[libvirt][PATCH v13 0/6] Support query and use SGX

[Yang, Lin A]

> BTW: I can see in QEMU sources /dev/sgx_vepc and /dev/sgx_provision being
> opened, but not sgx_enclave. And I see the former two on my system but not
> the last one. Can you Yang, share more info on this please?

True, QEMU only need read and write access to /dev/sgx_vepc and /dev/sgx_provision. 

/dev/sgx_vepc allows userspace to allocate "raw" EPC without an associated enclave.
The only known use case for raw EPC allocation is to expose EPC to a KVM guest, 
hence call it 'vepc'.

/dev/sgx_enclave allows creating host enclave. It is not suitable for allocating EPC for
KVM guest. Having separate device nodes, /dev/sgx_vepc and /dev/sgx_enclave,
allows separate permission control for creating host SGX enclaves and KVM SGX guests.

/dev/sgx_provision allows creating provisioning enclaves, which typically have more 
strict permissions than the plain enclave device /dev/sgx_enclave.

Usually /dev/sgx_enclave and /dev/sgx_provision should exist together on your system. 
Set "CONFIG_X86_SGX=y" in Kconfig and enable SGX in bios should enable SGX driver
and create /dev/sgx_enclave and /dev/sgx_provision device nodes.
"CONFIG_X86_SGX_KVM=y" will create /dev/sgx_vepc device node.

Regrading to permission control, one suggested way is making /dev/sgx_enclave is
accessible to all userspace applications to create its enclave. Having strict permissions
on /dev/sgx_vepc and /dev/sgx_provision only for user in specific group "XYZ".

# ls -l /dev/sgx*
crw-rw-rw- 1 root root 10, 125 Nov 16  2021 /dev/sgx_enclave
crw-rw---- 1 root XYZ  10, 126 Nov 16  2021 /dev/sgx_provision
crw-rw---- 1 root XYZ  10, 124 Nov 16  2021 /dev/sgx_vepc

Instead of running QEMU by root, one straightforward way is admin create a
dedicated "qemu" user and add it to "XYZ" group. In /etc/libvirt/qemu.conf,

user = "qemu"

Any concerns about this solution?

Thanks,
Lin.