On Tue, Mar 05, 2019 at 05:23:04PM +0000, Mohammed, Karimullah wrote:
> Hi Daniel,
> MKTME supports encryption of memory (NVRAM) for Virtual Machines (hardware
> based encryption). This feature uses Linux kernel key ring services, i.e.
> operations like allocation and clearing of secrets/keys. These keys are
> used in encryption of memory in Virtual Machines. So MKTME provides
> encryption of the entire RAM of a VM allocated to it, thereby supporting a VM
> isolation feature.
> So to implement this functionality in openstack:
> 1. Nova executes a host capability command to identify whether the hardware
> supports MKTME (openstack xml host_capabilities command request
> -->> libvirt ->> QEMU) -- qemu monitoring commands
> 2. Once the hardware is identified, and if the user configures an mktme policy
> to launch a VM in openstack, Nova
> a. Sends a new xml command request to libvirt, then libvirt makes
> a syscall to Linux kernel key ring services to get/retrieve a
> key/key-handle for this VM (we are not sure at this point
> whether to make this syscall directly in libvirt or through QEMU)
What will openstack do with the key / key-handle it gets back from
libvirt?

Why does it need to allocate one before starting the VMs, as opposed
to letting QEMU or libvirt allocate it during startup?

By allocating it separately from the VM start request it opens the
possibility for leaking keys, if VM startup fails and the mgmt app
doesn't release the now unused key.
> b. Once the key is retrieved, Nova compute executes a VM launch
> xml command request to libvirt with a new argument called
> mktme-keyhandle, which will send a command request to QEMU
> to launch the VM (we are in the process of supporting this
> functionality in QEMU for the VM launch operation, with a new
> mktme-key argument)
> We are not sure where to make this (2a) kernel system call at present
> and are looking for suggestions.
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|