[libvirt] New Feature: Intel MKTME Support

Mohammed, Karimullah karimullah.mohammed at intel.com
Tue Mar 5 17:23:04 UTC 2019


Hi Daniel,
MKTME supports encryption of memory (NVRAM) for Virtual Machines (hardware-based encryption). This feature uses Linux kernel key ring services, i.e. operations like allocation and clearing of secrets/keys. These keys are used in encryption of memory in Virtual Machines. So MKTME provides encryption of the entire RAM of a VM allocated to it, thereby supporting the VM isolation feature.

So to implement this functionality in OpenStack:

1. Nova executes a host capability command to identify if there is hardware support for MKTME (OpenStack XML host_capabilities command request -->> libvirt -->> QEMU) -- QEMU monitor commands
2. Once the hardware is identified and if the user configures an MKTME policy to launch a VM in OpenStack, Nova
	a. Sends a new XML command request to libvirt, then libvirt makes a syscall to Linux kernel key ring services to get/retrieve a key/key-handle for this VM (we are not sure at this point whether to make this syscall directly in libvirt or through QEMU)

	b. Once the key is retrieved, Nova compute executes a VM launch XML command request to libvirt with a new argument called mktme-keyhandle, which will send a command request to QEMU to launch the VM (we are in the process of supporting this functionality in QEMU for the VM launch operation, with a new mktme-key argument)

We are not sure where to make this (2a) kernel system call at present and are looking for suggestions.

Thanks
karim
-----Original Message-----
From: Daniel P. Berrangé [mailto:berrange at redhat.com]
Sent: Tuesday, March 5, 2019 2:15 AM
To: Mohammed, Karimullah <karimullah.mohammed at intel.com>
Cc: Carvalho, Larkins L <larkins.l.carvalho at intel.com>; libvir-list at redhat.com
Subject: Re: [libvirt] New Feature: Intel MKTME Support

On Mon, Mar 04, 2019 at 10:44:12PM +0000, Mohammed, Karimullah wrote:
> Hi Daniel,
> 
> Thank you for answering our questions. We will soon send our design
> documentation for a review/discussion for MKTME enablement. This is
> not a complex feature, but in any case we wanted to start off with a
> design review, so that we get approved beforehand for what we will be
> implementing.
> 
> I would like to take the liberty of asking you a question related to
> libvirt; I asked this question in the IRC channel but did not get any responses.
> 
> Can libvirt directly make a kernel system call? i.e. for an XML request,
> if we have to make a kernel syscall, can we directly make the kernel
> syscall in libvirt or do we have to go through QEMU to process the
> request? We would like to know the norm for calling kernel system calls in libvirt.

It is hard to give a general answer to that without understanding the context of the system call in question.

Libvirt can certainly make arbitrary system calls as it needs. If the system call is discovering information that has an impact on QEMU functionality though, it may be better to query it via QEMU.

If you can provide more detail & usage context we can give a more useful answer.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|