[libvirt][PATCH v13 0/6] Support query and use SGX
Yang, Lin A
lin.a.yang at intel.com
Mon Jul 18 22:08:09 UTC 2022
Any comments/suggestions would be highly appreciated!
Basically, this V13 patch will detect whether QEMU provides SGX NUMA info.
If yes, it means QEMU version is above 7.0.0 and .node attribute is required
in QEMU command line. Otherwise, it assumes the QEMU version is 6.2.0.
Thanks,
Lin.
________________________________
From: Yang, Lin A <lin.a.yang at intel.com>
Sent: Friday, July 1, 2022 12:14
To: libvir-list at redhat.com <libvir-list at redhat.com>; Huang, Haibin <haibin.huang at intel.com>; Ding, Jian-feng <jian-feng.ding at intel.com>; Yang, Lin A <lin.a.yang at intel.com>
Subject: [libvirt][PATCH v13 0/6] Support query and use SGX
This patch series provides support for enabling Intel's Software Guard
Extensions (SGX) feature in guest VM.
Giving the SGX support in QEMU had been merged. Intel SGX is a set of
instructions that increases the security of application code and data,
giving them more protection from disclosure or modification.
Developers can partition sensitive information into enclaves, which
are areas of execution in memory with more security protection.
The typical flow looks below at very high level:
1. Calls virConnectGetDomainCapabilities API to domain capabilities
that includes the following SGX information.
<feature>
...
<sgx supported='yes'>
<flc>no</flc>
<sgx1>yes</sgx1>
<sgx2>no</sgx2>
<section_size>2</section_size>
<sections>
<section node='0' size='1'/>
<section node='1' size='1'/>
</sections>
</sgx>
...
</feature>
2. User requests to start a guest calling virCreateXML() with SGX
requirement. It supports both non-NUMA SGX interface in QEMU 6.2.0
and NUMA SGX interface in QEMU 7.0.0 and later version.
Without NUMA info:
<devices>
...
<memory model='sgx-epc'>
<target>
<size unit='KiB'>N</size>
</target>
</memory>
...
</devices>
With NUMA info:
<devices>
...
<memory model='sgx-epc'>
<source>
<nodemask>0-1</nodemask>
</source>
<target>
<size unit='KiB'>16384</size>
<node>0</node>
</target>
</memory>
...
</devices>
Please note that it assumes EPC target node in guest VM (.node
attribute) is not required in SGX related parameter in QEMU command
if QEMU didn't provide any SGX NUMA info, like QEMU 6.2.0 version.
Haibin Huang (4):
Define SGX capabilities structs
Get SGX capabilities form QMP
Convert QMP capabilities to domain capabilities
conf: expose SGX feature in domain capabilities
Lin Yang (2):
conf: Introduce SGX EPC element into device memory xml
qemu: Add command-line to generate SGX EPC memory backend
docs/formatdomain.rst | 27 +-
docs/formatdomaincaps.rst | 40 +++
src/conf/domain_capabilities.c | 58 ++++
src/conf/domain_capabilities.h | 24 ++
src/conf/domain_conf.c | 27 ++
src/conf/domain_conf.h | 1 +
src/conf/domain_validate.c | 9 +
src/conf/schemas/domaincaps.rng | 42 +++
src/conf/schemas/domaincommon.rng | 1 +
src/libvirt_private.syms | 1 +
src/qemu/qemu_alias.c | 6 +-
src/qemu/qemu_capabilities.c | 258 ++++++++++++++++++
src/qemu/qemu_capabilities.h | 4 +
src/qemu/qemu_command.c | 87 +++++-
src/qemu/qemu_domain.c | 48 +++-
src/qemu/qemu_domain_address.c | 6 +
src/qemu/qemu_driver.c | 1 +
src/qemu/qemu_monitor.c | 10 +
src/qemu/qemu_monitor.h | 3 +
src/qemu/qemu_monitor_json.c | 154 ++++++++++-
src/qemu/qemu_monitor_json.h | 4 +
src/qemu/qemu_process.c | 2 +
src/qemu/qemu_validate.c | 8 +
src/security/security_apparmor.c | 1 +
src/security/security_dac.c | 2 +
src/security/security_selinux.c | 2 +
tests/domaincapsdata/bhyve_basic.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_fbuf.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_uefi.x86_64.xml | 1 +
tests/domaincapsdata/empty.xml | 1 +
tests/domaincapsdata/libxl-xenfv.xml | 1 +
tests/domaincapsdata/libxl-xenpv.xml | 1 +
.../domaincapsdata/qemu_2.11.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 1 +
.../qemu_2.12.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml | 1 +
.../qemu_4.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_4.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 1 +
.../qemu_4.2.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml | 1 +
.../qemu_5.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_5.1.0.sparc.xml | 1 +
tests/domaincapsdata/qemu_5.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.2.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml | 1 +
.../qemu_5.2.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.2.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.2.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_5.2.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_5.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_6.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml | 1 +
.../qemu_6.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_6.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_6.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_6.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_6.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_6.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_6.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_6.2.0-q35.x86_64.xml | 6 +
.../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml | 6 +
.../qemu_6.2.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_6.2.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_6.2.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_6.2.0.x86_64.xml | 6 +
.../domaincapsdata/qemu_7.0.0-q35.x86_64.xml | 10 +
.../domaincapsdata/qemu_7.0.0-tcg.x86_64.xml | 10 +
.../qemu_7.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_7.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_7.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_7.0.0.x86_64.xml | 10 +
.../domaincapsdata/qemu_7.1.0-q35.x86_64.xml | 10 +
.../domaincapsdata/qemu_7.1.0-tcg.x86_64.xml | 10 +
tests/domaincapsdata/qemu_7.1.0.x86_64.xml | 10 +
.../caps_6.2.0.x86_64.replies | 30 +-
.../caps_6.2.0.x86_64.xml | 7 +
.../caps_7.0.0.x86_64.replies | 34 ++-
.../caps_7.0.0.x86_64.xml | 11 +
.../caps_7.1.0.x86_64.replies | 34 ++-
.../caps_7.1.0.x86_64.xml | 11 +
.../sgx-epc-numa.x86_64-latest.args | 40 +++
tests/qemuxml2argvdata/sgx-epc-numa.xml | 50 ++++
.../sgx-epc.x86_64-6.2.0.args | 37 +++
tests/qemuxml2argvdata/sgx-epc.xml | 36 +++
tests/qemuxml2argvtest.c | 3 +
.../sgx-epc-numa.x86_64-latest.xml | 64 +++++
.../sgx-epc.x86_64-6.2.0.xml | 52 ++++
tests/qemuxml2xmltest.c | 3 +
124 files changed, 1349 insertions(+), 42 deletions(-)
create mode 100644 tests/qemuxml2argvdata/sgx-epc-numa.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/sgx-epc-numa.xml
create mode 100644 tests/qemuxml2argvdata/sgx-epc.x86_64-6.2.0.args
create mode 100644 tests/qemuxml2argvdata/sgx-epc.xml
create mode 100644 tests/qemuxml2xmloutdata/sgx-epc-numa.x86_64-latest.xml
create mode 100644 tests/qemuxml2xmloutdata/sgx-epc.x86_64-6.2.0.xml
--
2.25.1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20220718/6ecd5271/attachment-0001.htm>
More information about the libvir-list
mailing list