[libvirt][PATCH v13 0/6] Support query and use SGX
Yang, Lin A
lin.a.yang at intel.com
Fri Jul 22 18:29:54 UTC 2022
> Well, as discussed with Daniel earlier, libvirt creates a separate mount
> namespace for each QEMU and inside it creates a very thin /dev with only a
> handful of nodes (per guest config). And what my patch does (and what we
> already do for /dev/sev) is mknod() /dev/sgx_provision and /dev/sgx_vepc inside
> that thin /dev and chown() it to the user under which QEMU is about to run.
>
> This namespace feature can be turned off though, in which case libvirt won't
> chown() those files (well, my patch is written that way). I think this is an acceptable
> trade-off between security and usability. Namespaces are enabled by default (if the
> kernel supports them).
>
> Alright, so here's what we'll do. I'll polish my patches, fix up yours and send for
> review. Does this work for you?
Definitely yes! This is awesome!
Really appreciate your help.
Good to know libvirt creates a separate mount namespace and thin /dev for each
QEMU.
Lin.
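As an added illustration of the trade-off described in the quoted message (not code from this thread or from libvirt), the helper below decides, from libvirt's `namespaces` setting in qemu.conf and the ownership of the host's SGX nodes, whether a guest can reach /dev/sgx_vepc and /dev/sgx_provision and flags host-level exposure. The device paths are from the thread; the uid/gid values and the `DevNode` inputs are constructed stand-ins for a host's `stat()` results.

```python
"""Audit helper (added example, not libvirt code): relate libvirt's mount
namespace setting to the host's SGX device node permissions."""
import re
from dataclasses import dataclass

SGX_NODES = ("/dev/sgx_vepc", "/dev/sgx_provision")


def mount_namespace_enabled(qemu_conf: str) -> bool:
    """Parse the `namespaces = [ "mount" ]` line of libvirt's qemu.conf.
    A missing or commented-out line means the default: enabled."""
    for raw in qemu_conf.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        m = re.match(r'namespaces\s*=\s*\[(.*)\]\s*$', line)
        if m:
            items = [s.strip().strip('"') for s in m.group(1).split(",")]
            return "mount" in items
    return True


@dataclass
class DevNode:
    path: str
    uid: int      # owner on the *host* /dev (constructed in the example)
    gid: int
    mode: int     # permission bits, e.g. 0o600


def assess(qemu_conf: str, host_nodes: list, qemu_uid: int, qemu_gids: frozenset) -> list:
    """Return findings as strings. With the mount namespace on, libvirt
    mknod()s and chown()s a private copy in the guest's thin /dev, so the
    host node should stay root-owned. With it off, libvirt chowns nothing,
    so access must be granted explicitly, and world bits expose everyone."""
    ns_on = mount_namespace_enabled(qemu_conf)
    findings = []
    for n in host_nodes:
        if n.path not in SGX_NODES:
            continue
        world = n.mode & 0o007
        group_ok = n.gid in qemu_gids and n.mode & 0o070
        reachable = n.uid == qemu_uid or group_ok or world
        if world:
            findings.append(f"{n.path}: world-accessible (mode {n.mode:04o}); tighten to 0600")
        if ns_on and n.uid == qemu_uid:
            findings.append(f"{n.path}: host node chowned to qemu uid {qemu_uid} although "
                            "the mount namespace already provides a private copy")
        if not ns_on and not reachable:
            findings.append(f"{n.path}: namespaces off and node not reachable by uid "
                            f"{qemu_uid}; guest SGX will fail unless access is granted")
    return findings
```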