This patch series provides support for enabling Intel's Software Guard
Extensions (SGX) feature in a guest VM.
 
Given that the SGX support in QEMU is still pending review, this patch
series is not submitted for code review, but only describes the SGX enabling
solution design, which contains changes to the virConnectGetDomainCapabilities
API response and the domain definition. All comments/suggestions would be
highly appreciated.
 
Intel Software Guard Extensions (Intel® SGX) is a set of instructions that
increases the security of application code and data, giving them more
protection from disclosure or modification. Developers can partition
sensitive information into enclaves, which are areas of execution in memory
with more security protection.
 
The typical flow looks like the following at a very high level:

1. Call the virConnectGetDomainCapabilities API to get the domain
capabilities, which include the following SGX information.
 
<feature>
...
  <sgx supported='yes'>
    <epc_size unit='KiB'>N</epc_size>
  </sgx>
</feature>
 
2. The user requests to start a guest by calling virCreateXML() with the SGX
requirement. It should contain
 
<launchSecurity type='sgx'>
  <epc_size unit='KiB'>N</epc_size>
</launchSecurity> 


Haibin Huang (1):
  Support to query SGX capability

Lin Yang (3):
  conf: Introduce SGX related element into domain xml
  qemu: Add command-line to generate SGX EPC memory backend
  qemu: Add command-line to enable SGX

 src/conf/domain_capabilities.c                |  29 ++++
 src/conf/domain_capabilities.h                |  13 ++
 src/conf/domain_conf.c                        | 106 +++++++++----
 src/conf/domain_conf.h                        |  10 ++
 src/conf/virconftypes.h                       |   3 +
 src/libvirt_private.syms                      |   2 +-
 src/qemu/qemu_capabilities.c                  | 146 ++++++++++++++++++
 src/qemu/qemu_capabilities.h                  |   6 +
 src/qemu/qemu_command.c                       |  30 ++++
 src/qemu/qemu_monitor.c                       |  10 ++
 src/qemu/qemu_monitor.h                       |   3 +
 src/qemu/qemu_monitor_json.c                  |  91 +++++++++++
 src/qemu/qemu_monitor_json.h                  |   3 +
 tests/domaincapsdata/bhyve_basic.x86_64.xml   |   1 +
 tests/domaincapsdata/bhyve_fbuf.x86_64.xml    |   1 +
 tests/domaincapsdata/bhyve_uefi.x86_64.xml    |   1 +
 tests/domaincapsdata/empty.xml                |   1 +
 tests/domaincapsdata/libxl-xenfv.xml          |   1 +
 tests/domaincapsdata/libxl-xenpv.xml          |   1 +
 .../domaincapsdata/qemu_1.5.3-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_1.5.3-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_1.5.3.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_1.6.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_1.6.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_1.6.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_1.7.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_1.7.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_1.7.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.1.1-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.1.1-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.1.1.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.10.0-q35.x86_64.xml |   1 +
 .../domaincapsdata/qemu_2.10.0-tcg.x86_64.xml |   1 +
 .../qemu_2.10.0-virt.aarch64.xml              |   1 +
 tests/domaincapsdata/qemu_2.10.0.aarch64.xml  |   1 +
 tests/domaincapsdata/qemu_2.10.0.ppc64.xml    |   1 +
 tests/domaincapsdata/qemu_2.10.0.s390x.xml    |   1 +
 tests/domaincapsdata/qemu_2.10.0.x86_64.xml   |   1 +
 .../domaincapsdata/qemu_2.11.0-q35.x86_64.xml |   1 +
 .../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml |   1 +
 tests/domaincapsdata/qemu_2.11.0.s390x.xml    |   1 +
 tests/domaincapsdata/qemu_2.11.0.x86_64.xml   |   1 +
 .../domaincapsdata/qemu_2.12.0-q35.x86_64.xml |   1 +
 .../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml |   1 +
 .../qemu_2.12.0-virt.aarch64.xml              |   1 +
 tests/domaincapsdata/qemu_2.12.0.aarch64.xml  |   1 +
 tests/domaincapsdata/qemu_2.12.0.ppc64.xml    |   1 +
 tests/domaincapsdata/qemu_2.12.0.s390x.xml    |   1 +
 tests/domaincapsdata/qemu_2.12.0.x86_64.xml   |   1 +
 .../domaincapsdata/qemu_2.4.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.4.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.5.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.5.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.6.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml  |   1 +
 .../qemu_2.6.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_2.6.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_2.6.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_2.6.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.7.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.7.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_2.7.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.8.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.8.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_2.8.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.9.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.9.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_2.9.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_2.9.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_3.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_3.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_3.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_3.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_3.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_3.1.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_3.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_4.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_4.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_4.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_4.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_4.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_4.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.2.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml  |   1 +
 .../qemu_4.2.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_4.2.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_4.2.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_4.2.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_4.2.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_5.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_5.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_5.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_5.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_5.1.0.x86_64.xml    |   1 +
 109 files changed, 519 insertions(+), 29 deletions(-)

-- 
2.17.1
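The two-step flow above (query the domain capabilities for SGX/EPC, then start the guest with a `<launchSecurity type='sgx'>` element), written out as an added client-side example. This is not code from the patch series or from libvirt; it assumes the XML shape proposed in the cover letter (`<sgx supported='yes'>` carrying an `<epc_size unit='...'>` child, looked up anywhere under the domain capabilities root so the exact parent element name does not matter), and it uses the existing libvirt-python calls `getDomainCapabilities()` and `createXML()` only in the last, optional function. The check a practitioner wants before calling `createXML()` is that the requested EPC does not exceed what the host advertises, since a request the host cannot back fails at guest start rather than at XML parse time. The sample capabilities and domain XML are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Multipliers for the 'unit' attribute values libvirt accepts on size elements.
_UNITS = {
    "B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4,
    "KB": 1000, "MB": 1000 ** 2, "GB": 1000 ** 3,
}

# Constructed sample of a domain capabilities document advertising 64 MiB of EPC
# (the <sgx> element shape follows the cover letter; 'features' is assumed).
SAMPLE_DOMCAPS_SGX = """<domainCapabilities>
  <features>
    <sgx supported='yes'>
      <epc_size unit='KiB'>65536</epc_size>
    </sgx>
  </features>
</domainCapabilities>"""

# Constructed sample of a host/QEMU without SGX.
SAMPLE_DOMCAPS_NO_SGX = """<domainCapabilities>
  <features>
    <sgx supported='no'/>
  </features>
</domainCapabilities>"""

# Constructed minimal guest definition the launchSecurity element is added to.
SAMPLE_DOMAIN = """<domain type='kvm'>
  <name>sgx-guest</name>
  <memory unit='MiB'>2048</memory>
  <os><type arch='x86_64' machine='q35'>hvm</type></os>
</domain>"""


def _to_bytes(value, unit):
    """Convert a libvirt size element's text plus unit attribute to bytes."""
    if unit not in _UNITS:
        raise ValueError(f"unsupported size unit {unit!r}")
    return int(str(value).strip()) * _UNITS[unit]


def sgx_epc_available(domcaps_xml):
    """Return the EPC size in bytes advertised by the domain capabilities,
    or None when <sgx supported='yes'> is absent (no SGX on host or QEMU)."""
    root = ET.fromstring(domcaps_xml)
    sgx = root.find(".//sgx")
    if sgx is None or sgx.get("supported") != "yes":
        return None
    epc = sgx.find("epc_size")
    if epc is None:
        raise ValueError("<sgx supported='yes'> without an <epc_size> child")
    return _to_bytes(epc.text, epc.get("unit", "B"))


def build_sgx_domain_xml(domain_xml, domcaps_xml, epc_kib):
    """Add <launchSecurity type='sgx'><epc_size unit='KiB'>N</epc_size></launchSecurity>
    to domain_xml after checking the request against the advertised EPC.
    Raises RuntimeError if SGX is unsupported and ValueError if the request
    is non-positive, exceeds the host EPC, or the domain already has
    launchSecurity (the element is single-valued, so do not silently overwrite)."""
    available = sgx_epc_available(domcaps_xml)
    if available is None:
        raise RuntimeError("domain capabilities do not report SGX support")
    requested = _to_bytes(epc_kib, "KiB")
    if requested <= 0:
        raise ValueError("EPC size must be positive")
    if requested > available:
        raise ValueError(
            f"requested EPC {requested} bytes exceeds advertised {available} bytes")
    root = ET.fromstring(domain_xml)
    if root.find("launchSecurity") is not None:
        raise ValueError("domain definition already contains <launchSecurity>")
    ls = ET.SubElement(root, "launchSecurity", type="sgx")
    epc = ET.SubElement(ls, "epc_size", unit="KiB")
    epc.text = str(int(epc_kib))
    return ET.tostring(root, encoding="unicode")


def sgx_epc_requested(domain_xml):
    """Read back the EPC request (in bytes) from a domain definition, or None."""
    epc = ET.fromstring(domain_xml).find("launchSecurity[@type='sgx']/epc_size")
    return None if epc is None else _to_bytes(epc.text, epc.get("unit", "B"))


def start_sgx_domain(uri, domain_xml, epc_kib,
                     emulator="/usr/bin/qemu-system-x86_64"):
    """Live round trip against a hypervisor; needs libvirt-python and a libvirt
    build carrying this series. Imported lazily so the helpers above run offline."""
    import libvirt
    conn = libvirt.open(uri)
    try:
        caps = conn.getDomainCapabilities(emulator, "x86_64", "q35", "kvm", 0)
        return conn.createXML(build_sgx_domain_xml(domain_xml, caps, epc_kib), 0)
    finally:
        conn.close()
```

`ET.tostring()` emits double-quoted attributes, so the generated element reads `<launchSecurity type="sgx">`; libvirt accepts either quoting style. The example deliberately refuses to start a guest against capabilities that lack `<sgx supported='yes'>` instead of falling back to a non-SGX guest, so a missing or misconfigured host never silently produces a VM without enclave protection.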
