SGX memory backend needs to access /dev/sgx_vepc (which allows
userspace to allocate "raw" EPC without an associated enclave)
and /dev/sgx_provision (which allows creating provisioning
enclaves). Allow these two devices in cgroups when a domain is
configured to use SGX memory.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_cgroup.c | 76 +++++++++++++++++++++++++++++++++++-------
src/qemu/qemu_domain.h | 2 ++
2 files changed, 66 insertions(+), 12 deletions(-)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index d6f27a5a4d..6b1d9afd5f 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -120,6 +120,28 @@ qemuCgroupDenyDevicePath(virDomainObj *vm,
}
+static int
+qemuCgroupDenyDevicesPaths(virDomainObj *vm,
+ const char *const *paths,
+ int perms,
+ bool ignoreEacces)
+{
+ size_t i;
+
+ for (i = 0; paths[i] != NULL; i++) {
+ if (!virFileExists(paths[i])) {
+ VIR_DEBUG("Ignoring non-existent device %s", paths[i]);
+ continue;
+ }
+
+ if (qemuCgroupDenyDevicePath(vm, paths[i], perms, ignoreEacces) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+
static int
qemuSetupImagePathCgroup(virDomainObj *vm,
const char *path,
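Review bot: The new qemuCgroupDenyDevicesPaths helper at the top of the hunk has no header comment, although its contract has two non-obvious parts: @paths must be NULL-terminated, and a path that does not exist is skipped at debug level rather than reported. I would add above its `static int`: `/* Revoke @perms on every existing path in the NULL-terminated @paths. Missing device nodes are skipped (logged at debug level); a cgroup failure returns -1 after the earlier paths have already been denied. */`. Skipping a missing node is presumably right for teardown since there is nothing left to look up, but it is worth stating, because a node that vanished between setup and teardown will leave the earlier allow rule in place without any warning from this loop.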
@@ -520,16 +542,31 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
virDomainMemoryDef *mem)
{
qemuDomainObjPrivate *priv = vm->privateData;
-
- if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
- mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
- return 0;
+ const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC,
+ QEMU_DEV_SGX_PROVISION, NULL };
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
return 0;
- return qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
- VIR_CGROUP_DEVICE_RW, false);
+ switch (mem->model) {
+ case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+ case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
+ if (qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
+ VIR_CGROUP_DEVICE_RW, false) < 0)
+ return -1;
+ break;
+ case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+ if (qemuCgroupAllowDevicesPaths(vm, sgxPaths, VIR_CGROUP_DEVICE_RW, false) <
0)
+ return -1;
+ break;
+ case VIR_DOMAIN_MEMORY_MODEL_NONE:
+ case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+ case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
+ case VIR_DOMAIN_MEMORY_MODEL_LAST:
+ break;
+ }
+
+ return 0;
}
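Review bot: The SGX_EPC arm grants /dev/sgx_provision to every domain that carries an SGX EPC memory device, not only to those that will run provisioning enclaves, and nothing in the hunk records that this is deliberate. If the domain XML has no way to express whether provisioning is wanted (I cannot tell from this patch), this is the widest reasonable grant and a reader will ask whether it should be opt-in; a one-line comment on the sgxPaths initializer would settle it, e.g. `/* EPC allocation needs sgx_vepc; sgx_provision is granted as well because QEMU may open it for provisioning enclaves. */`. Note also that the SGX arm calls qemuCgroupAllowDevicesPaths, which this patch does not add, so it must already exist in the file; the helper introduced in the first hunk is only its Deny counterpart.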
@@ -538,16 +575,31 @@ qemuTeardownMemoryDevicesCgroup(virDomainObj *vm,
virDomainMemoryDef *mem)
{
qemuDomainObjPrivate *priv = vm->privateData;
-
- if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
- mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
- return 0;
+ const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC,
+ QEMU_DEV_SGX_PROVISION, NULL };
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
return 0;
- return qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
- VIR_CGROUP_DEVICE_RWM, false);
+ switch (mem->model) {
+ case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+ case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
+ if (qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
+ VIR_CGROUP_DEVICE_RWM, false) < 0)
+ return -1;
+ break;
+ case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+ if (qemuCgroupDenyDevicesPaths(vm, sgxPaths, VIR_CGROUP_DEVICE_RW, false) <
0)
+ return -1;
+ break;
+ case VIR_DOMAIN_MEMORY_MODEL_NONE:
+ case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+ case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
+ case VIR_DOMAIN_MEMORY_MODEL_LAST:
+ break;
+ }
+
+ return 0;
}
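Review bot: The SGX_EPC arm denies VIR_CGROUP_DEVICE_RW on the sgx paths while the NVDIMM/PMEM arm just above it, and the pre-patch code this replaces, deny VIR_CGROUP_DEVICE_RWM, so the two arms of one switch revoke different permission sets. Denying RW does revert exactly what the setup hunk granted, so this is probably harmless, but the mismatch reads as an oversight; either change the SGX call to `qemuCgroupDenyDevicesPaths(vm, sgxPaths, VIR_CGROUP_DEVICE_RWM, false)` or add a comment saying why RW is sufficient there.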
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 4680df1098..0fd5c87ae3 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -81,6 +81,8 @@ struct _qemuDomainUnpluggingDevice {
#define QEMU_DEVPREFIX "/dev/"
#define QEMU_DEV_VFIO "/dev/vfio/vfio"
#define QEMU_DEV_SEV "/dev/sev"
+#define QEMU_DEV_SGX_VEPVC "/dev/sgx_vepc"
+#define QEMU_DEV_SGX_PROVISION "/dev/sgx_provision"
#define QEMU_DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control"
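Review bot: The new macro name QEMU_DEV_SGX_VEPVC does not match the device it names, /dev/sgx_vepc (virtual EPC); "VEPVC" looks like a typo for VEPC. Since the macro is new in this patch and its only users are the two sgxPaths initializers in qemu_cgroup.c, renaming now costs nothing: `#define QEMU_DEV_SGX_VEPC "/dev/sgx_vepc"`, with the two uses in qemu_cgroup.c updated to match.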
--
2.35.1