** Description changed: + [ Impact ] + + * SGX EPC passthrough, cannot add memory module=sgx-epc + * Despite having SGX enabled on the host, a VM wont run with the memory-backend-epc module. + + * This is fixed (upstream) by allowing QEMU access some additional + files, if SGX memory model is configured for the domain: + + 1) /dev/sgx_vepc needs to be RW + 2) /dev/sgx_provision needs to be RO + + (This was already done in the SELinux driver before but was missing in + AppArmor.) + + [ Test Plan ] + + - Setup SGX on host machine + - Setup virsh and then configure vm, add XML tags for SGX in CPU and add memory-backend-epc module: + <memory model='sgx-epc'> + <target> + <size unit='KiB'>16384</size> + </target> + </memory> + + - Run the VM, it should NOT show this error: + "Error starting domain: internal error: QEMU unexpectedly closed the monitor (vm='ubuntu24.04'): 2025-02-21T17:27:05.276761Z qemu-system-x86_64: invalid object type: memory-backend-epc + " + + [ Where problems could occur ] + + * This change modifies src/security/virt-aa-helper.c – should anything + go wrong we could see generic AppArmor denials, blocking arbitrary + functionality. + + [ Other Info ] + + * Upstream bug: https://gitlab.com/libvirt/libvirt/-/issues/751 + * Upstream fix: https://gitlab.com/libvirt/libvirt/-/commit/291186daa39c7be8ac2960130dfd70cc8c62bb99 + + --- original bug report --- + Hello, I am trying to find out why my VM wont run with the memory-backend-epc module. Despite having SGX enabled on my host. I did a little bug issue on the upstream which was just merged into upstream: https://gitlab.com/libvirt/libvirt/-/issues/751 I am wondering if this can be backported to the stable release as well? 
I also have the question here : https://askubuntu.com/questions/1542027/sgx-passthrough-to-qemu-vm- ubuntu-24-04/1542366#1542366 For more information on the bug itself: Software environment - Architecture: x86_x64 - kernel version: 6.8.0-53-generic - libvirt version: libvirt 10.0.0 - Operating system: 24.04 LTS (Ubuntu 24.04.2 LTS) - Hypervisor and version: QEMU 8.2.2 Following the official documentation I add the module ``` <memory model='sgx-epc'> - <target> - <size unit='KiB'>16384</size> - </target> - </memory> + <target> + <size unit='KiB'>16384</size> + </target> + </memory> ``` But run into this error: ``` Error starting domain: internal error: QEMU unexpectedly closed the monitor (vm='ubuntu24.04'): 2025-02-21T17:27:05.276761Z qemu-system-x86_64: invalid object type: memory-backend-epc Traceback (most recent call last): - File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper - callback(asyncjob, *args, **kwargs) - File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb - callback(*args, **kwargs) - File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn - ret = fn(self, *args, **kwargs) - ^^^^^^^^^^^^^^^^^^^^^^^^^ - File "/usr/share/virt-manager/virtManager/object/domain.py", line 1402, in startup - self._backend.create() - File "/usr/lib/python3/dist-packages/libvirt.py", line 1379, in create - raise libvirtError('virDomainCreate() failed') + File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper + callback(asyncjob, *args, **kwargs) + File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb + callback(*args, **kwargs) + File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn + ret = fn(self, *args, **kwargs) + ^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/usr/share/virt-manager/virtManager/object/domain.py", line 1402, in startup + self._backend.create() + File "/usr/lib/python3/dist-packages/libvirt.py", line 1379, in 
create + raise libvirtError('virDomainCreate() failed') libvirt.libvirtError: internal error: QEMU unexpectedly closed the monitor (vm='ubuntu24.04'): 2025-02-21T17:27:05.276761Z qemu-system-x86_64: invalid object type: memory-backend-epc ``` Steps to reproduce - + - Setup SGX on host machine - Setup virsh and then configure vm, add XML tags for SGX in CPU and add memory-backend-epc module. - Run the VM. Additional Information: My XML config ``` <domain type="kvm"> - <name>ubuntu24.04</name> - <uuid>87cd126a-047f-4b41-938f-2d19ee19d198</uuid> - <metadata> - <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0"> - <libosinfo:os id="http://ubuntu.com/ubuntu/24.04"/> - </libosinfo:libosinfo> - </metadata> - <maxMemory slots="16" unit="KiB">82313216</maxMemory> - <memory unit="KiB">65650688</memory> - <currentMemory unit="KiB">65634304</currentMemory> - <vcpu placement="static">10</vcpu> - <os> - <type arch="x86_64" machine="pc-q35-8.2">hvm</type> - <boot dev="hd"/> - </os> - <features> - <acpi/> - <apic/> - <vmport state="off"/> - </features> - <cpu mode="host-passthrough" check="none" migratable="on"> - <feature policy="require" name="sgx"/> - <feature policy="require" name="sgxlc"/> - <feature policy="require" name="sgx1"/> - <feature policy="require" name="sgx2"/> - <feature policy="require" name="sgx-exinfo"/> - <feature policy="require" name="sgx-debug"/> - <feature policy="require" name="sgx-mode64"/> - <feature policy="require" name="sgx-provisionkey"/> - <feature policy="require" name="sgx-tokenkey"/> - <feature policy="require" name="sgx-kss"/> - <feature policy="require" name="sgx-edeccssa"/> - <feature policy="require" name="sgx-aex-notify"/> - <numa> - <cell id="0" cpus="0-9" memory="65634304" unit="KiB"/> - </numa> - </cpu> - <clock offset="utc"> - <timer name="rtc" tickpolicy="catchup"/> - <timer name="pit" tickpolicy="delay"/> - <timer name="hpet" present="no"/> - </clock> - <on_poweroff>destroy</on_poweroff> - 
<on_reboot>restart</on_reboot> - <on_crash>destroy</on_crash> - <pm> - <suspend-to-mem enabled="no"/> - <suspend-to-disk enabled="no"/> - </pm> - <devices> - <emulator>/usr/bin/qemu-system-x86_64</emulator> - <disk type="file" device="disk"> - <driver name="qemu" type="qcow2" discard="unmap"/> - <source file="/var/lib/libvirt/images/ubuntu24.04.qcow2"/> - <target dev="vda" bus="virtio"/> - <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/> - </disk> - <disk type="file" device="cdrom"> - <driver name="qemu" type="raw"/> - <target dev="sda" bus="sata"/> - <readonly/> - <address type="drive" controller="0" bus="0" target="0" unit="0"/> - </disk> - <controller type="usb" index="0" model="qemu-xhci" ports="15"> - <address type="pci" domain="0x0000" bus="0x02" slot="0x00" function="0x0"/> - </controller> - <controller type="pci" index="0" model="pcie-root"/> - <controller type="pci" index="1" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="1" port="0x10"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0" multifunction="on"/> - </controller> - <controller type="pci" index="2" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="2" port="0x11"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x1"/> - </controller> - <controller type="pci" index="3" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="3" port="0x12"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x2"/> - </controller> - <controller type="pci" index="4" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="4" port="0x13"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x3"/> - </controller> - <controller type="pci" index="5" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="5" port="0x14"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x02" 
function="0x4"/> - </controller> - <controller type="pci" index="6" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="6" port="0x15"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x5"/> - </controller> - <controller type="pci" index="7" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="7" port="0x16"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x6"/> - </controller> - <controller type="pci" index="8" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="8" port="0x17"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x7"/> - </controller> - <controller type="pci" index="9" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="9" port="0x18"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0" multifunction="on"/> - </controller> - <controller type="pci" index="10" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="10" port="0x19"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x1"/> - </controller> - <controller type="pci" index="11" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="11" port="0x1a"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x2"/> - </controller> - <controller type="pci" index="12" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="12" port="0x1b"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x3"/> - </controller> - <controller type="pci" index="13" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="13" port="0x1c"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x4"/> - </controller> - <controller type="pci" index="14" model="pcie-root-port"> - <model name="pcie-root-port"/> - <target chassis="14" port="0x1d"/> - <address type="pci" 
domain="0x0000" bus="0x00" slot="0x03" function="0x5"/> - </controller> - <controller type="sata" index="0"> - <address type="pci" domain="0x0000" bus="0x00" slot="0x1f" function="0x2"/> - </controller> - <controller type="virtio-serial" index="0"> - <address type="pci" domain="0x0000" bus="0x03" slot="0x00" function="0x0"/> - </controller> - <interface type="network"> - <mac address="52:54:00:1b:f4:13"/> - <source network="default"/> - <model type="virtio"/> - <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/> - </interface> - <serial type="pty"> - <target type="isa-serial" port="0"> - <model name="isa-serial"/> - </target> - </serial> - <console type="pty"> - <target type="serial" port="0"/> - </console> - <channel type="unix"> - <target type="virtio" name="org.qemu.guest_agent.0"/> - <address type="virtio-serial" controller="0" bus="0" port="1"/> - </channel> - <channel type="spicevmc"> - <target type="virtio" name="com.redhat.spice.0"/> - <address type="virtio-serial" controller="0" bus="0" port="2"/> - </channel> - <input type="tablet" bus="usb"> - <address type="usb" bus="0" port="1"/> - </input> - <input type="mouse" bus="ps2"/> - <input type="keyboard" bus="ps2"/> - <graphics type="spice" autoport="yes"> - <listen type="address"/> - </graphics> - <sound model="ich9"> - <address type="pci" domain="0x0000" bus="0x00" slot="0x1b" function="0x0"/> - </sound> - <audio id="1" type="spice"/> - <video> - <model type="qxl" ram="65536" vram="65536" vgamem="16384" heads="1" primary="yes"/> - <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0"/> - </video> - <redirdev bus="usb" type="spicevmc"> - <address type="usb" bus="0" port="2"/> - </redirdev> - <redirdev bus="usb" type="spicevmc"> - <address type="usb" bus="0" port="3"/> - </redirdev> - <watchdog model="itco" action="reset"/> - <memballoon model="virtio"> - <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/> - </memballoon> - <rng 
model="virtio"> - <backend model="random">/dev/urandom</backend> - <address type="pci" domain="0x0000" bus="0x06" slot="0x00" function="0x0"/> - </rng> - <memory model="sgx-epc"> - <target> - <size unit="KiB">16384</size> - </target> - </memory> - </devices> + <name>ubuntu24.04</name> + <uuid>87cd126a-047f-4b41-938f-2d19ee19d198</uuid> + <metadata> + <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0"> + <libosinfo:os id="http://ubuntu.com/ubuntu/24.04"/> + </libosinfo:libosinfo> + </metadata> + <maxMemory slots="16" unit="KiB">82313216</maxMemory> + <memory unit="KiB">65650688</memory> + <currentMemory unit="KiB">65634304</currentMemory> + <vcpu placement="static">10</vcpu> + <os> + <type arch="x86_64" machine="pc-q35-8.2">hvm</type> + <boot dev="hd"/> + </os> + <features> + <acpi/> + <apic/> + <vmport state="off"/> + </features> + <cpu mode="host-passthrough" check="none" migratable="on"> + <feature policy="require" name="sgx"/> + <feature policy="require" name="sgxlc"/> + <feature policy="require" name="sgx1"/> + <feature policy="require" name="sgx2"/> + <feature policy="require" name="sgx-exinfo"/> + <feature policy="require" name="sgx-debug"/> + <feature policy="require" name="sgx-mode64"/> + <feature policy="require" name="sgx-provisionkey"/> + <feature policy="require" name="sgx-tokenkey"/> + <feature policy="require" name="sgx-kss"/> + <feature policy="require" name="sgx-edeccssa"/> + <feature policy="require" name="sgx-aex-notify"/> + <numa> + <cell id="0" cpus="0-9" memory="65634304" unit="KiB"/> + </numa> + </cpu> + <clock offset="utc"> + <timer name="rtc" tickpolicy="catchup"/> + <timer name="pit" tickpolicy="delay"/> + <timer name="hpet" present="no"/> + </clock> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <pm> + <suspend-to-mem enabled="no"/> + <suspend-to-disk enabled="no"/> + </pm> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk 
type="file" device="disk"> + <driver name="qemu" type="qcow2" discard="unmap"/> + <source file="/var/lib/libvirt/images/ubuntu24.04.qcow2"/> + <target dev="vda" bus="virtio"/> + <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/> + </disk> + <disk type="file" device="cdrom"> + <driver name="qemu" type="raw"/> + <target dev="sda" bus="sata"/> + <readonly/> + <address type="drive" controller="0" bus="0" target="0" unit="0"/> + </disk> + <controller type="usb" index="0" model="qemu-xhci" ports="15"> + <address type="pci" domain="0x0000" bus="0x02" slot="0x00" function="0x0"/> + </controller> + <controller type="pci" index="0" model="pcie-root"/> + <controller type="pci" index="1" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="1" port="0x10"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0" multifunction="on"/> + </controller> + <controller type="pci" index="2" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="2" port="0x11"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x1"/> + </controller> + <controller type="pci" index="3" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="3" port="0x12"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x2"/> + </controller> + <controller type="pci" index="4" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="4" port="0x13"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x3"/> + </controller> + <controller type="pci" index="5" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="5" port="0x14"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x4"/> + </controller> + <controller type="pci" index="6" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="6" port="0x15"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x02" 
function="0x5"/> + </controller> + <controller type="pci" index="7" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="7" port="0x16"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x6"/> + </controller> + <controller type="pci" index="8" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="8" port="0x17"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x7"/> + </controller> + <controller type="pci" index="9" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="9" port="0x18"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0" multifunction="on"/> + </controller> + <controller type="pci" index="10" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="10" port="0x19"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x1"/> + </controller> + <controller type="pci" index="11" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="11" port="0x1a"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x2"/> + </controller> + <controller type="pci" index="12" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="12" port="0x1b"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x3"/> + </controller> + <controller type="pci" index="13" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="13" port="0x1c"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x4"/> + </controller> + <controller type="pci" index="14" model="pcie-root-port"> + <model name="pcie-root-port"/> + <target chassis="14" port="0x1d"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x5"/> + </controller> + <controller type="sata" index="0"> + <address type="pci" domain="0x0000" bus="0x00" slot="0x1f" function="0x2"/> + </controller> + <controller 
type="virtio-serial" index="0"> + <address type="pci" domain="0x0000" bus="0x03" slot="0x00" function="0x0"/> + </controller> + <interface type="network"> + <mac address="52:54:00:1b:f4:13"/> + <source network="default"/> + <model type="virtio"/> + <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/> + </interface> + <serial type="pty"> + <target type="isa-serial" port="0"> + <model name="isa-serial"/> + </target> + </serial> + <console type="pty"> + <target type="serial" port="0"/> + </console> + <channel type="unix"> + <target type="virtio" name="org.qemu.guest_agent.0"/> + <address type="virtio-serial" controller="0" bus="0" port="1"/> + </channel> + <channel type="spicevmc"> + <target type="virtio" name="com.redhat.spice.0"/> + <address type="virtio-serial" controller="0" bus="0" port="2"/> + </channel> + <input type="tablet" bus="usb"> + <address type="usb" bus="0" port="1"/> + </input> + <input type="mouse" bus="ps2"/> + <input type="keyboard" bus="ps2"/> + <graphics type="spice" autoport="yes"> + <listen type="address"/> + </graphics> + <sound model="ich9"> + <address type="pci" domain="0x0000" bus="0x00" slot="0x1b" function="0x0"/> + </sound> + <audio id="1" type="spice"/> + <video> + <model type="qxl" ram="65536" vram="65536" vgamem="16384" heads="1" primary="yes"/> + <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0"/> + </video> + <redirdev bus="usb" type="spicevmc"> + <address type="usb" bus="0" port="2"/> + </redirdev> + <redirdev bus="usb" type="spicevmc"> + <address type="usb" bus="0" port="3"/> + </redirdev> + <watchdog model="itco" action="reset"/> + <memballoon model="virtio"> + <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/> + </memballoon> + <rng model="virtio"> + <backend model="random">/dev/urandom</backend> + <address type="pci" domain="0x0000" bus="0x06" slot="0x00" function="0x0"/> + </rng> + <memory model="sgx-epc"> + <target> + <size unit="KiB">16384</size> + 
</target> + </memory> + </devices> </domain> ```
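To make the fix described in the Impact section concrete, the following is an added example (my own, not libvirt's code nor the upstream commit): it derives the two AppArmor rules virt-aa-helper must grant for a domain that declares <memory model='sgx-epc'>, checks a generated libvirt-<uuid>.files profile for them, and picks the matching denials out of audit log lines. The domain XML, the profile excerpt and the log lines are constructed, and the rule format assumes virt-aa-helper's '  "path" mode,' style.

```python
import re
import xml.etree.ElementTree as ET

# Device access the upstream fix grants when <memory model='sgx-epc'> is present.
SGX_RULES = {"/dev/sgx_vepc": "rw", "/dev/sgx_provision": "r"}

# Constructed minimal domain XML mirroring the report's SGX device.
SAMPLE_DOMAIN_XML = """<domain type="kvm">
  <name>sgx-test</name>
  <memory unit="KiB">65650688</memory>
  <devices>
    <memory model="sgx-epc"><target><size unit="KiB">16384</size></target></memory>
  </devices>
</domain>"""

# Constructed excerpt of a libvirt-<uuid>.files profile that grants only vepc.
SAMPLE_PROFILE = '  "/var/lib/libvirt/images/sgx-test.qcow2" rwk,\n  "/dev/sgx_vepc" rw,\n'

# Constructed audit lines; the profile UUID is a placeholder, not the report's.
SAMPLE_LOG = [
    'audit: type=1400 audit(1740158825.276:77): apparmor="DENIED" operation="open" '
    'profile="libvirt-00000000-0000-0000-0000-000000000000" name="/dev/sgx_provision" '
    'pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'audit: type=1400 audit(1740158825.300:78): apparmor="DENIED" operation="open" '
    'profile="libvirt-00000000-0000-0000-0000-000000000000" name="/dev/net/tun" '
    'pid=4242 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0',
]

def domain_uses_sgx_epc(domain_xml: str) -> bool:
    """True if the domain declares <devices>/<memory model='sgx-epc'>."""
    root = ET.fromstring(domain_xml)
    return any(m.get("model") == "sgx-epc" for m in root.findall("./devices/memory"))

def expected_sgx_rules(domain_xml: str) -> list:
    """Rules in virt-aa-helper's .files format ('  "path" mode,') the domain needs."""
    if not domain_uses_sgx_epc(domain_xml):
        return []
    return [f'  "{path}" {mode},' for path, mode in SGX_RULES.items()]

def missing_sgx_rules(domain_xml: str, profile_text: str) -> list:
    """SGX rules the domain needs that the generated profile does not grant."""
    missing = []
    if not domain_uses_sgx_epc(domain_xml):
        return missing
    for path, mode in SGX_RULES.items():
        m = re.search(r'^\s*"?' + re.escape(path) + r'"?\s+([a-z]+),', profile_text, re.M)
        # A rule counts only if every required permission letter is granted.
        if not m or not set(mode) <= set(m.group(1)):
            missing.append(f"{path} {mode}")
    return missing

DENIAL_RE = re.compile(r'apparmor="DENIED".*?name="([^"]+)".*?requested_mask="([^"]+)"')

def sgx_denials(log_lines) -> list:
    """(path, mask) pairs for AppArmor denials that hit the SGX device nodes."""
    hits = []
    for line in log_lines:
        m = DENIAL_RE.search(line)
        if m and m.group(1) in SGX_RULES:
            hits.append((m.group(1), m.group(2)))
    return hits
```

On a patched host, missing_sgx_rules() against the real libvirt-<uuid>.files should return an empty list and the audit log should show no entries for either device node.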
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2100024

Title:
  apparmor: SGX EPC passthrough, cannot add memory module=sgx-epc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2100024/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
