[libvirt][PATCH RESEND v10 0/5] Support query and use SGX
Michal Prívozník
mprivozn at redhat.com
Wed Feb 16 10:25:27 UTC 2022
On 2/8/22 06:21, Haibin Huang wrote:
> Because the 5th patch was sent by mistake, so replace the 5th patch and
> send it again.
>
> This patch series provides support for enabling Intel's Software
> Guard Extensions (SGX) feature in guest VM.
> Giving the SGX support in QEMU had been merged. Intel SGX is a
> set of instructions that increases the security of application code
> and data, giving them more protection from disclosure or modification.
> Developers can partition sensitive information into enclaves, which
> are areas of execution in memory with more security protection.
>
> It depends on QEMU fixing[1], which will move cpu QOM object from
> /machine/unattached/device[nn] to /machine/cpu[nn]. It requires libvirt
> to change the default cpu QOM object location once QEMU patch gets
> accepted, but it is out of this SGX patch scope.
>
> The typical flow looks below at very high level:
>
> 1. Calls virConnectGetDomainCapabilities API to domain capabilities
> that includes the following SGX information.
>
> <feature>
> ...
> <sgx supported='yes'>
> <epc_size unit='KiB'>N</epc_size>
> </sgx>
> ...
> </feature>
>
> 2. User requests to start a guest calling virCreateXML() with SGX
> requirement. It does not support NUMA yet, since latest QEMU 6.2
> release does not support NUMA.
> It should contain
>
> <devices>
> ...
> <memory model='sgx-epc'>
> <target>
> <size unit='KiB'>N</size>
> </target>
> </memory>
> ...
> </devices>
>
> [1] https://lists.nongnu.org/archive/html/qemu-devel/2022-01/msg03534.html
>
> Haibin Huang (3):
> qemu: provide support to query the SGX capability
> conf: expose SGX feature in domain capabilities
> Add unit test for domaincapsdata sgx
>
> Lin Yang (2):
> conf: Introduce SGX EPC element into device memory xml
> Update default CPU location in qemu QOM tree
>
Hey, so I've done review and found mostly small issues. I would squash
them in and push, but the point I'm raising in 5/5 (about -M vs
-machine) ruined my confidence in doing so. Nevertheless, I've uploaded
the changes I would make here:
https://gitlab.com/MichalPrivoznik/libvirt/-/commits/sgx/
I hope you'll find it helpful.
Michal
More information about the libvir-list
mailing list