This patch series provides support for enabling Intel's Software Guard
Extensions (SGX) feature in guest VM.
Giving the SGX support in QEMU is still pending for reviewing, this
patch series is not submmited for code review, but only describe the
SGX enabling solution design that contains changes to
virConnectGetDomainCapabilities API response and domain definition. All
comments/suggestions would be highly appreciated.
Intel Software Guard Extensions (Intel® SGX) is a set of instructions
that increases the security of application code and data, giving them
more protection from disclosure or modification. Developers can partition
sensitive information into enclaves, which are areas of execution in memory
with more security protection.
The typical flow looks below at very high level:
1. Calls virConnectGetDomainCapabilities API to domain capabilities that
includes the following SGX information.
<feature>
...
<sgx supported='yes'>
<epc_size unit=’KiB’>N</epc_size>
</sgx>
</feature>
2. User requests to start a guest calling virCreateXML() with SGX requirement.
It should contain
<devices>
...
<memory model='sgx-epc'>
<target>
<size unit='KiB'>N</size>
</target>
</memory>
...
</devices>
Haibin Huang (3):
Support to query SGX capability
Add dommaincaps unit test
add qemu capabilities version 5.2.0
Lin Yang (3):
conf: Introduce SGX EPC element into device memory xml
qemu: Add command-line to generate SGX EPC memory backend
Add unit tests for guest VM creation command with SGX EPC
docs/schemas/domaincaps.rng | 17 +
docs/schemas/domaincommon.rng | 1 +
src/conf/domain_capabilities.c | 29 +
src/conf/domain_capabilities.h | 13 +
src/conf/domain_conf.c | 4 +
src/conf/domain_conf.h | 1 +
src/libvirt_private.syms | 2 +-
src/qemu/qemu_alias.c | 8 +-
src/qemu/qemu_capabilities.c | 146 +
src/qemu/qemu_capabilities.h | 6 +
src/qemu/qemu_command.c | 42 +-
src/qemu/qemu_domain.c | 10 +-
src/qemu/qemu_monitor.c | 10 +
src/qemu/qemu_monitor.h | 3 +
src/qemu/qemu_monitor_json.c | 91 +
src/qemu/qemu_monitor_json.h | 3 +
src/security/security_apparmor.c | 1 +
src/security/security_dac.c | 2 +
src/security/security_selinux.c | 2 +
tests/domaincapsdata/bhyve_basic.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_fbuf.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_uefi.x86_64.xml | 1 +
tests/domaincapsdata/empty.xml | 1 +
tests/domaincapsdata/libxl-xenfv.xml | 1 +
tests/domaincapsdata/libxl-xenpv.xml | 1 +
.../domaincapsdata/qemu_1.5.3-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.5.3-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.5.3.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.6.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.6.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.6.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.7.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.7.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.7.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.1.1-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.1.1-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.1.1.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.10.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.10.0-tcg.x86_64.xml | 1 +
.../qemu_2.10.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 1 +
.../qemu_2.12.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.4.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.4.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.5.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.5.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.6.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml | 1 +
.../qemu_2.6.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.7.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.7.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.7.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.8.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.8.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.8.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.9.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml | 1 +
.../qemu_4.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_4.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 1 +
.../qemu_4.2.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml | 1 +
.../qemu_5.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_5.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.2.0-q35.x86_64.xml | 207 +
.../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml | 201 +
tests/domaincapsdata/qemu_5.2.0.x86_64.xml | 207 +
.../caps_5.2.0.x86_64.replies | 29649 ++++++++++++++++
.../caps_5.2.0.x86_64.xml | 3189 ++
.../sgx-epc.x86_64-5.1.0.args | 41 +
tests/qemuxml2argvdata/sgx-epc.xml | 40 +
tests/qemuxml2argvtest.c | 1 +
123 files changed, 34013 insertions(+), 9 deletions(-)
create mode 100644 tests/domaincapsdata/qemu_5.2.0-q35.x86_64.xml
create mode 100644 tests/domaincapsdata/qemu_5.2.0-tcg.x86_64.xml
create mode 100644 tests/domaincapsdata/qemu_5.2.0.x86_64.xml
create mode 100644 tests/qemucapabilitiesdata/caps_5.2.0.x86_64.replies
create mode 100644 tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml
create mode 100644 tests/qemuxml2argvdata/sgx-epc.x86_64-5.1.0.args
create mode 100644 tests/qemuxml2argvdata/sgx-epc.xml
--
2.17.1
