[libvirt][PATCH v15 0/9] Support query and use SGX

Lin Yang posted 9 patches 1 year, 8 months ago
There is a newer version of this series
docs/formatdomain.rst                         |  25 +-
docs/formatdomaincaps.rst                     |  40 ++++
src/conf/domain_capabilities.c                |  46 ++++
src/conf/domain_capabilities.h                |  21 ++
src/conf/domain_conf.c                        |  30 +++
src/conf/domain_conf.h                        |   1 +
src/conf/domain_postparse.c                   |   1 +
src/conf/domain_validate.c                    |   9 +
src/conf/schemas/domaincaps.rng               |  37 +++
src/conf/schemas/domaincommon.rng             |   1 +
src/libvirt_private.syms                      |   1 +
src/qemu/qemu_alias.c                         |   6 +-
src/qemu/qemu_capabilities.c                  | 219 ++++++++++++++++++
src/qemu/qemu_capabilities.h                  |   6 +
src/qemu/qemu_cgroup.c                        |  76 +++++-
src/qemu/qemu_command.c                       |  66 +++++-
src/qemu/qemu_domain.c                        |  48 ++--
src/qemu/qemu_domain.h                        |   2 +
src/qemu/qemu_domain_address.c                |   6 +
src/qemu/qemu_driver.c                        |   1 +
src/qemu/qemu_monitor.c                       |  10 +
src/qemu/qemu_monitor.h                       |   3 +
src/qemu/qemu_monitor_json.c                  | 137 ++++++++++-
src/qemu/qemu_monitor_json.h                  |   4 +
src/qemu/qemu_namespace.c                     |  20 +-
src/qemu/qemu_process.c                       |   2 +
src/qemu/qemu_validate.c                      |  40 ++++
src/security/security_apparmor.c              |   1 +
src/security/security_dac.c                   |  46 ++--
src/security/security_selinux.c               |   2 +
tests/domaincapsdata/bhyve_basic.x86_64.xml   |   1 +
tests/domaincapsdata/bhyve_fbuf.x86_64.xml    |   1 +
tests/domaincapsdata/bhyve_uefi.x86_64.xml    |   1 +
tests/domaincapsdata/empty.xml                |   1 +
tests/domaincapsdata/libxl-xenfv.xml          |   1 +
tests/domaincapsdata/libxl-xenpv.xml          |   1 +
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml  |   1 +
.../qemu_4.2.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_4.2.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_4.2.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_4.2.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_4.2.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_5.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml  |   1 +
.../qemu_5.0.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_5.0.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_5.0.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_5.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_5.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_5.1.0.sparc.xml     |   1 +
tests/domaincapsdata/qemu_5.1.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_5.2.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml  |   1 +
.../qemu_5.2.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_5.2.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_5.2.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_5.2.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_5.2.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_6.0.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml  |   1 +
.../qemu_6.0.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_6.0.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_6.0.0.s390x.xml     |   1 +
tests/domaincapsdata/qemu_6.0.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_6.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_6.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_6.1.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_6.2.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml  |   1 +
.../qemu_6.2.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_6.2.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_6.2.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_6.2.0.x86_64.xml    |   1 +
.../domaincapsdata/qemu_7.0.0-q35.x86_64.xml  |   9 +
.../domaincapsdata/qemu_7.0.0-tcg.x86_64.xml  |   9 +
.../qemu_7.0.0-virt.aarch64.xml               |   1 +
tests/domaincapsdata/qemu_7.0.0.aarch64.xml   |   1 +
tests/domaincapsdata/qemu_7.0.0.ppc64.xml     |   1 +
tests/domaincapsdata/qemu_7.0.0.x86_64.xml    |   9 +
.../domaincapsdata/qemu_7.1.0-q35.x86_64.xml  |   1 +
.../domaincapsdata/qemu_7.1.0-tcg.x86_64.xml  |   1 +
tests/domaincapsdata/qemu_7.1.0.x86_64.xml    |   1 +
.../caps_6.2.0.x86_64.replies                 |  27 ++-
.../caps_7.0.0.x86_64.replies                 |  34 ++-
.../caps_7.0.0.x86_64.xml                     |  10 +
.../caps_7.1.0.x86_64.replies                 |  21 +-
.../sgx-epc.x86_64-7.0.0.args                 |  40 ++++
tests/qemuxml2argvdata/sgx-epc.xml            |  64 +++++
tests/qemuxml2argvtest.c                      |   2 +
.../sgx-epc.x86_64-7.0.0.xml                  |   1 +
tests/qemuxml2xmltest.c                       |   2 +
93 files changed, 1107 insertions(+), 79 deletions(-)
create mode 100644 tests/qemuxml2argvdata/sgx-epc.x86_64-7.0.0.args
create mode 100644 tests/qemuxml2argvdata/sgx-epc.xml
create mode 120000 tests/qemuxml2xmloutdata/sgx-epc.x86_64-7.0.0.xml
[libvirt][PATCH v15 0/9] Support query and use SGX
Posted by Lin Yang 1 year, 8 months ago
The previous v14 version can be found here:

https://listman.redhat.com/archives/libvir-list/2022-July/233257.html

Diff to v14:
- Dropped SGX support for QEMU 6.2.0, only focus on QEMU 7.0.0 (BTW, I
  noticed the default QEMU version in RHEL9 is still 6.2.0, so those
  users cannot access this feature unless they manually upgrade QEMU)
- Removed total EPC size from domain capability, since the corresponding
  attribute is marked as deprecated in QMP command
  "query-sgx-capabilities"
- Some cleanups to address comments (pin test to 7.0.0, more validations
  on qemu_validate.c, name issue, use built-in functions, ...)

BTW, it still adds SGX EPC as a memory device, since basically SGX EPC is
one kind of memory. More specifically, a private region of memory, so
didn't add additional general memory. QEMU allocates part of it and
passes it through to the guest VM. I don't have a better alternative to
represent it in the domain definition.

Haibin Huang (4):
  domain_capabilities: Define SGX capabilities structs
  qemu: Get SGX capabilities form QMP
  Convert QMP capabilities to domain capabilities
  conf: expose SGX feature in domain capabilities

Lin Yang (2):
  conf: Introduce SGX EPC element into device memory xml
  qemu: Add command-line to generate SGX EPC memory backend

Michal Prívozník (3):
  qemu_cgroup: Allow SGX in devices controller
  qemu_namespace: Create SGX related nodes in domain's namespace
  security_dac: Set DAC label on SGX /dev nodes


-- 
2.25.1

Re: [libvirt][PATCH v15 0/9] Support query and use SGX
Posted by Yang, Lin A 1 year, 7 months ago
On 8/31/22, 12:43 AM, "Yang, Lin A" <lin.a.yang@intel.com> wrote:

> The previous v14 version can be found here:
>
> https://listman.redhat.com/archives/libvir-list/2022-July/233257.html
>
> Diff to v14:
> - Dropped SGX support for QEMU 6.2.0, only focus on QEMU 7.0.0 (BTW, I
>   noticed the default QEMU version in RHEL9 is still 6.2.0, so those
>   users cannot access this feature unless they manually upgrade QEMU)
> - Removed total EPC size from domain capability, since the corresponding
>   attribute is marked as deprecated in QMP command
>   "query-sgx-capabilities"
> - Some cleanups to address comments (pin test to 7.0.0, more validations
>   on qemu_validate.c, name issue, use built-in functions, ...)
>
> BTW, it still adds SGX EPC as a memory device, since basically SGX EPC is
> one kind of memory. More specifically, a private region of memory, so
> didn't add additional general memory. QEMU allocates part of it and
> passes it through to the guest VM. I don't have a better alternative to
> represent it in the domain definition.

Any comments will be highly appreciated!

Thanks,
Lin Yang.