[libvirt] New Feature: Intel MKTME Support

Daniel P. Berrangé berrange at redhat.com
Wed Mar 6 11:36:25 UTC 2019 

BTW, if possible, could you configure your email client to line
wrap text at 72 columns. It is currently sending messages with
no line breaks except at end of paragraph which means I have to
word wrap your quoted text myself when replying. 

On Wed, Mar 06, 2019 at 10:27:59AM +0000, Mohammed, Karimullah wrote:
> We want to understand following things in virtualization.
> 
> 1. What do you mean by " letting QEMU or libvirt to allocate key-handle 
>  during startup ?. Is this means, before launching a VM get key-handle 
> in either in Libvirt/QEMU?.. if so next tpoint

I mean do it during the virDomainCreate  API call, which is the call
a mgmt app already makes to start a VM.

> 2. If not in QEMU, can we make Linux syscalls to get key-handle before
>  launching  a command to QEMU during VM launch? In Libvirt?  like
> 
> 	. Nova compute  during launch of an VM , sends mktme policy
>         in the same xml file to Libvirt.
>       . Libvirt makes kernel syscall to get key-handle and then 
>         sends QEMU command to launch the VM with addition of 
>         key-handle parameter
> 
> Here is the brief presentation of, how we plan to execute mtkme 
> end to end in openstack, so that we are on same page..
> 1. Cloud service provider(CSP) launches a VM instance using  mktme
>    policy in Image meta-data
> 	Mktme-policy {
> 			Mktme-key-id = "Mname1" (String),
> 			Mktme-key-type = cpu or user (CPU = hardware
>                                        generated key, user = user given key)
> 			Mktme-key-url  = https://xx.xx.xx ( URL to fetch the key)
> 			}
> 2. After all checks , Nova compute will get a command to launch a VM, 
>    if mtkme-policy to be found. If mktme-key-type is user, it gets the
>    key from the url specified in mktme-key-url and that key is called 
>    mktme-key. If mktme-key-type is cpu no action and mktme-key will be
>    null.
> 
> 3. Assuming key-handle and VM launch are separate calls. Nova compute 
>    execute a new libvirt command to get the key-handle given the
>    arguments { Mktme-key-id, Mktme-key-type, Mktme-key(if user type key). }. 
> 	a. Libvirt make a Linux kernel ring service syscall request_key(
>          with above parameters), request_key syscall return a key-handle 
>          if a key exist with mktme-key-id or it will create a new 
>          key-handle and returns it. This is true for both user and cpu
>          type keys. (Now this command can also be extended/execute in QEMU)
>       b. Nova gets the key-handle in return and launched the VM instance 
>          using this additional key-handle argument to Libvirt again.

Nova is requesting a value from libvirt and then feeding it straight
back to libvirt. This is the bit that looks pointless to me. It is
appearing to add an extra API call for no benefit.

The only reason to have a seperate API call is if Nova needs to do
some kind of computational work with the key it gets in step (a)
before it then gives it back to libvirt in step (b).

> 4. Assuming key-handle is done in Libvirt( if I'm not mistaken, this what
>    you were proposing). Nova compute execute VM launch libvirt call using 
>    mktme additional parameters { Mktme-key-id, Mktme-key-type, Mktme-key
>    (if user type key, ). }
>      a. Libvirt upon receiving this call , execute request_key kernel 
>         syscall using the above parameters and gets the key-handle and 
>         thereby launches  the VM using the usual QEMU command with 
>         addition parameter of mktme key-handle. And again this whole
>         process can also get executed in QEMU, but we have some limitation
>         I guess at this point).

I think libvirt would still talk to the kernel to get the key. Since the
keys are a finite resource, we don't want to give QEMU the permission to
request keys itself as that opens a denial of service possibility. QEMU
should only be able to use keys it has been given by libvirt, which means
libivrt must request them from the kernel.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list