[libvirt][PATCH v17 6/9] qemu_cgroup: Allow SGX in devices controller

Lin Yang lin.a.yang at intel.com
Fri Nov 11 01:21:24 UTC 2022


From: Michal Privoznik <mprivozn at redhat.com>

SGX memory backend needs to access /dev/sgx_vepc (which allows
userspace to allocate "raw" EPC without an associated enclave)
and /dev/sgx_provision (which allows creating provisioning
enclaves). Allow these two devices in the devices cgroup controller
when a domain is configured to use them.

Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
Signed-off-by: Haibin Huang <haibin.huang at intel.com>
---
 src/qemu/qemu_cgroup.c | 78 +++++++++++++++++++++++++++++++++++-------
 src/qemu/qemu_domain.h |  2 ++
 2 files changed, 68 insertions(+), 12 deletions(-)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index d6f27a5a4d..9cd4bf8b98 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -120,6 +120,28 @@ qemuCgroupDenyDevicePath(virDomainObj *vm,
 }
 
 
+static int
+qemuCgroupDenyDevicesPaths(virDomainObj *vm,
+                           const char *const *paths,
+                           int perms,
+                           bool ignoreEacces)
+{
+    size_t i;
+
+    for (i = 0; paths[i] != NULL; i++) {
+        if (!virFileExists(paths[i])) {
+            VIR_DEBUG("Ignoring non-existent device %s", paths[i]);
+            continue;
+        }
+
+        if (qemuCgroupDenyDevicePath(vm, paths[i], perms, ignoreEacces) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 qemuSetupImagePathCgroup(virDomainObj *vm,
                          const char *path,
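Review bot: The new qemuCgroupDenyDevicesPaths at the top of the hunk has no header comment, and its contract (a NULL-terminated `paths` array, non-existent paths skipped with a debug message rather than reported, the first failing deny aborting the loop) is only discoverable by reading the body. Suggest a comment above it such as `/* Deny every path in the NULL-terminated @paths array; paths that do not exist are skipped, the first qemuCgroupDenyDevicePath() failure returns -1. */`. The allow-side counterpart, qemuCgroupAllowDevicesPaths, which the next hunk calls, is not defined in this patch, so presumably it already exists in the file; if so, the skip-nonexistent behaviour should be the same on both sides, and the comment could say so.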
@@ -520,16 +542,32 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
                              virDomainMemoryDef *mem)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
-
-    if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
-        mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
-        return 0;
+    const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC,
+                                     QEMU_DEV_SGX_PROVISION, NULL };
 
     if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
         return 0;
 
-    return qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
-                                     VIR_CGROUP_DEVICE_RW, false);
+    switch (mem->model) {
+    case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
+        if (qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
+                                      VIR_CGROUP_DEVICE_RW, false) < 0)
+            return -1;
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        if (qemuCgroupAllowDevicesPaths(vm, sgxPaths,
+                                        VIR_CGROUP_DEVICE_RW, false) < 0)
+            return -1;
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_NONE:
+    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
+    case VIR_DOMAIN_MEMORY_MODEL_LAST:
+        break;
+    }
+
+    return 0;
 }
 
 
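Review bot: The SGX_EPC case grants RW on both QEMU_DEV_SGX_VEPVC and QEMU_DEV_SGX_PROVISION for every SGX EPC memory device, but per the commit message /dev/sgx_provision is only needed for creating provisioning enclaves, so if the domain configuration can express whether provisioning is wanted, the second path should be allowed only in that case rather than unconditionally (least privilege for the devices controller). If QEMU opens both nodes regardless of configuration, a comment above `sgxPaths` stating that would stop the next reader from narrowing it. The `sgxPaths` array is also built before the `virCgroupHasController` early return and used in a single case; it is duplicated verbatim in qemuTeardownMemoryDevicesCgroup, so a single file-scope `static const char *const sgxPaths[]` shared by both functions would avoid the duplicated literal.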
@@ -538,16 +576,32 @@ qemuTeardownMemoryDevicesCgroup(virDomainObj *vm,
                                 virDomainMemoryDef *mem)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
-
-    if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
-        mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
-        return 0;
+    const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC,
+        QEMU_DEV_SGX_PROVISION, NULL };
 
     if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
         return 0;
 
-    return qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
-                                    VIR_CGROUP_DEVICE_RWM, false);
+    switch (mem->model) {
+    case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
+        if (qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
+                                     VIR_CGROUP_DEVICE_RWM, false) < 0)
+            return -1;
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        if (qemuCgroupDenyDevicesPaths(vm, sgxPaths,
+                                       VIR_CGROUP_DEVICE_RW, false) < 0)
+            return -1;
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_NONE:
+    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
+    case VIR_DOMAIN_MEMORY_MODEL_LAST:
+        break;
+    }
+
+    return 0;
 }
 
 
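Review bot: The SGX_EPC teardown denies `VIR_CGROUP_DEVICE_RW` while the NVDIMM/VIRTIO_PMEM branch directly above it denies `VIR_CGROUP_DEVICE_RWM`; since setup only granted RW for SGX this is not wrong, but the mismatch within one function reads as an oversight, and either using RWM for both or a one-line comment explaining the difference would make the intent explicit. The continuation line of the `sgxPaths` initializer is indented differently from the same array in qemuSetupMemoryDevicesCgroup, where it is aligned under the first element; align it the same way. Because qemuCgroupDenyDevicesPaths skips paths that no longer exist, an allow rule for a node that disappeared between setup and teardown is left in the cgroup; presumably harmless once the node is gone, but worth a comment if that is the intended behaviour.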
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 7950c4c2da..d5f4fbad12 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -81,6 +81,8 @@ struct _qemuDomainUnpluggingDevice {
 #define QEMU_DEVPREFIX "/dev/"
 #define QEMU_DEV_VFIO "/dev/vfio/vfio"
 #define QEMU_DEV_SEV "/dev/sev"
+#define QEMU_DEV_SGX_VEPVC "/dev/sgx_vepc"
+#define QEMU_DEV_SGX_PROVISION "/dev/sgx_provision"
 #define QEMU_DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control"
 
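Review bot: The macro name `QEMU_DEV_SGX_VEPVC` misspells the device it expands to (`/dev/sgx_vepc`), so the identifier and the path disagree; renaming it to `QEMU_DEV_SGX_VEPC` here and at its two users in qemu_cgroup.c (the `sgxPaths` arrays in qemuSetupMemoryDevicesCgroup and qemuTeardownMemoryDevicesCgroup) keeps the name greppable against the device node. Within this patch those two arrays are the only references, so the rename is contained. A short comment on the two new defines noting what each node is for (raw EPC allocation versus provisioning enclaves, as the commit message explains) would also help, since the neighbouring defines carry no such hint.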
 
-- 
2.25.1


