7:10 a.m.
This patch series provides support for enabling Intel's Software Guard Extensions
(SGX) feature in guest VM.
Giving the SGX support in QEMU is still pending for reviewing, this patch series is not
submmited for code
review, but only describe the SGX enabling solution design that contains changes to
virConnectGetDomainCapabilities
API response and domain definition. All comments/suggestions would be highly appreciated.
Intel Software Guard Extensions (Intel® SGX) is a set of instructions that increases the
security of application
code and data, giving them more protection from disclosure or modification. Developers can
partition sensitive
information into enclaves, which are areas of execution in memory with more security
protection.
The typical flow looks below at very high level:
1. Calls virConnectGetDomainCapabilities API to domain capabilities that includes the
following SGX information.
<feature>
...
<sgx supported='yes'>
<epc_size unit=’KiB’>N</epc_size>
</sgx>
</feature>
2. User requests to start a guest calling virCreateXML() with SGX requirement.
It should contain
<launchSecurity type='sgx'>
<epc_size unit='KiB'>N</epc_size>
</launchSecurity>
Haibin Huang (1):
Support to query SGX capability
Lin Yang (3):
conf: Introduce SGX related element into domain xml
qemu: Add command-line to generate SGX EPC memory backend
qemu: Add command-line to enable SGX
src/conf/domain_capabilities.c | 29 ++++
src/conf/domain_capabilities.h | 13 ++
src/conf/domain_conf.c | 106 +++++++++----
src/conf/domain_conf.h | 10 ++
src/conf/virconftypes.h | 3 +
src/libvirt_private.syms | 2 +-
src/qemu/qemu_capabilities.c | 146 ++++++++++++++++++
src/qemu/qemu_capabilities.h | 6 +
src/qemu/qemu_command.c | 30 ++++
src/qemu/qemu_monitor.c | 10 ++
src/qemu/qemu_monitor.h | 3 +
src/qemu/qemu_monitor_json.c | 91 +++++++++++
src/qemu/qemu_monitor_json.h | 3 +
tests/domaincapsdata/bhyve_basic.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_fbuf.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_uefi.x86_64.xml | 1 +
tests/domaincapsdata/empty.xml | 1 +
tests/domaincapsdata/libxl-xenfv.xml | 1 +
tests/domaincapsdata/libxl-xenpv.xml | 1 +
.../domaincapsdata/qemu_1.5.3-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.5.3-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.5.3.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.6.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.6.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.6.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.7.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.7.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.7.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.1.1-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.1.1-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.1.1.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.10.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.10.0-tcg.x86_64.xml | 1 +
.../qemu_2.10.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 1 +
.../qemu_2.12.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.4.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.4.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.5.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.5.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.6.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml | 1 +
.../qemu_2.6.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.7.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.7.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.7.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.8.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.8.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.8.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.9.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml | 1 +
.../qemu_4.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_4.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 1 +
.../qemu_4.2.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml | 1 +
.../qemu_5.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_5.1.0.x86_64.xml | 1 +
109 files changed, 519 insertions(+), 29 deletions(-)
--
2.17.1
7:10 a.m.
New subject: [libvirt][PATCH v4 1/4] conf: Introduce SGX related element into domain xml
From: Lin Yang <lin.a.yang(a)intel.com>
<launchSecurity type='sgx'>
<epc_size unit='KiB'>1024</epc_size>
</launchSecurity>
---
src/conf/domain_conf.c | 106 +++++++++++++++++++++++++++++-----------
src/conf/domain_conf.h | 10 ++++
src/conf/virconftypes.h | 3 ++
3 files changed, 91 insertions(+), 28 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index ef67efa1da..4336dafd82 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1336,6 +1336,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
VIR_DOMAIN_LAUNCH_SECURITY_LAST,
"",
"sev",
+ "sgx",
);
static virClassPtr virDomainObjClass;
@@ -3409,6 +3410,16 @@ virDomainSEVDefFree(virDomainSEVDefPtr def)
}
+static void
+virDomainSGXDefFree(virDomainSGXDefPtr def)
+{
+ if (!def)
+ return;
+
+ VIR_FREE(def);
+}
+
+
void virDomainDefFree(virDomainDefPtr def)
{
size_t i;
@@ -3597,6 +3608,7 @@ void virDomainDefFree(virDomainDefPtr def)
(def->ns.free)(def->namespaceData);
virDomainSEVDefFree(def->sev);
+ virDomainSGXDefFree(def->sgx);
xmlFreeNode(def->metadata);
@@ -16700,39 +16712,17 @@ virDomainMemoryTargetDefParseXML(xmlNodePtr node,
return 0;
}
-
static virDomainSEVDefPtr
-virDomainSEVDefParseXML(xmlNodePtr sevNode,
- xmlXPathContextPtr ctxt)
+virDomainSEVDefParseXML(xmlXPathContextPtr ctxt)
{
VIR_XPATH_NODE_AUTORESTORE(ctxt);
virDomainSEVDefPtr def;
unsigned long policy;
- g_autofree char *type = NULL;
if (VIR_ALLOC(def) < 0)
return NULL;
- ctxt->node = sevNode;
-
- if (!(type = virXMLPropString(sevNode, "type"))) {
- virReportError(VIR_ERR_XML_ERROR, "%s",
- _("missing launch security type"));
- goto error;
- }
-
- def->sectype = virDomainLaunchSecurityTypeFromString(type);
- switch ((virDomainLaunchSecurity) def->sectype) {
- case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
- break;
- case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
- case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
- default:
- virReportError(VIR_ERR_XML_ERROR,
- _("unsupported launch security type '%s'"),
- type);
- goto error;
- }
+ def->sectype = VIR_DOMAIN_LAUNCH_SECURITY_SEV;
if (virXPathUInt("string(./cbitpos)", ctxt, &def->cbitpos) < 0)
{
virReportError(VIR_ERR_XML_ERROR, "%s",
@@ -16764,6 +16754,63 @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
return NULL;
}
+static virDomainSGXDefPtr
+virDomainSGXDefParseXML(xmlXPathContextPtr ctxt)
+{
+ VIR_XPATH_NODE_AUTORESTORE(ctxt);
+ virDomainSGXDefPtr def;
+
+ if (VIR_ALLOC(def) < 0)
+ return NULL;
+
+ def->sectype = VIR_DOMAIN_LAUNCH_SECURITY_SGX;
+
+ if (virDomainParseMemory("./epc_size", "./epc_size/@unit", ctxt,
+ &def->epc_size, false, false) < 0)
+ goto error;
+
+ return def;
+
+ error:
+ virDomainSGXDefFree(def);
+ return NULL;
+}
+
+static int
+virDomainLaunchSecurityDefParseXML(xmlNodePtr launchSecurityNode,
+ xmlXPathContextPtr ctxt,
+ virDomainDefPtr def)
+{
+ VIR_XPATH_NODE_AUTORESTORE(ctxt);
+ g_autofree char *type = NULL;
+
+ ctxt->node = launchSecurityNode;
+
+ if (!(type = virXMLPropString(launchSecurityNode, "type"))) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("missing launch security type"));
+ return -1;
+ }
+
+ switch ((virDomainLaunchSecurity) virDomainLaunchSecurityTypeFromString(type)) {
+ case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+ def->sev = virDomainSEVDefParseXML(ctxt);
+ break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_SGX:
+ def->sgx = virDomainSGXDefParseXML(ctxt);
+ break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+ case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+ default:
+ virReportError(VIR_ERR_XML_ERROR,
+ _("unsupported launch security type '%s'"),
+ type);
+ return -1;
+ }
+
+ return 0;
+}
+
static virDomainMemoryDefPtr
virDomainMemoryDefParseXML(virDomainXMLOptionPtr xmlopt,
xmlNodePtr memdevNode,
@@ -22227,12 +22274,15 @@ virDomainDefParseXML(xmlDocPtr xml,
ctxt->node = node;
VIR_FREE(nodes);
- /* Check for SEV feature */
- if ((node = virXPathNode("./launchSecurity", ctxt)) != NULL) {
- def->sev = virDomainSEVDefParseXML(node, ctxt);
- if (!def->sev)
+ /* analysis of launch security */
+ if ((n = virXPathNodeSet("./launchSecurity", ctxt, &nodes)) < 0)
+ goto error;
+
+ for (i = 0; i < n; i++) {
+ if (virDomainLaunchSecurityDefParseXML(nodes[i], ctxt, def) != 0)
goto error;
}
+ VIR_FREE(nodes);
/* analysis of memory devices */
if ((n = virXPathNodeSet("./devices/memory", ctxt, &nodes)) < 0)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 011bf66cb4..88adf461df 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2447,6 +2447,7 @@ struct _virDomainKeyWrapDef {
typedef enum {
VIR_DOMAIN_LAUNCH_SECURITY_NONE,
VIR_DOMAIN_LAUNCH_SECURITY_SEV,
+ VIR_DOMAIN_LAUNCH_SECURITY_SGX,
VIR_DOMAIN_LAUNCH_SECURITY_LAST,
} virDomainLaunchSecurity;
@@ -2462,6 +2463,12 @@ struct _virDomainSEVDef {
};
+struct _virDomainSGXDef {
+ int sectype; /* enum virDomainLaunchSecurity */
+ unsigned long long epc_size; /* kibibytes */
+};
+
+
typedef enum {
VIR_DOMAIN_IOMMU_MODEL_INTEL,
VIR_DOMAIN_IOMMU_MODEL_SMMUV3,
@@ -2670,6 +2677,9 @@ struct _virDomainDef {
/* SEV-specific domain */
virDomainSEVDefPtr sev;
+ /* SGX-specific domain */
+ virDomainSGXDefPtr sgx;
+
/* Application-specific custom metadata */
xmlNodePtr metadata;
diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h
index 1c62cde251..084bcc7687 100644
--- a/src/conf/virconftypes.h
+++ b/src/conf/virconftypes.h
@@ -291,6 +291,9 @@ typedef virDomainResourceDef *virDomainResourceDefPtr;
typedef struct _virDomainSEVDef virDomainSEVDef;
typedef virDomainSEVDef *virDomainSEVDefPtr;
+typedef struct _virDomainSGXDef virDomainSGXDef;
+typedef virDomainSGXDef *virDomainSGXDefPtr;
+
typedef struct _virDomainShmemDef virDomainShmemDef;
typedef virDomainShmemDef *virDomainShmemDefPtr;
--
2.17.1
6:32 a.m.
New subject: [libvirt][PATCH v4 1/4] conf: Introduce SGX related element into domain xml
On Thu, 2021-07-01 at 20:10 +0800, Haibin Huang wrote:
From: Lin Yang <lin.a.yang(a)intel.com>
<launchSecurity type='sgx'>
<epc_size unit='KiB'>1024</epc_size>
</launchSecurity>
Please also update "docs/schemas/domaincommon.rng".
---
src/conf/domain_conf.c | 106 +++++++++++++++++++++++++++++---------
--
src/conf/domain_conf.h | 10 ++++
src/conf/virconftypes.h | 3 ++
3 files changed, 91 insertions(+), 28 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index ef67efa1da..4336dafd82 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1336,6 +1336,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
VIR_DOMAIN_LAUNCH_SECURITY_LAST,
"",
"sev",
+ "sgx",
);
static virClassPtr virDomainObjClass;
@@ -3409,6 +3410,16 @@ virDomainSEVDefFree(virDomainSEVDefPtr def)
}
+static void
+virDomainSGXDefFree(virDomainSGXDefPtr def)
+{
+ if (!def)
+ return;
+
+ VIR_FREE(def);
+}
+
+
void virDomainDefFree(virDomainDefPtr def)
{
size_t i;
@@ -3597,6 +3608,7 @@ void virDomainDefFree(virDomainDefPtr def)
(def->ns.free)(def->namespaceData);
virDomainSEVDefFree(def->sev);
+ virDomainSGXDefFree(def->sgx);
xmlFreeNode(def->metadata);
@@ -16700,39 +16712,17 @@ virDomainMemoryTargetDefParseXML(xmlNodePtr
node,
return 0;
}
-
static virDomainSEVDefPtr
-virDomainSEVDefParseXML(xmlNodePtr sevNode,
- xmlXPathContextPtr ctxt)
+virDomainSEVDefParseXML(xmlXPathContextPtr ctxt)
{
VIR_XPATH_NODE_AUTORESTORE(ctxt);
virDomainSEVDefPtr def;
unsigned long policy;
- g_autofree char *type = NULL;
if (VIR_ALLOC(def) < 0)
return NULL;
- ctxt->node = sevNode;
-
- if (!(type = virXMLPropString(sevNode, "type"))) {
- virReportError(VIR_ERR_XML_ERROR, "%s",
- _("missing launch security type"));
- goto error;
- }
-
- def->sectype = virDomainLaunchSecurityTypeFromString(type);
- switch ((virDomainLaunchSecurity) def->sectype) {
- case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
- break;
- case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
- case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
- default:
- virReportError(VIR_ERR_XML_ERROR,
- _("unsupported launch security type '%s'"),
- type);
- goto error;
- }
+ def->sectype = VIR_DOMAIN_LAUNCH_SECURITY_SEV;
if (virXPathUInt("string(./cbitpos)", ctxt, &def->cbitpos) < 0)
{
virReportError(VIR_ERR_XML_ERROR, "%s",
@@ -16764,6 +16754,63 @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
return NULL;
}
+static virDomainSGXDefPtr
+virDomainSGXDefParseXML(xmlXPathContextPtr ctxt)
+{
+ VIR_XPATH_NODE_AUTORESTORE(ctxt);
I do not believe that this is necessary.
+ virDomainSGXDefPtr def;
+
+ if (VIR_ALLOC(def) < 0)
+ return NULL;
+
+ def->sectype = VIR_DOMAIN_LAUNCH_SECURITY_SGX;
+
+ if (virDomainParseMemory("./epc_size", "./epc_size/@unit",
ctxt,
+ &def->epc_size, false, false) < 0)
+ goto error;
+
+ return def;
+
+ error:
+ virDomainSGXDefFree(def);
+ return NULL;
+}
+
+static int
+virDomainLaunchSecurityDefParseXML(xmlNodePtr launchSecurityNode,
+ xmlXPathContextPtr ctxt,
+ virDomainDefPtr def)
+{
+ VIR_XPATH_NODE_AUTORESTORE(ctxt);
+ g_autofree char *type = NULL;
+
+ ctxt->node = launchSecurityNode;
+
+ if (!(type = virXMLPropString(launchSecurityNode, "type"))) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("missing launch security type"));
+ return -1;
+ }
+
+ switch ((virDomainLaunchSecurity)
virDomainLaunchSecurityTypeFromString(type)) {
+ case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+ def->sev = virDomainSEVDefParseXML(ctxt);
I believe this should return "-1" when "def->sev == NULL".
+ break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_SGX:
+ def->sgx = virDomainSGXDefParseXML(ctxt);
Similar.
Regards,
Tim
+ break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+ case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+ default:
+ virReportError(VIR_ERR_XML_ERROR,
+ _("unsupported launch security type '%s'"),
+ type);
+ return -1;
+ }
+
+ return 0;
+}
+
static virDomainMemoryDefPtr
virDomainMemoryDefParseXML(virDomainXMLOptionPtr xmlopt,
xmlNodePtr memdevNode,
@@ -22227,12 +22274,15 @@ virDomainDefParseXML(xmlDocPtr xml,
ctxt->node = node;
VIR_FREE(nodes);
- /* Check for SEV feature */
- if ((node = virXPathNode("./launchSecurity", ctxt)) != NULL) {
- def->sev = virDomainSEVDefParseXML(node, ctxt);
- if (!def->sev)
+ /* analysis of launch security */
+ if ((n = virXPathNodeSet("./launchSecurity", ctxt, &nodes)) < 0)
+ goto error;
+
+ for (i = 0; i < n; i++) {
+ if (virDomainLaunchSecurityDefParseXML(nodes[i], ctxt, def)
!= 0)
goto error;
}
+ VIR_FREE(nodes);
/* analysis of memory devices */
if ((n = virXPathNodeSet("./devices/memory", ctxt, &nodes)) < 0)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 011bf66cb4..88adf461df 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2447,6 +2447,7 @@ struct _virDomainKeyWrapDef {
typedef enum {
VIR_DOMAIN_LAUNCH_SECURITY_NONE,
VIR_DOMAIN_LAUNCH_SECURITY_SEV,
+ VIR_DOMAIN_LAUNCH_SECURITY_SGX,
VIR_DOMAIN_LAUNCH_SECURITY_LAST,
} virDomainLaunchSecurity;
@@ -2462,6 +2463,12 @@ struct _virDomainSEVDef {
};
+struct _virDomainSGXDef {
+ int sectype; /* enum virDomainLaunchSecurity */
+ unsigned long long epc_size; /* kibibytes */
+};
+
+
typedef enum {
VIR_DOMAIN_IOMMU_MODEL_INTEL,
VIR_DOMAIN_IOMMU_MODEL_SMMUV3,
@@ -2670,6 +2677,9 @@ struct _virDomainDef {
/* SEV-specific domain */
virDomainSEVDefPtr sev;
+ /* SGX-specific domain */
+ virDomainSGXDefPtr sgx;
+
/* Application-specific custom metadata */
xmlNodePtr metadata;
diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h
index 1c62cde251..084bcc7687 100644
--- a/src/conf/virconftypes.h
+++ b/src/conf/virconftypes.h
@@ -291,6 +291,9 @@ typedef virDomainResourceDef
*virDomainResourceDefPtr;
typedef struct _virDomainSEVDef virDomainSEVDef;
typedef virDomainSEVDef *virDomainSEVDefPtr;
+typedef struct _virDomainSGXDef virDomainSGXDef;
+typedef virDomainSGXDef *virDomainSGXDefPtr;
+
typedef struct _virDomainShmemDef virDomainShmemDef;
typedef virDomainShmemDef *virDomainShmemDefPtr;
7:25 p.m.
New subject: [libvirt][PATCH v4 1/4] conf: Introduce SGX related element into domain xml
-----Original Message-----
From: Tim Wiederhake <twiederh(a)redhat.com>
Sent: Monday, July 5, 2021 7:32 PM
To: Huang, Haibin <haibin.huang(a)intel.com>
Cc: libvir-list(a)redhat.com; Ding, Jian-feng <jian-feng.ding(a)intel.com>; Yang,
Lin A <lin.a.yang(a)intel.com>; Lu, Lianhao <lianhao.lu(a)intel.com>
Subject: Re: [libvirt][PATCH v4 1/4] conf: Introduce SGX related element into
domain xml
On Thu, 2021-07-01 at 20:10 +0800, Haibin Huang wrote:
> From: Lin Yang <lin.a.yang(a)intel.com>
>
> <launchSecurity type='sgx'>
> <epc_size unit='KiB'>1024</epc_size>
> </launchSecurity>
Please also update "docs/schemas/domaincommon.rng".
[Haibin] ok, I will
do it.
> ---
> src/conf/domain_conf.c | 106 +++++++++++++++++++++++++++++-------
--
> --
> src/conf/domain_conf.h | 10 ++++
> src/conf/virconftypes.h | 3 ++
> 3 files changed, 91 insertions(+), 28 deletions(-)
>
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index
> ef67efa1da..4336dafd82 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -1336,6 +1336,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
> VIR_DOMAIN_LAUNCH_SECURITY_LAST,
> "",
> "sev",
> + "sgx",
> );
>
> static virClassPtr virDomainObjClass; @@ -3409,6 +3410,16 @@
> virDomainSEVDefFree(virDomainSEVDefPtr def)
> }
>
>
> +static void
> +virDomainSGXDefFree(virDomainSGXDefPtr def) {
> + if (!def)
> + return;
> +
> + VIR_FREE(def);
> +}
> +
> +
> void virDomainDefFree(virDomainDefPtr def)
> {
> size_t i;
> @@ -3597,6 +3608,7 @@ void virDomainDefFree(virDomainDefPtr def)
> (def->ns.free)(def->namespaceData);
>
> virDomainSEVDefFree(def->sev);
> + virDomainSGXDefFree(def->sgx);
>
> xmlFreeNode(def->metadata);
>
> @@ -16700,39 +16712,17 @@
virDomainMemoryTargetDefParseXML(xmlNodePtr
> node,
> return 0;
> }
>
> -
> static virDomainSEVDefPtr
> -virDomainSEVDefParseXML(xmlNodePtr sevNode,
> - xmlXPathContextPtr ctxt)
> +virDomainSEVDefParseXML(xmlXPathContextPtr ctxt)
> {
> VIR_XPATH_NODE_AUTORESTORE(ctxt);
> virDomainSEVDefPtr def;
> unsigned long policy;
> - g_autofree char *type = NULL;
>
> if (VIR_ALLOC(def) < 0)
> return NULL;
>
> - ctxt->node = sevNode;
> -
> - if (!(type = virXMLPropString(sevNode, "type"))) {
> - virReportError(VIR_ERR_XML_ERROR, "%s",
> - _("missing launch security type"));
> - goto error;
> - }
> -
> - def->sectype = virDomainLaunchSecurityTypeFromString(type);
> - switch ((virDomainLaunchSecurity) def->sectype) {
> - case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
> - break;
> - case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
> - case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
> - default:
> - virReportError(VIR_ERR_XML_ERROR,
> - _("unsupported launch security type
'%s'"),
> - type);
> - goto error;
> - }
> + def->sectype = VIR_DOMAIN_LAUNCH_SECURITY_SEV;
>
> if (virXPathUInt("string(./cbitpos)", ctxt, &def->cbitpos)
< 0) {
> virReportError(VIR_ERR_XML_ERROR, "%s", @@ -16764,6 +16754,63
> @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
> return NULL;
> }
>
> +static virDomainSGXDefPtr
> +virDomainSGXDefParseXML(xmlXPathContextPtr ctxt) {
> + VIR_XPATH_NODE_AUTORESTORE(ctxt);
I do not believe that this is necessary.
[Haibin] ok, I will remove "
VIR_XPATH_NODE_AUTORESTORE(ctxt);"
> + virDomainSGXDefPtr def;
> +
> + if (VIR_ALLOC(def) < 0)
> + return NULL;
> +
> + def->sectype = VIR_DOMAIN_LAUNCH_SECURITY_SGX;
> +
> + if (virDomainParseMemory("./epc_size", "./epc_size/@unit",
ctxt,
> + &def->epc_size, false, false) < 0)
> + goto error;
> +
> + return def;
> +
> + error:
> + virDomainSGXDefFree(def);
> + return NULL;
> +}
> +
> +static int
> +virDomainLaunchSecurityDefParseXML(xmlNodePtr launchSecurityNode,
> + xmlXPathContextPtr ctxt,
> + virDomainDefPtr def) {
> + VIR_XPATH_NODE_AUTORESTORE(ctxt);
> + g_autofree char *type = NULL;
> +
> + ctxt->node = launchSecurityNode;
> +
> + if (!(type = virXMLPropString(launchSecurityNode, "type"))) {
> + virReportError(VIR_ERR_XML_ERROR, "%s",
> + _("missing launch security type"));
> + return -1;
> + }
> +
> + switch ((virDomainLaunchSecurity)
> virDomainLaunchSecurityTypeFromString(type)) {
> + case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
> + def->sev = virDomainSEVDefParseXML(ctxt);
I believe this should return "-1" when "def->sev == NULL".
[Haibin] ok, I will add check code for def->sev.
> + break;
> + case VIR_DOMAIN_LAUNCH_SECURITY_SGX:
> + def->sgx = virDomainSGXDefParseXML(ctxt);
Similar.
[Haibin] ok, I will add check code for def->sgx.
Regards,
Tim
> + break;
> + case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
> + case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
> + default:
> + virReportError(VIR_ERR_XML_ERROR,
> + _("unsupported launch security type
'%s'"),
> + type);
> + return -1;
> + }
> +
> + return 0;
> +}
> +
> static virDomainMemoryDefPtr
> virDomainMemoryDefParseXML(virDomainXMLOptionPtr xmlopt,
> xmlNodePtr memdevNode, @@ -22227,12
> +22274,15 @@ virDomainDefParseXML(xmlDocPtr xml,
> ctxt->node = node;
> VIR_FREE(nodes);
>
> - /* Check for SEV feature */
> - if ((node = virXPathNode("./launchSecurity", ctxt)) != NULL) {
> - def->sev = virDomainSEVDefParseXML(node, ctxt);
> - if (!def->sev)
> + /* analysis of launch security */
> + if ((n = virXPathNodeSet("./launchSecurity", ctxt, &nodes)) <
0)
> + goto error;
> +
> + for (i = 0; i < n; i++) {
> + if (virDomainLaunchSecurityDefParseXML(nodes[i], ctxt, def)
> != 0)
> goto error;
> }
> + VIR_FREE(nodes);
>
> /* analysis of memory devices */
> if ((n = virXPathNodeSet("./devices/memory", ctxt, &nodes)) <
0)
> diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index
> 011bf66cb4..88adf461df 100644
> --- a/src/conf/domain_conf.h
> +++ b/src/conf/domain_conf.h
> @@ -2447,6 +2447,7 @@ struct _virDomainKeyWrapDef {
> typedef enum {
> VIR_DOMAIN_LAUNCH_SECURITY_NONE,
> VIR_DOMAIN_LAUNCH_SECURITY_SEV,
> + VIR_DOMAIN_LAUNCH_SECURITY_SGX,
>
> VIR_DOMAIN_LAUNCH_SECURITY_LAST,
> } virDomainLaunchSecurity;
> @@ -2462,6 +2463,12 @@ struct _virDomainSEVDef {
> };
>
>
> +struct _virDomainSGXDef {
> + int sectype; /* enum virDomainLaunchSecurity */
> + unsigned long long epc_size; /* kibibytes */ };
> +
> +
> typedef enum {
> VIR_DOMAIN_IOMMU_MODEL_INTEL,
> VIR_DOMAIN_IOMMU_MODEL_SMMUV3,
> @@ -2670,6 +2677,9 @@ struct _virDomainDef {
> /* SEV-specific domain */
> virDomainSEVDefPtr sev;
>
> + /* SGX-specific domain */
> + virDomainSGXDefPtr sgx;
> +
> /* Application-specific custom metadata */
> xmlNodePtr metadata;
>
> diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h index
> 1c62cde251..084bcc7687 100644
> --- a/src/conf/virconftypes.h
> +++ b/src/conf/virconftypes.h
> @@ -291,6 +291,9 @@ typedef virDomainResourceDef
> *virDomainResourceDefPtr;
> typedef struct _virDomainSEVDef virDomainSEVDef;
> typedef virDomainSEVDef *virDomainSEVDefPtr;
>
> +typedef struct _virDomainSGXDef virDomainSGXDef; typedef
> +virDomainSGXDef *virDomainSGXDefPtr;
> +
> typedef struct _virDomainShmemDef virDomainShmemDef;
> typedef virDomainShmemDef *virDomainShmemDefPtr;
>
3:35 a.m.
New subject: [libvirt][PATCH v4 1/4] conf: Introduce SGX related element into domain xml
On Thu, Jul 01, 2021 at 08:10:26PM +0800, Haibin Huang wrote:
From: Lin Yang <lin.a.yang(a)intel.com>
<launchSecurity type='sgx'>
<epc_size unit='KiB'>1024</epc_size>
</launchSecurity>
---
src/conf/domain_conf.c | 106 +++++++++++++++++++++++++++++-----------
src/conf/domain_conf.h | 10 ++++
src/conf/virconftypes.h | 3 ++
3 files changed, 91 insertions(+), 28 deletions(-)
Not commenting the code for now as there is already ongoing work adding
s390-pv-guest support that refactors exactly the same functions as this
patch so we should coordinate the work to not introduce merge conflicts
and unnecessary work for both contributors.
https://listman.redhat.com/archives/libvir-list/2021-June/msg00653.html
Pavel
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index ef67efa1da..4336dafd82 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1336,6 +1336,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
VIR_DOMAIN_LAUNCH_SECURITY_LAST,
"",
"sev",
+ "sgx",
);
static virClassPtr virDomainObjClass;
@@ -3409,6 +3410,16 @@ virDomainSEVDefFree(virDomainSEVDefPtr def)
}
+static void
+virDomainSGXDefFree(virDomainSGXDefPtr def)
+{
+ if (!def)
+ return;
+
+ VIR_FREE(def);
+}
+
+
void virDomainDefFree(virDomainDefPtr def)
{
size_t i;
@@ -3597,6 +3608,7 @@ void virDomainDefFree(virDomainDefPtr def)
(def->ns.free)(def->namespaceData);
virDomainSEVDefFree(def->sev);
+ virDomainSGXDefFree(def->sgx);
xmlFreeNode(def->metadata);
@@ -16700,39 +16712,17 @@ virDomainMemoryTargetDefParseXML(xmlNodePtr node,
return 0;
}
-
static virDomainSEVDefPtr
-virDomainSEVDefParseXML(xmlNodePtr sevNode,
- xmlXPathContextPtr ctxt)
+virDomainSEVDefParseXML(xmlXPathContextPtr ctxt)
{
VIR_XPATH_NODE_AUTORESTORE(ctxt);
virDomainSEVDefPtr def;
unsigned long policy;
- g_autofree char *type = NULL;
if (VIR_ALLOC(def) < 0)
return NULL;
- ctxt->node = sevNode;
-
- if (!(type = virXMLPropString(sevNode, "type"))) {
- virReportError(VIR_ERR_XML_ERROR, "%s",
- _("missing launch security type"));
- goto error;
- }
-
- def->sectype = virDomainLaunchSecurityTypeFromString(type);
- switch ((virDomainLaunchSecurity) def->sectype) {
- case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
- break;
- case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
- case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
- default:
- virReportError(VIR_ERR_XML_ERROR,
- _("unsupported launch security type '%s'"),
- type);
- goto error;
- }
+ def->sectype = VIR_DOMAIN_LAUNCH_SECURITY_SEV;
if (virXPathUInt("string(./cbitpos)", ctxt, &def->cbitpos) < 0)
{
virReportError(VIR_ERR_XML_ERROR, "%s",
@@ -16764,6 +16754,63 @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
return NULL;
}
+static virDomainSGXDefPtr
+virDomainSGXDefParseXML(xmlXPathContextPtr ctxt)
+{
+ VIR_XPATH_NODE_AUTORESTORE(ctxt);
+ virDomainSGXDefPtr def;
+
+ if (VIR_ALLOC(def) < 0)
+ return NULL;
+
+ def->sectype = VIR_DOMAIN_LAUNCH_SECURITY_SGX;
+
+ if (virDomainParseMemory("./epc_size", "./epc_size/@unit",
ctxt,
+ &def->epc_size, false, false) < 0)
+ goto error;
+
+ return def;
+
+ error:
+ virDomainSGXDefFree(def);
+ return NULL;
+}
+
+static int
+virDomainLaunchSecurityDefParseXML(xmlNodePtr launchSecurityNode,
+ xmlXPathContextPtr ctxt,
+ virDomainDefPtr def)
+{
+ VIR_XPATH_NODE_AUTORESTORE(ctxt);
+ g_autofree char *type = NULL;
+
+ ctxt->node = launchSecurityNode;
+
+ if (!(type = virXMLPropString(launchSecurityNode, "type"))) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("missing launch security type"));
+ return -1;
+ }
+
+ switch ((virDomainLaunchSecurity) virDomainLaunchSecurityTypeFromString(type)) {
+ case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+ def->sev = virDomainSEVDefParseXML(ctxt);
+ break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_SGX:
+ def->sgx = virDomainSGXDefParseXML(ctxt);
+ break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+ case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+ default:
+ virReportError(VIR_ERR_XML_ERROR,
+ _("unsupported launch security type '%s'"),
+ type);
+ return -1;
+ }
+
+ return 0;
+}
+
static virDomainMemoryDefPtr
virDomainMemoryDefParseXML(virDomainXMLOptionPtr xmlopt,
xmlNodePtr memdevNode,
@@ -22227,12 +22274,15 @@ virDomainDefParseXML(xmlDocPtr xml,
ctxt->node = node;
VIR_FREE(nodes);
- /* Check for SEV feature */
- if ((node = virXPathNode("./launchSecurity", ctxt)) != NULL) {
- def->sev = virDomainSEVDefParseXML(node, ctxt);
- if (!def->sev)
+ /* analysis of launch security */
+ if ((n = virXPathNodeSet("./launchSecurity", ctxt, &nodes)) < 0)
+ goto error;
+
+ for (i = 0; i < n; i++) {
+ if (virDomainLaunchSecurityDefParseXML(nodes[i], ctxt, def) != 0)
goto error;
}
+ VIR_FREE(nodes);
/* analysis of memory devices */
if ((n = virXPathNodeSet("./devices/memory", ctxt, &nodes)) < 0)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 011bf66cb4..88adf461df 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2447,6 +2447,7 @@ struct _virDomainKeyWrapDef {
typedef enum {
VIR_DOMAIN_LAUNCH_SECURITY_NONE,
VIR_DOMAIN_LAUNCH_SECURITY_SEV,
+ VIR_DOMAIN_LAUNCH_SECURITY_SGX,
VIR_DOMAIN_LAUNCH_SECURITY_LAST,
} virDomainLaunchSecurity;
@@ -2462,6 +2463,12 @@ struct _virDomainSEVDef {
};
+struct _virDomainSGXDef {
+ int sectype; /* enum virDomainLaunchSecurity */
+ unsigned long long epc_size; /* kibibytes */
+};
+
+
typedef enum {
VIR_DOMAIN_IOMMU_MODEL_INTEL,
VIR_DOMAIN_IOMMU_MODEL_SMMUV3,
@@ -2670,6 +2677,9 @@ struct _virDomainDef {
/* SEV-specific domain */
virDomainSEVDefPtr sev;
+ /* SGX-specific domain */
+ virDomainSGXDefPtr sgx;
+
/* Application-specific custom metadata */
xmlNodePtr metadata;
diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h
index 1c62cde251..084bcc7687 100644
--- a/src/conf/virconftypes.h
+++ b/src/conf/virconftypes.h
@@ -291,6 +291,9 @@ typedef virDomainResourceDef *virDomainResourceDefPtr;
typedef struct _virDomainSEVDef virDomainSEVDef;
typedef virDomainSEVDef *virDomainSEVDefPtr;
+typedef struct _virDomainSGXDef virDomainSGXDef;
+typedef virDomainSGXDef *virDomainSGXDefPtr;
+
typedef struct _virDomainShmemDef virDomainShmemDef;
typedef virDomainShmemDef *virDomainShmemDefPtr;
--
2.17.1
6 a.m.
New subject: [libvirt][PATCH v4 1/4] conf: Introduce SGX related element into domain xml
Ok, got it. Thanks.
-----Original Message-----
From: Pavel Hrdina <phrdina(a)redhat.com>
Sent: Wednesday, July 7, 2021 4:36 PM
To: Huang, Haibin <haibin.huang(a)intel.com>
Cc: libvir-list(a)redhat.com; Ding, Jian-feng <jian-feng.ding(a)intel.com>; Yang,
Lin A <lin.a.yang(a)intel.com>; Lu, Lianhao <lianhao.lu(a)intel.com>
Subject: Re: [libvirt][PATCH v4 1/4] conf: Introduce SGX related element into
domain xml
On Thu, Jul 01, 2021 at 08:10:26PM +0800, Haibin Huang wrote:
> From: Lin Yang <lin.a.yang(a)intel.com>
>
> <launchSecurity type='sgx'>
> <epc_size unit='KiB'>1024</epc_size>
> </launchSecurity>
> ---
> src/conf/domain_conf.c | 106
> +++++++++++++++++++++++++++++-----------
> src/conf/domain_conf.h | 10 ++++
> src/conf/virconftypes.h | 3 ++
> 3 files changed, 91 insertions(+), 28 deletions(-)
Not commenting the code for now as there is already ongoing work adding
s390-pv-guest support that refactors exactly the same functions as this patch so
we should coordinate the work to not introduce merge conflicts and
unnecessary work for both contributors.
https://listman.redhat.com/archives/libvir-list/2021-June/msg00653.html
Pavel
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index
> ef67efa1da..4336dafd82 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -1336,6 +1336,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
> VIR_DOMAIN_LAUNCH_SECURITY_LAST,
> "",
> "sev",
> + "sgx",
> );
>
> static virClassPtr virDomainObjClass; @@ -3409,6 +3410,16 @@
> virDomainSEVDefFree(virDomainSEVDefPtr def) }
>
>
> +static void
> +virDomainSGXDefFree(virDomainSGXDefPtr def) {
> + if (!def)
> + return;
> +
> + VIR_FREE(def);
> +}
> +
> +
> void virDomainDefFree(virDomainDefPtr def) {
> size_t i;
> @@ -3597,6 +3608,7 @@ void virDomainDefFree(virDomainDefPtr def)
> (def->ns.free)(def->namespaceData);
>
> virDomainSEVDefFree(def->sev);
> + virDomainSGXDefFree(def->sgx);
>
> xmlFreeNode(def->metadata);
>
> @@ -16700,39 +16712,17 @@
virDomainMemoryTargetDefParseXML(xmlNodePtr node,
> return 0;
> }
>
> -
> static virDomainSEVDefPtr
> -virDomainSEVDefParseXML(xmlNodePtr sevNode,
> - xmlXPathContextPtr ctxt)
> +virDomainSEVDefParseXML(xmlXPathContextPtr ctxt)
> {
> VIR_XPATH_NODE_AUTORESTORE(ctxt);
> virDomainSEVDefPtr def;
> unsigned long policy;
> - g_autofree char *type = NULL;
>
> if (VIR_ALLOC(def) < 0)
> return NULL;
>
> - ctxt->node = sevNode;
> -
> - if (!(type = virXMLPropString(sevNode, "type"))) {
> - virReportError(VIR_ERR_XML_ERROR, "%s",
> - _("missing launch security type"));
> - goto error;
> - }
> -
> - def->sectype = virDomainLaunchSecurityTypeFromString(type);
> - switch ((virDomainLaunchSecurity) def->sectype) {
> - case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
> - break;
> - case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
> - case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
> - default:
> - virReportError(VIR_ERR_XML_ERROR,
> - _("unsupported launch security type
'%s'"),
> - type);
> - goto error;
> - }
> + def->sectype = VIR_DOMAIN_LAUNCH_SECURITY_SEV;
>
> if (virXPathUInt("string(./cbitpos)", ctxt, &def->cbitpos)
< 0) {
> virReportError(VIR_ERR_XML_ERROR, "%s", @@ -16764,6 +16754,63
> @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
> return NULL;
> }
>
> +static virDomainSGXDefPtr
> +virDomainSGXDefParseXML(xmlXPathContextPtr ctxt) {
> + VIR_XPATH_NODE_AUTORESTORE(ctxt);
> + virDomainSGXDefPtr def;
> +
> + if (VIR_ALLOC(def) < 0)
> + return NULL;
> +
> + def->sectype = VIR_DOMAIN_LAUNCH_SECURITY_SGX;
> +
> + if (virDomainParseMemory("./epc_size", "./epc_size/@unit",
ctxt,
> + &def->epc_size, false, false) < 0)
> + goto error;
> +
> + return def;
> +
> + error:
> + virDomainSGXDefFree(def);
> + return NULL;
> +}
> +
> +static int
> +virDomainLaunchSecurityDefParseXML(xmlNodePtr launchSecurityNode,
> + xmlXPathContextPtr ctxt,
> + virDomainDefPtr def) {
> + VIR_XPATH_NODE_AUTORESTORE(ctxt);
> + g_autofree char *type = NULL;
> +
> + ctxt->node = launchSecurityNode;
> +
> + if (!(type = virXMLPropString(launchSecurityNode, "type"))) {
> + virReportError(VIR_ERR_XML_ERROR, "%s",
> + _("missing launch security type"));
> + return -1;
> + }
> +
> + switch ((virDomainLaunchSecurity)
virDomainLaunchSecurityTypeFromString(type)) {
> + case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
> + def->sev = virDomainSEVDefParseXML(ctxt);
> + break;
> + case VIR_DOMAIN_LAUNCH_SECURITY_SGX:
> + def->sgx = virDomainSGXDefParseXML(ctxt);
> + break;
> + case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
> + case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
> + default:
> + virReportError(VIR_ERR_XML_ERROR,
> + _("unsupported launch security type
'%s'"),
> + type);
> + return -1;
> + }
> +
> + return 0;
> +}
> +
> static virDomainMemoryDefPtr
> virDomainMemoryDefParseXML(virDomainXMLOptionPtr xmlopt,
> xmlNodePtr memdevNode, @@ -22227,12
> +22274,15 @@ virDomainDefParseXML(xmlDocPtr xml,
> ctxt->node = node;
> VIR_FREE(nodes);
>
> - /* Check for SEV feature */
> - if ((node = virXPathNode("./launchSecurity", ctxt)) != NULL) {
> - def->sev = virDomainSEVDefParseXML(node, ctxt);
> - if (!def->sev)
> + /* analysis of launch security */
> + if ((n = virXPathNodeSet("./launchSecurity", ctxt, &nodes)) <
0)
> + goto error;
> +
> + for (i = 0; i < n; i++) {
> + if (virDomainLaunchSecurityDefParseXML(nodes[i], ctxt, def)
> + != 0)
> goto error;
> }
> + VIR_FREE(nodes);
>
> /* analysis of memory devices */
> if ((n = virXPathNodeSet("./devices/memory", ctxt, &nodes)) <
0)
> diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index
> 011bf66cb4..88adf461df 100644
> --- a/src/conf/domain_conf.h
> +++ b/src/conf/domain_conf.h
> @@ -2447,6 +2447,7 @@ struct _virDomainKeyWrapDef { typedef enum {
> VIR_DOMAIN_LAUNCH_SECURITY_NONE,
> VIR_DOMAIN_LAUNCH_SECURITY_SEV,
> + VIR_DOMAIN_LAUNCH_SECURITY_SGX,
>
> VIR_DOMAIN_LAUNCH_SECURITY_LAST,
> } virDomainLaunchSecurity;
> @@ -2462,6 +2463,12 @@ struct _virDomainSEVDef { };
>
>
> +struct _virDomainSGXDef {
> + int sectype; /* enum virDomainLaunchSecurity */
> + unsigned long long epc_size; /* kibibytes */ };
> +
> +
> typedef enum {
> VIR_DOMAIN_IOMMU_MODEL_INTEL,
> VIR_DOMAIN_IOMMU_MODEL_SMMUV3,
> @@ -2670,6 +2677,9 @@ struct _virDomainDef {
> /* SEV-specific domain */
> virDomainSEVDefPtr sev;
>
> + /* SGX-specific domain */
> + virDomainSGXDefPtr sgx;
> +
> /* Application-specific custom metadata */
> xmlNodePtr metadata;
>
> diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h index
> 1c62cde251..084bcc7687 100644
> --- a/src/conf/virconftypes.h
> +++ b/src/conf/virconftypes.h
> @@ -291,6 +291,9 @@ typedef virDomainResourceDef
> *virDomainResourceDefPtr; typedef struct _virDomainSEVDef
> virDomainSEVDef; typedef virDomainSEVDef *virDomainSEVDefPtr;
>
> +typedef struct _virDomainSGXDef virDomainSGXDef; typedef
> +virDomainSGXDef *virDomainSGXDefPtr;
> +
> typedef struct _virDomainShmemDef virDomainShmemDef; typedef
> virDomainShmemDef *virDomainShmemDefPtr;
>
> --
> 2.17.1
>
7:10 a.m.
New subject: [libvirt][PATCH v4 2/4] qemu: Add command-line to generate SGX EPC memory backend
From: Lin Yang <lin.a.yang(a)intel.com>
According to the result parsing from xml, add the argument of
SGX EPC memory backend into QEMU command line:
-object memory-backend-epc,id=mem1,size=<epc_size>K,prealloc \
-sgx-epc id=epc1,memdev=mem1
---
src/qemu/qemu_command.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 01812cd39b..2c3785886c 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9869,6 +9869,27 @@ qemuBuildVsockCommandLine(virCommandPtr cmd,
}
+static int
+qemuBuildSGXCommandLine(virCommandPtr cmd, virDomainSGXDefPtr sgx)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+
+ if (!sgx)
+ return 0;
+
+ VIR_DEBUG("sgx->epc_size=%lluKiB", sgx->epc_size);
+
+ virBufferAsprintf(&buf,
"memory-backend-epc,id=mem1,size=%lluK,prealloc", sgx->epc_size);
+ virCommandAddArg(cmd, "-object");
+ virCommandAddArgBuffer(cmd, &buf);
+
+ virCommandAddArg(cmd, "-sgx-epc");
+ virCommandAddArg(cmd, "id=epc1,memdev=mem1");
+
+ return 0;
+}
+
+
/*
* Constructs a argv suitable for launching qemu with config defined
* for a given virtual machine.
@@ -10154,6 +10175,9 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
cfg->logTimestamp)
virCommandAddArgList(cmd, "-msg", "timestamp=on", NULL);
+ if (qemuBuildSGXCommandLine(cmd, def->sgx) < 0)
+ return NULL;
+
return g_steal_pointer(&cmd);
}
--
2.17.1
6:32 a.m.
New subject: [libvirt][PATCH v4 2/4] qemu: Add command-line to generate SGX EPC memory backend
On Thu, 2021-07-01 at 20:10 +0800, Haibin Huang wrote:
From: Lin Yang <lin.a.yang(a)intel.com>
According to the result parsing from xml, add the argument of
SGX EPC memory backend into QEMU command line:
-object memory-backend-epc,id=mem1,size=<epc_size>K,prealloc \
-sgx-epc id=epc1,memdev=mem1
---
src/qemu/qemu_command.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 01812cd39b..2c3785886c 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9869,6 +9869,27 @@ qemuBuildVsockCommandLine(virCommandPtr cmd,
}
+static int
+qemuBuildSGXCommandLine(virCommandPtr cmd, virDomainSGXDefPtr sgx)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+
+ if (!sgx)
+ return 0;
+
+ VIR_DEBUG("sgx->epc_size=%lluKiB", sgx->epc_size);
+
+ virBufferAsprintf(&buf, "memory-backend-
epc,id=mem1,size=%lluK,prealloc", sgx->epc_size);
+ virCommandAddArg(cmd, "-object");
+ virCommandAddArgBuffer(cmd, &buf);
virCommandAddArgFormat?
+
+ virCommandAddArg(cmd, "-sgx-epc");
+ virCommandAddArg(cmd, "id=epc1,memdev=mem1");
+
+ return 0;
+}
+
+
/*
* Constructs a argv suitable for launching qemu with config defined
* for a given virtual machine.
@@ -10154,6 +10175,9 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
cfg->logTimestamp)
virCommandAddArgList(cmd, "-msg", "timestamp=on", NULL);
+ if (qemuBuildSGXCommandLine(cmd, def->sgx) < 0)
+ return NULL;
+
Personal opinion: I would not add this to the end of the function, but
place it next to the call to "qemuBuildSEVCommandLine(...)". Or replace
the call to qemuBuildSEVCommandLine() with a
"qemuBuildSecurityCommandLine()", which in turn calls
qemuBuild{SEV,SGX}CommandLine().
Regards,
Tim
return g_steal_pointer(&cmd);
}
7:27 p.m.
New subject: [libvirt][PATCH v4 2/4] qemu: Add command-line to generate SGX EPC memory backend
-----Original Message-----
From: Tim Wiederhake <twiederh(a)redhat.com>
Sent: Monday, July 5, 2021 7:32 PM
To: Huang, Haibin <haibin.huang(a)intel.com>
Cc: libvir-list(a)redhat.com; Ding, Jian-feng <jian-feng.ding(a)intel.com>; Yang,
Lin A <lin.a.yang(a)intel.com>; Lu, Lianhao <lianhao.lu(a)intel.com>
Subject: Re: [libvirt][PATCH v4 2/4] qemu: Add command-line to generate
SGX EPC memory backend
On Thu, 2021-07-01 at 20:10 +0800, Haibin Huang wrote:
> From: Lin Yang <lin.a.yang(a)intel.com>
>
> According to the result parsing from xml, add the argument of SGX EPC
> memory backend into QEMU command line:
>
> -object memory-backend-epc,id=mem1,size=<epc_size>K,prealloc \
> -sgx-epc id=epc1,memdev=mem1
> ---
> src/qemu/qemu_command.c | 24 ++++++++++++++++++++++++
> 1 file changed, 24 insertions(+)
>
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index
> 01812cd39b..2c3785886c 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -9869,6 +9869,27 @@ qemuBuildVsockCommandLine(virCommandPtr
cmd,
> }
>
>
> +static int
> +qemuBuildSGXCommandLine(virCommandPtr cmd, virDomainSGXDefPtr
sgx) {
> + g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
> +
> + if (!sgx)
> + return 0;
> +
> + VIR_DEBUG("sgx->epc_size=%lluKiB", sgx->epc_size);
> +
> + virBufferAsprintf(&buf, "memory-backend-
> epc,id=mem1,size=%lluK,prealloc", sgx->epc_size);
> + virCommandAddArg(cmd, "-object");
> + virCommandAddArgBuffer(cmd, &buf);
virCommandAddArgFormat?
[Haibin] ok, I will change to virCommandAddArgFormat
> +
> + virCommandAddArg(cmd, "-sgx-epc");
> + virCommandAddArg(cmd, "id=epc1,memdev=mem1");
> +
> + return 0;
> +}
> +
> +
> /*
> * Constructs a argv suitable for launching qemu with config defined
> * for a given virtual machine.
> @@ -10154,6 +10175,9 @@ qemuBuildCommandLine(virQEMUDriverPtr
driver,
> cfg->logTimestamp)
> virCommandAddArgList(cmd, "-msg", "timestamp=on",
NULL);
>
> + if (qemuBuildSGXCommandLine(cmd, def->sgx) < 0)
> + return NULL;
> +
Personal opinion: I would not add this to the end of the function, but place it
next to the call to "qemuBuildSEVCommandLine(...)". Or replace the call to
qemuBuildSEVCommandLine() with a "qemuBuildSecurityCommandLine()",
which in turn calls qemuBuild{SEV,SGX}CommandLine().
[Haibin] ok, good point.
Regards,
Tim
> return g_steal_pointer(&cmd);
> }
>
7:10 a.m.
New subject: [libvirt][PATCH v4 3/4] qemu: Add command-line to enable SGX
From: Lin Yang <lin.a.yang(a)intel.com>
If SGX is defined in domain, add the argument to enable
SGX in -cpu <model>:
-cpu <model>,+sgx,+sgx-debug,+sgx1,+sgx-encls-c,
+sgx-enclv,+sgx-exinfo,+sgx-kss,+sgx-mode64,
+sgx-provisionkey,+sgx-tokenkey,+sgx2,+sgxlc
---
src/qemu/qemu_command.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 2c3785886c..fb05acbc94 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6405,6 +6405,12 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
case VIR_CPU_MODE_CUSTOM:
virBufferAdd(buf, cpu->model, -1);
+ if(def->sgx)
+ virBufferAdd(buf,
+
",+sgx,+sgx-debug,+sgx1,+sgx-encls-c,+sgx-enclv,+sgx-exinfo,"
+
"+sgx-kss,+sgx-mode64,+sgx-provisionkey,+sgx-tokenkey,+sgx2,"
+ "+sgxlc",
+ -1);
break;
case VIR_CPU_MODE_LAST:
--
2.17.1
6:32 a.m.
New subject: [libvirt][PATCH v4 3/4] qemu: Add command-line to enable SGX
On Thu, 2021-07-01 at 20:10 +0800, Haibin Huang wrote:
From: Lin Yang <lin.a.yang(a)intel.com>
If SGX is defined in domain, add the argument to enable
SGX in -cpu <model>:
-cpu <model>,+sgx,+sgx-debug,+sgx1,+sgx-encls-c,
+sgx-enclv,+sgx-exinfo,+sgx-kss,+sgx-mode64,
+sgx-provisionkey,+sgx-tokenkey,+sgx2,+sgxlc
---
src/qemu/qemu_command.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 2c3785886c..fb05acbc94 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6405,6 +6405,12 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr
driver,
case VIR_CPU_MODE_CUSTOM:
virBufferAdd(buf, cpu->model, -1);
+ if(def->sgx)
Space between "if" and "(".
Regards,
Tim
+ virBufferAdd(buf,
+ ",+sgx,+sgx-debug,+sgx1,+sgx-encls-c,+sgx-
enclv,+sgx-exinfo,"
+ "+sgx-kss,+sgx-mode64,+sgx-
provisionkey,+sgx-tokenkey,+sgx2,"
+ "+sgxlc",
+ -1);
break;
case VIR_CPU_MODE_LAST:
7:34 p.m.
New subject: [libvirt][PATCH v4 3/4] qemu: Add command-line to enable SGX
-----Original Message-----
From: Tim Wiederhake <twiederh(a)redhat.com>
Sent: Monday, July 5, 2021 7:32 PM
To: Huang, Haibin <haibin.huang(a)intel.com>
Cc: libvir-list(a)redhat.com; Ding, Jian-feng <jian-feng.ding(a)intel.com>; Yang,
Lin A <lin.a.yang(a)intel.com>; Lu, Lianhao <lianhao.lu(a)intel.com>
Subject: Re: [libvirt][PATCH v4 3/4] qemu: Add command-line to enable SGX
On Thu, 2021-07-01 at 20:10 +0800, Haibin Huang wrote:
> From: Lin Yang <lin.a.yang(a)intel.com>
>
> If SGX is defined in domain, add the argument to enable SGX in -cpu
> <model>:
[Haibin] we will delete those fixed cpu feature, let user to
use <feature> in domain definition to control it.
>
> -cpu <model>,+sgx,+sgx-debug,+sgx1,+sgx-encls-c,
> +sgx-enclv,+sgx-exinfo,+sgx-kss,+sgx-mode64,
> +sgx-provisionkey,+sgx-tokenkey,+sgx2,+sgxlc
> ---
> src/qemu/qemu_command.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index
> 2c3785886c..fb05acbc94 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -6405,6 +6405,12 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr
> driver,
>
> case VIR_CPU_MODE_CUSTOM:
> virBufferAdd(buf, cpu->model, -1);
> + if(def->sgx)
Space between "if" and "(".
[Haibin] ok
Regards,
Tim
> + virBufferAdd(buf,
> + ",+sgx,+sgx-debug,+sgx1,+sgx-encls-c,+sgx-
> enclv,+sgx-exinfo,"
> + "+sgx-kss,+sgx-mode64,+sgx-
> provisionkey,+sgx-tokenkey,+sgx2,"
> + "+sgxlc",
> + -1);
> break;
>
> case VIR_CPU_MODE_LAST:
4:07 a.m.
New subject: [libvirt][PATCH v4 3/4] qemu: Add command-line to enable SGX
On Thu, Jul 01, 2021 at 08:10:28PM +0800, Haibin Huang wrote:
From: Lin Yang <lin.a.yang(a)intel.com>
If SGX is defined in domain, add the argument to enable
SGX in -cpu <model>:
-cpu <model>,+sgx,+sgx-debug,+sgx1,+sgx-encls-c,
+sgx-enclv,+sgx-exinfo,+sgx-kss,+sgx-mode64,
+sgx-provisionkey,+sgx-tokenkey,+sgx2,+sgxlc
---
src/qemu/qemu_command.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 2c3785886c..fb05acbc94 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6405,6 +6405,12 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
case VIR_CPU_MODE_CUSTOM:
virBufferAdd(buf, cpu->model, -1);
+ if(def->sgx)
+ virBufferAdd(buf,
+
",+sgx,+sgx-debug,+sgx1,+sgx-encls-c,+sgx-enclv,+sgx-exinfo,"
+
"+sgx-kss,+sgx-mode64,+sgx-provisionkey,+sgx-tokenkey,+sgx2,"
+ "+sgxlc",
+ -1);
+feature syntax in QEMU is deprecated. It should be feature=on
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
9:25 p.m.
New subject: [libvirt][PATCH v4 3/4] qemu: Add command-line to enable SGX
-----Original Message-----
From: Daniel P. Berrangé <berrange(a)redhat.com>
Sent: Tuesday, July 20, 2021 5:08 PM
To: Huang, Haibin <haibin.huang(a)intel.com>
Cc: libvir-list(a)redhat.com; Ding, Jian-feng <jian-feng.ding(a)intel.com>; Yang,
Lin A <lin.a.yang(a)intel.com>; Lu, Lianhao <lianhao.lu(a)intel.com>
Subject: Re: [libvirt][PATCH v4 3/4] qemu: Add command-line to enable SGX
On Thu, Jul 01, 2021 at 08:10:28PM +0800, Haibin Huang wrote:
> From: Lin Yang <lin.a.yang(a)intel.com>
>
> If SGX is defined in domain, add the argument to enable SGX in -cpu
> <model>:
>
> -cpu <model>,+sgx,+sgx-debug,+sgx1,+sgx-encls-c,
> +sgx-enclv,+sgx-exinfo,+sgx-kss,+sgx-mode64,
> +sgx-provisionkey,+sgx-tokenkey,+sgx2,+sgxlc
> ---
> src/qemu/qemu_command.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index
> 2c3785886c..fb05acbc94 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -6405,6 +6405,12 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr
> driver,
>
> case VIR_CPU_MODE_CUSTOM:
> virBufferAdd(buf, cpu->model, -1);
> + if(def->sgx)
> + virBufferAdd(buf,
> +
",+sgx,+sgx-debug,+sgx1,+sgx-encls-c,+sgx-enclv,+sgx-exinfo,"
> + "+sgx-kss,+sgx-mode64,+sgx-provisionkey,+sgx-
tokenkey,+sgx2,"
> + "+sgxlc",
> + -1);
+feature syntax in QEMU is deprecated. It should be feature=on
[Haibin] ok, got it, I will modify it.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|
7:42 p.m.
New subject: [libvirt][PATCH v4 3/4] qemu: Add command-line to enable SGX
-----Original Message-----
From: Daniel P. Berrangé <berrange(a)redhat.com>
Sent: Tuesday, July 20, 2021 5:08 PM
To: Huang, Haibin <haibin.huang(a)intel.com>
Cc: libvir-list(a)redhat.com; Ding, Jian-feng <jian-feng.ding(a)intel.com>; Yang,
Lin A <lin.a.yang(a)intel.com>; Lu, Lianhao <lianhao.lu(a)intel.com>
Subject: Re: [libvirt][PATCH v4 3/4] qemu: Add command-line to enable SGX
On Thu, Jul 01, 2021 at 08:10:28PM +0800, Haibin Huang wrote:
> From: Lin Yang <lin.a.yang(a)intel.com>
>
> If SGX is defined in domain, add the argument to enable SGX in -cpu
> <model>:
>
> -cpu <model>,+sgx,+sgx-debug,+sgx1,+sgx-encls-c,
> +sgx-enclv,+sgx-exinfo,+sgx-kss,+sgx-mode64,
> +sgx-provisionkey,+sgx-tokenkey,+sgx2,+sgxlc
> ---
> src/qemu/qemu_command.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index
> 2c3785886c..fb05acbc94 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -6405,6 +6405,12 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr
> driver,
>
> case VIR_CPU_MODE_CUSTOM:
> virBufferAdd(buf, cpu->model, -1);
> + if(def->sgx)
> + virBufferAdd(buf,
> +
",+sgx,+sgx-debug,+sgx1,+sgx-encls-c,+sgx-enclv,+sgx-
exinfo,"
> + "+sgx-kss,+sgx-mode64,+sgx-provisionkey,+sgx-
tokenkey,+sgx2,"
> + "+sgxlc",
> + -1);
+feature syntax in QEMU is deprecated. It should be feature=on
[Haibin] we have
deleted it in v5 patch
[https://listman.redhat.com/archives/libvir-list/2021-July/msg00381.html]
Regards,
Daniel
--
|: https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|
7:10 a.m.
New subject: [libvirt][PATCH v4 4/4] Support to query SGX capability
1.Add SGX feature in domain capabilities
2.Get sgx capabilities by query-sgx-capabilities
3.Transfer the B to KB for epc_size
4.Delete sgx1 and sgx2
5.add unit test for get capabilities
Signed-off-by: Haibin Huang <haibin.huang(a)intel.com>
---
src/conf/domain_capabilities.c | 29 ++++
src/conf/domain_capabilities.h | 13 ++
src/libvirt_private.syms | 2 +-
src/qemu/qemu_capabilities.c | 146 ++++++++++++++++++
src/qemu/qemu_capabilities.h | 6 +
src/qemu/qemu_command.c | 2 +-
src/qemu/qemu_monitor.c | 10 ++
src/qemu/qemu_monitor.h | 3 +
src/qemu/qemu_monitor_json.c | 91 +++++++++++
src/qemu/qemu_monitor_json.h | 3 +
tests/domaincapsdata/bhyve_basic.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_fbuf.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_uefi.x86_64.xml | 1 +
tests/domaincapsdata/empty.xml | 1 +
tests/domaincapsdata/libxl-xenfv.xml | 1 +
tests/domaincapsdata/libxl-xenpv.xml | 1 +
.../domaincapsdata/qemu_1.5.3-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.5.3-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.5.3.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.6.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.6.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.6.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.7.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.7.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.7.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.1.1-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.1.1-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.1.1.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.10.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.10.0-tcg.x86_64.xml | 1 +
.../qemu_2.10.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 1 +
.../qemu_2.12.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.4.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.4.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.5.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.5.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.6.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml | 1 +
.../qemu_2.6.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.7.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.7.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.7.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.8.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.8.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.8.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.9.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml | 1 +
.../qemu_4.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_4.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 1 +
.../qemu_4.2.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml | 1 +
.../qemu_5.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_5.1.0.x86_64.xml | 1 +
106 files changed, 399 insertions(+), 2 deletions(-)
diff --git a/src/conf/domain_capabilities.c b/src/conf/domain_capabilities.c
index d61108e125..f83a462ca3 100644
--- a/src/conf/domain_capabilities.c
+++ b/src/conf/domain_capabilities.c
@@ -91,6 +91,16 @@ virSEVCapabilitiesFree(virSEVCapability *cap)
}
+void
+virSGXCapabilitiesFree(virSGXCapability *cap)
+{
+ if (!cap)
+ return;
+
+ VIR_FREE(cap);
+}
+
+
static void
virDomainCapsDispose(void *obj)
{
@@ -101,6 +111,7 @@ virDomainCapsDispose(void *obj)
virObjectUnref(caps->cpu.custom);
virCPUDefFree(caps->cpu.hostModel);
virSEVCapabilitiesFree(caps->sev);
+ virSGXCapabilitiesFree(caps->sgx);
virDomainCapsStringValuesFree(&caps->os.loader.values);
}
@@ -564,6 +575,23 @@ virDomainCapsFeatureSEVFormat(virBufferPtr buf,
return;
}
+static void
+virDomainCapsFeatureSGXFormat(virBufferPtr buf,
+ virSGXCapabilityPtr const sgx)
+{
+ if (!sgx) {
+ virBufferAddLit(buf, "<sgx supported='no'/>\n");
+ } else {
+ virBufferAddLit(buf, "<sgx supported='yes'>\n");
+ virBufferAdjustIndent(buf, 2);
+ virBufferAsprintf(buf, "<flc>%s</flc>\n", sgx->flc ?
"yes" : "no");
+ virBufferAsprintf(buf, "<epc_size
unit='KiB'>%d</epc_size>\n", sgx->epc_size);
+ virBufferAdjustIndent(buf, -2);
+ virBufferAddLit(buf, "</sgx>\n");
+ }
+
+ return;
+}
static void
virDomainCapsFormatFeatures(const virDomainCaps *caps,
@@ -584,6 +612,7 @@ virDomainCapsFormatFeatures(const virDomainCaps *caps,
}
virDomainCapsFeatureSEVFormat(&childBuf, caps->sev);
+ virDomainCapsFeatureSGXFormat(&childBuf, caps->sgx);
virXMLFormatElement(buf, "features", NULL, &childBuf);
}
diff --git a/src/conf/domain_capabilities.h b/src/conf/domain_capabilities.h
index 685d5e2a44..d63f2d4219 100644
--- a/src/conf/domain_capabilities.h
+++ b/src/conf/domain_capabilities.h
@@ -150,6 +150,13 @@ struct _virDomainCapsCPU {
virDomainCapsCPUModelsPtr custom;
};
+typedef struct _virSGXCapability virSGXCapability;
+typedef virSGXCapability *virSGXCapabilityPtr;
+struct _virSGXCapability {
+ bool flc;
+ unsigned int epc_size;
+};
+
typedef struct _virSEVCapability virSEVCapability;
typedef virSEVCapability *virSEVCapabilityPtr;
struct _virSEVCapability {
@@ -191,6 +198,7 @@ struct _virDomainCaps {
virDomainCapsFeatureGIC gic;
virSEVCapabilityPtr sev;
+ virSGXCapabilityPtr sgx;
/* add new domain features here */
virTristateBool features[VIR_DOMAIN_CAPS_FEATURE_LAST];
@@ -239,4 +247,9 @@ int virDomainCapsDeviceDefValidate(const virDomainCaps *caps,
void
virSEVCapabilitiesFree(virSEVCapability *capabilities);
+void
+virSGXCapabilitiesFree(virSGXCapability *capabilities);
+
G_DEFINE_AUTOPTR_CLEANUP_FUNC(virSEVCapability, virSEVCapabilitiesFree);
+
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(virSGXCapability, virSGXCapabilitiesFree);
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 01c2e710cd..ea7aa897cc 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -215,6 +215,7 @@ virDomainCapsEnumSet;
virDomainCapsFormat;
virDomainCapsNew;
virSEVCapabilitiesFree;
+virSGXCapabilitiesFree;
# conf/domain_conf.h
@@ -1694,7 +1695,6 @@ virBitmapToDataBuf;
virBitmapToString;
virBitmapUnion;
-
# util/virbpf.h
virBPFAttachProg;
virBPFCreateMap;
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index ff6ba8c9e9..63f55480dd 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -597,6 +597,9 @@ VIR_ENUM_IMPL(virQEMUCaps,
"spapr-tpm-proxy",
"numa.hmat",
"blockdev-hostdev-scsi",
+
+ /* 380 */
+ "sgx-epc",
);
@@ -698,11 +701,14 @@ struct _virQEMUCaps {
virSEVCapability *sevCapabilities;
+ virSGXCapability *sgxCapabilities;
+
/* Capabilities which may differ depending on the accelerator. */
virQEMUCapsAccel kvm;
virQEMUCapsAccel tcg;
};
+
struct virQEMUCapsSearchData {
virArch arch;
const char *binaryFilter;
@@ -1323,6 +1329,7 @@ struct virQEMUCapsStringFlags virQEMUCapsObjectTypes[] = {
{ "tcg-accel", QEMU_CAPS_TCG },
{ "pvscsi", QEMU_CAPS_SCSI_PVSCSI },
{ "spapr-tpm-proxy", QEMU_CAPS_DEVICE_SPAPR_TPM_PROXY },
+ { "sgx-epc", QEMU_CAPS_SGX_EPC },
};
@@ -1870,6 +1877,23 @@ virQEMUCapsSEVInfoCopy(virSEVCapabilityPtr *dst,
}
+static int
+virQEMUCapsSGXInfoCopy(virSGXCapabilityPtr *dst,
+ virSGXCapabilityPtr src)
+{
+ g_autoptr(virSGXCapability) tmp = NULL;
+
+ if (VIR_ALLOC(tmp) < 0)
+ return -1;
+
+ tmp->flc = src->flc;
+ tmp->epc_size = src->epc_size;
+
+ *dst = g_steal_pointer(&tmp);
+ return 0;
+}
+
+
static void
virQEMUCapsAccelCopyMachineTypes(virQEMUCapsAccelPtr dst,
virQEMUCapsAccelPtr src)
@@ -1947,6 +1971,11 @@ virQEMUCapsPtr virQEMUCapsNewCopy(virQEMUCapsPtr qemuCaps)
qemuCaps->sevCapabilities) < 0)
goto error;
+ if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SGX_EPC) &&
+ virQEMUCapsSGXInfoCopy(&ret->sgxCapabilities,
+ qemuCaps->sgxCapabilities) < 0)
+ goto error;
+
return ret;
error:
@@ -1987,6 +2016,7 @@ void virQEMUCapsDispose(void *obj)
VIR_FREE(qemuCaps->gicCapabilities);
virSEVCapabilitiesFree(qemuCaps->sevCapabilities);
+ virSGXCapabilitiesFree(qemuCaps->sgxCapabilities);
virQEMUCapsAccelClear(&qemuCaps->kvm);
virQEMUCapsAccelClear(&qemuCaps->tcg);
@@ -2581,6 +2611,13 @@ virQEMUCapsGetSEVCapabilities(virQEMUCapsPtr qemuCaps)
}
+virSGXCapabilityPtr
+virQEMUCapsGetSGXCapabilities(virQEMUCapsPtr qemuCaps)
+{
+ return qemuCaps->sgxCapabilities;
+}
+
+
static int
virQEMUCapsProbeQMPCommands(virQEMUCapsPtr qemuCaps,
qemuMonitorPtr mon)
@@ -2640,6 +2677,7 @@ virQEMUCapsProbeQMPObjectTypes(virQEMUCapsPtr qemuCaps,
if ((nvalues = qemuMonitorGetObjectTypes(mon, &values)) < 0)
return -1;
+
virQEMUCapsProcessStringFlags(qemuCaps,
G_N_ELEMENTS(virQEMUCapsObjectTypes),
virQEMUCapsObjectTypes,
@@ -3405,6 +3443,31 @@ virQEMUCapsProbeQMPSEVCapabilities(virQEMUCapsPtr qemuCaps,
}
+static int
+virQEMUCapsProbeQMPSGXCapabilities(virQEMUCapsPtr qemuCaps,
+ qemuMonitorPtr mon)
+{
+ int rc = -1;
+ virSGXCapability *caps = NULL;
+
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SGX_EPC))
+ return 0;
+
+ if ((rc = qemuMonitorGetSGXCapabilities(mon, &caps)) < 0)
+ return -1;
+
+ /* SGX isn't actually supported */
+ if (rc == 0) {
+ virQEMUCapsClear(qemuCaps, QEMU_CAPS_SGX_EPC);
+ return 0;
+ }
+
+ virSGXCapabilitiesFree(qemuCaps->sgxCapabilities);
+ qemuCaps->sgxCapabilities = caps;
+ return 0;
+}
+
+
/*
* Filter for features which should never be passed to QEMU. Either because
* QEMU never supported them or they were dropped as they never did anything
@@ -4187,6 +4250,42 @@ virQEMUCapsParseSEVInfo(virQEMUCapsPtr qemuCaps, xmlXPathContextPtr
ctxt)
return 0;
}
+static int
+virQEMUCapsParseSGXInfo(virQEMUCapsPtr qemuCaps, xmlXPathContextPtr ctxt)
+{
+ g_autoptr(virSGXCapability) sgx = NULL;
+
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SGX_EPC))
+ return 0;
+
+ if (virXPathBoolean("boolean(./sgx)", ctxt) == 0) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("missing SGX platform data in QEMU "
+ "capabilities cache"));
+ return -1;
+ }
+
+ if (VIR_ALLOC(sgx) < 0)
+ return -1;
+
+ if (virXPathBoolean("boolean(./sgx/flc)", ctxt) == 0) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("missing SGX platform flc data in QEMU "
+ "capabilities cache"));
+ return -1;
+ }
+
+ if (virXPathUInt("string(./sgx/epc_size)", ctxt, &sgx->epc_size)
< 0) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("missing or malformed SGX platform epc_size information
"
+ "in QEMU capabilities cache"));
+ return -1;
+ }
+
+ qemuCaps->sgxCapabilities = g_steal_pointer(&sgx);
+ return 0;
+}
+
/*
* Parsing a doc that looks like
@@ -4425,6 +4524,9 @@ virQEMUCapsLoadCache(virArch hostArch,
if (virQEMUCapsParseSEVInfo(qemuCaps, ctxt) < 0)
goto cleanup;
+ if (virQEMUCapsParseSGXInfo(qemuCaps, ctxt) < 0)
+ goto cleanup;
+
virQEMUCapsInitHostCPUModel(qemuCaps, hostArch, VIR_DOMAIN_VIRT_KVM);
virQEMUCapsInitHostCPUModel(qemuCaps, hostArch, VIR_DOMAIN_VIRT_QEMU);
@@ -4601,6 +4703,19 @@ virQEMUCapsFormatSEVInfo(virQEMUCapsPtr qemuCaps, virBufferPtr
buf)
virBufferAddLit(buf, "</sev>\n");
}
+static void
+virQEMUCapsFormatSGXInfo(virQEMUCapsPtr qemuCaps, virBufferPtr buf)
+{
+ virSGXCapabilityPtr sgx = virQEMUCapsGetSGXCapabilities(qemuCaps);
+
+ virBufferAddLit(buf, "<sgx>\n");
+ virBufferAdjustIndent(buf, 2);
+ virBufferAsprintf(buf, "<flc>%s</flc>\n", sgx->flc ?
"yes" : "no");
+ virBufferAsprintf(buf, "<epc_size>%u</epc_size>\n",
sgx->epc_size);
+ virBufferAdjustIndent(buf, -2);
+ virBufferAddLit(buf, "</sgx>\n");
+}
+
char *
virQEMUCapsFormatCache(virQEMUCapsPtr qemuCaps)
@@ -4671,6 +4786,9 @@ virQEMUCapsFormatCache(virQEMUCapsPtr qemuCaps)
if (qemuCaps->sevCapabilities)
virQEMUCapsFormatSEVInfo(qemuCaps, &buf);
+ if (qemuCaps->sgxCapabilities)
+ virQEMUCapsFormatSGXInfo(qemuCaps, &buf);
+
if (qemuCaps->kvmSupportsNesting)
virBufferAddLit(&buf, "<kvmSupportsNesting/>\n");
@@ -5323,6 +5441,8 @@ virQEMUCapsInitQMPMonitor(virQEMUCapsPtr qemuCaps,
return -1;
if (virQEMUCapsProbeQMPSEVCapabilities(qemuCaps, mon) < 0)
return -1;
+ if (virQEMUCapsProbeQMPSGXCapabilities(qemuCaps, mon) < 0)
+ return -1;
virQEMUCapsInitProcessCaps(qemuCaps);
@@ -6245,6 +6365,31 @@ virQEMUCapsFillDomainFeatureGICCaps(virQEMUCapsPtr qemuCaps,
}
+/**
+ * virQEMUCapsFillDomainFeatureiSGXCaps:
+ * @qemuCaps: QEMU capabilities
+ * @domCaps: domain capabilities
+ *
+ * Take the information about SGX capabilities that has been obtained
+ * using the 'query-sgx-capabilities' QMP command and stored in @qemuCaps
+ * and convert it to a form suitable for @domCaps.
+ */
+static void
+virQEMUCapsFillDomainFeatureSGXCaps(virQEMUCapsPtr qemuCaps,
+ virDomainCapsPtr domCaps)
+{
+ virSGXCapability *cap = qemuCaps->sgxCapabilities;
+
+ if (!cap)
+ return;
+
+ domCaps->sgx = g_new0(virSGXCapability, 1);
+
+ domCaps->sgx->flc = cap->flc;
+ domCaps->sgx->epc_size = cap->epc_size;
+}
+
+
/**
* virQEMUCapsFillDomainFeatureSEVCaps:
* @qemuCaps: QEMU capabilities
@@ -6316,6 +6461,7 @@ virQEMUCapsFillDomainCaps(virQEMUCapsPtr qemuCaps,
virQEMUCapsFillDomainDeviceRNGCaps(qemuCaps, rng);
virQEMUCapsFillDomainFeatureGICCaps(qemuCaps, domCaps);
virQEMUCapsFillDomainFeatureSEVCaps(qemuCaps, domCaps);
+ virQEMUCapsFillDomainFeatureSGXCaps(qemuCaps, domCaps);
return 0;
}
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 5d08941538..0e3af622a7 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -578,6 +578,9 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check
*/
QEMU_CAPS_NUMA_HMAT, /* -numa hmat */
QEMU_CAPS_BLOCKDEV_HOSTDEV_SCSI, /* -blockdev used for (i)SCSI hostdevs */
+ /* 380 */
+ QEMU_CAPS_SGX_EPC, /* -object sgx-epc,... */
+
QEMU_CAPS_LAST /* this must always be the last item */
} virQEMUCapsFlags;
@@ -759,5 +762,8 @@ virQEMUCapsCPUFeatureFromQEMU(virQEMUCapsPtr qemuCaps,
virSEVCapabilityPtr
virQEMUCapsGetSEVCapabilities(virQEMUCapsPtr qemuCaps);
+virSGXCapabilityPtr
+virQEMUCapsGetSGXCapabilities(virQEMUCapsPtr qemuCaps);
+
virArch virQEMUCapsArchFromString(const char *arch);
const char *virQEMUCapsArchToString(virArch arch);
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index fb05acbc94..9462b5a6c8 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6405,7 +6405,7 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
case VIR_CPU_MODE_CUSTOM:
virBufferAdd(buf, cpu->model, -1);
- if(def->sgx)
+ if (def->sgx)
virBufferAdd(buf,
",+sgx,+sgx-debug,+sgx1,+sgx-encls-c,+sgx-enclv,+sgx-exinfo,"
"+sgx-kss,+sgx-mode64,+sgx-provisionkey,+sgx-tokenkey,+sgx2,"
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 637361d24d..1e377ee8dc 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -3870,6 +3870,16 @@ qemuMonitorGetSEVCapabilities(qemuMonitorPtr mon,
}
+int
+qemuMonitorGetSGXCapabilities(qemuMonitorPtr mon,
+ virSGXCapability **capabilities)
+{
+ QEMU_CHECK_MONITOR(mon);
+
+ return qemuMonitorJSONGetSGXCapabilities(mon, capabilities);
+}
+
+
int
qemuMonitorNBDServerStart(qemuMonitorPtr mon,
const virStorageNetHostDef *server,
diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
index d20a15c202..76b3cd54c7 100644
--- a/src/qemu/qemu_monitor.h
+++ b/src/qemu/qemu_monitor.h
@@ -836,6 +836,9 @@ int qemuMonitorGetGICCapabilities(qemuMonitorPtr mon,
int qemuMonitorGetSEVCapabilities(qemuMonitorPtr mon,
virSEVCapability **capabilities);
+int qemuMonitorGetSGXCapabilities(qemuMonitorPtr mon,
+ virSGXCapability **capabilities);
+
typedef enum {
QEMU_MONITOR_MIGRATE_BACKGROUND = 1 << 0,
QEMU_MONITOR_MIGRATE_NON_SHARED_DISK = 1 << 1, /* migration with non-shared
storage with full disk copy */
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index 9cdf6c0f7f..06f0738ad8 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -44,6 +44,7 @@
# include "libvirt_qemu_probes.h"
#endif
+#define KB 1024
#define VIR_FROM_THIS VIR_FROM_QEMU
VIR_LOG_INIT("qemu.qemu_monitor_json");
@@ -7056,6 +7057,96 @@ qemuMonitorJSONGetGICCapabilities(qemuMonitorPtr mon,
}
+/**
+ * qemuMonitorJSONGetSGXCapabilities:
+ * @mon: qemu monitor object
+ * @capabilities: pointer to pointer to a SGX capability structure to be filled
+ *
+ * This function queries and fills in INTEL's SGX platform-specific data.
+ * Note that from QEMU's POV both -object sgx-epc and query-sgx-capabilities
+ * can be present even if SGX is not available, which basically leaves us with
+ * checking for JSON "GenericError" in order to differentiate between
compiled-in
+ * support and actual SGX support on the platform.
+ *
+ * Returns -1 on error, 0 if SGX is not supported, and 1 if SGX is supported on
+ * the platform.
+ */
+int
+qemuMonitorJSONGetSGXCapabilities(qemuMonitorPtr mon,
+ virSGXCapability **capabilities)
+{
+ int ret = -1;
+ virJSONValuePtr cmd;
+ virJSONValuePtr reply = NULL;
+ virJSONValuePtr caps;
+ bool sgx = false;
+ bool flc = false;
+ unsigned int section_size = 0;
+ g_autoptr(virSGXCapability) capability = NULL;
+
+ *capabilities = NULL;
+
+ if (!(cmd = qemuMonitorJSONMakeCommand("query-sgx-capabilities", NULL)))
+ return -1;
+
+ if (qemuMonitorJSONCommand(mon, cmd, &reply) < 0)
+ goto cleanup;
+
+ /* QEMU has only compiled-in support of SGX */
+ if (qemuMonitorJSONHasError(reply, "GenericError")) {
+ ret = 0;
+ goto cleanup;
+ }
+
+ if (qemuMonitorJSONCheckError(cmd, reply) < 0)
+ goto cleanup;
+
+ caps = virJSONValueObjectGetObject(reply, "return");
+
+ if (virJSONValueObjectGetBoolean(caps, "sgx", &sgx) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("query-sgx reply was missing"
+ " 'sgx' field"));
+ goto cleanup;
+ }
+ if (!sgx) {
+ VIR_WARN("sgx is not support %d\n", sgx);
+ ret = 0;
+ goto cleanup;
+ }
+
+ if (virJSONValueObjectGetBoolean(caps, "flc", &flc) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("query-sgx-capabilities reply was missing"
+ " 'flc' field"));
+ goto cleanup;
+ }
+
+ if (virJSONValueObjectGetNumberUint(caps, "section-size",
§ion_size) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("query-sgx-capabilities reply was missing"
+ " 'section-size' field"));
+ goto cleanup;
+ }
+
+
+ if (VIR_ALLOC(capability) < 0)
+ goto cleanup;
+
+ capability->flc = flc;
+
+ capability->epc_size = section_size/(KB);
+ *capabilities = g_steal_pointer(&capability);
+ ret = 1;
+
+ cleanup:
+ virJSONValueFree(cmd);
+ virJSONValueFree(reply);
+
+ return ret;
+}
+
+
/**
* qemuMonitorJSONGetSEVCapabilities:
* @mon: qemu monitor object
diff --git a/src/qemu/qemu_monitor_json.h b/src/qemu/qemu_monitor_json.h
index 098ab857be..b0c23e57ac 100644
--- a/src/qemu/qemu_monitor_json.h
+++ b/src/qemu/qemu_monitor_json.h
@@ -159,6 +159,9 @@ int qemuMonitorJSONGetGICCapabilities(qemuMonitorPtr mon,
int qemuMonitorJSONGetSEVCapabilities(qemuMonitorPtr mon,
virSEVCapability **capabilities);
+int qemuMonitorJSONGetSGXCapabilities(qemuMonitorPtr mon,
+ virSGXCapability **capabilities);
+
int qemuMonitorJSONMigrate(qemuMonitorPtr mon,
unsigned int flags,
const char *uri);
diff --git a/tests/domaincapsdata/bhyve_basic.x86_64.xml
b/tests/domaincapsdata/bhyve_basic.x86_64.xml
index bdf2c4eee8..8998fb2cee 100644
--- a/tests/domaincapsdata/bhyve_basic.x86_64.xml
+++ b/tests/domaincapsdata/bhyve_basic.x86_64.xml
@@ -32,5 +32,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/bhyve_fbuf.x86_64.xml
b/tests/domaincapsdata/bhyve_fbuf.x86_64.xml
index f998c457c1..e013463456 100644
--- a/tests/domaincapsdata/bhyve_fbuf.x86_64.xml
+++ b/tests/domaincapsdata/bhyve_fbuf.x86_64.xml
@@ -49,5 +49,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/bhyve_uefi.x86_64.xml
b/tests/domaincapsdata/bhyve_uefi.x86_64.xml
index 18f90023d5..d6243db384 100644
--- a/tests/domaincapsdata/bhyve_uefi.x86_64.xml
+++ b/tests/domaincapsdata/bhyve_uefi.x86_64.xml
@@ -41,5 +41,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/empty.xml b/tests/domaincapsdata/empty.xml
index 6c3f5f54fd..df55215ed5 100644
--- a/tests/domaincapsdata/empty.xml
+++ b/tests/domaincapsdata/empty.xml
@@ -12,5 +12,6 @@
</devices>
<features>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/libxl-xenfv.xml b/tests/domaincapsdata/libxl-xenfv.xml
index 4efc137c97..160c220728 100644
--- a/tests/domaincapsdata/libxl-xenfv.xml
+++ b/tests/domaincapsdata/libxl-xenfv.xml
@@ -75,5 +75,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/libxl-xenpv.xml b/tests/domaincapsdata/libxl-xenpv.xml
index 70e598fe9e..cbd64fabfc 100644
--- a/tests/domaincapsdata/libxl-xenpv.xml
+++ b/tests/domaincapsdata/libxl-xenpv.xml
@@ -65,5 +65,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.5.3-q35.x86_64.xml
b/tests/domaincapsdata/qemu_1.5.3-q35.x86_64.xml
index 3ed96a3ee7..183f55a09d 100644
--- a/tests/domaincapsdata/qemu_1.5.3-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.5.3-q35.x86_64.xml
@@ -137,5 +137,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.5.3-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_1.5.3-tcg.x86_64.xml
index 3b3d89a643..680751ab5e 100644
--- a/tests/domaincapsdata/qemu_1.5.3-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.5.3-tcg.x86_64.xml
@@ -133,5 +133,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.5.3.x86_64.xml
b/tests/domaincapsdata/qemu_1.5.3.x86_64.xml
index 20cd3a105a..f2737be495 100644
--- a/tests/domaincapsdata/qemu_1.5.3.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.5.3.x86_64.xml
@@ -137,5 +137,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.6.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_1.6.0-q35.x86_64.xml
index a4b26b46cb..38f510c0b4 100644
--- a/tests/domaincapsdata/qemu_1.6.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.6.0-q35.x86_64.xml
@@ -137,5 +137,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.6.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_1.6.0-tcg.x86_64.xml
index 6bff19bad5..970d2b7b83 100644
--- a/tests/domaincapsdata/qemu_1.6.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.6.0-tcg.x86_64.xml
@@ -133,5 +133,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.6.0.x86_64.xml
b/tests/domaincapsdata/qemu_1.6.0.x86_64.xml
index 16417a13d2..eaa3e872e4 100644
--- a/tests/domaincapsdata/qemu_1.6.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.6.0.x86_64.xml
@@ -137,5 +137,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.7.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_1.7.0-q35.x86_64.xml
index 559b49491e..55460bb3eb 100644
--- a/tests/domaincapsdata/qemu_1.7.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.7.0-q35.x86_64.xml
@@ -137,5 +137,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.7.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_1.7.0-tcg.x86_64.xml
index 97e71bffff..cf816e1315 100644
--- a/tests/domaincapsdata/qemu_1.7.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.7.0-tcg.x86_64.xml
@@ -133,5 +133,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.7.0.x86_64.xml
b/tests/domaincapsdata/qemu_1.7.0.x86_64.xml
index 472c073de9..e86e538268 100644
--- a/tests/domaincapsdata/qemu_1.7.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.7.0.x86_64.xml
@@ -137,5 +137,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.1.1-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.1.1-q35.x86_64.xml
index a87f5b2a63..7a94784943 100644
--- a/tests/domaincapsdata/qemu_2.1.1-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.1.1-q35.x86_64.xml
@@ -138,5 +138,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.1.1-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.1.1-tcg.x86_64.xml
index 192a505d77..413f46d5a6 100644
--- a/tests/domaincapsdata/qemu_2.1.1-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.1.1-tcg.x86_64.xml
@@ -134,5 +134,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.1.1.x86_64.xml
b/tests/domaincapsdata/qemu_2.1.1.x86_64.xml
index 15adfe0ee8..d087157b06 100644
--- a/tests/domaincapsdata/qemu_2.1.1.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.1.1.x86_64.xml
@@ -138,5 +138,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.10.0-q35.x86_64.xml
index be2840d9b8..a70eb157d9 100644
--- a/tests/domaincapsdata/qemu_2.10.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.10.0-q35.x86_64.xml
@@ -161,5 +161,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.10.0-tcg.x86_64.xml
index 1193f49bd6..1730dd81ab 100644
--- a/tests/domaincapsdata/qemu_2.10.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.10.0-tcg.x86_64.xml
@@ -176,5 +176,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0-virt.aarch64.xml
b/tests/domaincapsdata/qemu_2.10.0-virt.aarch64.xml
index 4505d64e3a..0fded78a64 100644
--- a/tests/domaincapsdata/qemu_2.10.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_2.10.0-virt.aarch64.xml
@@ -145,5 +145,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0.aarch64.xml
b/tests/domaincapsdata/qemu_2.10.0.aarch64.xml
index 629833b745..d74e018aea 100644
--- a/tests/domaincapsdata/qemu_2.10.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_2.10.0.aarch64.xml
@@ -139,5 +139,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0.ppc64.xml
b/tests/domaincapsdata/qemu_2.10.0.ppc64.xml
index 863afbc0df..ba102fd26f 100644
--- a/tests/domaincapsdata/qemu_2.10.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_2.10.0.ppc64.xml
@@ -111,5 +111,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0.s390x.xml
b/tests/domaincapsdata/qemu_2.10.0.s390x.xml
index ce5c92edce..3c16cc8b05 100644
--- a/tests/domaincapsdata/qemu_2.10.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_2.10.0.s390x.xml
@@ -200,5 +200,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.10.0.x86_64.xml
index 6596016d33..a47914a796 100644
--- a/tests/domaincapsdata/qemu_2.10.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.10.0.x86_64.xml
@@ -161,5 +161,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.11.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.11.0-q35.x86_64.xml
index c2e148e0fc..f0348486fd 100644
--- a/tests/domaincapsdata/qemu_2.11.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.11.0-q35.x86_64.xml
@@ -159,5 +159,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.11.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.11.0-tcg.x86_64.xml
index 7f66cf7b7e..e8282b30fc 100644
--- a/tests/domaincapsdata/qemu_2.11.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.11.0-tcg.x86_64.xml
@@ -171,5 +171,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.11.0.s390x.xml
b/tests/domaincapsdata/qemu_2.11.0.s390x.xml
index c5b48fdad5..2fdbe3ce5d 100644
--- a/tests/domaincapsdata/qemu_2.11.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_2.11.0.s390x.xml
@@ -199,5 +199,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.11.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.11.0.x86_64.xml
index 38b6b20f77..de5404b2a4 100644
--- a/tests/domaincapsdata/qemu_2.11.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.11.0.x86_64.xml
@@ -159,5 +159,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.12.0-q35.x86_64.xml
index 8d38d33369..e977a8937a 100644
--- a/tests/domaincapsdata/qemu_2.12.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.12.0-q35.x86_64.xml
@@ -176,5 +176,6 @@
<cbitpos>47</cbitpos>
<reducedPhysBits>1</reducedPhysBits>
</sev>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.12.0-tcg.x86_64.xml
index 9a89587115..3a4c85eb65 100644
--- a/tests/domaincapsdata/qemu_2.12.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.12.0-tcg.x86_64.xml
@@ -185,5 +185,6 @@
<cbitpos>47</cbitpos>
<reducedPhysBits>1</reducedPhysBits>
</sev>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0-virt.aarch64.xml
b/tests/domaincapsdata/qemu_2.12.0-virt.aarch64.xml
index 8ea58bfa25..f78722ea3c 100644
--- a/tests/domaincapsdata/qemu_2.12.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_2.12.0-virt.aarch64.xml
@@ -147,5 +147,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0.aarch64.xml
b/tests/domaincapsdata/qemu_2.12.0.aarch64.xml
index 667516e75e..c7de5ad674 100644
--- a/tests/domaincapsdata/qemu_2.12.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_2.12.0.aarch64.xml
@@ -141,5 +141,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0.ppc64.xml
b/tests/domaincapsdata/qemu_2.12.0.ppc64.xml
index eac3e6a868..8d3377e937 100644
--- a/tests/domaincapsdata/qemu_2.12.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_2.12.0.ppc64.xml
@@ -111,5 +111,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0.s390x.xml
b/tests/domaincapsdata/qemu_2.12.0.s390x.xml
index 01cc3d81ec..12ff7cfd95 100644
--- a/tests/domaincapsdata/qemu_2.12.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_2.12.0.s390x.xml
@@ -198,5 +198,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.12.0.x86_64.xml
index 6e006a3ba3..2039b77790 100644
--- a/tests/domaincapsdata/qemu_2.12.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.12.0.x86_64.xml
@@ -176,5 +176,6 @@
<cbitpos>47</cbitpos>
<reducedPhysBits>1</reducedPhysBits>
</sev>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.4.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.4.0-q35.x86_64.xml
index 23e103927e..608118652a 100644
--- a/tests/domaincapsdata/qemu_2.4.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.4.0-q35.x86_64.xml
@@ -146,5 +146,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.4.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.4.0-tcg.x86_64.xml
index 2a6296739c..411780d41e 100644
--- a/tests/domaincapsdata/qemu_2.4.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.4.0-tcg.x86_64.xml
@@ -142,5 +142,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.4.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.4.0.x86_64.xml
index 7c6d78e510..6bd8627277 100644
--- a/tests/domaincapsdata/qemu_2.4.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.4.0.x86_64.xml
@@ -146,5 +146,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.5.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.5.0-q35.x86_64.xml
index bb8bd9c5c5..fe465bcfaa 100644
--- a/tests/domaincapsdata/qemu_2.5.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.5.0-q35.x86_64.xml
@@ -146,5 +146,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.5.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.5.0-tcg.x86_64.xml
index 8b022e9bd7..b4803039df 100644
--- a/tests/domaincapsdata/qemu_2.5.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.5.0-tcg.x86_64.xml
@@ -142,5 +142,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.5.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.5.0.x86_64.xml
index a89990a42e..07eea7c96c 100644
--- a/tests/domaincapsdata/qemu_2.5.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.5.0.x86_64.xml
@@ -146,5 +146,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.6.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.6.0-q35.x86_64.xml
index 251696a161..c490c36170 100644
--- a/tests/domaincapsdata/qemu_2.6.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.6.0-q35.x86_64.xml
@@ -146,5 +146,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.6.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.6.0-tcg.x86_64.xml
index 7937fad971..3b53321be5 100644
--- a/tests/domaincapsdata/qemu_2.6.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.6.0-tcg.x86_64.xml
@@ -142,5 +142,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.6.0-virt.aarch64.xml
b/tests/domaincapsdata/qemu_2.6.0-virt.aarch64.xml
index 95053e9cbe..c1697eabf8 100644
--- a/tests/domaincapsdata/qemu_2.6.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_2.6.0-virt.aarch64.xml
@@ -144,5 +144,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.6.0.aarch64.xml
b/tests/domaincapsdata/qemu_2.6.0.aarch64.xml
index 223e944c8a..121acd636f 100644
--- a/tests/domaincapsdata/qemu_2.6.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_2.6.0.aarch64.xml
@@ -138,5 +138,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.6.0.ppc64.xml
b/tests/domaincapsdata/qemu_2.6.0.ppc64.xml
index c97f232028..41217aa7b1 100644
--- a/tests/domaincapsdata/qemu_2.6.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_2.6.0.ppc64.xml
@@ -111,5 +111,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.6.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.6.0.x86_64.xml
index f95f8fb46a..586855e7e3 100644
--- a/tests/domaincapsdata/qemu_2.6.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.6.0.x86_64.xml
@@ -146,5 +146,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.7.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.7.0-q35.x86_64.xml
index 1e6c47f2d6..d8e523e904 100644
--- a/tests/domaincapsdata/qemu_2.7.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.7.0-q35.x86_64.xml
@@ -147,5 +147,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.7.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.7.0-tcg.x86_64.xml
index 8b7c2ce8e6..ed92bee692 100644
--- a/tests/domaincapsdata/qemu_2.7.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.7.0-tcg.x86_64.xml
@@ -143,5 +143,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.7.0.s390x.xml
b/tests/domaincapsdata/qemu_2.7.0.s390x.xml
index ff3dd4939b..b8bc1245ec 100644
--- a/tests/domaincapsdata/qemu_2.7.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_2.7.0.s390x.xml
@@ -103,5 +103,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.7.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.7.0.x86_64.xml
index da1b10c41b..c2df40d00e 100644
--- a/tests/domaincapsdata/qemu_2.7.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.7.0.x86_64.xml
@@ -147,5 +147,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.8.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.8.0-q35.x86_64.xml
index 0a7493d86d..78acecdfd7 100644
--- a/tests/domaincapsdata/qemu_2.8.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.8.0-q35.x86_64.xml
@@ -147,5 +147,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.8.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.8.0-tcg.x86_64.xml
index 100e8e059c..638bfea6f7 100644
--- a/tests/domaincapsdata/qemu_2.8.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.8.0-tcg.x86_64.xml
@@ -143,5 +143,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.8.0.s390x.xml
b/tests/domaincapsdata/qemu_2.8.0.s390x.xml
index 47b1aa46f7..233092be64 100644
--- a/tests/domaincapsdata/qemu_2.8.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_2.8.0.s390x.xml
@@ -184,5 +184,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.8.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.8.0.x86_64.xml
index 6fa754c18a..deb094df40 100644
--- a/tests/domaincapsdata/qemu_2.8.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.8.0.x86_64.xml
@@ -147,5 +147,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.9.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.9.0-q35.x86_64.xml
index 3df3c3738e..0669e56b1d 100644
--- a/tests/domaincapsdata/qemu_2.9.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.9.0-q35.x86_64.xml
@@ -156,5 +156,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.9.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.9.0-tcg.x86_64.xml
index 08bb5fbad7..045c308f8e 100644
--- a/tests/domaincapsdata/qemu_2.9.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.9.0-tcg.x86_64.xml
@@ -175,5 +175,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.9.0.ppc64.xml
b/tests/domaincapsdata/qemu_2.9.0.ppc64.xml
index 3776b6ed9c..deca3b2373 100644
--- a/tests/domaincapsdata/qemu_2.9.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_2.9.0.ppc64.xml
@@ -111,5 +111,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.9.0.s390x.xml
b/tests/domaincapsdata/qemu_2.9.0.s390x.xml
index cf7e7781cc..263a2a9a71 100644
--- a/tests/domaincapsdata/qemu_2.9.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_2.9.0.s390x.xml
@@ -185,5 +185,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.9.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.9.0.x86_64.xml
index a80ef28488..a553b5c7f2 100644
--- a/tests/domaincapsdata/qemu_2.9.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.9.0.x86_64.xml
@@ -156,5 +156,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.0.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_3.0.0-q35.x86_64.xml
index cd37906bc7..b8e27b774d 100644
--- a/tests/domaincapsdata/qemu_3.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_3.0.0-q35.x86_64.xml
@@ -174,5 +174,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.0.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_3.0.0-tcg.x86_64.xml
index d3211e7a13..797b3496b8 100644
--- a/tests/domaincapsdata/qemu_3.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_3.0.0-tcg.x86_64.xml
@@ -185,5 +185,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.0.0.ppc64.xml
b/tests/domaincapsdata/qemu_3.0.0.ppc64.xml
index 1b8ddd4ed0..e791c0619c 100644
--- a/tests/domaincapsdata/qemu_3.0.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_3.0.0.ppc64.xml
@@ -113,5 +113,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.0.0.s390x.xml
b/tests/domaincapsdata/qemu_3.0.0.s390x.xml
index 7a4e536fb5..c12e40ca10 100644
--- a/tests/domaincapsdata/qemu_3.0.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_3.0.0.s390x.xml
@@ -205,5 +205,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.0.0.x86_64.xml
b/tests/domaincapsdata/qemu_3.0.0.x86_64.xml
index 9fa4224760..7667232cb1 100644
--- a/tests/domaincapsdata/qemu_3.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_3.0.0.x86_64.xml
@@ -174,5 +174,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.1.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_3.1.0-q35.x86_64.xml
index 82b1b6a095..f24b621b4a 100644
--- a/tests/domaincapsdata/qemu_3.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_3.1.0-q35.x86_64.xml
@@ -177,5 +177,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.1.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_3.1.0-tcg.x86_64.xml
index 756b28034e..8ddcf7495d 100644
--- a/tests/domaincapsdata/qemu_3.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_3.1.0-tcg.x86_64.xml
@@ -188,5 +188,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.1.0.ppc64.xml
b/tests/domaincapsdata/qemu_3.1.0.ppc64.xml
index 6a2bc87947..b34c8e8e02 100644
--- a/tests/domaincapsdata/qemu_3.1.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_3.1.0.ppc64.xml
@@ -113,5 +113,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.1.0.x86_64.xml
b/tests/domaincapsdata/qemu_3.1.0.x86_64.xml
index ffc82f17c3..5440773513 100644
--- a/tests/domaincapsdata/qemu_3.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_3.1.0.x86_64.xml
@@ -177,5 +177,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_4.0.0-q35.x86_64.xml
index c837de966f..2ccb7e850f 100644
--- a/tests/domaincapsdata/qemu_4.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.0.0-q35.x86_64.xml
@@ -177,5 +177,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_4.0.0-tcg.x86_64.xml
index 0aa8aa18be..87a56371e1 100644
--- a/tests/domaincapsdata/qemu_4.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.0.0-tcg.x86_64.xml
@@ -189,5 +189,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0-virt.aarch64.xml
b/tests/domaincapsdata/qemu_4.0.0-virt.aarch64.xml
index f5347aba9f..6a8a15cb82 100644
--- a/tests/domaincapsdata/qemu_4.0.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_4.0.0-virt.aarch64.xml
@@ -154,5 +154,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0.aarch64.xml
b/tests/domaincapsdata/qemu_4.0.0.aarch64.xml
index b879d7553c..2a6d6cb4ec 100644
--- a/tests/domaincapsdata/qemu_4.0.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_4.0.0.aarch64.xml
@@ -148,5 +148,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0.ppc64.xml
b/tests/domaincapsdata/qemu_4.0.0.ppc64.xml
index 0642753f11..4831fe949d 100644
--- a/tests/domaincapsdata/qemu_4.0.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_4.0.0.ppc64.xml
@@ -114,5 +114,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0.s390x.xml
b/tests/domaincapsdata/qemu_4.0.0.s390x.xml
index 632c26d689..7277154d38 100644
--- a/tests/domaincapsdata/qemu_4.0.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_4.0.0.s390x.xml
@@ -210,5 +210,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0.x86_64.xml
b/tests/domaincapsdata/qemu_4.0.0.x86_64.xml
index 3f64bd4b66..e230e39773 100644
--- a/tests/domaincapsdata/qemu_4.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.0.0.x86_64.xml
@@ -177,5 +177,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.1.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_4.1.0-q35.x86_64.xml
index 8bf41d6b49..4ea0c221e3 100644
--- a/tests/domaincapsdata/qemu_4.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.1.0-q35.x86_64.xml
@@ -182,5 +182,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.1.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_4.1.0-tcg.x86_64.xml
index d6265ce243..fd8a2d29de 100644
--- a/tests/domaincapsdata/qemu_4.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.1.0-tcg.x86_64.xml
@@ -190,5 +190,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.1.0.x86_64.xml
b/tests/domaincapsdata/qemu_4.1.0.x86_64.xml
index 5010f879a6..db4fbb81d5 100644
--- a/tests/domaincapsdata/qemu_4.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.1.0.x86_64.xml
@@ -182,5 +182,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
index 6f72b67f68..dc1e0b1bcc 100644
--- a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
@@ -189,5 +189,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
index 7339a3f81c..298cd92d3d 100644
--- a/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
@@ -196,5 +196,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
b/tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
index ef57216562..8ede831af4 100644
--- a/tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
@@ -155,5 +155,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0.aarch64.xml
b/tests/domaincapsdata/qemu_4.2.0.aarch64.xml
index 3cf2a6faf1..802631b704 100644
--- a/tests/domaincapsdata/qemu_4.2.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0.aarch64.xml
@@ -149,5 +149,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0.ppc64.xml
b/tests/domaincapsdata/qemu_4.2.0.ppc64.xml
index 0f2cf6da64..14923e14b5 100644
--- a/tests/domaincapsdata/qemu_4.2.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0.ppc64.xml
@@ -115,5 +115,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0.s390x.xml
b/tests/domaincapsdata/qemu_4.2.0.s390x.xml
index ecd037438a..21cefb9ff4 100644
--- a/tests/domaincapsdata/qemu_4.2.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_4.2.0.s390x.xml
@@ -224,5 +224,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
b/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
index f4a8321637..55b3e0d545 100644
--- a/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
@@ -189,5 +189,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
index fc21b2ad62..0252950bb6 100644
--- a/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
@@ -190,5 +190,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
index 110a79dd34..bcbbf8a8d8 100644
--- a/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
@@ -196,5 +196,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
b/tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
index b2b37c0f7b..fc110c1028 100644
--- a/tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
@@ -156,5 +156,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.0.0.aarch64.xml
b/tests/domaincapsdata/qemu_5.0.0.aarch64.xml
index 7377a2c4cf..d21e85f289 100644
--- a/tests/domaincapsdata/qemu_5.0.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0.aarch64.xml
@@ -150,5 +150,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.0.0.ppc64.xml
b/tests/domaincapsdata/qemu_5.0.0.ppc64.xml
index 9693aeb72e..f3ffaaeca9 100644
--- a/tests/domaincapsdata/qemu_5.0.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0.ppc64.xml
@@ -115,5 +115,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
b/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
index aceca34c43..269976d0c4 100644
--- a/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
@@ -190,5 +190,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
index e1762611c5..9044d839ad 100644
--- a/tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
@@ -202,5 +202,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
index 86f091d238..cec56619d6 100644
--- a/tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
@@ -196,5 +196,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.1.0.x86_64.xml
b/tests/domaincapsdata/qemu_5.1.0.x86_64.xml
index 117f316b6a..b0b0d8b4a9 100644
--- a/tests/domaincapsdata/qemu_5.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.1.0.x86_64.xml
@@ -202,5 +202,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
--
2.17.1
6:32 a.m.
New subject: [libvirt][PATCH v4 4/4] Support to query SGX capability
On Thu, 2021-07-01 at 20:10 +0800, Haibin Huang wrote:
1.Add SGX feature in domain capabilities
2.Get sgx capabilities by query-sgx-capabilities
3.Transfer the B to KB for epc_size
4.Delete sgx1 and sgx2
5.add unit test for get capabilities
Signed-off-by: Haibin Huang <haibin.huang(a)intel.com>
---
src/conf/domain_capabilities.c | 29 ++++
src/conf/domain_capabilities.h | 13 ++
src/libvirt_private.syms | 2 +-
src/qemu/qemu_capabilities.c | 146 ++++++++++++++++++
src/qemu/qemu_capabilities.h | 6 +
src/qemu/qemu_command.c | 2 +-
src/qemu/qemu_monitor.c | 10 ++
src/qemu/qemu_monitor.h | 3 +
src/qemu/qemu_monitor_json.c | 91 +++++++++++
src/qemu/qemu_monitor_json.h | 3 +
tests/domaincapsdata/bhyve_basic.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_fbuf.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_uefi.x86_64.xml | 1 +
tests/domaincapsdata/empty.xml | 1 +
tests/domaincapsdata/libxl-xenfv.xml | 1 +
tests/domaincapsdata/libxl-xenpv.xml | 1 +
.../domaincapsdata/qemu_1.5.3-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.5.3-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.5.3.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.6.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.6.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.6.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.7.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.7.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.7.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.1.1-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.1.1-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.1.1.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.10.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.10.0-tcg.x86_64.xml | 1 +
.../qemu_2.10.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 1 +
.../qemu_2.12.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.4.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.4.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.5.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.5.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.6.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml | 1 +
.../qemu_2.6.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.7.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.7.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.7.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.8.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.8.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.8.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.9.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml | 1 +
.../qemu_4.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_4.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 1 +
.../qemu_4.2.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml | 1 +
.../qemu_5.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_5.1.0.x86_64.xml | 1 +
106 files changed, 399 insertions(+), 2 deletions(-)
Can this be split up, so that the "mechanical" changes
(tests/domaincapsdata/qemu_*.xml) are separate from the functional
changes? E.g. start with a commit that introduces a dummy
"virDomainCapsFeatureSGXFormat" that always prints "<sgx
supported='no'/>" + the relevant changes in tests/; then, in a second
commit, the actual implementation?
diff --git a/src/conf/domain_capabilities.c
b/src/conf/domain_capabilities.c
index d61108e125..f83a462ca3 100644
--- a/src/conf/domain_capabilities.c
+++ b/src/conf/domain_capabilities.c
@@ -91,6 +91,16 @@ virSEVCapabilitiesFree(virSEVCapability *cap)
}
+void
+virSGXCapabilitiesFree(virSGXCapability *cap)
+{
+ if (!cap)
+ return;
+
+ VIR_FREE(cap);
+}
+
+
static void
virDomainCapsDispose(void *obj)
{
@@ -101,6 +111,7 @@ virDomainCapsDispose(void *obj)
virObjectUnref(caps->cpu.custom);
virCPUDefFree(caps->cpu.hostModel);
virSEVCapabilitiesFree(caps->sev);
+ virSGXCapabilitiesFree(caps->sgx);
virDomainCapsStringValuesFree(&caps->os.loader.values);
}
@@ -564,6 +575,23 @@ virDomainCapsFeatureSEVFormat(virBufferPtr buf,
return;
}
+static void
+virDomainCapsFeatureSGXFormat(virBufferPtr buf,
+ virSGXCapabilityPtr const sgx)
+{
+ if (!sgx) {
+ virBufferAddLit(buf, "<sgx supported='no'/>\n");
+ } else {
+ virBufferAddLit(buf, "<sgx supported='yes'>\n");
+ virBufferAdjustIndent(buf, 2);
+ virBufferAsprintf(buf, "<flc>%s</flc>\n", sgx->flc ?
"yes" :
"no");
+ virBufferAsprintf(buf, "<epc_size
unit='KiB'>%d</epc_size>\n", sgx->epc_size);
+ virBufferAdjustIndent(buf, -2);
+ virBufferAddLit(buf, "</sgx>\n");
+ }
+
+ return;
+}
static void
virDomainCapsFormatFeatures(const virDomainCaps *caps,
@@ -584,6 +612,7 @@ virDomainCapsFormatFeatures(const virDomainCaps
*caps,
}
virDomainCapsFeatureSEVFormat(&childBuf, caps->sev);
+ virDomainCapsFeatureSGXFormat(&childBuf, caps->sgx);
virXMLFormatElement(buf, "features", NULL, &childBuf);
}
diff --git a/src/conf/domain_capabilities.h
b/src/conf/domain_capabilities.h
index 685d5e2a44..d63f2d4219 100644
--- a/src/conf/domain_capabilities.h
+++ b/src/conf/domain_capabilities.h
@@ -150,6 +150,13 @@ struct _virDomainCapsCPU {
virDomainCapsCPUModelsPtr custom;
};
+typedef struct _virSGXCapability virSGXCapability;
+typedef virSGXCapability *virSGXCapabilityPtr;
+struct _virSGXCapability {
+ bool flc;
+ unsigned int epc_size;
+};
+
typedef struct _virSEVCapability virSEVCapability;
typedef virSEVCapability *virSEVCapabilityPtr;
struct _virSEVCapability {
@@ -191,6 +198,7 @@ struct _virDomainCaps {
virDomainCapsFeatureGIC gic;
virSEVCapabilityPtr sev;
+ virSGXCapabilityPtr sgx;
Requires change to docs/schema/.
/* add new domain features here */
virTristateBool features[VIR_DOMAIN_CAPS_FEATURE_LAST];
@@ -239,4 +247,9 @@ int virDomainCapsDeviceDefValidate(const
virDomainCaps *caps,
void
virSEVCapabilitiesFree(virSEVCapability *capabilities);
+void
+virSGXCapabilitiesFree(virSGXCapability *capabilities);
+
G_DEFINE_AUTOPTR_CLEANUP_FUNC(virSEVCapability,
virSEVCapabilitiesFree);
+
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(virSGXCapability,
virSGXCapabilitiesFree);
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 01c2e710cd..ea7aa897cc 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -215,6 +215,7 @@ virDomainCapsEnumSet;
virDomainCapsFormat;
virDomainCapsNew;
virSEVCapabilitiesFree;
+virSGXCapabilitiesFree;
# conf/domain_conf.h
@@ -1694,7 +1695,6 @@ virBitmapToDataBuf;
virBitmapToString;
virBitmapUnion;
-
Please leave the second empty line.
# util/virbpf.h
virBPFAttachProg;
virBPFCreateMap;
diff --git a/src/qemu/qemu_capabilities.c
b/src/qemu/qemu_capabilities.c
index ff6ba8c9e9..63f55480dd 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -597,6 +597,9 @@ VIR_ENUM_IMPL(virQEMUCaps,
"spapr-tpm-proxy",
"numa.hmat",
"blockdev-hostdev-scsi",
+
+ /* 380 */
+ "sgx-epc",
);
@@ -698,11 +701,14 @@ struct _virQEMUCaps {
virSEVCapability *sevCapabilities;
+ virSGXCapability *sgxCapabilities;
+
/* Capabilities which may differ depending on the accelerator. */
virQEMUCapsAccel kvm;
virQEMUCapsAccel tcg;
};
+
struct virQEMUCapsSearchData {
virArch arch;
const char *binaryFilter;
@@ -1323,6 +1329,7 @@ struct virQEMUCapsStringFlags
virQEMUCapsObjectTypes[] = {
{ "tcg-accel", QEMU_CAPS_TCG },
{ "pvscsi", QEMU_CAPS_SCSI_PVSCSI },
{ "spapr-tpm-proxy", QEMU_CAPS_DEVICE_SPAPR_TPM_PROXY },
+ { "sgx-epc", QEMU_CAPS_SGX_EPC },
};
@@ -1870,6 +1877,23 @@ virQEMUCapsSEVInfoCopy(virSEVCapabilityPtr *dst,
}
+static int
+virQEMUCapsSGXInfoCopy(virSGXCapabilityPtr *dst,
+ virSGXCapabilityPtr src)
+{
+ g_autoptr(virSGXCapability) tmp = NULL;
+
+ if (VIR_ALLOC(tmp) < 0)
+ return -1;
If this were a simple "virSGXCapability *tmp = g_new0(...)"...
+
+ tmp->flc = src->flc;
+ tmp->epc_size = src->epc_size;
+
+ *dst = g_steal_pointer(&tmp);
+ return 0;
... the g_steal_pointer would not be necessary, and
"G_DEFINE_AUTOPTR_CLEANUP_FUNC(virSGXCapability,
virSGXCapabilitiesFree);" would not be, either.
+}
+
+
static void
virQEMUCapsAccelCopyMachineTypes(virQEMUCapsAccelPtr dst,
virQEMUCapsAccelPtr src)
@@ -1947,6 +1971,11 @@ virQEMUCapsPtr
virQEMUCapsNewCopy(virQEMUCapsPtr qemuCaps)
qemuCaps->sevCapabilities) < 0)
goto error;
+ if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SGX_EPC) &&
+ virQEMUCapsSGXInfoCopy(&ret->sgxCapabilities,
+ qemuCaps->sgxCapabilities) < 0)
+ goto error;
+
return ret;
error:
@@ -1987,6 +2016,7 @@ void virQEMUCapsDispose(void *obj)
VIR_FREE(qemuCaps->gicCapabilities);
virSEVCapabilitiesFree(qemuCaps->sevCapabilities);
+ virSGXCapabilitiesFree(qemuCaps->sgxCapabilities);
virQEMUCapsAccelClear(&qemuCaps->kvm);
virQEMUCapsAccelClear(&qemuCaps->tcg);
@@ -2581,6 +2611,13 @@ virQEMUCapsGetSEVCapabilities(virQEMUCapsPtr
qemuCaps)
}
+virSGXCapabilityPtr
+virQEMUCapsGetSGXCapabilities(virQEMUCapsPtr qemuCaps)
+{
+ return qemuCaps->sgxCapabilities;
+}
+
+
static int
virQEMUCapsProbeQMPCommands(virQEMUCapsPtr qemuCaps,
qemuMonitorPtr mon)
@@ -2640,6 +2677,7 @@ virQEMUCapsProbeQMPObjectTypes(virQEMUCapsPtr
qemuCaps,
if ((nvalues = qemuMonitorGetObjectTypes(mon, &values)) < 0)
return -1;
+
Unrelated change.
virQEMUCapsProcessStringFlags(qemuCaps,
G_N_ELEMENTS(virQEMUCapsObjectTypes),
virQEMUCapsObjectTypes,
@@ -3405,6 +3443,31 @@
virQEMUCapsProbeQMPSEVCapabilities(virQEMUCapsPtr qemuCaps,
}
+static int
+virQEMUCapsProbeQMPSGXCapabilities(virQEMUCapsPtr qemuCaps,
+ qemuMonitorPtr mon)
+{
+ int rc = -1;
+ virSGXCapability *caps = NULL;
+
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SGX_EPC))
+ return 0;
+
+ if ((rc = qemuMonitorGetSGXCapabilities(mon, &caps)) < 0)
+ return -1;
+
+ /* SGX isn't actually supported */
+ if (rc == 0) {
+ virQEMUCapsClear(qemuCaps, QEMU_CAPS_SGX_EPC);
+ return 0;
+ }
+
+ virSGXCapabilitiesFree(qemuCaps->sgxCapabilities);
+ qemuCaps->sgxCapabilities = caps;
+ return 0;
+}
+
+
/*
* Filter for features which should never be passed to QEMU. Either
because
* QEMU never supported them or they were dropped as they never did
anything
@@ -4187,6 +4250,42 @@ virQEMUCapsParseSEVInfo(virQEMUCapsPtr
qemuCaps, xmlXPathContextPtr ctxt)
return 0;
}
+static int
+virQEMUCapsParseSGXInfo(virQEMUCapsPtr qemuCaps, xmlXPathContextPtr
ctxt)
+{
+ g_autoptr(virSGXCapability) sgx = NULL;
+
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SGX_EPC))
+ return 0;
+
Using "virXPathNode()" + "virXMLProp*()" might save you some boiler
plate code and writing custom error messages.
+ if (virXPathBoolean("boolean(./sgx)", ctxt) == 0) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("missing SGX platform data in QEMU "
+ "capabilities cache"));
+ return -1;
+ }
+
+ if (VIR_ALLOC(sgx) < 0)
+ return -1;
+
Prefer "g_new0".
+ if (virXPathBoolean("boolean(./sgx/flc)", ctxt) == 0)
{
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("missing SGX platform flc data in QEMU "
+ "capabilities cache"));
+ return -1;
+ }
+
+ if (virXPathUInt("string(./sgx/epc_size)", ctxt, &sgx->epc_size)
< 0) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("missing or malformed SGX platform epc_size
information "
+ "in QEMU capabilities cache"));
+ return -1;
+ }
+
+ qemuCaps->sgxCapabilities = g_steal_pointer(&sgx);
+ return 0;
+}
+
/*
* Parsing a doc that looks like
@@ -4425,6 +4524,9 @@ virQEMUCapsLoadCache(virArch hostArch,
if (virQEMUCapsParseSEVInfo(qemuCaps, ctxt) < 0)
goto cleanup;
+ if (virQEMUCapsParseSGXInfo(qemuCaps, ctxt) < 0)
+ goto cleanup;
+
virQEMUCapsInitHostCPUModel(qemuCaps, hostArch,
VIR_DOMAIN_VIRT_KVM);
virQEMUCapsInitHostCPUModel(qemuCaps, hostArch,
VIR_DOMAIN_VIRT_QEMU);
@@ -4601,6 +4703,19 @@ virQEMUCapsFormatSEVInfo(virQEMUCapsPtr
qemuCaps, virBufferPtr buf)
virBufferAddLit(buf, "</sev>\n");
}
+static void
+virQEMUCapsFormatSGXInfo(virQEMUCapsPtr qemuCaps, virBufferPtr buf)
+{
+ virSGXCapabilityPtr sgx =
virQEMUCapsGetSGXCapabilities(qemuCaps);
+
+ virBufferAddLit(buf, "<sgx>\n");
+ virBufferAdjustIndent(buf, 2);
+ virBufferAsprintf(buf, "<flc>%s</flc>\n", sgx->flc ?
"yes" :
"no");
+ virBufferAsprintf(buf, "<epc_size>%u</epc_size>\n", sgx-
>epc_size);
+ virBufferAdjustIndent(buf, -2);
+ virBufferAddLit(buf, "</sgx>\n");
+}
+
char *
virQEMUCapsFormatCache(virQEMUCapsPtr qemuCaps)
@@ -4671,6 +4786,9 @@ virQEMUCapsFormatCache(virQEMUCapsPtr qemuCaps)
if (qemuCaps->sevCapabilities)
virQEMUCapsFormatSEVInfo(qemuCaps, &buf);
+ if (qemuCaps->sgxCapabilities)
+ virQEMUCapsFormatSGXInfo(qemuCaps, &buf);
+
if (qemuCaps->kvmSupportsNesting)
virBufferAddLit(&buf, "<kvmSupportsNesting/>\n");
@@ -5323,6 +5441,8 @@ virQEMUCapsInitQMPMonitor(virQEMUCapsPtr
qemuCaps,
return -1;
if (virQEMUCapsProbeQMPSEVCapabilities(qemuCaps, mon) < 0)
return -1;
+ if (virQEMUCapsProbeQMPSGXCapabilities(qemuCaps, mon) < 0)
+ return -1;
virQEMUCapsInitProcessCaps(qemuCaps);
@@ -6245,6 +6365,31 @@
virQEMUCapsFillDomainFeatureGICCaps(virQEMUCapsPtr qemuCaps,
}
+/**
+ * virQEMUCapsFillDomainFeatureiSGXCaps:
+ * @qemuCaps: QEMU capabilities
+ * @domCaps: domain capabilities
+ *
+ * Take the information about SGX capabilities that has been
obtained
+ * using the 'query-sgx-capabilities' QMP command and stored in
@qemuCaps
+ * and convert it to a form suitable for @domCaps.
+ */
+static void
+virQEMUCapsFillDomainFeatureSGXCaps(virQEMUCapsPtr qemuCaps,
+ virDomainCapsPtr domCaps)
+{
+ virSGXCapability *cap = qemuCaps->sgxCapabilities;
+
+ if (!cap)
+ return;
+
+ domCaps->sgx = g_new0(virSGXCapability, 1);
+
+ domCaps->sgx->flc = cap->flc;
+ domCaps->sgx->epc_size = cap->epc_size;
+}
+
+
/**
* virQEMUCapsFillDomainFeatureSEVCaps:
* @qemuCaps: QEMU capabilities
@@ -6316,6 +6461,7 @@ virQEMUCapsFillDomainCaps(virQEMUCapsPtr
qemuCaps,
virQEMUCapsFillDomainDeviceRNGCaps(qemuCaps, rng);
virQEMUCapsFillDomainFeatureGICCaps(qemuCaps, domCaps);
virQEMUCapsFillDomainFeatureSEVCaps(qemuCaps, domCaps);
+ virQEMUCapsFillDomainFeatureSGXCaps(qemuCaps, domCaps);
return 0;
}
diff --git a/src/qemu/qemu_capabilities.h
b/src/qemu/qemu_capabilities.h
index 5d08941538..0e3af622a7 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -578,6 +578,9 @@ typedef enum { /* virQEMUCapsFlags grouping
marker for syntax-check */
QEMU_CAPS_NUMA_HMAT, /* -numa hmat */
QEMU_CAPS_BLOCKDEV_HOSTDEV_SCSI, /* -blockdev used for (i)SCSI
hostdevs */
+ /* 380 */
+ QEMU_CAPS_SGX_EPC, /* -object sgx-epc,... */
+
QEMU_CAPS_LAST /* this must always be the last item */
} virQEMUCapsFlags;
@@ -759,5 +762,8 @@ virQEMUCapsCPUFeatureFromQEMU(virQEMUCapsPtr
qemuCaps,
virSEVCapabilityPtr
virQEMUCapsGetSEVCapabilities(virQEMUCapsPtr qemuCaps);
+virSGXCapabilityPtr
+virQEMUCapsGetSGXCapabilities(virQEMUCapsPtr qemuCaps);
+
virArch virQEMUCapsArchFromString(const char *arch);
const char *virQEMUCapsArchToString(virArch arch);
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index fb05acbc94..9462b5a6c8 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6405,7 +6405,7 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr
driver,
case VIR_CPU_MODE_CUSTOM:
virBufferAdd(buf, cpu->model, -1);
- if(def->sgx)
+ if (def->sgx)
virBufferAdd(buf,
Fix in previous patch.
",+sgx,+sgx-debug,+sgx1,+sgx-encls-c,+sgx-
enclv,+sgx-exinfo,"
"+sgx-kss,+sgx-mode64,+sgx-
provisionkey,+sgx-tokenkey,+sgx2,"
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 637361d24d..1e377ee8dc 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -3870,6 +3870,16 @@ qemuMonitorGetSEVCapabilities(qemuMonitorPtr
mon,
}
+int
+qemuMonitorGetSGXCapabilities(qemuMonitorPtr mon,
+ virSGXCapability **capabilities)
+{
+ QEMU_CHECK_MONITOR(mon);
+
+ return qemuMonitorJSONGetSGXCapabilities(mon, capabilities);
+}
+
+
int
qemuMonitorNBDServerStart(qemuMonitorPtr mon,
const virStorageNetHostDef *server,
diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
index d20a15c202..76b3cd54c7 100644
--- a/src/qemu/qemu_monitor.h
+++ b/src/qemu/qemu_monitor.h
@@ -836,6 +836,9 @@ int qemuMonitorGetGICCapabilities(qemuMonitorPtr
mon,
int qemuMonitorGetSEVCapabilities(qemuMonitorPtr mon,
virSEVCapability **capabilities);
+int qemuMonitorGetSGXCapabilities(qemuMonitorPtr mon,
+ virSGXCapability **capabilities);
+
typedef enum {
QEMU_MONITOR_MIGRATE_BACKGROUND = 1 << 0,
QEMU_MONITOR_MIGRATE_NON_SHARED_DISK = 1 << 1, /* migration with
non-shared storage with full disk copy */
diff --git a/src/qemu/qemu_monitor_json.c
b/src/qemu/qemu_monitor_json.c
index 9cdf6c0f7f..06f0738ad8 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -44,6 +44,7 @@
# include "libvirt_qemu_probes.h"
#endif
+#define KB 1024
#define VIR_FROM_THIS VIR_FROM_QEMU
VIR_LOG_INIT("qemu.qemu_monitor_json");
@@ -7056,6 +7057,96 @@
qemuMonitorJSONGetGICCapabilities(qemuMonitorPtr mon,
}
+/**
+ * qemuMonitorJSONGetSGXCapabilities:
+ * @mon: qemu monitor object
+ * @capabilities: pointer to pointer to a SGX capability structure
to be filled
+ *
+ * This function queries and fills in INTEL's SGX platform-specific
data.
+ * Note that from QEMU's POV both -object sgx-epc and query-sgx-
capabilities
+ * can be present even if SGX is not available, which basically
leaves us with
+ * checking for JSON "GenericError" in order to differentiate
between compiled-in
+ * support and actual SGX support on the platform.
+ *
+ * Returns -1 on error, 0 if SGX is not supported, and 1 if SGX is
supported on
+ * the platform.
+ */
+int
+qemuMonitorJSONGetSGXCapabilities(qemuMonitorPtr mon,
+ virSGXCapability **capabilities)
+{
+ int ret = -1;
+ virJSONValuePtr cmd;
+ virJSONValuePtr reply = NULL;
+ virJSONValuePtr caps;
+ bool sgx = false;
+ bool flc = false;
+ unsigned int section_size = 0;
+ g_autoptr(virSGXCapability) capability = NULL;
+
+ *capabilities = NULL;
+
+ if (!(cmd = qemuMonitorJSONMakeCommand("query-sgx-capabilities",
NULL)))
+ return -1;
+
+ if (qemuMonitorJSONCommand(mon, cmd, &reply) < 0)
+ goto cleanup;
+
+ /* QEMU has only compiled-in support of SGX */
+ if (qemuMonitorJSONHasError(reply, "GenericError")) {
+ ret = 0;
+ goto cleanup;
+ }
+
+ if (qemuMonitorJSONCheckError(cmd, reply) < 0)
+ goto cleanup;
+
+ caps = virJSONValueObjectGetObject(reply, "return");
+
+ if (virJSONValueObjectGetBoolean(caps, "sgx", &sgx) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("query-sgx reply was missing"
+ " 'sgx' field"));
+ goto cleanup;
+ }
+ if (!sgx) {
+ VIR_WARN("sgx is not support %d\n", sgx);
+ ret = 0;
+ goto cleanup;
+ }
+
+ if (virJSONValueObjectGetBoolean(caps, "flc", &flc) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("query-sgx-capabilities reply was missing"
+ " 'flc' field"));
+ goto cleanup;
+ }
+
+ if (virJSONValueObjectGetNumberUint(caps, "section-size",
§ion_size) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("query-sgx-capabilities reply was missing"
+ " 'section-size' field"));
+ goto cleanup;
+ }
+
+
+ if (VIR_ALLOC(capability) < 0)
+ goto cleanup;
+
+ capability->flc = flc;
+
+ capability->epc_size = section_size/(KB);
+ *capabilities = g_steal_pointer(&capability);
+ ret = 1;
+
+ cleanup:
+ virJSONValueFree(cmd);
+ virJSONValueFree(reply);
Using "g_autoptr(virJsonValue) cmd;" and "g_autoptr(virJsonValue)
reply;" would remove the need for "goto" and the label.
Regards,
Tim
+
+ return ret;
+}
+
+
/**
* qemuMonitorJSONGetSEVCapabilities:
* @mon: qemu monitor object
diff --git a/src/qemu/qemu_monitor_json.h
b/src/qemu/qemu_monitor_json.h
index 098ab857be..b0c23e57ac 100644
--- a/src/qemu/qemu_monitor_json.h
+++ b/src/qemu/qemu_monitor_json.h
@@ -159,6 +159,9 @@ int
qemuMonitorJSONGetGICCapabilities(qemuMonitorPtr mon,
int qemuMonitorJSONGetSEVCapabilities(qemuMonitorPtr mon,
virSEVCapability
**capabilities);
+int qemuMonitorJSONGetSGXCapabilities(qemuMonitorPtr mon,
+ virSGXCapability
**capabilities);
+
int qemuMonitorJSONMigrate(qemuMonitorPtr mon,
unsigned int flags,
const char *uri);
diff --git a/tests/domaincapsdata/bhyve_basic.x86_64.xml
b/tests/domaincapsdata/bhyve_basic.x86_64.xml
index bdf2c4eee8..8998fb2cee 100644
--- a/tests/domaincapsdata/bhyve_basic.x86_64.xml
+++ b/tests/domaincapsdata/bhyve_basic.x86_64.xml
@@ -32,5 +32,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/bhyve_fbuf.x86_64.xml
b/tests/domaincapsdata/bhyve_fbuf.x86_64.xml
index f998c457c1..e013463456 100644
--- a/tests/domaincapsdata/bhyve_fbuf.x86_64.xml
+++ b/tests/domaincapsdata/bhyve_fbuf.x86_64.xml
@@ -49,5 +49,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/bhyve_uefi.x86_64.xml
b/tests/domaincapsdata/bhyve_uefi.x86_64.xml
index 18f90023d5..d6243db384 100644
--- a/tests/domaincapsdata/bhyve_uefi.x86_64.xml
+++ b/tests/domaincapsdata/bhyve_uefi.x86_64.xml
@@ -41,5 +41,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/empty.xml
b/tests/domaincapsdata/empty.xml
index 6c3f5f54fd..df55215ed5 100644
--- a/tests/domaincapsdata/empty.xml
+++ b/tests/domaincapsdata/empty.xml
@@ -12,5 +12,6 @@
</devices>
<features>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/libxl-xenfv.xml
b/tests/domaincapsdata/libxl-xenfv.xml
index 4efc137c97..160c220728 100644
--- a/tests/domaincapsdata/libxl-xenfv.xml
+++ b/tests/domaincapsdata/libxl-xenfv.xml
@@ -75,5 +75,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/libxl-xenpv.xml
b/tests/domaincapsdata/libxl-xenpv.xml
index 70e598fe9e..cbd64fabfc 100644
--- a/tests/domaincapsdata/libxl-xenpv.xml
+++ b/tests/domaincapsdata/libxl-xenpv.xml
@@ -65,5 +65,6 @@
<vmcoreinfo supported='no'/>
<genid supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.5.3-q35.x86_64.xml
b/tests/domaincapsdata/qemu_1.5.3-q35.x86_64.xml
index 3ed96a3ee7..183f55a09d 100644
--- a/tests/domaincapsdata/qemu_1.5.3-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.5.3-q35.x86_64.xml
@@ -137,5 +137,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.5.3-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_1.5.3-tcg.x86_64.xml
index 3b3d89a643..680751ab5e 100644
--- a/tests/domaincapsdata/qemu_1.5.3-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.5.3-tcg.x86_64.xml
@@ -133,5 +133,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.5.3.x86_64.xml
b/tests/domaincapsdata/qemu_1.5.3.x86_64.xml
index 20cd3a105a..f2737be495 100644
--- a/tests/domaincapsdata/qemu_1.5.3.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.5.3.x86_64.xml
@@ -137,5 +137,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.6.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_1.6.0-q35.x86_64.xml
index a4b26b46cb..38f510c0b4 100644
--- a/tests/domaincapsdata/qemu_1.6.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.6.0-q35.x86_64.xml
@@ -137,5 +137,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.6.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_1.6.0-tcg.x86_64.xml
index 6bff19bad5..970d2b7b83 100644
--- a/tests/domaincapsdata/qemu_1.6.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.6.0-tcg.x86_64.xml
@@ -133,5 +133,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.6.0.x86_64.xml
b/tests/domaincapsdata/qemu_1.6.0.x86_64.xml
index 16417a13d2..eaa3e872e4 100644
--- a/tests/domaincapsdata/qemu_1.6.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.6.0.x86_64.xml
@@ -137,5 +137,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.7.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_1.7.0-q35.x86_64.xml
index 559b49491e..55460bb3eb 100644
--- a/tests/domaincapsdata/qemu_1.7.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.7.0-q35.x86_64.xml
@@ -137,5 +137,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.7.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_1.7.0-tcg.x86_64.xml
index 97e71bffff..cf816e1315 100644
--- a/tests/domaincapsdata/qemu_1.7.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.7.0-tcg.x86_64.xml
@@ -133,5 +133,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_1.7.0.x86_64.xml
b/tests/domaincapsdata/qemu_1.7.0.x86_64.xml
index 472c073de9..e86e538268 100644
--- a/tests/domaincapsdata/qemu_1.7.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_1.7.0.x86_64.xml
@@ -137,5 +137,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.1.1-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.1.1-q35.x86_64.xml
index a87f5b2a63..7a94784943 100644
--- a/tests/domaincapsdata/qemu_2.1.1-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.1.1-q35.x86_64.xml
@@ -138,5 +138,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.1.1-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.1.1-tcg.x86_64.xml
index 192a505d77..413f46d5a6 100644
--- a/tests/domaincapsdata/qemu_2.1.1-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.1.1-tcg.x86_64.xml
@@ -134,5 +134,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.1.1.x86_64.xml
b/tests/domaincapsdata/qemu_2.1.1.x86_64.xml
index 15adfe0ee8..d087157b06 100644
--- a/tests/domaincapsdata/qemu_2.1.1.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.1.1.x86_64.xml
@@ -138,5 +138,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.10.0-q35.x86_64.xml
index be2840d9b8..a70eb157d9 100644
--- a/tests/domaincapsdata/qemu_2.10.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.10.0-q35.x86_64.xml
@@ -161,5 +161,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.10.0-tcg.x86_64.xml
index 1193f49bd6..1730dd81ab 100644
--- a/tests/domaincapsdata/qemu_2.10.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.10.0-tcg.x86_64.xml
@@ -176,5 +176,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0-virt.aarch64.xml
b/tests/domaincapsdata/qemu_2.10.0-virt.aarch64.xml
index 4505d64e3a..0fded78a64 100644
--- a/tests/domaincapsdata/qemu_2.10.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_2.10.0-virt.aarch64.xml
@@ -145,5 +145,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0.aarch64.xml
b/tests/domaincapsdata/qemu_2.10.0.aarch64.xml
index 629833b745..d74e018aea 100644
--- a/tests/domaincapsdata/qemu_2.10.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_2.10.0.aarch64.xml
@@ -139,5 +139,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0.ppc64.xml
b/tests/domaincapsdata/qemu_2.10.0.ppc64.xml
index 863afbc0df..ba102fd26f 100644
--- a/tests/domaincapsdata/qemu_2.10.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_2.10.0.ppc64.xml
@@ -111,5 +111,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0.s390x.xml
b/tests/domaincapsdata/qemu_2.10.0.s390x.xml
index ce5c92edce..3c16cc8b05 100644
--- a/tests/domaincapsdata/qemu_2.10.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_2.10.0.s390x.xml
@@ -200,5 +200,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.10.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.10.0.x86_64.xml
index 6596016d33..a47914a796 100644
--- a/tests/domaincapsdata/qemu_2.10.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.10.0.x86_64.xml
@@ -161,5 +161,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.11.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.11.0-q35.x86_64.xml
index c2e148e0fc..f0348486fd 100644
--- a/tests/domaincapsdata/qemu_2.11.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.11.0-q35.x86_64.xml
@@ -159,5 +159,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.11.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.11.0-tcg.x86_64.xml
index 7f66cf7b7e..e8282b30fc 100644
--- a/tests/domaincapsdata/qemu_2.11.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.11.0-tcg.x86_64.xml
@@ -171,5 +171,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.11.0.s390x.xml
b/tests/domaincapsdata/qemu_2.11.0.s390x.xml
index c5b48fdad5..2fdbe3ce5d 100644
--- a/tests/domaincapsdata/qemu_2.11.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_2.11.0.s390x.xml
@@ -199,5 +199,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.11.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.11.0.x86_64.xml
index 38b6b20f77..de5404b2a4 100644
--- a/tests/domaincapsdata/qemu_2.11.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.11.0.x86_64.xml
@@ -159,5 +159,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.12.0-q35.x86_64.xml
index 8d38d33369..e977a8937a 100644
--- a/tests/domaincapsdata/qemu_2.12.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.12.0-q35.x86_64.xml
@@ -176,5 +176,6 @@
<cbitpos>47</cbitpos>
<reducedPhysBits>1</reducedPhysBits>
</sev>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.12.0-tcg.x86_64.xml
index 9a89587115..3a4c85eb65 100644
--- a/tests/domaincapsdata/qemu_2.12.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.12.0-tcg.x86_64.xml
@@ -185,5 +185,6 @@
<cbitpos>47</cbitpos>
<reducedPhysBits>1</reducedPhysBits>
</sev>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0-virt.aarch64.xml
b/tests/domaincapsdata/qemu_2.12.0-virt.aarch64.xml
index 8ea58bfa25..f78722ea3c 100644
--- a/tests/domaincapsdata/qemu_2.12.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_2.12.0-virt.aarch64.xml
@@ -147,5 +147,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0.aarch64.xml
b/tests/domaincapsdata/qemu_2.12.0.aarch64.xml
index 667516e75e..c7de5ad674 100644
--- a/tests/domaincapsdata/qemu_2.12.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_2.12.0.aarch64.xml
@@ -141,5 +141,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0.ppc64.xml
b/tests/domaincapsdata/qemu_2.12.0.ppc64.xml
index eac3e6a868..8d3377e937 100644
--- a/tests/domaincapsdata/qemu_2.12.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_2.12.0.ppc64.xml
@@ -111,5 +111,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0.s390x.xml
b/tests/domaincapsdata/qemu_2.12.0.s390x.xml
index 01cc3d81ec..12ff7cfd95 100644
--- a/tests/domaincapsdata/qemu_2.12.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_2.12.0.s390x.xml
@@ -198,5 +198,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.12.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.12.0.x86_64.xml
index 6e006a3ba3..2039b77790 100644
--- a/tests/domaincapsdata/qemu_2.12.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.12.0.x86_64.xml
@@ -176,5 +176,6 @@
<cbitpos>47</cbitpos>
<reducedPhysBits>1</reducedPhysBits>
</sev>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.4.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.4.0-q35.x86_64.xml
index 23e103927e..608118652a 100644
--- a/tests/domaincapsdata/qemu_2.4.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.4.0-q35.x86_64.xml
@@ -146,5 +146,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.4.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.4.0-tcg.x86_64.xml
index 2a6296739c..411780d41e 100644
--- a/tests/domaincapsdata/qemu_2.4.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.4.0-tcg.x86_64.xml
@@ -142,5 +142,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.4.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.4.0.x86_64.xml
index 7c6d78e510..6bd8627277 100644
--- a/tests/domaincapsdata/qemu_2.4.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.4.0.x86_64.xml
@@ -146,5 +146,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.5.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.5.0-q35.x86_64.xml
index bb8bd9c5c5..fe465bcfaa 100644
--- a/tests/domaincapsdata/qemu_2.5.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.5.0-q35.x86_64.xml
@@ -146,5 +146,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.5.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.5.0-tcg.x86_64.xml
index 8b022e9bd7..b4803039df 100644
--- a/tests/domaincapsdata/qemu_2.5.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.5.0-tcg.x86_64.xml
@@ -142,5 +142,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.5.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.5.0.x86_64.xml
index a89990a42e..07eea7c96c 100644
--- a/tests/domaincapsdata/qemu_2.5.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.5.0.x86_64.xml
@@ -146,5 +146,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.6.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.6.0-q35.x86_64.xml
index 251696a161..c490c36170 100644
--- a/tests/domaincapsdata/qemu_2.6.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.6.0-q35.x86_64.xml
@@ -146,5 +146,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.6.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.6.0-tcg.x86_64.xml
index 7937fad971..3b53321be5 100644
--- a/tests/domaincapsdata/qemu_2.6.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.6.0-tcg.x86_64.xml
@@ -142,5 +142,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.6.0-virt.aarch64.xml
b/tests/domaincapsdata/qemu_2.6.0-virt.aarch64.xml
index 95053e9cbe..c1697eabf8 100644
--- a/tests/domaincapsdata/qemu_2.6.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_2.6.0-virt.aarch64.xml
@@ -144,5 +144,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.6.0.aarch64.xml
b/tests/domaincapsdata/qemu_2.6.0.aarch64.xml
index 223e944c8a..121acd636f 100644
--- a/tests/domaincapsdata/qemu_2.6.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_2.6.0.aarch64.xml
@@ -138,5 +138,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.6.0.ppc64.xml
b/tests/domaincapsdata/qemu_2.6.0.ppc64.xml
index c97f232028..41217aa7b1 100644
--- a/tests/domaincapsdata/qemu_2.6.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_2.6.0.ppc64.xml
@@ -111,5 +111,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.6.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.6.0.x86_64.xml
index f95f8fb46a..586855e7e3 100644
--- a/tests/domaincapsdata/qemu_2.6.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.6.0.x86_64.xml
@@ -146,5 +146,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.7.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.7.0-q35.x86_64.xml
index 1e6c47f2d6..d8e523e904 100644
--- a/tests/domaincapsdata/qemu_2.7.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.7.0-q35.x86_64.xml
@@ -147,5 +147,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.7.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.7.0-tcg.x86_64.xml
index 8b7c2ce8e6..ed92bee692 100644
--- a/tests/domaincapsdata/qemu_2.7.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.7.0-tcg.x86_64.xml
@@ -143,5 +143,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.7.0.s390x.xml
b/tests/domaincapsdata/qemu_2.7.0.s390x.xml
index ff3dd4939b..b8bc1245ec 100644
--- a/tests/domaincapsdata/qemu_2.7.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_2.7.0.s390x.xml
@@ -103,5 +103,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.7.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.7.0.x86_64.xml
index da1b10c41b..c2df40d00e 100644
--- a/tests/domaincapsdata/qemu_2.7.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.7.0.x86_64.xml
@@ -147,5 +147,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.8.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.8.0-q35.x86_64.xml
index 0a7493d86d..78acecdfd7 100644
--- a/tests/domaincapsdata/qemu_2.8.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.8.0-q35.x86_64.xml
@@ -147,5 +147,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.8.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.8.0-tcg.x86_64.xml
index 100e8e059c..638bfea6f7 100644
--- a/tests/domaincapsdata/qemu_2.8.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.8.0-tcg.x86_64.xml
@@ -143,5 +143,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.8.0.s390x.xml
b/tests/domaincapsdata/qemu_2.8.0.s390x.xml
index 47b1aa46f7..233092be64 100644
--- a/tests/domaincapsdata/qemu_2.8.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_2.8.0.s390x.xml
@@ -184,5 +184,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.8.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.8.0.x86_64.xml
index 6fa754c18a..deb094df40 100644
--- a/tests/domaincapsdata/qemu_2.8.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.8.0.x86_64.xml
@@ -147,5 +147,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.9.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_2.9.0-q35.x86_64.xml
index 3df3c3738e..0669e56b1d 100644
--- a/tests/domaincapsdata/qemu_2.9.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.9.0-q35.x86_64.xml
@@ -156,5 +156,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.9.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_2.9.0-tcg.x86_64.xml
index 08bb5fbad7..045c308f8e 100644
--- a/tests/domaincapsdata/qemu_2.9.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.9.0-tcg.x86_64.xml
@@ -175,5 +175,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.9.0.ppc64.xml
b/tests/domaincapsdata/qemu_2.9.0.ppc64.xml
index 3776b6ed9c..deca3b2373 100644
--- a/tests/domaincapsdata/qemu_2.9.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_2.9.0.ppc64.xml
@@ -111,5 +111,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.9.0.s390x.xml
b/tests/domaincapsdata/qemu_2.9.0.s390x.xml
index cf7e7781cc..263a2a9a71 100644
--- a/tests/domaincapsdata/qemu_2.9.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_2.9.0.s390x.xml
@@ -185,5 +185,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_2.9.0.x86_64.xml
b/tests/domaincapsdata/qemu_2.9.0.x86_64.xml
index a80ef28488..a553b5c7f2 100644
--- a/tests/domaincapsdata/qemu_2.9.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_2.9.0.x86_64.xml
@@ -156,5 +156,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.0.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_3.0.0-q35.x86_64.xml
index cd37906bc7..b8e27b774d 100644
--- a/tests/domaincapsdata/qemu_3.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_3.0.0-q35.x86_64.xml
@@ -174,5 +174,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.0.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_3.0.0-tcg.x86_64.xml
index d3211e7a13..797b3496b8 100644
--- a/tests/domaincapsdata/qemu_3.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_3.0.0-tcg.x86_64.xml
@@ -185,5 +185,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.0.0.ppc64.xml
b/tests/domaincapsdata/qemu_3.0.0.ppc64.xml
index 1b8ddd4ed0..e791c0619c 100644
--- a/tests/domaincapsdata/qemu_3.0.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_3.0.0.ppc64.xml
@@ -113,5 +113,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.0.0.s390x.xml
b/tests/domaincapsdata/qemu_3.0.0.s390x.xml
index 7a4e536fb5..c12e40ca10 100644
--- a/tests/domaincapsdata/qemu_3.0.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_3.0.0.s390x.xml
@@ -205,5 +205,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.0.0.x86_64.xml
b/tests/domaincapsdata/qemu_3.0.0.x86_64.xml
index 9fa4224760..7667232cb1 100644
--- a/tests/domaincapsdata/qemu_3.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_3.0.0.x86_64.xml
@@ -174,5 +174,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.1.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_3.1.0-q35.x86_64.xml
index 82b1b6a095..f24b621b4a 100644
--- a/tests/domaincapsdata/qemu_3.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_3.1.0-q35.x86_64.xml
@@ -177,5 +177,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.1.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_3.1.0-tcg.x86_64.xml
index 756b28034e..8ddcf7495d 100644
--- a/tests/domaincapsdata/qemu_3.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_3.1.0-tcg.x86_64.xml
@@ -188,5 +188,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.1.0.ppc64.xml
b/tests/domaincapsdata/qemu_3.1.0.ppc64.xml
index 6a2bc87947..b34c8e8e02 100644
--- a/tests/domaincapsdata/qemu_3.1.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_3.1.0.ppc64.xml
@@ -113,5 +113,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_3.1.0.x86_64.xml
b/tests/domaincapsdata/qemu_3.1.0.x86_64.xml
index ffc82f17c3..5440773513 100644
--- a/tests/domaincapsdata/qemu_3.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_3.1.0.x86_64.xml
@@ -177,5 +177,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_4.0.0-q35.x86_64.xml
index c837de966f..2ccb7e850f 100644
--- a/tests/domaincapsdata/qemu_4.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.0.0-q35.x86_64.xml
@@ -177,5 +177,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_4.0.0-tcg.x86_64.xml
index 0aa8aa18be..87a56371e1 100644
--- a/tests/domaincapsdata/qemu_4.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.0.0-tcg.x86_64.xml
@@ -189,5 +189,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0-virt.aarch64.xml
b/tests/domaincapsdata/qemu_4.0.0-virt.aarch64.xml
index f5347aba9f..6a8a15cb82 100644
--- a/tests/domaincapsdata/qemu_4.0.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_4.0.0-virt.aarch64.xml
@@ -154,5 +154,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0.aarch64.xml
b/tests/domaincapsdata/qemu_4.0.0.aarch64.xml
index b879d7553c..2a6d6cb4ec 100644
--- a/tests/domaincapsdata/qemu_4.0.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_4.0.0.aarch64.xml
@@ -148,5 +148,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0.ppc64.xml
b/tests/domaincapsdata/qemu_4.0.0.ppc64.xml
index 0642753f11..4831fe949d 100644
--- a/tests/domaincapsdata/qemu_4.0.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_4.0.0.ppc64.xml
@@ -114,5 +114,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0.s390x.xml
b/tests/domaincapsdata/qemu_4.0.0.s390x.xml
index 632c26d689..7277154d38 100644
--- a/tests/domaincapsdata/qemu_4.0.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_4.0.0.s390x.xml
@@ -210,5 +210,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.0.0.x86_64.xml
b/tests/domaincapsdata/qemu_4.0.0.x86_64.xml
index 3f64bd4b66..e230e39773 100644
--- a/tests/domaincapsdata/qemu_4.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.0.0.x86_64.xml
@@ -177,5 +177,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.1.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_4.1.0-q35.x86_64.xml
index 8bf41d6b49..4ea0c221e3 100644
--- a/tests/domaincapsdata/qemu_4.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.1.0-q35.x86_64.xml
@@ -182,5 +182,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.1.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_4.1.0-tcg.x86_64.xml
index d6265ce243..fd8a2d29de 100644
--- a/tests/domaincapsdata/qemu_4.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.1.0-tcg.x86_64.xml
@@ -190,5 +190,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.1.0.x86_64.xml
b/tests/domaincapsdata/qemu_4.1.0.x86_64.xml
index 5010f879a6..db4fbb81d5 100644
--- a/tests/domaincapsdata/qemu_4.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.1.0.x86_64.xml
@@ -182,5 +182,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
index 6f72b67f68..dc1e0b1bcc 100644
--- a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
@@ -189,5 +189,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
index 7339a3f81c..298cd92d3d 100644
--- a/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
@@ -196,5 +196,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
b/tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
index ef57216562..8ede831af4 100644
--- a/tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
@@ -155,5 +155,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0.aarch64.xml
b/tests/domaincapsdata/qemu_4.2.0.aarch64.xml
index 3cf2a6faf1..802631b704 100644
--- a/tests/domaincapsdata/qemu_4.2.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0.aarch64.xml
@@ -149,5 +149,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0.ppc64.xml
b/tests/domaincapsdata/qemu_4.2.0.ppc64.xml
index 0f2cf6da64..14923e14b5 100644
--- a/tests/domaincapsdata/qemu_4.2.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0.ppc64.xml
@@ -115,5 +115,6 @@
<backingStoreInput supported='no'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0.s390x.xml
b/tests/domaincapsdata/qemu_4.2.0.s390x.xml
index ecd037438a..21cefb9ff4 100644
--- a/tests/domaincapsdata/qemu_4.2.0.s390x.xml
+++ b/tests/domaincapsdata/qemu_4.2.0.s390x.xml
@@ -224,5 +224,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
b/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
index f4a8321637..55b3e0d545 100644
--- a/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
@@ -189,5 +189,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
index fc21b2ad62..0252950bb6 100644
--- a/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
@@ -190,5 +190,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
index 110a79dd34..bcbbf8a8d8 100644
--- a/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
@@ -196,5 +196,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
b/tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
index b2b37c0f7b..fc110c1028 100644
--- a/tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
@@ -156,5 +156,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.0.0.aarch64.xml
b/tests/domaincapsdata/qemu_5.0.0.aarch64.xml
index 7377a2c4cf..d21e85f289 100644
--- a/tests/domaincapsdata/qemu_5.0.0.aarch64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0.aarch64.xml
@@ -150,5 +150,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.0.0.ppc64.xml
b/tests/domaincapsdata/qemu_5.0.0.ppc64.xml
index 9693aeb72e..f3ffaaeca9 100644
--- a/tests/domaincapsdata/qemu_5.0.0.ppc64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0.ppc64.xml
@@ -115,5 +115,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
b/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
index aceca34c43..269976d0c4 100644
--- a/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
@@ -190,5 +190,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
index e1762611c5..9044d839ad 100644
--- a/tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
@@ -202,5 +202,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
b/tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
index 86f091d238..cec56619d6 100644
--- a/tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
@@ -196,5 +196,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
diff --git a/tests/domaincapsdata/qemu_5.1.0.x86_64.xml
b/tests/domaincapsdata/qemu_5.1.0.x86_64.xml
index 117f316b6a..b0b0d8b4a9 100644
--- a/tests/domaincapsdata/qemu_5.1.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.1.0.x86_64.xml
@@ -202,5 +202,6 @@
<backingStoreInput supported='yes'/>
<backup supported='no'/>
<sev supported='no'/>
+ <sgx supported='no'/>
</features>
</domainCapabilities>
9:52 p.m.
New subject: [libvirt][PATCH v4 4/4] Support to query SGX capability
-----Original Message-----
From: Tim Wiederhake <twiederh(a)redhat.com>
Sent: Monday, July 5, 2021 7:32 PM
To: Huang, Haibin <haibin.huang(a)intel.com>
Cc: libvir-list(a)redhat.com; Ding, Jian-feng <jian-feng.ding(a)intel.com>; Yang,
Lin A <lin.a.yang(a)intel.com>; Lu, Lianhao <lianhao.lu(a)intel.com>
Subject: Re: [libvirt][PATCH v4 4/4] Support to query SGX capability
On Thu, 2021-07-01 at 20:10 +0800, Haibin Huang wrote:
> 1.Add SGX feature in domain capabilities
> 2.Get sgx capabilities by query-sgx-capabilities
> 3.Transfer the B to KB for epc_size
> 4.Delete sgx1 and sgx2
> 5.add unit test for get capabilities
>
> Signed-off-by: Haibin Huang <haibin.huang(a)intel.com>
> ---
> src/conf/domain_capabilities.c | 29 ++++
> src/conf/domain_capabilities.h | 13 ++
> src/libvirt_private.syms | 2 +-
> src/qemu/qemu_capabilities.c | 146 ++++++++++++++++++
> src/qemu/qemu_capabilities.h | 6 +
> src/qemu/qemu_command.c | 2 +-
> src/qemu/qemu_monitor.c | 10 ++
> src/qemu/qemu_monitor.h | 3 +
> src/qemu/qemu_monitor_json.c | 91 +++++++++++
> src/qemu/qemu_monitor_json.h | 3 +
> tests/domaincapsdata/bhyve_basic.x86_64.xml | 1 +
> tests/domaincapsdata/bhyve_fbuf.x86_64.xml | 1 +
> tests/domaincapsdata/bhyve_uefi.x86_64.xml | 1 +
> tests/domaincapsdata/empty.xml | 1 +
> tests/domaincapsdata/libxl-xenfv.xml | 1 +
> tests/domaincapsdata/libxl-xenpv.xml | 1 +
> .../domaincapsdata/qemu_1.5.3-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_1.5.3-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_1.5.3.x86_64.xml | 1 +
> .../domaincapsdata/qemu_1.6.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_1.6.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_1.6.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_1.7.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_1.7.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_1.7.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.1.1-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.1.1-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.1.1.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.10.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.10.0-tcg.x86_64.xml | 1 +
> .../qemu_2.10.0-virt.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_2.10.0.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_2.10.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_2.10.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_2.10.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.11.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.11.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_2.11.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 1 +
> .../qemu_2.12.0-virt.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_2.12.0.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_2.12.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_2.12.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.4.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.4.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.5.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.5.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.6.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml | 1 +
> .../qemu_2.6.0-virt.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_2.6.0.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_2.6.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_2.6.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.7.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.7.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_2.7.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.8.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.8.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_2.8.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.9.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.9.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_2.9.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_2.9.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_3.0.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_3.0.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_3.0.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_3.0.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_3.1.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_3.1.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_3.1.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_4.0.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml | 1 +
> .../qemu_4.0.0-virt.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_4.0.0.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_4.0.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_4.0.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_4.0.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_4.1.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_4.1.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 1 +
> .../qemu_4.2.0-virt.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_4.2.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_5.0.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml | 1 +
> .../qemu_5.0.0-virt.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_5.0.0.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_5.0.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_5.0.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_5.1.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_5.1.0.x86_64.xml | 1 +
> 106 files changed, 399 insertions(+), 2 deletions(-)
>
Can this be split up, so that the "mechanical" changes
(tests/domaincapsdata/qemu_*.xml) are separate from the functional
changes? E.g. start with a commit that introduces a dummy
"virDomainCapsFeatureSGXFormat" that always prints "<sgx
supported='no'/>" + the relevant changes in tests/; then, in a second
commit, the actual implementation?
[Haibin] ok, it is good point. I will adjust
it.
> diff --git a/src/conf/domain_capabilities.c
> b/src/conf/domain_capabilities.c
> index d61108e125..f83a462ca3 100644
> --- a/src/conf/domain_capabilities.c
> +++ b/src/conf/domain_capabilities.c
> @@ -91,6 +91,16 @@ virSEVCapabilitiesFree(virSEVCapability *cap)
> }
>
>
> +void
> +virSGXCapabilitiesFree(virSGXCapability *cap)
> +{
> + if (!cap)
> + return;
> +
> + VIR_FREE(cap);
> +}
> +
> +
> static void
> virDomainCapsDispose(void *obj)
> {
> @@ -101,6 +111,7 @@ virDomainCapsDispose(void *obj)
> virObjectUnref(caps->cpu.custom);
> virCPUDefFree(caps->cpu.hostModel);
> virSEVCapabilitiesFree(caps->sev);
> + virSGXCapabilitiesFree(caps->sgx);
>
> virDomainCapsStringValuesFree(&caps->os.loader.values);
> }
> @@ -564,6 +575,23 @@ virDomainCapsFeatureSEVFormat(virBufferPtr buf,
> return;
> }
>
> +static void
> +virDomainCapsFeatureSGXFormat(virBufferPtr buf,
> + virSGXCapabilityPtr const sgx)
> +{
> + if (!sgx) {
> + virBufferAddLit(buf, "<sgx supported='no'/>\n");
> + } else {
> + virBufferAddLit(buf, "<sgx supported='yes'>\n");
> + virBufferAdjustIndent(buf, 2);
> + virBufferAsprintf(buf, "<flc>%s</flc>\n", sgx->flc
? "yes" :
> "no");
> + virBufferAsprintf(buf, "<epc_size
> unit='KiB'>%d</epc_size>\n", sgx->epc_size);
> + virBufferAdjustIndent(buf, -2);
> + virBufferAddLit(buf, "</sgx>\n");
> + }
> +
> + return;
> +}
>
> static void
> virDomainCapsFormatFeatures(const virDomainCaps *caps,
> @@ -584,6 +612,7 @@ virDomainCapsFormatFeatures(const virDomainCaps
> *caps,
> }
>
> virDomainCapsFeatureSEVFormat(&childBuf, caps->sev);
> + virDomainCapsFeatureSGXFormat(&childBuf, caps->sgx);
>
> virXMLFormatElement(buf, "features", NULL, &childBuf);
> }
> diff --git a/src/conf/domain_capabilities.h
> b/src/conf/domain_capabilities.h
> index 685d5e2a44..d63f2d4219 100644
> --- a/src/conf/domain_capabilities.h
> +++ b/src/conf/domain_capabilities.h
> @@ -150,6 +150,13 @@ struct _virDomainCapsCPU {
> virDomainCapsCPUModelsPtr custom;
> };
>
> +typedef struct _virSGXCapability virSGXCapability;
> +typedef virSGXCapability *virSGXCapabilityPtr;
> +struct _virSGXCapability {
> + bool flc;
> + unsigned int epc_size;
> +};
> +
> typedef struct _virSEVCapability virSEVCapability;
> typedef virSEVCapability *virSEVCapabilityPtr;
> struct _virSEVCapability {
> @@ -191,6 +198,7 @@ struct _virDomainCaps {
>
> virDomainCapsFeatureGIC gic;
> virSEVCapabilityPtr sev;
> + virSGXCapabilityPtr sgx;
Requires change to docs/schema/.
[Haibin] ok, I got it, I think you mean
"docs/schemas/domaincaps.rng".
> /* add new domain features here */
>
> virTristateBool features[VIR_DOMAIN_CAPS_FEATURE_LAST];
> @@ -239,4 +247,9 @@ int virDomainCapsDeviceDefValidate(const
> virDomainCaps *caps,
> void
> virSEVCapabilitiesFree(virSEVCapability *capabilities);
>
> +void
> +virSGXCapabilitiesFree(virSGXCapability *capabilities);
> +
> G_DEFINE_AUTOPTR_CLEANUP_FUNC(virSEVCapability,
> virSEVCapabilitiesFree);
> +
> +G_DEFINE_AUTOPTR_CLEANUP_FUNC(virSGXCapability,
> virSGXCapabilitiesFree);
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index 01c2e710cd..ea7aa897cc 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -215,6 +215,7 @@ virDomainCapsEnumSet;
> virDomainCapsFormat;
> virDomainCapsNew;
> virSEVCapabilitiesFree;
> +virSGXCapabilitiesFree;
>
>
> # conf/domain_conf.h
> @@ -1694,7 +1695,6 @@ virBitmapToDataBuf;
> virBitmapToString;
> virBitmapUnion;
>
> -
Please leave the second empty line.
[Haibin] ok
> # util/virbpf.h
> virBPFAttachProg;
> virBPFCreateMap;
> diff --git a/src/qemu/qemu_capabilities.c
> b/src/qemu/qemu_capabilities.c
> index ff6ba8c9e9..63f55480dd 100644
> --- a/src/qemu/qemu_capabilities.c
> +++ b/src/qemu/qemu_capabilities.c
> @@ -597,6 +597,9 @@ VIR_ENUM_IMPL(virQEMUCaps,
> "spapr-tpm-proxy",
> "numa.hmat",
> "blockdev-hostdev-scsi",
> +
> + /* 380 */
> + "sgx-epc",
> );
>
>
> @@ -698,11 +701,14 @@ struct _virQEMUCaps {
>
> virSEVCapability *sevCapabilities;
>
> + virSGXCapability *sgxCapabilities;
> +
> /* Capabilities which may differ depending on the accelerator. */
> virQEMUCapsAccel kvm;
> virQEMUCapsAccel tcg;
> };
>
> +
> struct virQEMUCapsSearchData {
> virArch arch;
> const char *binaryFilter;
> @@ -1323,6 +1329,7 @@ struct virQEMUCapsStringFlags
> virQEMUCapsObjectTypes[] = {
> { "tcg-accel", QEMU_CAPS_TCG },
> { "pvscsi", QEMU_CAPS_SCSI_PVSCSI },
> { "spapr-tpm-proxy", QEMU_CAPS_DEVICE_SPAPR_TPM_PROXY },
> + { "sgx-epc", QEMU_CAPS_SGX_EPC },
> };
>
>
> @@ -1870,6 +1877,23 @@ virQEMUCapsSEVInfoCopy(virSEVCapabilityPtr
*dst,
> }
>
>
> +static int
> +virQEMUCapsSGXInfoCopy(virSGXCapabilityPtr *dst,
> + virSGXCapabilityPtr src)
> +{
> + g_autoptr(virSGXCapability) tmp = NULL;
> +
> + if (VIR_ALLOC(tmp) < 0)
> + return -1;
If this were a simple "virSGXCapability *tmp = g_new0(...)"...
> +
> + tmp->flc = src->flc;
> + tmp->epc_size = src->epc_size;
> +
> + *dst = g_steal_pointer(&tmp);
> + return 0;
... the g_steal_pointer would not be necessary, and
"G_DEFINE_AUTOPTR_CLEANUP_FUNC(virSGXCapability,
virSGXCapabilitiesFree);" would not be, either.
[Haibin] did you mean like
below
static int
virQEMUCapsSGXInfoCopy(virSGXCapabilityPtr *dst,
virSGXCapabilityPtr src)
{
virSGXCapability *tmp = g_new0(virSGXCapability, 1);
tmp->flc = src->flc;
tmp->epc_size = src->epc_size;
*dst = tmp;
return 0;
}
> +}
> +
> +
> static void
> virQEMUCapsAccelCopyMachineTypes(virQEMUCapsAccelPtr dst,
> virQEMUCapsAccelPtr src)
> @@ -1947,6 +1971,11 @@ virQEMUCapsPtr
> virQEMUCapsNewCopy(virQEMUCapsPtr qemuCaps)
> qemuCaps->sevCapabilities) < 0)
> goto error;
>
> + if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SGX_EPC) &&
> + virQEMUCapsSGXInfoCopy(&ret->sgxCapabilities,
> + qemuCaps->sgxCapabilities) < 0)
> + goto error;
> +
> return ret;
>
> error:
> @@ -1987,6 +2016,7 @@ void virQEMUCapsDispose(void *obj)
> VIR_FREE(qemuCaps->gicCapabilities);
>
> virSEVCapabilitiesFree(qemuCaps->sevCapabilities);
> + virSGXCapabilitiesFree(qemuCaps->sgxCapabilities);
>
> virQEMUCapsAccelClear(&qemuCaps->kvm);
> virQEMUCapsAccelClear(&qemuCaps->tcg);
> @@ -2581,6 +2611,13 @@ virQEMUCapsGetSEVCapabilities(virQEMUCapsPtr
> qemuCaps)
> }
>
>
> +virSGXCapabilityPtr
> +virQEMUCapsGetSGXCapabilities(virQEMUCapsPtr qemuCaps)
> +{
> + return qemuCaps->sgxCapabilities;
> +}
> +
> +
> static int
> virQEMUCapsProbeQMPCommands(virQEMUCapsPtr qemuCaps,
> qemuMonitorPtr mon)
> @@ -2640,6 +2677,7 @@
virQEMUCapsProbeQMPObjectTypes(virQEMUCapsPtr
> qemuCaps,
>
> if ((nvalues = qemuMonitorGetObjectTypes(mon, &values)) < 0)
> return -1;
> +
Unrelated change.
[Haibin] ok, delete it.
> virQEMUCapsProcessStringFlags(qemuCaps,
>
> G_N_ELEMENTS(virQEMUCapsObjectTypes),
> virQEMUCapsObjectTypes,
> @@ -3405,6 +3443,31 @@
> virQEMUCapsProbeQMPSEVCapabilities(virQEMUCapsPtr qemuCaps,
> }
>
>
> +static int
> +virQEMUCapsProbeQMPSGXCapabilities(virQEMUCapsPtr qemuCaps,
> + qemuMonitorPtr mon)
> +{
> + int rc = -1;
> + virSGXCapability *caps = NULL;
> +
> + if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SGX_EPC))
> + return 0;
> +
> + if ((rc = qemuMonitorGetSGXCapabilities(mon, &caps)) < 0)
> + return -1;
> +
> + /* SGX isn't actually supported */
> + if (rc == 0) {
> + virQEMUCapsClear(qemuCaps, QEMU_CAPS_SGX_EPC);
> + return 0;
> + }
> +
> + virSGXCapabilitiesFree(qemuCaps->sgxCapabilities);
> + qemuCaps->sgxCapabilities = caps;
> + return 0;
> +}
> +
> +
> /*
> * Filter for features which should never be passed to QEMU. Either
> because
> * QEMU never supported them or they were dropped as they never did
> anything
> @@ -4187,6 +4250,42 @@ virQEMUCapsParseSEVInfo(virQEMUCapsPtr
> qemuCaps, xmlXPathContextPtr ctxt)
> return 0;
> }
>
> +static int
> +virQEMUCapsParseSGXInfo(virQEMUCapsPtr qemuCaps, xmlXPathContextPtr
> ctxt)
> +{
> + g_autoptr(virSGXCapability) sgx = NULL;
> +
> + if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SGX_EPC))
> + return 0;
> +
Using "virXPathNode()" + "virXMLProp*()" might save you some boiler
plate code and writing custom error messages.
Maybe that makes it a little bit
clearer
> + if (virXPathBoolean("boolean(./sgx)", ctxt) == 0) {
> + virReportError(VIR_ERR_XML_ERROR, "%s",
> + _("missing SGX platform data in QEMU "
> + "capabilities cache"));
> + return -1;
> + }
> +
> + if (VIR_ALLOC(sgx) < 0)
> + return -1;
> +
Prefer "g_new0".
[Haibin] ok
> + if (virXPathBoolean("boolean(./sgx/flc)", ctxt) == 0) {
> + virReportError(VIR_ERR_XML_ERROR, "%s",
> + _("missing SGX platform flc data in QEMU "
> + "capabilities cache"));
> + return -1;
> + }
> +
> + if (virXPathUInt("string(./sgx/epc_size)", ctxt,
&sgx->epc_size)
> < 0) {
> + virReportError(VIR_ERR_XML_ERROR, "%s",
> + _("missing or malformed SGX platform epc_size
> information "
> + "in QEMU capabilities cache"));
> + return -1;
> + }
> +
> + qemuCaps->sgxCapabilities = g_steal_pointer(&sgx);
> + return 0;
> +}
> +
>
> /*
> * Parsing a doc that looks like
> @@ -4425,6 +4524,9 @@ virQEMUCapsLoadCache(virArch hostArch,
> if (virQEMUCapsParseSEVInfo(qemuCaps, ctxt) < 0)
> goto cleanup;
>
> + if (virQEMUCapsParseSGXInfo(qemuCaps, ctxt) < 0)
> + goto cleanup;
> +
> virQEMUCapsInitHostCPUModel(qemuCaps, hostArch,
> VIR_DOMAIN_VIRT_KVM);
> virQEMUCapsInitHostCPUModel(qemuCaps, hostArch,
> VIR_DOMAIN_VIRT_QEMU);
>
> @@ -4601,6 +4703,19 @@ virQEMUCapsFormatSEVInfo(virQEMUCapsPtr
> qemuCaps, virBufferPtr buf)
> virBufferAddLit(buf, "</sev>\n");
> }
>
> +static void
> +virQEMUCapsFormatSGXInfo(virQEMUCapsPtr qemuCaps, virBufferPtr buf)
> +{
> + virSGXCapabilityPtr sgx =
> virQEMUCapsGetSGXCapabilities(qemuCaps);
> +
> + virBufferAddLit(buf, "<sgx>\n");
> + virBufferAdjustIndent(buf, 2);
> + virBufferAsprintf(buf, "<flc>%s</flc>\n", sgx->flc ?
"yes" :
> "no");
> + virBufferAsprintf(buf, "<epc_size>%u</epc_size>\n", sgx-
> >epc_size);
> + virBufferAdjustIndent(buf, -2);
> + virBufferAddLit(buf, "</sgx>\n");
> +}
> +
>
> char *
> virQEMUCapsFormatCache(virQEMUCapsPtr qemuCaps)
> @@ -4671,6 +4786,9 @@ virQEMUCapsFormatCache(virQEMUCapsPtr
qemuCaps)
> if (qemuCaps->sevCapabilities)
> virQEMUCapsFormatSEVInfo(qemuCaps, &buf);
>
> + if (qemuCaps->sgxCapabilities)
> + virQEMUCapsFormatSGXInfo(qemuCaps, &buf);
> +
> if (qemuCaps->kvmSupportsNesting)
> virBufferAddLit(&buf, "<kvmSupportsNesting/>\n");
>
> @@ -5323,6 +5441,8 @@ virQEMUCapsInitQMPMonitor(virQEMUCapsPtr
> qemuCaps,
> return -1;
> if (virQEMUCapsProbeQMPSEVCapabilities(qemuCaps, mon) < 0)
> return -1;
> + if (virQEMUCapsProbeQMPSGXCapabilities(qemuCaps, mon) < 0)
> + return -1;
>
> virQEMUCapsInitProcessCaps(qemuCaps);
>
> @@ -6245,6 +6365,31 @@
> virQEMUCapsFillDomainFeatureGICCaps(virQEMUCapsPtr qemuCaps,
> }
>
>
> +/**
> + * virQEMUCapsFillDomainFeatureiSGXCaps:
> + * @qemuCaps: QEMU capabilities
> + * @domCaps: domain capabilities
> + *
> + * Take the information about SGX capabilities that has been
> obtained
> + * using the 'query-sgx-capabilities' QMP command and stored in
> @qemuCaps
> + * and convert it to a form suitable for @domCaps.
> + */
> +static void
> +virQEMUCapsFillDomainFeatureSGXCaps(virQEMUCapsPtr qemuCaps,
> + virDomainCapsPtr domCaps)
> +{
> + virSGXCapability *cap = qemuCaps->sgxCapabilities;
> +
> + if (!cap)
> + return;
> +
> + domCaps->sgx = g_new0(virSGXCapability, 1);
> +
> + domCaps->sgx->flc = cap->flc;
> + domCaps->sgx->epc_size = cap->epc_size;
> +}
> +
> +
> /**
> * virQEMUCapsFillDomainFeatureSEVCaps:
> * @qemuCaps: QEMU capabilities
> @@ -6316,6 +6461,7 @@ virQEMUCapsFillDomainCaps(virQEMUCapsPtr
> qemuCaps,
> virQEMUCapsFillDomainDeviceRNGCaps(qemuCaps, rng);
> virQEMUCapsFillDomainFeatureGICCaps(qemuCaps, domCaps);
> virQEMUCapsFillDomainFeatureSEVCaps(qemuCaps, domCaps);
> + virQEMUCapsFillDomainFeatureSGXCaps(qemuCaps, domCaps);
>
> return 0;
> }
> diff --git a/src/qemu/qemu_capabilities.h
> b/src/qemu/qemu_capabilities.h
> index 5d08941538..0e3af622a7 100644
> --- a/src/qemu/qemu_capabilities.h
> +++ b/src/qemu/qemu_capabilities.h
> @@ -578,6 +578,9 @@ typedef enum { /* virQEMUCapsFlags grouping
> marker for syntax-check */
> QEMU_CAPS_NUMA_HMAT, /* -numa hmat */
> QEMU_CAPS_BLOCKDEV_HOSTDEV_SCSI, /* -blockdev used for (i)SCSI
> hostdevs */
>
> + /* 380 */
> + QEMU_CAPS_SGX_EPC, /* -object sgx-epc,... */
> +
> QEMU_CAPS_LAST /* this must always be the last item */
> } virQEMUCapsFlags;
>
> @@ -759,5 +762,8 @@
virQEMUCapsCPUFeatureFromQEMU(virQEMUCapsPtr
> qemuCaps,
> virSEVCapabilityPtr
> virQEMUCapsGetSEVCapabilities(virQEMUCapsPtr qemuCaps);
>
> +virSGXCapabilityPtr
> +virQEMUCapsGetSGXCapabilities(virQEMUCapsPtr qemuCaps);
> +
> virArch virQEMUCapsArchFromString(const char *arch);
> const char *virQEMUCapsArchToString(virArch arch);
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index fb05acbc94..9462b5a6c8 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -6405,7 +6405,7 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr
> driver,
>
> case VIR_CPU_MODE_CUSTOM:
> virBufferAdd(buf, cpu->model, -1);
> - if(def->sgx)
> + if (def->sgx)
> virBufferAdd(buf,
Fix in previous patch.
[Haibin] ok
> ",+sgx,+sgx-debug,+sgx1,+sgx-encls-c,+sgx-
> enclv,+sgx-exinfo,"
> "+sgx-kss,+sgx-mode64,+sgx-
> provisionkey,+sgx-tokenkey,+sgx2,"
> diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
> index 637361d24d..1e377ee8dc 100644
> --- a/src/qemu/qemu_monitor.c
> +++ b/src/qemu/qemu_monitor.c
> @@ -3870,6 +3870,16 @@ qemuMonitorGetSEVCapabilities(qemuMonitorPtr
> mon,
> }
>
>
> +int
> +qemuMonitorGetSGXCapabilities(qemuMonitorPtr mon,
> + virSGXCapability **capabilities)
> +{
> + QEMU_CHECK_MONITOR(mon);
> +
> + return qemuMonitorJSONGetSGXCapabilities(mon, capabilities);
> +}
> +
> +
> int
> qemuMonitorNBDServerStart(qemuMonitorPtr mon,
> const virStorageNetHostDef *server,
> diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
> index d20a15c202..76b3cd54c7 100644
> --- a/src/qemu/qemu_monitor.h
> +++ b/src/qemu/qemu_monitor.h
> @@ -836,6 +836,9 @@ int qemuMonitorGetGICCapabilities(qemuMonitorPtr
> mon,
> int qemuMonitorGetSEVCapabilities(qemuMonitorPtr mon,
> virSEVCapability **capabilities);
>
> +int qemuMonitorGetSGXCapabilities(qemuMonitorPtr mon,
> + virSGXCapability **capabilities);
> +
> typedef enum {
> QEMU_MONITOR_MIGRATE_BACKGROUND = 1 << 0,
> QEMU_MONITOR_MIGRATE_NON_SHARED_DISK = 1 << 1, /* migration
with
> non-shared storage with full disk copy */
> diff --git a/src/qemu/qemu_monitor_json.c
> b/src/qemu/qemu_monitor_json.c
> index 9cdf6c0f7f..06f0738ad8 100644
> --- a/src/qemu/qemu_monitor_json.c
> +++ b/src/qemu/qemu_monitor_json.c
> @@ -44,6 +44,7 @@
> # include "libvirt_qemu_probes.h"
> #endif
>
> +#define KB 1024
> #define VIR_FROM_THIS VIR_FROM_QEMU
>
> VIR_LOG_INIT("qemu.qemu_monitor_json");
> @@ -7056,6 +7057,96 @@
> qemuMonitorJSONGetGICCapabilities(qemuMonitorPtr mon,
> }
>
>
> +/**
> + * qemuMonitorJSONGetSGXCapabilities:
> + * @mon: qemu monitor object
> + * @capabilities: pointer to pointer to a SGX capability structure
> to be filled
> + *
> + * This function queries and fills in INTEL's SGX platform-specific
> data.
> + * Note that from QEMU's POV both -object sgx-epc and query-sgx-
> capabilities
> + * can be present even if SGX is not available, which basically
> leaves us with
> + * checking for JSON "GenericError" in order to differentiate
> between compiled-in
> + * support and actual SGX support on the platform.
> + *
> + * Returns -1 on error, 0 if SGX is not supported, and 1 if SGX is
> supported on
> + * the platform.
> + */
> +int
> +qemuMonitorJSONGetSGXCapabilities(qemuMonitorPtr mon,
> + virSGXCapability **capabilities)
> +{
> + int ret = -1;
> + virJSONValuePtr cmd;
> + virJSONValuePtr reply = NULL;
> + virJSONValuePtr caps;
> + bool sgx = false;
> + bool flc = false;
> + unsigned int section_size = 0;
> + g_autoptr(virSGXCapability) capability = NULL;
> +
> + *capabilities = NULL;
> +
> + if (!(cmd = qemuMonitorJSONMakeCommand("query-sgx-capabilities",
> NULL)))
> + return -1;
> +
> + if (qemuMonitorJSONCommand(mon, cmd, &reply) < 0)
> + goto cleanup;
> +
> + /* QEMU has only compiled-in support of SGX */
> + if (qemuMonitorJSONHasError(reply, "GenericError")) {
> + ret = 0;
> + goto cleanup;
> + }
> +
> + if (qemuMonitorJSONCheckError(cmd, reply) < 0)
> + goto cleanup;
> +
> + caps = virJSONValueObjectGetObject(reply, "return");
> +
> + if (virJSONValueObjectGetBoolean(caps, "sgx", &sgx) < 0) {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("query-sgx reply was missing"
> + " 'sgx' field"));
> + goto cleanup;
> + }
> + if (!sgx) {
> + VIR_WARN("sgx is not support %d\n", sgx);
> + ret = 0;
> + goto cleanup;
> + }
> +
> + if (virJSONValueObjectGetBoolean(caps, "flc", &flc) < 0) {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("query-sgx-capabilities reply was missing"
> + " 'flc' field"));
> + goto cleanup;
> + }
> +
> + if (virJSONValueObjectGetNumberUint(caps, "section-size",
> §ion_size) < 0) {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("query-sgx-capabilities reply was missing"
> + " 'section-size' field"));
> + goto cleanup;
> + }
> +
> +
> + if (VIR_ALLOC(capability) < 0)
> + goto cleanup;
> +
> + capability->flc = flc;
> +
> + capability->epc_size = section_size/(KB);
> + *capabilities = g_steal_pointer(&capability);
> + ret = 1;
> +
> + cleanup:
> + virJSONValueFree(cmd);
> + virJSONValueFree(reply);
Using "g_autoptr(virJsonValue) cmd;" and "g_autoptr(virJsonValue)
reply;" would remove the need for "goto" and the label.
[Haibin] good point
Regards,
Tim
> +
> + return ret;
> +}
> +
> +
> /**
> * qemuMonitorJSONGetSEVCapabilities:
> * @mon: qemu monitor object
> diff --git a/src/qemu/qemu_monitor_json.h
> b/src/qemu/qemu_monitor_json.h
> index 098ab857be..b0c23e57ac 100644
> --- a/src/qemu/qemu_monitor_json.h
> +++ b/src/qemu/qemu_monitor_json.h
> @@ -159,6 +159,9 @@ int
> qemuMonitorJSONGetGICCapabilities(qemuMonitorPtr mon,
> int qemuMonitorJSONGetSEVCapabilities(qemuMonitorPtr mon,
> virSEVCapability
> **capabilities);
>
> +int qemuMonitorJSONGetSGXCapabilities(qemuMonitorPtr mon,
> + virSGXCapability
> **capabilities);
> +
> int qemuMonitorJSONMigrate(qemuMonitorPtr mon,
> unsigned int flags,
> const char *uri);
> diff --git a/tests/domaincapsdata/bhyve_basic.x86_64.xml
> b/tests/domaincapsdata/bhyve_basic.x86_64.xml
> index bdf2c4eee8..8998fb2cee 100644
> --- a/tests/domaincapsdata/bhyve_basic.x86_64.xml
> +++ b/tests/domaincapsdata/bhyve_basic.x86_64.xml
> @@ -32,5 +32,6 @@
> <vmcoreinfo supported='no'/>
> <genid supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/bhyve_fbuf.x86_64.xml
> b/tests/domaincapsdata/bhyve_fbuf.x86_64.xml
> index f998c457c1..e013463456 100644
> --- a/tests/domaincapsdata/bhyve_fbuf.x86_64.xml
> +++ b/tests/domaincapsdata/bhyve_fbuf.x86_64.xml
> @@ -49,5 +49,6 @@
> <vmcoreinfo supported='no'/>
> <genid supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/bhyve_uefi.x86_64.xml
> b/tests/domaincapsdata/bhyve_uefi.x86_64.xml
> index 18f90023d5..d6243db384 100644
> --- a/tests/domaincapsdata/bhyve_uefi.x86_64.xml
> +++ b/tests/domaincapsdata/bhyve_uefi.x86_64.xml
> @@ -41,5 +41,6 @@
> <vmcoreinfo supported='no'/>
> <genid supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/empty.xml
> b/tests/domaincapsdata/empty.xml
> index 6c3f5f54fd..df55215ed5 100644
> --- a/tests/domaincapsdata/empty.xml
> +++ b/tests/domaincapsdata/empty.xml
> @@ -12,5 +12,6 @@
> </devices>
> <features>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/libxl-xenfv.xml
> b/tests/domaincapsdata/libxl-xenfv.xml
> index 4efc137c97..160c220728 100644
> --- a/tests/domaincapsdata/libxl-xenfv.xml
> +++ b/tests/domaincapsdata/libxl-xenfv.xml
> @@ -75,5 +75,6 @@
> <vmcoreinfo supported='no'/>
> <genid supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/libxl-xenpv.xml
> b/tests/domaincapsdata/libxl-xenpv.xml
> index 70e598fe9e..cbd64fabfc 100644
> --- a/tests/domaincapsdata/libxl-xenpv.xml
> +++ b/tests/domaincapsdata/libxl-xenpv.xml
> @@ -65,5 +65,6 @@
> <vmcoreinfo supported='no'/>
> <genid supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_1.5.3-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_1.5.3-q35.x86_64.xml
> index 3ed96a3ee7..183f55a09d 100644
> --- a/tests/domaincapsdata/qemu_1.5.3-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_1.5.3-q35.x86_64.xml
> @@ -137,5 +137,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_1.5.3-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_1.5.3-tcg.x86_64.xml
> index 3b3d89a643..680751ab5e 100644
> --- a/tests/domaincapsdata/qemu_1.5.3-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_1.5.3-tcg.x86_64.xml
> @@ -133,5 +133,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_1.5.3.x86_64.xml
> b/tests/domaincapsdata/qemu_1.5.3.x86_64.xml
> index 20cd3a105a..f2737be495 100644
> --- a/tests/domaincapsdata/qemu_1.5.3.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_1.5.3.x86_64.xml
> @@ -137,5 +137,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_1.6.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_1.6.0-q35.x86_64.xml
> index a4b26b46cb..38f510c0b4 100644
> --- a/tests/domaincapsdata/qemu_1.6.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_1.6.0-q35.x86_64.xml
> @@ -137,5 +137,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_1.6.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_1.6.0-tcg.x86_64.xml
> index 6bff19bad5..970d2b7b83 100644
> --- a/tests/domaincapsdata/qemu_1.6.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_1.6.0-tcg.x86_64.xml
> @@ -133,5 +133,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_1.6.0.x86_64.xml
> b/tests/domaincapsdata/qemu_1.6.0.x86_64.xml
> index 16417a13d2..eaa3e872e4 100644
> --- a/tests/domaincapsdata/qemu_1.6.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_1.6.0.x86_64.xml
> @@ -137,5 +137,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_1.7.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_1.7.0-q35.x86_64.xml
> index 559b49491e..55460bb3eb 100644
> --- a/tests/domaincapsdata/qemu_1.7.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_1.7.0-q35.x86_64.xml
> @@ -137,5 +137,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_1.7.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_1.7.0-tcg.x86_64.xml
> index 97e71bffff..cf816e1315 100644
> --- a/tests/domaincapsdata/qemu_1.7.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_1.7.0-tcg.x86_64.xml
> @@ -133,5 +133,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_1.7.0.x86_64.xml
> b/tests/domaincapsdata/qemu_1.7.0.x86_64.xml
> index 472c073de9..e86e538268 100644
> --- a/tests/domaincapsdata/qemu_1.7.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_1.7.0.x86_64.xml
> @@ -137,5 +137,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.1.1-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_2.1.1-q35.x86_64.xml
> index a87f5b2a63..7a94784943 100644
> --- a/tests/domaincapsdata/qemu_2.1.1-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.1.1-q35.x86_64.xml
> @@ -138,5 +138,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.1.1-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_2.1.1-tcg.x86_64.xml
> index 192a505d77..413f46d5a6 100644
> --- a/tests/domaincapsdata/qemu_2.1.1-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.1.1-tcg.x86_64.xml
> @@ -134,5 +134,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.1.1.x86_64.xml
> b/tests/domaincapsdata/qemu_2.1.1.x86_64.xml
> index 15adfe0ee8..d087157b06 100644
> --- a/tests/domaincapsdata/qemu_2.1.1.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.1.1.x86_64.xml
> @@ -138,5 +138,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.10.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_2.10.0-q35.x86_64.xml
> index be2840d9b8..a70eb157d9 100644
> --- a/tests/domaincapsdata/qemu_2.10.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.10.0-q35.x86_64.xml
> @@ -161,5 +161,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.10.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_2.10.0-tcg.x86_64.xml
> index 1193f49bd6..1730dd81ab 100644
> --- a/tests/domaincapsdata/qemu_2.10.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.10.0-tcg.x86_64.xml
> @@ -176,5 +176,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.10.0-virt.aarch64.xml
> b/tests/domaincapsdata/qemu_2.10.0-virt.aarch64.xml
> index 4505d64e3a..0fded78a64 100644
> --- a/tests/domaincapsdata/qemu_2.10.0-virt.aarch64.xml
> +++ b/tests/domaincapsdata/qemu_2.10.0-virt.aarch64.xml
> @@ -145,5 +145,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.10.0.aarch64.xml
> b/tests/domaincapsdata/qemu_2.10.0.aarch64.xml
> index 629833b745..d74e018aea 100644
> --- a/tests/domaincapsdata/qemu_2.10.0.aarch64.xml
> +++ b/tests/domaincapsdata/qemu_2.10.0.aarch64.xml
> @@ -139,5 +139,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.10.0.ppc64.xml
> b/tests/domaincapsdata/qemu_2.10.0.ppc64.xml
> index 863afbc0df..ba102fd26f 100644
> --- a/tests/domaincapsdata/qemu_2.10.0.ppc64.xml
> +++ b/tests/domaincapsdata/qemu_2.10.0.ppc64.xml
> @@ -111,5 +111,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.10.0.s390x.xml
> b/tests/domaincapsdata/qemu_2.10.0.s390x.xml
> index ce5c92edce..3c16cc8b05 100644
> --- a/tests/domaincapsdata/qemu_2.10.0.s390x.xml
> +++ b/tests/domaincapsdata/qemu_2.10.0.s390x.xml
> @@ -200,5 +200,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.10.0.x86_64.xml
> b/tests/domaincapsdata/qemu_2.10.0.x86_64.xml
> index 6596016d33..a47914a796 100644
> --- a/tests/domaincapsdata/qemu_2.10.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.10.0.x86_64.xml
> @@ -161,5 +161,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.11.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_2.11.0-q35.x86_64.xml
> index c2e148e0fc..f0348486fd 100644
> --- a/tests/domaincapsdata/qemu_2.11.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.11.0-q35.x86_64.xml
> @@ -159,5 +159,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.11.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_2.11.0-tcg.x86_64.xml
> index 7f66cf7b7e..e8282b30fc 100644
> --- a/tests/domaincapsdata/qemu_2.11.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.11.0-tcg.x86_64.xml
> @@ -171,5 +171,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.11.0.s390x.xml
> b/tests/domaincapsdata/qemu_2.11.0.s390x.xml
> index c5b48fdad5..2fdbe3ce5d 100644
> --- a/tests/domaincapsdata/qemu_2.11.0.s390x.xml
> +++ b/tests/domaincapsdata/qemu_2.11.0.s390x.xml
> @@ -199,5 +199,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.11.0.x86_64.xml
> b/tests/domaincapsdata/qemu_2.11.0.x86_64.xml
> index 38b6b20f77..de5404b2a4 100644
> --- a/tests/domaincapsdata/qemu_2.11.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.11.0.x86_64.xml
> @@ -159,5 +159,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.12.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_2.12.0-q35.x86_64.xml
> index 8d38d33369..e977a8937a 100644
> --- a/tests/domaincapsdata/qemu_2.12.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.12.0-q35.x86_64.xml
> @@ -176,5 +176,6 @@
> <cbitpos>47</cbitpos>
> <reducedPhysBits>1</reducedPhysBits>
> </sev>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.12.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_2.12.0-tcg.x86_64.xml
> index 9a89587115..3a4c85eb65 100644
> --- a/tests/domaincapsdata/qemu_2.12.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.12.0-tcg.x86_64.xml
> @@ -185,5 +185,6 @@
> <cbitpos>47</cbitpos>
> <reducedPhysBits>1</reducedPhysBits>
> </sev>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.12.0-virt.aarch64.xml
> b/tests/domaincapsdata/qemu_2.12.0-virt.aarch64.xml
> index 8ea58bfa25..f78722ea3c 100644
> --- a/tests/domaincapsdata/qemu_2.12.0-virt.aarch64.xml
> +++ b/tests/domaincapsdata/qemu_2.12.0-virt.aarch64.xml
> @@ -147,5 +147,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.12.0.aarch64.xml
> b/tests/domaincapsdata/qemu_2.12.0.aarch64.xml
> index 667516e75e..c7de5ad674 100644
> --- a/tests/domaincapsdata/qemu_2.12.0.aarch64.xml
> +++ b/tests/domaincapsdata/qemu_2.12.0.aarch64.xml
> @@ -141,5 +141,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.12.0.ppc64.xml
> b/tests/domaincapsdata/qemu_2.12.0.ppc64.xml
> index eac3e6a868..8d3377e937 100644
> --- a/tests/domaincapsdata/qemu_2.12.0.ppc64.xml
> +++ b/tests/domaincapsdata/qemu_2.12.0.ppc64.xml
> @@ -111,5 +111,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.12.0.s390x.xml
> b/tests/domaincapsdata/qemu_2.12.0.s390x.xml
> index 01cc3d81ec..12ff7cfd95 100644
> --- a/tests/domaincapsdata/qemu_2.12.0.s390x.xml
> +++ b/tests/domaincapsdata/qemu_2.12.0.s390x.xml
> @@ -198,5 +198,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.12.0.x86_64.xml
> b/tests/domaincapsdata/qemu_2.12.0.x86_64.xml
> index 6e006a3ba3..2039b77790 100644
> --- a/tests/domaincapsdata/qemu_2.12.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.12.0.x86_64.xml
> @@ -176,5 +176,6 @@
> <cbitpos>47</cbitpos>
> <reducedPhysBits>1</reducedPhysBits>
> </sev>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.4.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_2.4.0-q35.x86_64.xml
> index 23e103927e..608118652a 100644
> --- a/tests/domaincapsdata/qemu_2.4.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.4.0-q35.x86_64.xml
> @@ -146,5 +146,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.4.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_2.4.0-tcg.x86_64.xml
> index 2a6296739c..411780d41e 100644
> --- a/tests/domaincapsdata/qemu_2.4.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.4.0-tcg.x86_64.xml
> @@ -142,5 +142,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.4.0.x86_64.xml
> b/tests/domaincapsdata/qemu_2.4.0.x86_64.xml
> index 7c6d78e510..6bd8627277 100644
> --- a/tests/domaincapsdata/qemu_2.4.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.4.0.x86_64.xml
> @@ -146,5 +146,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.5.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_2.5.0-q35.x86_64.xml
> index bb8bd9c5c5..fe465bcfaa 100644
> --- a/tests/domaincapsdata/qemu_2.5.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.5.0-q35.x86_64.xml
> @@ -146,5 +146,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.5.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_2.5.0-tcg.x86_64.xml
> index 8b022e9bd7..b4803039df 100644
> --- a/tests/domaincapsdata/qemu_2.5.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.5.0-tcg.x86_64.xml
> @@ -142,5 +142,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.5.0.x86_64.xml
> b/tests/domaincapsdata/qemu_2.5.0.x86_64.xml
> index a89990a42e..07eea7c96c 100644
> --- a/tests/domaincapsdata/qemu_2.5.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.5.0.x86_64.xml
> @@ -146,5 +146,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.6.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_2.6.0-q35.x86_64.xml
> index 251696a161..c490c36170 100644
> --- a/tests/domaincapsdata/qemu_2.6.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.6.0-q35.x86_64.xml
> @@ -146,5 +146,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.6.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_2.6.0-tcg.x86_64.xml
> index 7937fad971..3b53321be5 100644
> --- a/tests/domaincapsdata/qemu_2.6.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.6.0-tcg.x86_64.xml
> @@ -142,5 +142,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.6.0-virt.aarch64.xml
> b/tests/domaincapsdata/qemu_2.6.0-virt.aarch64.xml
> index 95053e9cbe..c1697eabf8 100644
> --- a/tests/domaincapsdata/qemu_2.6.0-virt.aarch64.xml
> +++ b/tests/domaincapsdata/qemu_2.6.0-virt.aarch64.xml
> @@ -144,5 +144,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.6.0.aarch64.xml
> b/tests/domaincapsdata/qemu_2.6.0.aarch64.xml
> index 223e944c8a..121acd636f 100644
> --- a/tests/domaincapsdata/qemu_2.6.0.aarch64.xml
> +++ b/tests/domaincapsdata/qemu_2.6.0.aarch64.xml
> @@ -138,5 +138,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.6.0.ppc64.xml
> b/tests/domaincapsdata/qemu_2.6.0.ppc64.xml
> index c97f232028..41217aa7b1 100644
> --- a/tests/domaincapsdata/qemu_2.6.0.ppc64.xml
> +++ b/tests/domaincapsdata/qemu_2.6.0.ppc64.xml
> @@ -111,5 +111,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.6.0.x86_64.xml
> b/tests/domaincapsdata/qemu_2.6.0.x86_64.xml
> index f95f8fb46a..586855e7e3 100644
> --- a/tests/domaincapsdata/qemu_2.6.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.6.0.x86_64.xml
> @@ -146,5 +146,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.7.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_2.7.0-q35.x86_64.xml
> index 1e6c47f2d6..d8e523e904 100644
> --- a/tests/domaincapsdata/qemu_2.7.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.7.0-q35.x86_64.xml
> @@ -147,5 +147,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.7.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_2.7.0-tcg.x86_64.xml
> index 8b7c2ce8e6..ed92bee692 100644
> --- a/tests/domaincapsdata/qemu_2.7.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.7.0-tcg.x86_64.xml
> @@ -143,5 +143,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.7.0.s390x.xml
> b/tests/domaincapsdata/qemu_2.7.0.s390x.xml
> index ff3dd4939b..b8bc1245ec 100644
> --- a/tests/domaincapsdata/qemu_2.7.0.s390x.xml
> +++ b/tests/domaincapsdata/qemu_2.7.0.s390x.xml
> @@ -103,5 +103,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.7.0.x86_64.xml
> b/tests/domaincapsdata/qemu_2.7.0.x86_64.xml
> index da1b10c41b..c2df40d00e 100644
> --- a/tests/domaincapsdata/qemu_2.7.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.7.0.x86_64.xml
> @@ -147,5 +147,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.8.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_2.8.0-q35.x86_64.xml
> index 0a7493d86d..78acecdfd7 100644
> --- a/tests/domaincapsdata/qemu_2.8.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.8.0-q35.x86_64.xml
> @@ -147,5 +147,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.8.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_2.8.0-tcg.x86_64.xml
> index 100e8e059c..638bfea6f7 100644
> --- a/tests/domaincapsdata/qemu_2.8.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.8.0-tcg.x86_64.xml
> @@ -143,5 +143,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.8.0.s390x.xml
> b/tests/domaincapsdata/qemu_2.8.0.s390x.xml
> index 47b1aa46f7..233092be64 100644
> --- a/tests/domaincapsdata/qemu_2.8.0.s390x.xml
> +++ b/tests/domaincapsdata/qemu_2.8.0.s390x.xml
> @@ -184,5 +184,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.8.0.x86_64.xml
> b/tests/domaincapsdata/qemu_2.8.0.x86_64.xml
> index 6fa754c18a..deb094df40 100644
> --- a/tests/domaincapsdata/qemu_2.8.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.8.0.x86_64.xml
> @@ -147,5 +147,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.9.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_2.9.0-q35.x86_64.xml
> index 3df3c3738e..0669e56b1d 100644
> --- a/tests/domaincapsdata/qemu_2.9.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.9.0-q35.x86_64.xml
> @@ -156,5 +156,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.9.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_2.9.0-tcg.x86_64.xml
> index 08bb5fbad7..045c308f8e 100644
> --- a/tests/domaincapsdata/qemu_2.9.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.9.0-tcg.x86_64.xml
> @@ -175,5 +175,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.9.0.ppc64.xml
> b/tests/domaincapsdata/qemu_2.9.0.ppc64.xml
> index 3776b6ed9c..deca3b2373 100644
> --- a/tests/domaincapsdata/qemu_2.9.0.ppc64.xml
> +++ b/tests/domaincapsdata/qemu_2.9.0.ppc64.xml
> @@ -111,5 +111,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.9.0.s390x.xml
> b/tests/domaincapsdata/qemu_2.9.0.s390x.xml
> index cf7e7781cc..263a2a9a71 100644
> --- a/tests/domaincapsdata/qemu_2.9.0.s390x.xml
> +++ b/tests/domaincapsdata/qemu_2.9.0.s390x.xml
> @@ -185,5 +185,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_2.9.0.x86_64.xml
> b/tests/domaincapsdata/qemu_2.9.0.x86_64.xml
> index a80ef28488..a553b5c7f2 100644
> --- a/tests/domaincapsdata/qemu_2.9.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_2.9.0.x86_64.xml
> @@ -156,5 +156,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_3.0.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_3.0.0-q35.x86_64.xml
> index cd37906bc7..b8e27b774d 100644
> --- a/tests/domaincapsdata/qemu_3.0.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_3.0.0-q35.x86_64.xml
> @@ -174,5 +174,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_3.0.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_3.0.0-tcg.x86_64.xml
> index d3211e7a13..797b3496b8 100644
> --- a/tests/domaincapsdata/qemu_3.0.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_3.0.0-tcg.x86_64.xml
> @@ -185,5 +185,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_3.0.0.ppc64.xml
> b/tests/domaincapsdata/qemu_3.0.0.ppc64.xml
> index 1b8ddd4ed0..e791c0619c 100644
> --- a/tests/domaincapsdata/qemu_3.0.0.ppc64.xml
> +++ b/tests/domaincapsdata/qemu_3.0.0.ppc64.xml
> @@ -113,5 +113,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_3.0.0.s390x.xml
> b/tests/domaincapsdata/qemu_3.0.0.s390x.xml
> index 7a4e536fb5..c12e40ca10 100644
> --- a/tests/domaincapsdata/qemu_3.0.0.s390x.xml
> +++ b/tests/domaincapsdata/qemu_3.0.0.s390x.xml
> @@ -205,5 +205,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_3.0.0.x86_64.xml
> b/tests/domaincapsdata/qemu_3.0.0.x86_64.xml
> index 9fa4224760..7667232cb1 100644
> --- a/tests/domaincapsdata/qemu_3.0.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_3.0.0.x86_64.xml
> @@ -174,5 +174,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_3.1.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_3.1.0-q35.x86_64.xml
> index 82b1b6a095..f24b621b4a 100644
> --- a/tests/domaincapsdata/qemu_3.1.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_3.1.0-q35.x86_64.xml
> @@ -177,5 +177,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_3.1.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_3.1.0-tcg.x86_64.xml
> index 756b28034e..8ddcf7495d 100644
> --- a/tests/domaincapsdata/qemu_3.1.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_3.1.0-tcg.x86_64.xml
> @@ -188,5 +188,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_3.1.0.ppc64.xml
> b/tests/domaincapsdata/qemu_3.1.0.ppc64.xml
> index 6a2bc87947..b34c8e8e02 100644
> --- a/tests/domaincapsdata/qemu_3.1.0.ppc64.xml
> +++ b/tests/domaincapsdata/qemu_3.1.0.ppc64.xml
> @@ -113,5 +113,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_3.1.0.x86_64.xml
> b/tests/domaincapsdata/qemu_3.1.0.x86_64.xml
> index ffc82f17c3..5440773513 100644
> --- a/tests/domaincapsdata/qemu_3.1.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_3.1.0.x86_64.xml
> @@ -177,5 +177,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.0.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_4.0.0-q35.x86_64.xml
> index c837de966f..2ccb7e850f 100644
> --- a/tests/domaincapsdata/qemu_4.0.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_4.0.0-q35.x86_64.xml
> @@ -177,5 +177,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.0.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_4.0.0-tcg.x86_64.xml
> index 0aa8aa18be..87a56371e1 100644
> --- a/tests/domaincapsdata/qemu_4.0.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_4.0.0-tcg.x86_64.xml
> @@ -189,5 +189,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.0.0-virt.aarch64.xml
> b/tests/domaincapsdata/qemu_4.0.0-virt.aarch64.xml
> index f5347aba9f..6a8a15cb82 100644
> --- a/tests/domaincapsdata/qemu_4.0.0-virt.aarch64.xml
> +++ b/tests/domaincapsdata/qemu_4.0.0-virt.aarch64.xml
> @@ -154,5 +154,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.0.0.aarch64.xml
> b/tests/domaincapsdata/qemu_4.0.0.aarch64.xml
> index b879d7553c..2a6d6cb4ec 100644
> --- a/tests/domaincapsdata/qemu_4.0.0.aarch64.xml
> +++ b/tests/domaincapsdata/qemu_4.0.0.aarch64.xml
> @@ -148,5 +148,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.0.0.ppc64.xml
> b/tests/domaincapsdata/qemu_4.0.0.ppc64.xml
> index 0642753f11..4831fe949d 100644
> --- a/tests/domaincapsdata/qemu_4.0.0.ppc64.xml
> +++ b/tests/domaincapsdata/qemu_4.0.0.ppc64.xml
> @@ -114,5 +114,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.0.0.s390x.xml
> b/tests/domaincapsdata/qemu_4.0.0.s390x.xml
> index 632c26d689..7277154d38 100644
> --- a/tests/domaincapsdata/qemu_4.0.0.s390x.xml
> +++ b/tests/domaincapsdata/qemu_4.0.0.s390x.xml
> @@ -210,5 +210,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.0.0.x86_64.xml
> b/tests/domaincapsdata/qemu_4.0.0.x86_64.xml
> index 3f64bd4b66..e230e39773 100644
> --- a/tests/domaincapsdata/qemu_4.0.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_4.0.0.x86_64.xml
> @@ -177,5 +177,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.1.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_4.1.0-q35.x86_64.xml
> index 8bf41d6b49..4ea0c221e3 100644
> --- a/tests/domaincapsdata/qemu_4.1.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_4.1.0-q35.x86_64.xml
> @@ -182,5 +182,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.1.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_4.1.0-tcg.x86_64.xml
> index d6265ce243..fd8a2d29de 100644
> --- a/tests/domaincapsdata/qemu_4.1.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_4.1.0-tcg.x86_64.xml
> @@ -190,5 +190,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.1.0.x86_64.xml
> b/tests/domaincapsdata/qemu_4.1.0.x86_64.xml
> index 5010f879a6..db4fbb81d5 100644
> --- a/tests/domaincapsdata/qemu_4.1.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_4.1.0.x86_64.xml
> @@ -182,5 +182,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
> index 6f72b67f68..dc1e0b1bcc 100644
> --- a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
> @@ -189,5 +189,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
> index 7339a3f81c..298cd92d3d 100644
> --- a/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
> @@ -196,5 +196,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
> b/tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
> index ef57216562..8ede831af4 100644
> --- a/tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
> +++ b/tests/domaincapsdata/qemu_4.2.0-virt.aarch64.xml
> @@ -155,5 +155,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.2.0.aarch64.xml
> b/tests/domaincapsdata/qemu_4.2.0.aarch64.xml
> index 3cf2a6faf1..802631b704 100644
> --- a/tests/domaincapsdata/qemu_4.2.0.aarch64.xml
> +++ b/tests/domaincapsdata/qemu_4.2.0.aarch64.xml
> @@ -149,5 +149,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.2.0.ppc64.xml
> b/tests/domaincapsdata/qemu_4.2.0.ppc64.xml
> index 0f2cf6da64..14923e14b5 100644
> --- a/tests/domaincapsdata/qemu_4.2.0.ppc64.xml
> +++ b/tests/domaincapsdata/qemu_4.2.0.ppc64.xml
> @@ -115,5 +115,6 @@
> <backingStoreInput supported='no'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.2.0.s390x.xml
> b/tests/domaincapsdata/qemu_4.2.0.s390x.xml
> index ecd037438a..21cefb9ff4 100644
> --- a/tests/domaincapsdata/qemu_4.2.0.s390x.xml
> +++ b/tests/domaincapsdata/qemu_4.2.0.s390x.xml
> @@ -224,5 +224,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
> b/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
> index f4a8321637..55b3e0d545 100644
> --- a/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
> @@ -189,5 +189,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
> index fc21b2ad62..0252950bb6 100644
> --- a/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
> @@ -190,5 +190,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
> index 110a79dd34..bcbbf8a8d8 100644
> --- a/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
> @@ -196,5 +196,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
> b/tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
> index b2b37c0f7b..fc110c1028 100644
> --- a/tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
> +++ b/tests/domaincapsdata/qemu_5.0.0-virt.aarch64.xml
> @@ -156,5 +156,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_5.0.0.aarch64.xml
> b/tests/domaincapsdata/qemu_5.0.0.aarch64.xml
> index 7377a2c4cf..d21e85f289 100644
> --- a/tests/domaincapsdata/qemu_5.0.0.aarch64.xml
> +++ b/tests/domaincapsdata/qemu_5.0.0.aarch64.xml
> @@ -150,5 +150,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_5.0.0.ppc64.xml
> b/tests/domaincapsdata/qemu_5.0.0.ppc64.xml
> index 9693aeb72e..f3ffaaeca9 100644
> --- a/tests/domaincapsdata/qemu_5.0.0.ppc64.xml
> +++ b/tests/domaincapsdata/qemu_5.0.0.ppc64.xml
> @@ -115,5 +115,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
> b/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
> index aceca34c43..269976d0c4 100644
> --- a/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
> @@ -190,5 +190,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
> b/tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
> index e1762611c5..9044d839ad 100644
> --- a/tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_5.1.0-q35.x86_64.xml
> @@ -202,5 +202,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
> b/tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
> index 86f091d238..cec56619d6 100644
> --- a/tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_5.1.0-tcg.x86_64.xml
> @@ -196,5 +196,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
> diff --git a/tests/domaincapsdata/qemu_5.1.0.x86_64.xml
> b/tests/domaincapsdata/qemu_5.1.0.x86_64.xml
> index 117f316b6a..b0b0d8b4a9 100644
> --- a/tests/domaincapsdata/qemu_5.1.0.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_5.1.0.x86_64.xml
> @@ -202,5 +202,6 @@
> <backingStoreInput supported='yes'/>
> <backup supported='no'/>
> <sev supported='no'/>
> + <sgx supported='no'/>
> </features>
> </domainCapabilities>
4:47 a.m.
On Thu, Jul 01, 2021 at 08:10:25PM +0800, Haibin Huang wrote:
This patch series provides support for enabling Intel's Software
Guard Extensions (SGX) feature in guest VM.
Giving the SGX support in QEMU is still pending for reviewing, this patch series is not
submmited for code
review, but only describe the SGX enabling solution design that contains changes to
virConnectGetDomainCapabilities
API response and domain definition. All comments/suggestions would be highly
appreciated.
Intel Software Guard Extensions (Intel® SGX) is a set of instructions that increases the
security of application
code and data, giving them more protection from disclosure or modification. Developers
can partition sensitive
information into enclaves, which are areas of execution in memory with more security
protection.
The typical flow looks below at very high level:
1. Calls virConnectGetDomainCapabilities API to domain capabilities that includes the
following SGX information.
<feature>
...
<sgx supported='yes'>
<epc_size unit=’KiB’>N</epc_size>
</sgx>
</feature>
2. User requests to start a guest calling virCreateXML() with SGX requirement.
It should contain
<launchSecurity type='sgx'>
<epc_size unit='KiB'>N</epc_size>
</launchSecurity>
I don't think that Intel SGX belongs into <launchSecurity> in libvirt.
Similar feature to AMD SEV is Intel TDX which would be implement using
<launchSecurity> as it offers isolation between host and VM.
Looking at the patches this doesn't even use confidential-guest-support
machine option, it adds a new memory backend and enables CPU features
only if libvirt uses <cpu mode='custom'> so it would not work with any
other CPU mode.
To me this sounds like we should split the feature into two components
where one would add support for the new memory backend into correct XML
part [1] and the other component would be support for CPU features
related to Intel SGX [2].
Pavel
[1] <https://libvirt.org/formatdomain.html#memory-backing>
[2] <https://libvirt.org/formatdomain.html#cpu-model-and-topology>
Haibin Huang (1):
Support to query SGX capability
Lin Yang (3):
conf: Introduce SGX related element into domain xml
qemu: Add command-line to generate SGX EPC memory backend
qemu: Add command-line to enable SGX
src/conf/domain_capabilities.c | 29 ++++
src/conf/domain_capabilities.h | 13 ++
src/conf/domain_conf.c | 106 +++++++++----
src/conf/domain_conf.h | 10 ++
src/conf/virconftypes.h | 3 +
src/libvirt_private.syms | 2 +-
src/qemu/qemu_capabilities.c | 146 ++++++++++++++++++
src/qemu/qemu_capabilities.h | 6 +
src/qemu/qemu_command.c | 30 ++++
src/qemu/qemu_monitor.c | 10 ++
src/qemu/qemu_monitor.h | 3 +
src/qemu/qemu_monitor_json.c | 91 +++++++++++
src/qemu/qemu_monitor_json.h | 3 +
tests/domaincapsdata/bhyve_basic.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_fbuf.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_uefi.x86_64.xml | 1 +
tests/domaincapsdata/empty.xml | 1 +
tests/domaincapsdata/libxl-xenfv.xml | 1 +
tests/domaincapsdata/libxl-xenpv.xml | 1 +
.../domaincapsdata/qemu_1.5.3-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.5.3-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.5.3.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.6.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.6.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.6.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.7.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_1.7.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_1.7.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.1.1-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.1.1-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.1.1.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.10.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.10.0-tcg.x86_64.xml | 1 +
.../qemu_2.10.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 1 +
.../qemu_2.12.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.4.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.4.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.5.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.5.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.6.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml | 1 +
.../qemu_2.6.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.6.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.7.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.7.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.7.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.8.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.8.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.8.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.9.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.9.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml | 1 +
.../qemu_4.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_4.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 1 +
.../qemu_4.2.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml | 1 +
.../qemu_5.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_5.1.0.x86_64.xml | 1 +
109 files changed, 519 insertions(+), 29 deletions(-)
--
2.17.1
7:58 p.m.
-----Original Message-----
From: Pavel Hrdina <phrdina(a)redhat.com>
Sent: Wednesday, July 7, 2021 5:48 PM
To: Huang, Haibin <haibin.huang(a)intel.com>
Cc: libvir-list(a)redhat.com; Ding, Jian-feng <jian-feng.ding(a)intel.com>; Yang,
Lin A <lin.a.yang(a)intel.com>; Lu, Lianhao <lianhao.lu(a)intel.com>
Subject: Re: [libvirt][PATCH v4 0/4] Support query and use SGX
On Thu, Jul 01, 2021 at 08:10:25PM +0800, Haibin Huang wrote:
> This patch series provides support for enabling Intel's Software Guard
Extensions (SGX) feature in guest VM.
>
> Giving the SGX support in QEMU is still pending for reviewing, this
> patch series is not submmited for code review, but only describe the
> SGX enabling solution design that contains changes to
virConnectGetDomainCapabilities API response and domain definition. All
comments/suggestions would be highly appreciated.
>
> Intel Software Guard Extensions (Intel® SGX) is a set of instructions
> that increases the security of application code and data, giving them
> more protection from disclosure or modification. Developers can partition
sensitive information into enclaves, which are areas of execution in memory
with more security protection.
>
> The typical flow looks below at very high level:
>
> 1. Calls virConnectGetDomainCapabilities API to domain capabilities that
includes the following SGX information.
>
> <feature>
> ...
> <sgx supported='yes'>
> <epc_size unit=’KiB’>N</epc_size>
> </sgx>
> </feature>
>
> 2. User requests to start a guest calling virCreateXML() with SGX requirement.
> It should contain
>
> <launchSecurity type='sgx'>
> <epc_size unit='KiB'>N</epc_size>
> </launchSecurity>
I don't think that Intel SGX belongs into <launchSecurity> in libvirt.
Similar feature to AMD SEV is Intel TDX which would be implement using
<launchSecurity> as it offers isolation between host and VM.
Looking at the patches this doesn't even use confidential-guest-support machine
option, it adds a new memory backend and enables CPU features only if libvirt
uses <cpu mode='custom'> so it would not work with any other CPU mode.
To me this sounds like we should split the feature into two components where
one would add support for the new memory backend into correct XML part [1]
and the other component would be support for CPU features related to Intel
SGX [2].
[Haibin] ok, those specific CPU features we added have been deleted and
let user to specify it in [2].
Do we need to add new element in memory backend for SGX EPC memory?
Pavel
[1] <https://libvirt.org/formatdomain.html#memory-backing>
[2] <https://libvirt.org/formatdomain.html#cpu-model-and-topology>
> Haibin Huang (1):
> Support to query SGX capability
>
> Lin Yang (3):
> conf: Introduce SGX related element into domain xml
> qemu: Add command-line to generate SGX EPC memory backend
> qemu: Add command-line to enable SGX
>
> src/conf/domain_capabilities.c | 29 ++++
> src/conf/domain_capabilities.h | 13 ++
> src/conf/domain_conf.c | 106 +++++++++----
> src/conf/domain_conf.h | 10 ++
> src/conf/virconftypes.h | 3 +
> src/libvirt_private.syms | 2 +-
> src/qemu/qemu_capabilities.c | 146 ++++++++++++++++++
> src/qemu/qemu_capabilities.h | 6 +
> src/qemu/qemu_command.c | 30 ++++
> src/qemu/qemu_monitor.c | 10 ++
> src/qemu/qemu_monitor.h | 3 +
> src/qemu/qemu_monitor_json.c | 91 +++++++++++
> src/qemu/qemu_monitor_json.h | 3 +
> tests/domaincapsdata/bhyve_basic.x86_64.xml | 1 +
> tests/domaincapsdata/bhyve_fbuf.x86_64.xml | 1 +
> tests/domaincapsdata/bhyve_uefi.x86_64.xml | 1 +
> tests/domaincapsdata/empty.xml | 1 +
> tests/domaincapsdata/libxl-xenfv.xml | 1 +
> tests/domaincapsdata/libxl-xenpv.xml | 1 +
> .../domaincapsdata/qemu_1.5.3-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_1.5.3-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_1.5.3.x86_64.xml | 1 +
> .../domaincapsdata/qemu_1.6.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_1.6.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_1.6.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_1.7.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_1.7.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_1.7.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.1.1-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.1.1-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.1.1.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.10.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.10.0-tcg.x86_64.xml | 1 +
> .../qemu_2.10.0-virt.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_2.10.0.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_2.10.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_2.10.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_2.10.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.11.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.11.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_2.11.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 1 +
> .../qemu_2.12.0-virt.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_2.12.0.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_2.12.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_2.12.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.4.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.4.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.5.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.5.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.6.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml | 1 +
> .../qemu_2.6.0-virt.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_2.6.0.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_2.6.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_2.6.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.7.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.7.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_2.7.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.8.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.8.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_2.8.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.9.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_2.9.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_2.9.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_2.9.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_3.0.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_3.0.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_3.0.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_3.0.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_3.1.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_3.1.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_3.1.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_4.0.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml | 1 +
> .../qemu_4.0.0-virt.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_4.0.0.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_4.0.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_4.0.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_4.0.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_4.1.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_4.1.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 1 +
> .../qemu_4.2.0-virt.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_4.2.0.s390x.xml | 1 +
> tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_5.0.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml | 1 +
> .../qemu_5.0.0-virt.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_5.0.0.aarch64.xml | 1 +
> tests/domaincapsdata/qemu_5.0.0.ppc64.xml | 1 +
> tests/domaincapsdata/qemu_5.0.0.x86_64.xml | 1 +
> .../domaincapsdata/qemu_5.1.0-q35.x86_64.xml | 1 +
> .../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml | 1 +
> tests/domaincapsdata/qemu_5.1.0.x86_64.xml | 1 +
> 109 files changed, 519 insertions(+), 29 deletions(-)
>
> --
> 2.17.1
>
3:47 a.m.
On Fri, Jul 16, 2021 at 12:58:19AM +0000, Huang, Haibin wrote:
> -----Original Message-----
> From: Pavel Hrdina <phrdina(a)redhat.com>
> Sent: Wednesday, July 7, 2021 5:48 PM
> To: Huang, Haibin <haibin.huang(a)intel.com>
> Cc: libvir-list(a)redhat.com; Ding, Jian-feng <jian-feng.ding(a)intel.com>; Yang,
> Lin A <lin.a.yang(a)intel.com>; Lu, Lianhao <lianhao.lu(a)intel.com>
> Subject: Re: [libvirt][PATCH v4 0/4] Support query and use SGX
>
> On Thu, Jul 01, 2021 at 08:10:25PM +0800, Haibin Huang wrote:
> > This patch series provides support for enabling Intel's Software Guard
> Extensions (SGX) feature in guest VM.
> >
> > Giving the SGX support in QEMU is still pending for reviewing, this
> > patch series is not submmited for code review, but only describe the
> > SGX enabling solution design that contains changes to
> virConnectGetDomainCapabilities API response and domain definition. All
> comments/suggestions would be highly appreciated.
> >
> > Intel Software Guard Extensions (Intel® SGX) is a set of instructions
> > that increases the security of application code and data, giving them
> > more protection from disclosure or modification. Developers can partition
> sensitive information into enclaves, which are areas of execution in memory
> with more security protection.
> >
> > The typical flow looks below at very high level:
> >
> > 1. Calls virConnectGetDomainCapabilities API to domain capabilities that
> includes the following SGX information.
> >
> > <feature>
> > ...
> > <sgx supported='yes'>
> > <epc_size unit=’KiB’>N</epc_size>
> > </sgx>
> > </feature>
> >
> > 2. User requests to start a guest calling virCreateXML() with SGX requirement.
> > It should contain
> >
> > <launchSecurity type='sgx'>
> > <epc_size unit='KiB'>N</epc_size>
> > </launchSecurity>
>
> I don't think that Intel SGX belongs into <launchSecurity> in libvirt.
> Similar feature to AMD SEV is Intel TDX which would be implement using
> <launchSecurity> as it offers isolation between host and VM.
>
> Looking at the patches this doesn't even use confidential-guest-support machine
> option, it adds a new memory backend and enables CPU features only if libvirt
> uses <cpu mode='custom'> so it would not work with any other CPU
mode.
>
> To me this sounds like we should split the feature into two components where
> one would add support for the new memory backend into correct XML part [1]
> and the other component would be support for CPU features related to Intel
> SGX [2].
[Haibin] ok, those specific CPU features we added have been deleted and let user to
specify it in [2].
Do we need to add new element in memory backend for SGX EPC memory?
Correct, reading QEMU and kernel patches to enable this feature in
libvirt user will need to configure SGX EPC memory backend manually.
However, we will not be able to reuse <memoryBacking> element in the VM
XML without a lot of modification to the current code. Mainly, there can
be mupltiple SGX EPC memory sections and each can have different size.
Current code allows only single <memoryBacking> file and it is closely
tied with VM RAM.
To express SGX EPC in VM XML we will need new element, for example we
can use <memory> device:
<devices>
...
<memory model='sgx-epc'>
<target>
<size unit='MiB'>64</size>
<node>0</node>
</target>
</memory>
...
</devices>
but this would require to modify the current <memory> code as the
'sgx-epc' would be a special case where we would not use '-device'
option because we need to add it to '-machine' parameter.
Another option is to create completely new element, similar to
<launchSecurity> outside of <devices> element. I'm not sure about the
naming of the new element, one thing that comes to my mind is
<memoryRegion> with type='sgx-epc'.
Based on my findings and reading different documentations and QEMU
patches it seems that in real HW the 'sgx-epc' is encrypted memory
stored within the physical RAM but in QEMU it will be additional memory
region sitting next to the VM RAM.
Adding to CC Dan, Peter, Michal to get more opinions/ideas how to design
this feature. Here is the documentation posted to QEMU list [1].
Pavel
[1] <https://lists.nongnu.org/archive/html/qemu-devel/2021-07/msg02539.html>
4:16 a.m.
On Tue, Jul 20, 2021 at 10:47:27AM +0200, Pavel Hrdina wrote:
On Fri, Jul 16, 2021 at 12:58:19AM +0000, Huang, Haibin wrote:
>
> > -----Original Message-----
> > From: Pavel Hrdina <phrdina(a)redhat.com>
> > Sent: Wednesday, July 7, 2021 5:48 PM
> > To: Huang, Haibin <haibin.huang(a)intel.com>
> > Cc: libvir-list(a)redhat.com; Ding, Jian-feng <jian-feng.ding(a)intel.com>;
Yang,
> > Lin A <lin.a.yang(a)intel.com>; Lu, Lianhao <lianhao.lu(a)intel.com>
> > Subject: Re: [libvirt][PATCH v4 0/4] Support query and use SGX
> >
> > On Thu, Jul 01, 2021 at 08:10:25PM +0800, Haibin Huang wrote:
> > > This patch series provides support for enabling Intel's Software
Guard
> > Extensions (SGX) feature in guest VM.
> > >
> > > Giving the SGX support in QEMU is still pending for reviewing, this
> > > patch series is not submmited for code review, but only describe the
> > > SGX enabling solution design that contains changes to
> > virConnectGetDomainCapabilities API response and domain definition. All
> > comments/suggestions would be highly appreciated.
> > >
> > > Intel Software Guard Extensions (Intel® SGX) is a set of instructions
> > > that increases the security of application code and data, giving them
> > > more protection from disclosure or modification. Developers can partition
> > sensitive information into enclaves, which are areas of execution in memory
> > with more security protection.
> > >
> > > The typical flow looks below at very high level:
> > >
> > > 1. Calls virConnectGetDomainCapabilities API to domain capabilities that
> > includes the following SGX information.
> > >
> > > <feature>
> > > ...
> > > <sgx supported='yes'>
> > > <epc_size unit=’KiB’>N</epc_size>
> > > </sgx>
> > > </feature>
> > >
> > > 2. User requests to start a guest calling virCreateXML() with SGX
requirement.
> > > It should contain
> > >
> > > <launchSecurity type='sgx'>
> > > <epc_size unit='KiB'>N</epc_size>
> > > </launchSecurity>
> >
> > I don't think that Intel SGX belongs into <launchSecurity> in
libvirt.
> > Similar feature to AMD SEV is Intel TDX which would be implement using
> > <launchSecurity> as it offers isolation between host and VM.
> >
> > Looking at the patches this doesn't even use confidential-guest-support
machine
> > option, it adds a new memory backend and enables CPU features only if libvirt
> > uses <cpu mode='custom'> so it would not work with any other CPU
mode.
> >
> > To me this sounds like we should split the feature into two components where
> > one would add support for the new memory backend into correct XML part [1]
> > and the other component would be support for CPU features related to Intel
> > SGX [2].
>
> [Haibin] ok, those specific CPU features we added have been deleted and let user to
specify it in [2].
> Do we need to add new element in memory backend for SGX EPC memory?
Correct, reading QEMU and kernel patches to enable this feature in
libvirt user will need to configure SGX EPC memory backend manually.
However, we will not be able to reuse <memoryBacking> element in the VM
XML without a lot of modification to the current code. Mainly, there can
be mupltiple SGX EPC memory sections and each can have different size.
Current code allows only single <memoryBacking> file and it is closely
tied with VM RAM.
To express SGX EPC in VM XML we will need new element, for example we
can use <memory> device:
<devices>
...
<memory model='sgx-epc'>
<target>
<size unit='MiB'>64</size>
<node>0</node>
</target>
</memory>
...
</devices>
but this would require to modify the current <memory> code as the
'sgx-epc' would be a special case where we would not use '-device'
option because we need to add it to '-machine' parameter.
Where are you seeing the -machine params ? In the patch 2 here
it uses standalone parameters:
-object memory-backend-epc,id=mem1,size=<epc_size>K,prealloc \
-sgx-epc id=epc1,memdev=mem1
which makes sense given you say that multiple SGX regions can
be defined.
Another option is to create completely new element, similar to
<launchSecurity> outside of <devices> element. I'm not sure about the
naming of the new element, one thing that comes to my mind is
<memoryRegion> with type='sgx-epc'.
I think adding a <memoryRegion> outside <devices> feels a little
odd given that this parameter is defining new RAM blocks and we
already have <memory> inside <devices>. I'd be more inclined towards
the latter
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
4:29 a.m.
On Tue, Jul 20, 2021 at 10:16:48AM +0100, Daniel P. Berrangé wrote:
On Tue, Jul 20, 2021 at 10:47:27AM +0200, Pavel Hrdina wrote:
> On Fri, Jul 16, 2021 at 12:58:19AM +0000, Huang, Haibin wrote:
> >
> > > -----Original Message-----
> > > From: Pavel Hrdina <phrdina(a)redhat.com>
> > > Sent: Wednesday, July 7, 2021 5:48 PM
> > > To: Huang, Haibin <haibin.huang(a)intel.com>
> > > Cc: libvir-list(a)redhat.com; Ding, Jian-feng
<jian-feng.ding(a)intel.com>; Yang,
> > > Lin A <lin.a.yang(a)intel.com>; Lu, Lianhao
<lianhao.lu(a)intel.com>
> > > Subject: Re: [libvirt][PATCH v4 0/4] Support query and use SGX
> > >
> > > On Thu, Jul 01, 2021 at 08:10:25PM +0800, Haibin Huang wrote:
> > > > This patch series provides support for enabling Intel's Software
Guard
> > > Extensions (SGX) feature in guest VM.
> > > >
> > > > Giving the SGX support in QEMU is still pending for reviewing, this
> > > > patch series is not submmited for code review, but only describe the
> > > > SGX enabling solution design that contains changes to
> > > virConnectGetDomainCapabilities API response and domain definition. All
> > > comments/suggestions would be highly appreciated.
> > > >
> > > > Intel Software Guard Extensions (Intel® SGX) is a set of
instructions
> > > > that increases the security of application code and data, giving
them
> > > > more protection from disclosure or modification. Developers can
partition
> > > sensitive information into enclaves, which are areas of execution in
memory
> > > with more security protection.
> > > >
> > > > The typical flow looks below at very high level:
> > > >
> > > > 1. Calls virConnectGetDomainCapabilities API to domain capabilities
that
> > > includes the following SGX information.
> > > >
> > > > <feature>
> > > > ...
> > > > <sgx supported='yes'>
> > > > <epc_size unit=’KiB’>N</epc_size>
> > > > </sgx>
> > > > </feature>
> > > >
> > > > 2. User requests to start a guest calling virCreateXML() with SGX
requirement.
> > > > It should contain
> > > >
> > > > <launchSecurity type='sgx'>
> > > > <epc_size unit='KiB'>N</epc_size>
> > > > </launchSecurity>
> > >
> > > I don't think that Intel SGX belongs into <launchSecurity> in
libvirt.
> > > Similar feature to AMD SEV is Intel TDX which would be implement using
> > > <launchSecurity> as it offers isolation between host and VM.
> > >
> > > Looking at the patches this doesn't even use
confidential-guest-support machine
> > > option, it adds a new memory backend and enables CPU features only if
libvirt
> > > uses <cpu mode='custom'> so it would not work with any other
CPU mode.
> > >
> > > To me this sounds like we should split the feature into two components
where
> > > one would add support for the new memory backend into correct XML part
[1]
> > > and the other component would be support for CPU features related to
Intel
> > > SGX [2].
> >
> > [Haibin] ok, those specific CPU features we added have been deleted and let
user to specify it in [2].
> > Do we need to add new element in memory backend for SGX EPC memory?
>
> Correct, reading QEMU and kernel patches to enable this feature in
> libvirt user will need to configure SGX EPC memory backend manually.
> However, we will not be able to reuse <memoryBacking> element in the VM
> XML without a lot of modification to the current code. Mainly, there can
> be mupltiple SGX EPC memory sections and each can have different size.
> Current code allows only single <memoryBacking> file and it is closely
> tied with VM RAM.
>
> To express SGX EPC in VM XML we will need new element, for example we
> can use <memory> device:
>
> <devices>
> ...
> <memory model='sgx-epc'>
> <target>
> <size unit='MiB'>64</size>
> <node>0</node>
> </target>
> </memory>
> ...
> </devices>
>
> but this would require to modify the current <memory> code as the
> 'sgx-epc' would be a special case where we would not use '-device'
> option because we need to add it to '-machine' parameter.
Where are you seeing the -machine params ? In the patch 2 here
it uses standalone parameters:
-object memory-backend-epc,id=mem1,size=<epc_size>K,prealloc \
-sgx-epc id=epc1,memdev=mem1
which makes sense given you say that multiple SGX regions can
be defined.
This RFC is a bit outdated, latest patches in QEMU dropped the new
option '-sgx-epc' and replaced it with compound -machine parameters [1].
This was explicitly requested by Paolo here [2].
> Another option is to create completely new element, similar to
> <launchSecurity> outside of <devices> element. I'm not sure about
the
> naming of the new element, one thing that comes to my mind is
> <memoryRegion> with type='sgx-epc'.
I think adding a <memoryRegion> outside <devices> feels a little
odd given that this parameter is defining new RAM blocks and we
already have <memory> inside <devices>. I'd be more inclined towards
the latter
Using <memory> was my first idea, I just wanted to offer some
alternative as I was not completely sure about using <memory> mainly
because it will be part of -machine option.
Pavel
[1] <https://lists.nongnu.org/archive/html/qemu-devel/2021-07/msg02507.html>
[2] <https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00644.html>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
12:38 a.m.
-----Original Message-----
From: Pavel Hrdina <phrdina(a)redhat.com>
Sent: Tuesday, July 20, 2021 5:29 PM
To: Daniel P. Berrangé <berrange(a)redhat.com>
Cc: Huang, Haibin <haibin.huang(a)intel.com>; libvir-list(a)redhat.com; Ding, Jian-
feng <jian-feng.ding(a)intel.com>; Yang, Lin A <lin.a.yang(a)intel.com>; Lu,
Lianhao <lianhao.lu(a)intel.com>; Peter Krempa <pkrempa(a)redhat.com>;
Michal Prívozník <mprivozn(a)redhat.com>
Subject: Re: [libvirt][PATCH v4 0/4] Support query and use SGX
On Tue, Jul 20, 2021 at 10:16:48AM +0100, Daniel P. Berrangé wrote:
> On Tue, Jul 20, 2021 at 10:47:27AM +0200, Pavel Hrdina wrote:
> > On Fri, Jul 16, 2021 at 12:58:19AM +0000, Huang, Haibin wrote:
> > >
> > > > -----Original Message-----
> > > > From: Pavel Hrdina <phrdina(a)redhat.com>
> > > > Sent: Wednesday, July 7, 2021 5:48 PM
> > > > To: Huang, Haibin <haibin.huang(a)intel.com>
> > > > Cc: libvir-list(a)redhat.com; Ding, Jian-feng
> > > > <jian-feng.ding(a)intel.com>; Yang, Lin A
<lin.a.yang(a)intel.com>;
> > > > Lu, Lianhao <lianhao.lu(a)intel.com>
> > > > Subject: Re: [libvirt][PATCH v4 0/4] Support query and use SGX
> > > >
> > > > On Thu, Jul 01, 2021 at 08:10:25PM +0800, Haibin Huang wrote:
> > > > > This patch series provides support for enabling Intel's
> > > > > Software Guard
> > > > Extensions (SGX) feature in guest VM.
> > > > >
> > > > > Giving the SGX support in QEMU is still pending for reviewing,
> > > > > this patch series is not submmited for code review, but only
> > > > > describe the SGX enabling solution design that contains
> > > > > changes to
> > > > virConnectGetDomainCapabilities API response and domain
> > > > definition. All comments/suggestions would be highly appreciated.
> > > > >
> > > > > Intel Software Guard Extensions (Intel® SGX) is a set of
> > > > > instructions that increases the security of application code
> > > > > and data, giving them more protection from disclosure or
> > > > > modification. Developers can partition
> > > > sensitive information into enclaves, which are areas of
> > > > execution in memory with more security protection.
> > > > >
> > > > > The typical flow looks below at very high level:
> > > > >
> > > > > 1. Calls virConnectGetDomainCapabilities API to domain
> > > > > capabilities that
> > > > includes the following SGX information.
> > > > >
> > > > > <feature>
> > > > > ...
> > > > > <sgx supported='yes'>
> > > > > <epc_size unit=’KiB’>N</epc_size>
> > > > > </sgx>
> > > > > </feature>
> > > > >
> > > > > 2. User requests to start a guest calling virCreateXML() with
SGX
requirement.
> > > > > It should contain
> > > > >
> > > > > <launchSecurity type='sgx'>
> > > > > <epc_size unit='KiB'>N</epc_size>
</launchSecurity>
> > > >
> > > > I don't think that Intel SGX belongs into <launchSecurity>
in libvirt.
> > > > Similar feature to AMD SEV is Intel TDX which would be implement
> > > > using <launchSecurity> as it offers isolation between host and
VM.
> > > >
> > > > Looking at the patches this doesn't even use
> > > > confidential-guest-support machine option, it adds a new memory
> > > > backend and enables CPU features only if libvirt uses <cpu
mode='custom'> so it would not work with any other CPU mode.
> > > >
> > > > To me this sounds like we should split the feature into two
> > > > components where one would add support for the new memory
> > > > backend into correct XML part [1] and the other component would
> > > > be support for CPU features related to Intel SGX [2].
> > >
> > > [Haibin] ok, those specific CPU features we added have been deleted and
let user to specify it in [2].
> > > Do we need to add new element in memory backend for SGX EPC memory?
> >
> > Correct, reading QEMU and kernel patches to enable this feature in
> > libvirt user will need to configure SGX EPC memory backend manually.
> > However, we will not be able to reuse <memoryBacking> element in the
> > VM XML without a lot of modification to the current code. Mainly,
> > there can be mupltiple SGX EPC memory sections and each can have
different size.
> > Current code allows only single <memoryBacking> file and it is
> > closely tied with VM RAM.
> >
> > To express SGX EPC in VM XML we will need new element, for example
> > we can use <memory> device:
> >
> > <devices>
> > ...
> > <memory model='sgx-epc'>
> > <target>
> > <size unit='MiB'>64</size>
> > <node>0</node>
> > </target>
> > </memory>
> > ...
> > </devices>
> >
> > but this would require to modify the current <memory> code as the
> > 'sgx-epc' would be a special case where we would not use
'-device'
> > option because we need to add it to '-machine' parameter.
>
> Where are you seeing the -machine params ? In the patch 2 here
> it uses standalone parameters:
>
> -object memory-backend-epc,id=mem1,size=<epc_size>K,prealloc \
> -sgx-epc id=epc1,memdev=mem1
>
> which makes sense given you say that multiple SGX regions can be
> defined.
This RFC is a bit outdated, latest patches in QEMU dropped the new option '-sgx-
epc' and replaced it with compound -machine parameters [1].
This was explicitly requested by Paolo here [2].
> > Another option is to create completely new element, similar to
> > <launchSecurity> outside of <devices> element. I'm not sure
about
> > the naming of the new element, one thing that comes to my mind is
> > <memoryRegion> with type='sgx-epc'.
>
> I think adding a <memoryRegion> outside <devices> feels a little odd
> given that this parameter is defining new RAM blocks and we already
> have <memory> inside <devices>. I'd be more inclined towards the
> latter
Using <memory> was my first idea, I just wanted to offer some alternative as I
was not completely sure about using <memory> mainly because it will be part of
-machine option.
[Haibin] Can you guys confirm that putting <memory> in <device> is an
acceptable
solution? Even it will be translated to -machine instead of -device.
<devices>
...
<memory model='sgx-epc'>
<target>
<size unit='MiB'>64</size>
<node>0</node>
</target>
</memory>
...
</devices>
Pavel
[1] <https://lists.nongnu.org/archive/html/qemu-devel/2021-07/msg02507.html>
[2] <https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00644.html>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|
>
7:30 a.m.
On Tue, Jul 27, 2021 at 05:38:02AM +0000, Huang, Haibin wrote:
> -----Original Message-----
> From: Pavel Hrdina <phrdina(a)redhat.com>
> Sent: Tuesday, July 20, 2021 5:29 PM
> To: Daniel P. Berrangé <berrange(a)redhat.com>
> Cc: Huang, Haibin <haibin.huang(a)intel.com>; libvir-list(a)redhat.com; Ding,
Jian-
> feng <jian-feng.ding(a)intel.com>; Yang, Lin A <lin.a.yang(a)intel.com>;
Lu,
> Lianhao <lianhao.lu(a)intel.com>; Peter Krempa <pkrempa(a)redhat.com>;
> Michal Prívozník <mprivozn(a)redhat.com>
> Subject: Re: [libvirt][PATCH v4 0/4] Support query and use SGX
>
> On Tue, Jul 20, 2021 at 10:16:48AM +0100, Daniel P. Berrangé wrote:
> > On Tue, Jul 20, 2021 at 10:47:27AM +0200, Pavel Hrdina wrote:
> > > On Fri, Jul 16, 2021 at 12:58:19AM +0000, Huang, Haibin wrote:
> > > >
> > > > > -----Original Message-----
> > > > > From: Pavel Hrdina <phrdina(a)redhat.com>
> > > > > Sent: Wednesday, July 7, 2021 5:48 PM
> > > > > To: Huang, Haibin <haibin.huang(a)intel.com>
> > > > > Cc: libvir-list(a)redhat.com; Ding, Jian-feng
> > > > > <jian-feng.ding(a)intel.com>; Yang, Lin A
<lin.a.yang(a)intel.com>;
> > > > > Lu, Lianhao <lianhao.lu(a)intel.com>
> > > > > Subject: Re: [libvirt][PATCH v4 0/4] Support query and use SGX
> > > > >
> > > > > On Thu, Jul 01, 2021 at 08:10:25PM +0800, Haibin Huang wrote:
> > > > > > This patch series provides support for enabling
Intel's
> > > > > > Software Guard
> > > > > Extensions (SGX) feature in guest VM.
> > > > > >
> > > > > > Giving the SGX support in QEMU is still pending for
reviewing,
> > > > > > this patch series is not submmited for code review, but
only
> > > > > > describe the SGX enabling solution design that contains
> > > > > > changes to
> > > > > virConnectGetDomainCapabilities API response and domain
> > > > > definition. All comments/suggestions would be highly
appreciated.
> > > > > >
> > > > > > Intel Software Guard Extensions (Intel® SGX) is a set of
> > > > > > instructions that increases the security of application
code
> > > > > > and data, giving them more protection from disclosure or
> > > > > > modification. Developers can partition
> > > > > sensitive information into enclaves, which are areas of
> > > > > execution in memory with more security protection.
> > > > > >
> > > > > > The typical flow looks below at very high level:
> > > > > >
> > > > > > 1. Calls virConnectGetDomainCapabilities API to domain
> > > > > > capabilities that
> > > > > includes the following SGX information.
> > > > > >
> > > > > > <feature>
> > > > > > ...
> > > > > > <sgx supported='yes'>
> > > > > > <epc_size unit=’KiB’>N</epc_size>
> > > > > > </sgx>
> > > > > > </feature>
> > > > > >
> > > > > > 2. User requests to start a guest calling virCreateXML()
with SGX
> requirement.
> > > > > > It should contain
> > > > > >
> > > > > > <launchSecurity type='sgx'>
> > > > > > <epc_size unit='KiB'>N</epc_size>
</launchSecurity>
> > > > >
> > > > > I don't think that Intel SGX belongs into
<launchSecurity> in libvirt.
> > > > > Similar feature to AMD SEV is Intel TDX which would be
implement
> > > > > using <launchSecurity> as it offers isolation between host
and VM.
> > > > >
> > > > > Looking at the patches this doesn't even use
> > > > > confidential-guest-support machine option, it adds a new memory
> > > > > backend and enables CPU features only if libvirt uses <cpu
> mode='custom'> so it would not work with any other CPU mode.
> > > > >
> > > > > To me this sounds like we should split the feature into two
> > > > > components where one would add support for the new memory
> > > > > backend into correct XML part [1] and the other component would
> > > > > be support for CPU features related to Intel SGX [2].
> > > >
> > > > [Haibin] ok, those specific CPU features we added have been deleted
and
> let user to specify it in [2].
> > > > Do we need to add new element in memory backend for SGX EPC memory?
> > >
> > > Correct, reading QEMU and kernel patches to enable this feature in
> > > libvirt user will need to configure SGX EPC memory backend manually.
> > > However, we will not be able to reuse <memoryBacking> element in
the
> > > VM XML without a lot of modification to the current code. Mainly,
> > > there can be mupltiple SGX EPC memory sections and each can have
> different size.
> > > Current code allows only single <memoryBacking> file and it is
> > > closely tied with VM RAM.
> > >
> > > To express SGX EPC in VM XML we will need new element, for example
> > > we can use <memory> device:
> > >
> > > <devices>
> > > ...
> > > <memory model='sgx-epc'>
> > > <target>
> > > <size unit='MiB'>64</size>
> > > <node>0</node>
> > > </target>
> > > </memory>
> > > ...
> > > </devices>
> > >
> > > but this would require to modify the current <memory> code as the
> > > 'sgx-epc' would be a special case where we would not use
'-device'
> > > option because we need to add it to '-machine' parameter.
> >
> > Where are you seeing the -machine params ? In the patch 2 here
> > it uses standalone parameters:
> >
> > -object memory-backend-epc,id=mem1,size=<epc_size>K,prealloc \
> > -sgx-epc id=epc1,memdev=mem1
> >
> > which makes sense given you say that multiple SGX regions can be
> > defined.
>
> This RFC is a bit outdated, latest patches in QEMU dropped the new option
'-sgx-
> epc' and replaced it with compound -machine parameters [1].
> This was explicitly requested by Paolo here [2].
>
> > > Another option is to create completely new element, similar to
> > > <launchSecurity> outside of <devices> element. I'm not
sure about
> > > the naming of the new element, one thing that comes to my mind is
> > > <memoryRegion> with type='sgx-epc'.
> >
> > I think adding a <memoryRegion> outside <devices> feels a little
odd
> > given that this parameter is defining new RAM blocks and we already
> > have <memory> inside <devices>. I'd be more inclined towards
the
> > latter
>
> Using <memory> was my first idea, I just wanted to offer some alternative as
I
> was not completely sure about using <memory> mainly because it will be part
of
> -machine option.
[Haibin] Can you guys confirm that putting <memory> in <device> is an
acceptable
solution? Even it will be translated to -machine instead of -device.
<devices>
...
<memory model='sgx-epc'>
<target>
<size unit='MiB'>64</size>
<node>0</node>
</target>
</memory>
...
</devices>
IMHO this will be the best place where to define sgx-epc so I agree with
this.
Pavel
4:11 a.m.
On Wed, Jul 07, 2021 at 11:47:37AM +0200, Pavel Hrdina wrote:
On Thu, Jul 01, 2021 at 08:10:25PM +0800, Haibin Huang wrote:
> This patch series provides support for enabling Intel's Software Guard
Extensions (SGX) feature in guest VM.
>
> Giving the SGX support in QEMU is still pending for reviewing, this patch series is
not submmited for code
> review, but only describe the SGX enabling solution design that contains changes to
virConnectGetDomainCapabilities
> API response and domain definition. All comments/suggestions would be highly
appreciated.
>
> Intel Software Guard Extensions (Intel® SGX) is a set of instructions that increases
the security of application
> code and data, giving them more protection from disclosure or modification.
Developers can partition sensitive
> information into enclaves, which are areas of execution in memory with more security
protection.
>
> The typical flow looks below at very high level:
>
> 1. Calls virConnectGetDomainCapabilities API to domain capabilities that includes
the following SGX information.
>
> <feature>
> ...
> <sgx supported='yes'>
> <epc_size unit=’KiB’>N</epc_size>
> </sgx>
> </feature>
>
> 2. User requests to start a guest calling virCreateXML() with SGX requirement.
> It should contain
>
> <launchSecurity type='sgx'>
> <epc_size unit='KiB'>N</epc_size>
> </launchSecurity>
I don't think that Intel SGX belongs into <launchSecurity> in libvirt.
Similar feature to AMD SEV is Intel TDX which would be implement using
<launchSecurity> as it offers isolation between host and VM.
Looking at the patches this doesn't even use confidential-guest-support
machine option, it adds a new memory backend and enables CPU features
only if libvirt uses <cpu mode='custom'> so it would not work with any
other CPU mode.
This just looks like a bug - there's no reason I see why it shouldn't
work with all CPU modes. In fact the user could just specify the
<feature> elements under <cpu> using existing syntax. We just need
the cpu map to know about them
To me this sounds like we should split the feature into two
components
where one would add support for the new memory backend into correct XML
part [1] and the other component would be support for CPU features
related to Intel SGX [2].
Yeah, sounds more sensible
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
1209
days inactive
1236
days old
25 comments
5 participants
participants (5)
-
Daniel P. Berrangé -
Haibin Huang -
Huang, Haibin
-
Pavel Hrdina -
Tim Wiederhake