[libvirt] New Feature: Intel MKTME Support

Fri Apr 19 08:09:24 UTC 2019

Hi Daniel,
After adding code for this feature, when we run "make check" as expected we are failing at two 
test cases (domaincapstest, qemucapabilitiestest).
So in order to test with right data we figured out that we need to add new .xml files with mktme qemu info
in qemucapabilitiesdata/ and domaincapsschemadata/ directories and .replies file.

We have internal qemu binary with mktme queries enabled. We figured out how to generate a new .replies file with 
our internal qemu binary using qemucapsprobe executable.

Could you please help us in understanding the libvirt test directory qemu and caps xml files?
We have the following questions.

1. How to do we generate .xml files with new mktme data in both qemucapabilitiesdata/ and domaincapsschemadata/ directories?. Or for time being , can we add mktme info to existing .xml files lets sat  caps_4.0.0.x86-64.xml and qemu_4.0.0.x86-64.xml?.
2. Do we have to pass all these test cases (make check) before pushing a patch? Just for the review. We want to get preliminary review feedback from the libvirt community for our feature.
3. we are planning to generate the .replies file using our internal qemu binary to make sure we pass unit and functional test cases with "make check", because for this feature as I mentioned earlier QEMU is not available until mid of next month, is this ok?

Thanks
karim

-----Original Message-----
From: Daniel P. Berrangé [mailto:berrange at redhat.com] 
Sent: Tuesday, March 5, 2019 9:35 AM
To: Mohammed, Karimullah <karimullah.mohammed at intel.com>
Cc: Carvalho, Larkins L <larkins.l.carvalho at intel.com>; libvir-list at redhat.com
Subject: Re: [libvirt] New Feature: Intel MKTME Support

On Tue, Mar 05, 2019 at 05:23:04PM +0000, Mohammed, Karimullah wrote:
> Hi Daniel,
> MKTME supports encryption of memory(NVRAM) for Virtual 
> Machines(hardware based encryption). This features uses Linux kernel key ring services, i.e.
> Operations like, allocation and clearing of secret/keys. These keys 
> are used in encryption of memory in Virtual machines. So MKTME 
> provided encryption of entire RAM of a VM, allocated to it, thereby 
> supporting VM isolation feature.
> 
> So to implement this functionality in openstack
> 
> 1. Nova executes host capability command, to identify if the hardware
>     support for MKTME (openstack xml host_capabilities command request
>     -->> libvirt ->> QEMU)-- qemu monitoring commands 2. Once the 
> hardware is identified and if user configures mktme policy
>    to launch a VM in openstack,  Nova
> 	a. Sends a new xml command request to libvirt, then libvirt makes
>          a syscall to Linux kernel key ring services to get/retrieve a
>          key/key-handle for this VM ( we are not sure at this point
>          whether to make this syscall directly in libvirt or through 
> QEMU)

What will openstack do with the key / key-handle  it gets back from libvirt ?

Why does it need to allocate one before starting the VMs, as opposed to letting QEMU or libvirt allocate it during startup ?

By allocating it separately from the VM start request it opens the possibility for leaking keys, if VM startup fails and the mgmt app doesn't release the now unused key.

> 	b. Once the key is retrieved , Nova compute executes a VM launch
>          xml command request to libvirt with a new argument called
>          mktme- keyhandle , which will send a command request to QEMU
>          to launch the VM( We are in process of supporting  this
>          functionality in  QEMU  for VM launch operation, with new
>          mktme-key argument)
> 
> We are not sure , where to make this(2a) kernel system calls at 
> present and looking for suggestions.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|