Re: [libvirt][PATCH v13 0/6] Support query and use SGX

On 7/21/22 15:24, Daniel P. Berrangé wrote: > On Thu, Jul 21, 2022 at 03:12:05PM +0200, Michal Prívozník wrote: >> On 7/21/22 10:06, Daniel P. Berrangé wrote: >> Agreed. While libvirt can allow /dev/sgx* in CGroups (we do that for >> other devices, including NVDIMM and virtio-pmem types of <memory/>), >> it's more tricky with relabelling. >> >> By default, when available, libvirt creates a separate mount namespace >> for each QEMU process and creates a very small /dev there, with only >> those nodes that QEMU needs. Now, if libvirt is fixed (I have follow up >> patches on top of this series) the /dev/sgx* nodes are created there AND >> I have another patch that sets DAC/SELinux label on them so that uid=0 >> is no longer needed. What I worry about though, is the case when this >> namespace feature is disabled. Then libvirt should not touch /dev/sgx* >> because that might compromise security in the system. > > That might in turn require the ability to pass in pre-opened FDs for > the devices to QEMU. Yeah, that might be the perfect solution, but IIUC there's currently no way to achieve that, or is it? Is it something we should do in QEMU first?