-----Original Message-----
From: Michal Prívozník <mprivozn(a)redhat.com>
Sent: Wednesday, February 16, 2022 6:25 PM
To: Huang, Haibin <haibin.huang(a)intel.com>; libvir-list(a)redhat.com;
berrange(a)redhat.com; Ding, Jian-feng <jian-feng.ding(a)intel.com>; Yang,
Lin A <lin.a.yang(a)intel.com>; Lu, Lianhao <lianhao.lu(a)intel.com>
Subject: Re: [libvirt][PATCH RESEND v10 0/5] Support query and use SGX
On 2/8/22 06:21, Haibin Huang wrote:
> Because the 5th patch was sent by mistake, I have replaced the 5th patch
> and am sending it again.
>
> This patch series provides support for enabling Intel's Software Guard
> Extensions (SGX) feature in a guest VM.
> The SGX support in QEMU has been merged. Intel SGX is a set of
> instructions that increases the security of application code and
> data, giving them more protection from disclosure or modification.
> Developers can partition sensitive information into enclaves, which
> are areas of execution in memory with more security protection.
>
> It depends on a QEMU fix [1], which will move the cpu QOM object from
> /machine/unattached/device[nn] to /machine/cpu[nn]. It requires
> libvirt to change the default cpu QOM object location once the QEMU patch
> gets accepted, but that is out of the scope of this SGX patch.
>
> The typical flow looks as below at a very high level:
>
> 1. Calls the virConnectGetDomainCapabilities API to get domain capabilities
> that include the following SGX information.
>
>     <feature>
>       ...
>       <sgx supported='yes'>
>         <epc_size unit='KiB'>N</epc_size>
>       </sgx>
>       ...
>     </feature>
>
> 2. The user requests to start a guest by calling virCreateXML() with the SGX
> requirement. It does not support NUMA yet, since the latest QEMU 6.2
> release does not support NUMA.
> It should contain
>
>     <devices>
>       ...
>       <memory model='sgx-epc'>
>         <target>
>           <size unit='KiB'>N</size>
>         </target>
>       </memory>
>       ...
>     </devices>
>
> [1] https://lists.nongnu.org/archive/html/qemu-devel/2022-01/msg03534.html
>
> Haibin Huang (3):
>   qemu: provide support to query the SGX capability
>   conf: expose SGX feature in domain capabilities
>   Add unit test for domaincapsdata sgx
>
> Lin Yang (2):
>   conf: Introduce SGX EPC element into device memory xml
>   Update default CPU location in qemu QOM tree
>
Hey, so I've done a review and found mostly small issues. I would squash them
in and push, but the point I'm raising in 5/5 (about -M vs
-machine) ruined my confidence in doing so. Nevertheless, I've uploaded the
changes I would make here:
https://gitlab.com/MichalPrivoznik/libvirt/-/commits/sgx/
I hope you'll find it helpful.
Michal
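
The two-step flow from the cover letter (read the SGX block from the domain capabilities, then request an sgx-epc memory device), sketched as a pre-flight check. This is an added example, not code from the patch series or from libvirt. It assumes the element names shown in the cover letter, uses constructed sample XML, and the rule that the requested EPC must not exceed the reported epc_size is a policy assumed here.

```python
import xml.etree.ElementTree as ET

# Binary units only; libvirt accepts more, this table is a simplification.
UNIT_KIB = {"KiB": 1, "MiB": 1024, "GiB": 1024 ** 2}

def to_kib(elem):
    """Convert a <size>/<epc_size> element to KiB using its unit attribute."""
    if elem is None or not (elem.text or "").strip():
        raise ValueError("missing size value")
    unit = elem.get("unit", "KiB")
    if unit not in UNIT_KIB:
        raise ValueError(f"unsupported unit: {unit!r}")
    return int(elem.text.strip()) * UNIT_KIB[unit]

def host_epc_kib(domcaps_xml):
    """Return the reported EPC size in KiB, or None if SGX is not usable."""
    sgx = ET.fromstring(domcaps_xml).find(".//sgx")
    if sgx is None or sgx.get("supported") != "yes":
        return None
    size = sgx.find("epc_size")
    return to_kib(size) if size is not None else None

def requested_epc_kib(domain_xml):
    """Sum the sizes of all <memory model='sgx-epc'> devices in a domain."""
    devices = ET.fromstring(domain_xml).findall(
        "./devices/memory[@model='sgx-epc']")
    return sum(to_kib(mem.find("./target/size")) for mem in devices)

def preflight(domcaps_xml, domain_xml):
    """Return (ok, reason) before the domain XML is handed to libvirt."""
    want = requested_epc_kib(domain_xml)
    if want == 0:
        return True, "domain requests no EPC"
    have = host_epc_kib(domcaps_xml)
    if have is None:
        return False, "host does not report SGX support"
    if want > have:  # assumed policy, not stated in the thread
        return False, f"requested {want} KiB exceeds reported {have} KiB"
    return True, f"requested {want} KiB of {have} KiB"

# Constructed sample documents using the element names from the cover letter.
DOMCAPS = """<domainCapabilities><feature>
  <sgx supported='yes'><epc_size unit='KiB'>524288</epc_size></sgx>
</feature></domainCapabilities>"""
DOMAIN = """<domain type='kvm'><devices>
  <memory model='sgx-epc'><target><size unit='MiB'>64</size></target></memory>
</devices></domain>"""

if __name__ == "__main__":
    print(preflight(DOMCAPS, DOMAIN))
```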