vmm: Enable provisioning for SGX guest

The guest can see that SGX supports provisioning as it is exposed
through the CPUID. This patch enables the proper backing of this
feature by having the host open the provisioning device and enable
this capability through the hypervisor.

Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>

vmm/src/memory_manager.rs

@@ -213,6 +213,14 @@ pub enum Error {
     #[cfg(target_arch = "x86_64")]
     SgxVirtEpcFileSetLen(io::Error),
 
+    /// Failed opening SGX provisioning device
+    #[cfg(target_arch = "x86_64")]
+    SgxProvisionOpen(io::Error),
+
+    /// Failed enabling SGX provisioning
+    #[cfg(target_arch = "x86_64")]
+    SgxEnableProvisioning(hypervisor::HypervisorVmError),
+
     /// Failed creating a new MmapRegion instance.
     #[cfg(target_arch = "x86_64")]
     NewMmapRegion(vm_memory::mmap::MmapRegionError),
@@ -1370,7 +1378,18 @@ impl MemoryManager {
     }
 
     #[cfg(target_arch = "x86_64")]
-    pub fn setup_sgx(&mut self, sgx_epc_config: Vec<SgxEpcConfig>) -> Result<(), Error> {
+    pub fn setup_sgx(
+        &mut self,
+        sgx_epc_config: Vec<SgxEpcConfig>,
+        vm: &Arc<dyn hypervisor::Vm>,
+    ) -> Result<(), Error> {
+        let file = OpenOptions::new()
+            .read(true)
+            .open("/dev/sgx_provision")
+            .map_err(Error::SgxProvisionOpen)?;
+        vm.enable_sgx_attribute(file)
+            .map_err(Error::SgxEnableProvisioning)?;
+
         // Go over each EPC section and verify its size is a 4k multiple. At
         // the same time, calculate the total size needed for the contiguous
         // EPC region.

vmm/src/vm.rs

@@ -724,7 +724,7 @@ impl Vm {
                 memory_manager
                     .lock()
                     .unwrap()
-                    .setup_sgx(sgx_epc_config)
+                    .setup_sgx(sgx_epc_config, &vm)
                     .map_err(Error::MemoryManager)?;
             }
         }