[libvirt][PATCH v10 0/5] Support query and use SGX

Haibin Huang posted 5 patches 2 years, 3 months ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/20220129015001.7781-1-haibin.huang@intel.com
docs/formatdomain.rst                         |   9 +-
docs/formatdomaincaps.html.in                 |  26 ++++
docs/schemas/domaincaps.rng                   |  22 ++-
docs/schemas/domaincommon.rng                 |   1 +
src/conf/domain_capabilities.c                |  29 ++++
src/conf/domain_capabilities.h                |  13 ++
src/conf/domain_conf.c                        |   6 +
src/conf/domain_conf.h                        |   1 +
src/conf/domain_validate.c                    |  16 ++
src/libvirt_private.syms                      |   1 +
src/qemu/qemu_alias.c                         |   3 +
src/qemu/qemu_capabilities.c                  | 137 ++++++++++++++++++
src/qemu/qemu_capabilities.h                  |   4 +
src/qemu/qemu_capspriv.h                      |   4 +
src/qemu/qemu_command.c                       |   1 +
src/qemu/qemu_domain.c                        |  38 +++--
src/qemu/qemu_domain_address.c                |   6 +
src/qemu/qemu_driver.c                        |   1 +
src/qemu/qemu_monitor.c                       |  10 ++
src/qemu/qemu_monitor.h                       |   3 +
src/qemu/qemu_monitor_json.c                  |  84 ++++++++++-
src/qemu/qemu_monitor_json.h                  |   9 ++
src/qemu/qemu_process.c                       |   2 +
src/qemu/qemu_validate.c                      |   8 +
src/security/security_apparmor.c              |   1 +
src/security/security_dac.c                   |   2 +
src/security/security_selinux.c               |   2 +
tests/domaincapsdata/bhyve_basic.x86_64.xml   |   1 +
tests/domaincapsdata/bhyve_fbuf.x86_64.xml    |   1 +
tests/domaincapsdata/bhyve_uefi.x86_64.xml    |   1 +
tests/domaincapsdata/empty.xml                |   1 +
tests/domaincapsdata/libxl-xenfv.xml          |   1 +
tests/domaincapsdata/libxl-xenpv.xml          |   1 +
.../domaincapsdata/qemu_2.11.0-q35.x86_64.xml |   1 +
.../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml |   1 +
tests/domaincapsdata/qemu_2.11.0.s390x.xml    |   1 +
tests/domaincapsdata/qemu_2.11.0.x86_64.xml   |   1 +
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml |   1 +
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml |   1 +
.../qemu_2.12.0-virt.aarch64.xml              |   1 +
tests/domaincapsdata/qemu_2.12.0.aarch64.xml  |   1 +
tests/domaincapsdata/qemu_2.12.0.ppc64.xml    |   1 +
tests/domaincapsdata/qemu_2.12.0.s390x.xml    |   1 +
tests/domaincapsdata/qemu_2.12.0.x86_64.xml   |   1 +
.../domaincapsdata/qemu_2.4.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_2.4.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_2.5.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_2.5.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_2.6.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml  |   1 +
.../qemu_2.6.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_2.6.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_2.6.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_2.6.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_2.7.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_2.7.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_2.7.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_2.8.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_2.8.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_2.8.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_2.9.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_2.9.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_2.9.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_2.9.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_3.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_3.0.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_3.0.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_3.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_3.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_3.1.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_3.1.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_4.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml  |   1 +
.../qemu_4.0.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_4.0.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_4.0.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_4.0.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_4.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_4.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_4.1.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml  |   1 +
.../qemu_4.2.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_4.2.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_4.2.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_4.2.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_4.2.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_5.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml  |   1 +
.../qemu_5.0.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_5.0.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_5.0.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_5.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_5.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_5.1.0.sparc.xml     |   1 +
tests/domaincapsdata/qemu_5.1.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_5.2.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml  |   1 +
.../qemu_5.2.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_5.2.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_5.2.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_5.2.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_5.2.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_6.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml  |   1 +
.../qemu_6.0.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_6.0.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_6.0.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_6.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_6.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_6.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_6.1.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_6.2.0-q35.x86_64.xml  |   4 +
.../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml  |   4 +
.../qemu_6.2.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_6.2.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_6.2.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_6.2.0.x86_64.xml    |   4 +
.../domaincapsdata/qemu_7.0.0-q35.x86_64.xml  |   4 +
.../domaincapsdata/qemu_7.0.0-tcg.x86_64.xml  |   4 +
tests/domaincapsdata/qemu_7.0.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_7.0.0.x86_64.xml    |   4 +
.../caps_6.2.0.x86_64.replies                 |  22 ++-
.../caps_6.2.0.x86_64.xml                     |   5 +
.../caps_7.0.0.x86_64.replies                 |  22 ++-
.../caps_7.0.0.x86_64.xml                     |   5 +
tests/qemuxml2argvdata/sgx-epc.xml            |  36 +++++
.../sgx-epc.x86_64-latest.xml                 |  52 +++++++
tests/qemuxml2xmltest.c                       |   2 +
138 files changed, 675 insertions(+), 30 deletions(-)
create mode 100644 tests/qemuxml2argvdata/sgx-epc.xml
create mode 100644 tests/qemuxml2xmloutdata/sgx-epc.x86_64-latest.xml
[libvirt][PATCH v10 0/5] Support query and use SGX
Posted by Haibin Huang 2 years, 3 months ago
This patch series provides support for enabling Intel's Software
Guard Extensions (SGX) feature in guest VMs.
SGX support has already been merged in QEMU. Intel SGX is a
set of instructions that increases the security of application code
and data, giving them more protection from disclosure or modification.
Developers can partition sensitive information into enclaves, which
are areas of execution in memory with more security protection.

It depends on QEMU fixing[1], which will move cpu QOM object from 
/machine/unattached/device[nn] to /machine/cpu[nn]. It requires libvirt
to change the default cpu QOM object location once QEMU patch gets
accepted, but it is out of this SGX patch scope.

The typical flow looks below at very high level:

1. Calls virConnectGetDomainCapabilities API to domain capabilities 
that includes the following SGX information.

<feature>
   ...
   <sgx supported='yes'>
     <epc_size unit='KiB'>N</epc_size>
   </sgx>
   ...
 </feature>

2. User requests to start a guest calling virCreateXML() with SGX
requirement. It does not support NUMA yet, since latest QEMU 6.2
release does not support NUMA.
It should contain

<devices>
    ...
    <memory model='sgx-epc'>
       <target>
           <size unit='KiB'>N</size>
       </target>
    </memory>
    ...
</devices>

[1] https://lists.nongnu.org/archive/html/qemu-devel/2022-01/msg03534.html

Haibin Huang (3):
  qemu: provide support to query the SGX capability
  conf: expose SGX feature in domain capabilities
  Add unit test for domaincapsdata sgx

Lin Yang (2):
  conf: Introduce SGX EPC element into device memory xml
  Update default CPU location in qemu QOM tree

 docs/formatdomain.rst                         |   9 +-
 docs/formatdomaincaps.html.in                 |  26 ++++
 docs/schemas/domaincaps.rng                   |  22 ++-
 docs/schemas/domaincommon.rng                 |   1 +
 src/conf/domain_capabilities.c                |  29 ++++
 src/conf/domain_capabilities.h                |  13 ++
 src/conf/domain_conf.c                        |   6 +
 src/conf/domain_conf.h                        |   1 +
 src/conf/domain_validate.c                    |  16 ++
 src/libvirt_private.syms                      |   1 +
 src/qemu/qemu_alias.c                         |   3 +
 src/qemu/qemu_capabilities.c                  | 137 ++++++++++++++++++
 src/qemu/qemu_capabilities.h                  |   4 +
 src/qemu/qemu_capspriv.h                      |   4 +
 src/qemu/qemu_command.c                       |   1 +
 src/qemu/qemu_domain.c                        |  38 +++--
 src/qemu/qemu_domain_address.c                |   6 +
 src/qemu/qemu_driver.c                        |   1 +
 src/qemu/qemu_monitor.c                       |  10 ++
 src/qemu/qemu_monitor.h                       |   3 +
 src/qemu/qemu_monitor_json.c                  |  84 ++++++++++-
 src/qemu/qemu_monitor_json.h                  |   9 ++
 src/qemu/qemu_process.c                       |   2 +
 src/qemu/qemu_validate.c                      |   8 +
 src/security/security_apparmor.c              |   1 +
 src/security/security_dac.c                   |   2 +
 src/security/security_selinux.c               |   2 +
 tests/domaincapsdata/bhyve_basic.x86_64.xml   |   1 +
 tests/domaincapsdata/bhyve_fbuf.x86_64.xml    |   1 +
 tests/domaincapsdata/bhyve_uefi.x86_64.xml    |   1 +
 tests/domaincapsdata/empty.xml                |   1 +
 tests/domaincapsdata/libxl-xenfv.xml          |   1 +
 tests/domaincapsdata/libxl-xenpv.xml          |   1 +
 .../domaincapsdata/qemu_2.11.0-q35.x86_64.xml |   1 +
 .../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml |   1 +
 tests/domaincapsdata/qemu_2.11.0.s390x.xml    |   1 +
 tests/domaincapsdata/qemu_2.11.0.x86_64.xml   |   1 +
 .../domaincapsdata/qemu_2.12.0-q35.x86_64.xml |   1 +
 .../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml |   1 +
 .../qemu_2.12.0-virt.aarch64.xml              |   1 +
 tests/domaincapsdata/qemu_2.12.0.aarch64.xml  |   1 +
 tests/domaincapsdata/qemu_2.12.0.ppc64.xml    |   1 +
 tests/domaincapsdata/qemu_2.12.0.s390x.xml    |   1 +
 tests/domaincapsdata/qemu_2.12.0.x86_64.xml   |   1 +
 .../domaincapsdata/qemu_2.4.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.4.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.5.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.5.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.6.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml  |   1 +
 .../qemu_2.6.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_2.6.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_2.6.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_2.6.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.7.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.7.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_2.7.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.8.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.8.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_2.8.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.9.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.9.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_2.9.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_2.9.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_3.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_3.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_3.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_3.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_3.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_3.1.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_3.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_4.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_4.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_4.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_4.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_4.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_4.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.2.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml  |   1 +
 .../qemu_4.2.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_4.2.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_4.2.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_4.2.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_4.2.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_5.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_5.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_5.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_5.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_5.1.0.sparc.xml     |   1 +
 tests/domaincapsdata/qemu_5.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.2.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml  |   1 +
 .../qemu_5.2.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_5.2.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_5.2.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_5.2.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_5.2.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_6.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_6.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_6.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_6.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_6.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_6.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_6.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_6.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_6.2.0-q35.x86_64.xml  |   4 +
 .../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml  |   4 +
 .../qemu_6.2.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_6.2.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_6.2.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_6.2.0.x86_64.xml    |   4 +
 .../domaincapsdata/qemu_7.0.0-q35.x86_64.xml  |   4 +
 .../domaincapsdata/qemu_7.0.0-tcg.x86_64.xml  |   4 +
 tests/domaincapsdata/qemu_7.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_7.0.0.x86_64.xml    |   4 +
 .../caps_6.2.0.x86_64.replies                 |  22 ++-
 .../caps_6.2.0.x86_64.xml                     |   5 +
 .../caps_7.0.0.x86_64.replies                 |  22 ++-
 .../caps_7.0.0.x86_64.xml                     |   5 +
 tests/qemuxml2argvdata/sgx-epc.xml            |  36 +++++
 .../sgx-epc.x86_64-latest.xml                 |  52 +++++++
 tests/qemuxml2xmltest.c                       |   2 +
 138 files changed, 675 insertions(+), 30 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/sgx-epc.xml
 create mode 100644 tests/qemuxml2xmloutdata/sgx-epc.x86_64-latest.xml

-- 
2.17.1