External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-07-01 15:42:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

conf: expose SGX feature in domain capabilities

Browse Source 
Extend hypervisor capabilities to include sgx feature. When available,
the hypervisor supports launching an VM with SGX on Intel platfrom.
The SGX feature tag privides additional details like section size and
sgx1 or sgx2.

Signed-off-by: Haibin Huang <haibin.huang@intel.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Haibin Huang 2022-11-10 17:21:22 -08:00 committed by Michal Privoznik
parent 6b7c36c8c2
commit 8db09767a9
62 changed files with 220 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
docs/formatdomaincaps.rst
View File

@ -614,6 +614,16 @@ capabilities. All features occur as children of the main ``features`` element.
<cbitpos>47</cbitpos>
<reduced-phys-bits>1</reduced-phys-bits>
</sev>
<sgx supported='yes'>
<flc>no</flc>
<sgx1>yes</sgx1>
<sgx2>no</sgx2>
<section_size unit='KiB'>524288</section_size>
<sections>
<section node='0' size='262144' unit='KiB'/>
<section node='1' size='262144' unit='KiB'/>
</sections>
</sgx>
</features>
</domainCapabilities>
@ -693,3 +703,33 @@ in domain XML <formatdomain.html#launch-security>`__
``maxESGuests``
The maximum number of SEV-ES guests that can be launched on the host. This
value may be configurable in the firmware for some hosts.
SGX capabilities
^^^^^^^^^^^^^^^^
Intel Software Guard Extensions (Intel SGX) capabilities are exposed under the
``sgx`` element.
Intel SGX helps protect data in use via unique application isolation technology.
Protect selected code and data from modification using hardened enclaves with
Intel SGX.
For more details on the SGX feature, please follow resources in the SGX developer's
document store. In order to use SGX with libvirt have a look at `SGX in domain XML
<formatdomain.html#memory-devices>`__
``flc``
FLC (Flexible Launch Control), not strictly part of SGX2, but was not part of
original SGX hardware either.
``sgx1``
the sgx version 1.
``sgx2``
The sgx version 2.
``section_size``
The size of the SGX enclave page cache (called EPC).
``sections``
The sections of the SGX enclave page cache (called EPC).

36
src/conf/domain_capabilities.c
View File

@ -99,6 +99,7 @@ virDomainCapsDispose(void *obj)
virObjectUnref(caps->cpu.custom);
virCPUDefFree(caps->cpu.hostModel);
virSEVCapabilitiesFree(caps->sev);
virSGXCapabilitiesFree(caps->sgx);
values = &caps->os.loader.values;
for (i = 0; i < values->nvalues; i++)
@ -648,6 +649,40 @@ virDomainCapsFeatureSEVFormat(virBuffer *buf,
virBufferAddLit(buf, "</sev>\n");
}
static void
virDomainCapsFeatureSGXFormat(virBuffer *buf,
const virSGXCapability *sgx)
{
if (!sgx) {
virBufferAddLit(buf, "<sgx supported='no'/>\n");
return;
}
virBufferAddLit(buf, "<sgx supported='yes'>\n");
virBufferAdjustIndent(buf, 2);
virBufferAsprintf(buf, "<flc>%s</flc>\n", sgx->flc ? "yes" : "no");
virBufferAsprintf(buf, "<sgx1>%s</sgx1>\n", sgx->sgx1 ? "yes" : "no");
virBufferAsprintf(buf, "<sgx2>%s</sgx2>\n", sgx->sgx2 ? "yes" : "no");
virBufferAsprintf(buf, "<section_size unit='KiB'>%llu</section_size>\n", sgx->section_size);
if (sgx->nSgxSections > 0) {
size_t i;
virBufferAddLit(buf, "<sections>\n");
for (i = 0; i < sgx->nSgxSections; i++) {
virBufferAdjustIndent(buf, 2);
virBufferAsprintf(buf, "<section node='%d' ", sgx->sgxSections[i].node);
virBufferAsprintf(buf, "size='%llu' ", sgx->sgxSections[i].size);
virBufferAddLit(buf, "unit='KiB'/>\n");
virBufferAdjustIndent(buf, -2);
}
virBufferAddLit(buf, "</sections>\n");
}
virBufferAdjustIndent(buf, -2);
virBufferAddLit(buf, "</sgx>\n");
}
static void
virDomainCapsFormatFeatures(const virDomainCaps *caps,
@ -668,6 +703,7 @@ virDomainCapsFormatFeatures(const virDomainCaps *caps,
}
virDomainCapsFeatureSEVFormat(&childBuf, caps->sev);
virDomainCapsFeatureSGXFormat(&childBuf, caps->sgx);
virXMLFormatElement(buf, "features", NULL, &childBuf);
}

43
src/conf/schemas/domaincaps.rng
View File

@ -293,6 +293,9 @@
<optional>
<ref name="sev"/>
</optional>
<optional>
<ref name="sgx"/>
</optional>
</element>
</define>
@ -353,6 +356,46 @@
</element>
</define>
<define name="sgx">
<element name="sgx">
<ref name="supported"/>
<optional>
<element name="flc">
<ref name="virYesNo"/>
</element>
<element name="sgx1">
<ref name="virYesNo"/>
</element>
<element name="sgx2">
<ref name="virYesNo"/>
</element>
<element name="section_size">
<attribute name="unit">
<value>KiB</value>
</attribute>
<data type="unsignedLong"/>
</element>
<optional>
<element name="sections">
<zeroOrMore>
<element name="section">
<attribute name="node">
<data type="unsignedInt"/>
</attribute>
<attribute name="size">
<data type="unsignedLong"/>
</attribute>
<attribute name="unit">
<value>KiB</value>
</attribute>
</element>
</zeroOrMore>
</element>
</optional>
</optional>
</element>
</define>
<define name="value">
<zeroOrMore>
<element name="value">

16
src/qemu/qemu_capabilities.c
View File

@ -6633,6 +6633,21 @@ virQEMUCapsFillDomainFeatureS390PVCaps(virQEMUCaps *qemuCaps,
}
}
/**
* virQEMUCapsFillDomainFeatureSGXCaps:
* @qemuCaps: QEMU capabilities
* @domCaps: domain capabilities
*
* Take the information about SGX capabilities that has been obtained
* using the 'query-sgx-capabilities' QMP command and stored in @qemuCaps
* and convert it to a form suitable for @domCaps.
*/
static void
virQEMUCapsFillDomainFeatureSGXCaps(virQEMUCaps *qemuCaps,
virDomainCaps *domCaps)
{
virQEMUCapsSGXInfoCopy(&domCaps->sgx, qemuCaps->sgxCapabilities);
}
int
virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
@ -6689,6 +6704,7 @@ virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
virQEMUCapsFillDomainFeatureGICCaps(qemuCaps, domCaps);
virQEMUCapsFillDomainFeatureSEVCaps(qemuCaps, domCaps);
virQEMUCapsFillDomainFeatureS390PVCaps(qemuCaps, domCaps);
virQEMUCapsFillDomainFeatureSGXCaps(qemuCaps, domCaps);
return 0;
}

1
tests/domaincapsdata/bhyve_basic.x86_64.xml
View File

@ -33,5 +33,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/bhyve_fbuf.x86_64.xml
View File

@ -50,5 +50,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/bhyve_uefi.x86_64.xml
View File

@ -42,5 +42,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/empty.xml
View File

@ -13,5 +13,6 @@
</devices>
<features>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/libxl-xenfv.xml
View File

@ -76,5 +76,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/libxl-xenpv.xml
View File

@ -66,5 +66,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
View File

@ -236,5 +236,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
View File

@ -251,5 +251,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
View File

@ -184,5 +184,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_4.2.0.aarch64.xml
View File

@ -178,5 +178,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_4.2.0.ppc64.xml
View File

@ -151,5 +151,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_4.2.0.s390x.xml
View File

@ -258,5 +258,6 @@
<backup supported='no'/>
<s390-pv supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_4.2.0.x86_64.xml
View File

@ -236,5 +236,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
View File

@ -238,5 +238,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
View File

@ -253,5 +253,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
View File

@ -196,5 +196,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.0.0.aarch64.xml
View File

@ -190,5 +190,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.0.0.ppc64.xml
View File

@ -157,5 +157,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.0.0.x86_64.xml
View File

@ -238,5 +238,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
View File

@ -239,5 +239,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
View File

@ -253,5 +253,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.1.0.sparc.xml
View File

@ -125,5 +125,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.1.0.x86_64.xml
View File

@ -239,5 +239,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.2.0-q35.x86_64.xml
View File

@ -239,5 +239,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.2.0-tcg.x86_64.xml
View File

@ -253,5 +253,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.2.0-virt.aarch64.xml
View File

@ -196,5 +196,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.2.0.aarch64.xml
View File

@ -190,5 +190,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.2.0.ppc64.xml
View File

@ -157,5 +157,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.2.0.s390x.xml
View File

@ -260,5 +260,6 @@
<backup supported='no'/>
<s390-pv supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_5.2.0.x86_64.xml
View File

@ -239,5 +239,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.0.0-q35.x86_64.xml
View File

@ -246,5 +246,6 @@
<maxGuests>59</maxGuests>
<maxESGuests>450</maxESGuests>
</sev>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.0.0-tcg.x86_64.xml
View File

@ -261,5 +261,6 @@
<maxGuests>59</maxGuests>
<maxESGuests>450</maxESGuests>
</sev>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.0.0-virt.aarch64.xml
View File

@ -198,5 +198,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.0.0.aarch64.xml
View File

@ -192,5 +192,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.0.0.s390x.xml
View File

@ -261,5 +261,6 @@
<backup supported='no'/>
<s390-pv supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.0.0.x86_64.xml
View File

@ -246,5 +246,6 @@
<maxGuests>59</maxGuests>
<maxESGuests>450</maxESGuests>
</sev>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.1.0-q35.x86_64.xml
View File

@ -242,5 +242,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.1.0-tcg.x86_64.xml
View File

@ -256,5 +256,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.1.0.x86_64.xml
View File

@ -242,5 +242,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.2.0-q35.x86_64.xml
View File

@ -242,5 +242,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.2.0-tcg.x86_64.xml
View File

@ -258,5 +258,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.2.0-virt.aarch64.xml
View File

@ -205,5 +205,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.2.0.aarch64.xml
View File

@ -199,5 +199,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.2.0.ppc64.xml
View File

@ -156,5 +156,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_6.2.0.x86_64.xml
View File

@ -242,5 +242,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

10
tests/domaincapsdata/qemu_7.0.0-q35.x86_64.xml
View File

@ -243,5 +243,15 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='yes'>
<flc>no</flc>
<sgx1>yes</sgx1>
<sgx2>no</sgx2>
<section_size unit='KiB'>524288</section_size>
<sections>
<section node='0' size='262144' unit='KiB'/>
<section node='1' size='262144' unit='KiB'/>
</sections>
</sgx>
</features>
</domainCapabilities>

10
tests/domaincapsdata/qemu_7.0.0-tcg.x86_64.xml
View File

@ -259,5 +259,15 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='yes'>
<flc>no</flc>
<sgx1>yes</sgx1>
<sgx2>no</sgx2>
<section_size unit='KiB'>524288</section_size>
<sections>
<section node='0' size='262144' unit='KiB'/>
<section node='1' size='262144' unit='KiB'/>
</sections>
</sgx>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_7.0.0-virt.aarch64.xml
View File

@ -204,5 +204,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_7.0.0.aarch64.xml
View File

@ -198,5 +198,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_7.0.0.ppc64.xml
View File

@ -161,5 +161,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

10
tests/domaincapsdata/qemu_7.0.0.x86_64.xml
View File

@ -243,5 +243,15 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='yes'>
<flc>no</flc>
<sgx1>yes</sgx1>
<sgx2>no</sgx2>
<section_size unit='KiB'>524288</section_size>
<sections>
<section node='0' size='262144' unit='KiB'/>
<section node='1' size='262144' unit='KiB'/>
</sections>
</sgx>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_7.1.0-q35.x86_64.xml
View File

@ -242,5 +242,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_7.1.0-tcg.x86_64.xml
View File

@ -257,5 +257,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_7.1.0.ppc64.xml
View File

@ -154,5 +154,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_7.1.0.x86_64.xml
View File

@ -242,5 +242,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_7.2.0-q35.x86_64.xml
View File

@ -247,5 +247,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_7.2.0-tcg.x86_64.xml
View File

@ -246,5 +246,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>

1
tests/domaincapsdata/qemu_7.2.0.x86_64.xml
View File

@ -247,5 +247,6 @@
<backingStoreInput supported='yes'/>
<backup supported='yes'/>
<sev supported='no'/>
<sgx supported='no'/>
</features>
</domainCapabilities>