+), 42 deletions(-)<br>
create mode 100644 tests/qemuxml2argvdata/sgx-epc-numa.x86_64-latest.args<br>
create mode 100644 tests/qemuxml2argvdata/sgx-epc-numa.xml<br>
create mode 100644 tests/qemuxml2argvdata/sgx-epc.x86_64-6.2.0.args<br>
create mode 100644 tests/qemuxml2argvdata/sgx-epc.xml<br>
create mode 100644 tests/qemuxml2xmloutdata/sgx-epc-numa.x86_64-latest.xml<br>
create mode 100644 tests/qemuxml2xmloutdata/sgx-epc.x86_64-6.2.0.xml<br>
<br>
-- <br>
2.25.1<br>
<br>
</div>
</span></font></div>
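The two-step flow in the cover letter (query the domain capabilities, then build the domain XML with or without NUMA info) and the V13 detection rule from the reply (emit the EPC target node only when QEMU reports SGX NUMA info) as an added, stand-alone example. This is editor-written code, not part of the patch series or of libvirt. It assumes, since the page does not say, that the capability sizes (section_size and section@size) are in MiB while domain XML sizes are in KiB, and the capability XML it parses is a constructed sample rather than the output of a live virConnectGetDomainCapabilities() call.

```python
"""Added example (not libvirt's or the patch series' code): parse the <sgx> block
of libvirt domain capabilities and build the matching <memory model='sgx-epc'>
device, emitting <nodemask>/<node> only when the capabilities carry per-node
EPC sections, i.e. when QEMU provides SGX NUMA info.
Assumption: capability sizes are MiB, domain XML sizes are KiB."""
import re
import xml.etree.ElementTree as ET

MIB_KIB = 1024  # assumption: capability sizes are MiB, domain XML sizes are KiB

# Constructed sample modelled on the cover letter: a QEMU that reports SGX NUMA
# info (two EPC sections, one per host node).
CAPS_NUMA = """<domainCapabilities>
  <features>
    <sgx supported='yes'>
      <flc>no</flc>
      <sgx1>yes</sgx1>
      <sgx2>no</sgx2>
      <section_size>2</section_size>
      <sections>
        <section node='0' size='1'/>
        <section node='1' size='1'/>
      </sections>
    </sgx>
  </features>
</domainCapabilities>"""

# Constructed sample for a QEMU without SGX NUMA info (6.2.0 style): no <sections>.
CAPS_NO_NUMA = re.sub(r"<sections>.*?</sections>", "", CAPS_NUMA, flags=re.S)


def parse_sgx_caps(caps_xml):
    """Return a dict describing host SGX support, or None if SGX is unsupported."""
    sgx = ET.fromstring(caps_xml).find(".//sgx")
    if sgx is None or sgx.get("supported") != "yes":
        return None
    caps = {
        "flc": sgx.findtext("flc") == "yes",
        "sgx1": sgx.findtext("sgx1") == "yes",
        "sgx2": sgx.findtext("sgx2") == "yes",
        "section_size_kib": int(sgx.findtext("section_size", "0")) * MIB_KIB,
        "sections": {},  # host NUMA node -> EPC KiB; empty if QEMU gives no NUMA info
    }
    for sec in sgx.findall("./sections/section"):
        caps["sections"][int(sec.get("node"))] = int(sec.get("size")) * MIB_KIB
    return caps


def format_nodemask(nodes):
    """Render a node list in libvirt's range syntax, e.g. [0, 1, 2, 4] -> '0-2,4'."""
    nodes = sorted(set(nodes))
    parts, start, prev = [], nodes[0], nodes[0]
    for n in nodes[1:] + [None]:
        if n is not None and n == prev + 1:
            prev = n
            continue
        parts.append(str(start) if start == prev else "%d-%d" % (start, prev))
        if n is not None:
            start = prev = n
    return ",".join(parts)


def build_sgx_epc_device(caps, size_kib, guest_node=None, host_nodes=None):
    """Build the <memory model='sgx-epc'> element for the domain XML.

    guest_node (target <node>) and host_nodes (source <nodemask>) are accepted
    only when the capabilities carry per-node EPC sections; otherwise the
    non-NUMA shape from the cover letter is emitted.
    """
    if caps is None or not caps["sgx1"]:
        raise ValueError("host does not support SGX1 enclaves")
    if size_kib <= 0:
        raise ValueError("EPC size must be positive")
    if (guest_node is not None or host_nodes) and not caps["sections"]:
        raise ValueError("QEMU reports no SGX NUMA info; <node>/<nodemask> not usable")
    # Capacity check: total EPC, or the sum over the requested host nodes.
    if host_nodes:
        unknown = sorted(n for n in set(host_nodes) if n not in caps["sections"])
        if unknown:
            raise ValueError("no EPC section on host node(s) %s" % unknown)
        capacity = sum(caps["sections"][n] for n in set(host_nodes))
    else:
        capacity = caps["section_size_kib"]
    if size_kib > capacity:
        raise ValueError("requested %d KiB EPC exceeds %d KiB available" % (size_kib, capacity))

    mem = ET.Element("memory", model="sgx-epc")
    if host_nodes:
        src = ET.SubElement(mem, "source")
        ET.SubElement(src, "nodemask").text = format_nodemask(host_nodes)
    tgt = ET.SubElement(mem, "target")
    ET.SubElement(tgt, "size", unit="KiB").text = str(size_kib)
    if guest_node is not None:
        ET.SubElement(tgt, "node").text = str(guest_node)
    return ET.tostring(mem, encoding="unicode")


if __name__ == "__main__":
    print(build_sgx_epc_device(parse_sgx_caps(CAPS_NO_NUMA), 2048))
    print(build_sgx_epc_device(parse_sgx_caps(CAPS_NUMA), 2048, guest_node=0, host_nodes=[0, 1]))
```

The generated element is meant to be dropped into the domain's <devices> section; the capacity check rejects a request that does not fit in the EPC the host reported, and the NUMA-only fields are refused outright when the capabilities lack <sections>, which is the same signal the V13 series uses to decide whether the .node attribute goes on the QEMU command line.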
</body>
</html>