[v8] Support query and use SGX

[libvirt][PATCH v8 0/5] Support query and use SGX

Haibin Huang posted 5 patches 2 years, 4 months ago

Diff against v4 v5 v6 v9 v10 v10 v11 v12 v12 v13 v14 v15 v16 v17
Download series mbox

Failed in applying to current master (apply log)

There is a newer version of this series

docs/schemas/domaincaps.rng                   |  22 ++-
docs/schemas/domaincommon.rng                 |   1 +
src/conf/domain_capabilities.c                |  29 ++++
src/conf/domain_capabilities.h                |  13 ++
src/conf/domain_conf.c                        |   6 +
src/conf/domain_conf.h                        |   1 +
src/conf/domain_validate.c                    |   1 +
src/libvirt_private.syms                      |   1 +
src/qemu/qemu_alias.c                         |   6 +-
src/qemu/qemu_capabilities.c                  | 143 +++++++++++++++++-
src/qemu/qemu_capabilities.h                  |   4 +
src/qemu/qemu_command.c                       |  41 ++++-
src/qemu/qemu_domain.c                        |  12 +-
src/qemu/qemu_domain_address.c                |   6 +
src/qemu/qemu_driver.c                        |   1 +
src/qemu/qemu_monitor.c                       |  10 ++
src/qemu/qemu_monitor.h                       |   3 +
src/qemu/qemu_monitor_json.c                  |  83 ++++++++++
src/qemu/qemu_monitor_json.h                  |   3 +
src/qemu/qemu_process.c                       |   2 +
src/qemu/qemu_validate.c                      |   8 +
src/security/security_apparmor.c              |   1 +
src/security/security_dac.c                   |   2 +
src/security/security_selinux.c               |   2 +
tests/domaincapsdata/bhyve_basic.x86_64.xml   |   1 +
tests/domaincapsdata/bhyve_fbuf.x86_64.xml    |   1 +
tests/domaincapsdata/bhyve_uefi.x86_64.xml    |   1 +
tests/domaincapsdata/empty.xml                |   1 +
tests/domaincapsdata/libxl-xenfv.xml          |   1 +
tests/domaincapsdata/libxl-xenpv.xml          |   1 +
.../domaincapsdata/qemu_2.11.0-q35.x86_64.xml |   1 +
.../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml |   1 +
tests/domaincapsdata/qemu_2.11.0.s390x.xml    |   1 +
tests/domaincapsdata/qemu_2.11.0.x86_64.xml   |   1 +
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml |   1 +
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml |   1 +
.../qemu_2.12.0-virt.aarch64.xml              |   1 +
tests/domaincapsdata/qemu_2.12.0.aarch64.xml  |   1 +
tests/domaincapsdata/qemu_2.12.0.ppc64.xml    |   1 +
tests/domaincapsdata/qemu_2.12.0.s390x.xml    |   1 +
tests/domaincapsdata/qemu_2.12.0.x86_64.xml   |   1 +
.../domaincapsdata/qemu_2.4.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_2.4.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_2.5.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_2.5.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_2.6.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml  |   1 +
.../qemu_2.6.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_2.6.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_2.6.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_2.6.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_2.7.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_2.7.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_2.7.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_2.8.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_2.8.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_2.8.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_2.9.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_2.9.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_2.9.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_2.9.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_3.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_3.0.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_3.0.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_3.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_3.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_3.1.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_3.1.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_4.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml  |   1 +
.../qemu_4.0.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_4.0.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_4.0.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_4.0.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_4.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_4.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_4.1.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml  |   1 +
.../qemu_4.2.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_4.2.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_4.2.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_4.2.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_4.2.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_5.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml  |   1 +
.../qemu_5.0.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_5.0.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_5.0.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_5.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_5.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_5.1.0.sparc.xml     |   1 +
tests/domaincapsdata/qemu_5.1.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_5.2.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml  |   1 +
.../qemu_5.2.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_5.2.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_5.2.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_5.2.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_5.2.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_6.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml  |   1 +
.../qemu_6.0.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_6.0.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_6.0.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_6.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_6.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_6.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_6.1.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_6.2.0-q35.x86_64.xml  |   4 +
.../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml  |   4 +
tests/domaincapsdata/qemu_6.2.0.x86_64.xml    |   4 +
.../caps_6.2.0.x86_64.replies                 |  22 ++-
.../caps_6.2.0.x86_64.xml                     |   5 +
.../sgx-epc.x86_64-6.2.0.args                 |  37 +++++
tests/qemuxml2argvdata/sgx-epc.xml            |  36 +++++
tests/qemuxml2argvtest.c                      |   2 +
126 files changed, 597 insertions(+), 12 deletions(-)
create mode 100644 tests/qemuxml2argvdata/sgx-epc.x86_64-6.2.0.args
create mode 100644 tests/qemuxml2argvdata/sgx-epc.xml

Expand all Fold all

[libvirt][PATCH v8 0/5] Support query and use SGX

Posted by Haibin Huang 2 years, 4 months ago

This patch series provides support for enabling Intel's Software Guard Extensions (SGX) 
feature in guest VM.
Giving the SGX support in QEMU be accepted and will be merged in two days Intel 
Software Guard Extensions (Intel SGX) is a set of instructions that increases the security
of application code and data, giving them more protection from disclosure or modification. 
Developers can partition sensitive information into enclaves, which are areas of execution
in memory with more security protection.
 
The typical flow looks below at very high level:
 
1. Calls virConnectGetDomainCapabilities API to domain capabilities that 
includes the following SGX information.
 
<feature>
...
  <sgx supported='yes'> 
    <epc_size unit='KiB'>N</epc_size>
  </sgx>
</feature>
 
2. User requests to start a guest calling virCreateXML() with SGX requirement. 
It should contain
 
 <devices>
      ...
      <memory model='sgx-epc'>
        <target>
          <size unit='KiB'>N</size>
        </target>
      </memory>
      ...
  </devices>

Haibin Huang (2):
  Get SGX Capabilities from QEMU
  Transfer Qemu SGX Capabilities to XML

Lin Yang (3):
  conf: Introduce SGX EPC element into device memory xml
  qemu: Add command-line to generate SGX EPC memory backend
  Add unit tests for guest VM creation command with SGX EPC

 docs/schemas/domaincaps.rng                   |  22 ++-
 docs/schemas/domaincommon.rng                 |   1 +
 src/conf/domain_capabilities.c                |  29 ++++
 src/conf/domain_capabilities.h                |  13 ++
 src/conf/domain_conf.c                        |   6 +
 src/conf/domain_conf.h                        |   1 +
 src/conf/domain_validate.c                    |   1 +
 src/libvirt_private.syms                      |   1 +
 src/qemu/qemu_alias.c                         |   6 +-
 src/qemu/qemu_capabilities.c                  | 143 +++++++++++++++++-
 src/qemu/qemu_capabilities.h                  |   4 +
 src/qemu/qemu_command.c                       |  41 ++++-
 src/qemu/qemu_domain.c                        |  12 +-
 src/qemu/qemu_domain_address.c                |   6 +
 src/qemu/qemu_driver.c                        |   1 +
 src/qemu/qemu_monitor.c                       |  10 ++
 src/qemu/qemu_monitor.h                       |   3 +
 src/qemu/qemu_monitor_json.c                  |  83 ++++++++++
 src/qemu/qemu_monitor_json.h                  |   3 +
 src/qemu/qemu_process.c                       |   2 +
 src/qemu/qemu_validate.c                      |   8 +
 src/security/security_apparmor.c              |   1 +
 src/security/security_dac.c                   |   2 +
 src/security/security_selinux.c               |   2 +
 tests/domaincapsdata/bhyve_basic.x86_64.xml   |   1 +
 tests/domaincapsdata/bhyve_fbuf.x86_64.xml    |   1 +
 tests/domaincapsdata/bhyve_uefi.x86_64.xml    |   1 +
 tests/domaincapsdata/empty.xml                |   1 +
 tests/domaincapsdata/libxl-xenfv.xml          |   1 +
 tests/domaincapsdata/libxl-xenpv.xml          |   1 +
 .../domaincapsdata/qemu_2.11.0-q35.x86_64.xml |   1 +
 .../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml |   1 +
 tests/domaincapsdata/qemu_2.11.0.s390x.xml    |   1 +
 tests/domaincapsdata/qemu_2.11.0.x86_64.xml   |   1 +
 .../domaincapsdata/qemu_2.12.0-q35.x86_64.xml |   1 +
 .../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml |   1 +
 .../qemu_2.12.0-virt.aarch64.xml              |   1 +
 tests/domaincapsdata/qemu_2.12.0.aarch64.xml  |   1 +
 tests/domaincapsdata/qemu_2.12.0.ppc64.xml    |   1 +
 tests/domaincapsdata/qemu_2.12.0.s390x.xml    |   1 +
 tests/domaincapsdata/qemu_2.12.0.x86_64.xml   |   1 +
 .../domaincapsdata/qemu_2.4.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.4.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.5.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.5.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.6.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml  |   1 +
 .../qemu_2.6.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_2.6.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_2.6.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_2.6.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.7.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.7.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_2.7.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.8.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.8.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_2.8.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_2.9.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_2.9.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_2.9.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_2.9.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_3.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_3.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_3.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_3.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_3.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_3.1.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_3.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_4.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_4.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_4.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_4.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_4.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_4.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_4.2.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml  |   1 +
 .../qemu_4.2.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_4.2.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_4.2.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_4.2.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_4.2.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_5.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_5.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_5.0.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_5.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_5.1.0.sparc.xml     |   1 +
 tests/domaincapsdata/qemu_5.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_5.2.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml  |   1 +
 .../qemu_5.2.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_5.2.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_5.2.0.ppc64.xml     |   1 +
 tests/domaincapsdata/qemu_5.2.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_5.2.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_6.0.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml  |   1 +
 .../qemu_6.0.0-virt.aarch64.xml               |   1 +
 tests/domaincapsdata/qemu_6.0.0.aarch64.xml   |   1 +
 tests/domaincapsdata/qemu_6.0.0.s390x.xml     |   1 +
 tests/domaincapsdata/qemu_6.0.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_6.1.0-q35.x86_64.xml  |   1 +
 .../domaincapsdata/qemu_6.1.0-tcg.x86_64.xml  |   1 +
 tests/domaincapsdata/qemu_6.1.0.x86_64.xml    |   1 +
 .../domaincapsdata/qemu_6.2.0-q35.x86_64.xml  |   4 +
 .../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml  |   4 +
 tests/domaincapsdata/qemu_6.2.0.x86_64.xml    |   4 +
 .../caps_6.2.0.x86_64.replies                 |  22 ++-
 .../caps_6.2.0.x86_64.xml                     |   5 +
 .../sgx-epc.x86_64-6.2.0.args                 |  37 +++++
 tests/qemuxml2argvdata/sgx-epc.xml            |  36 +++++
 tests/qemuxml2argvtest.c                      |   2 +
 126 files changed, 597 insertions(+), 12 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/sgx-epc.x86_64-6.2.0.args
 create mode 100644 tests/qemuxml2argvdata/sgx-epc.xml

-- 
2.17.1