qemu_cgroup: Allow SGX in devices controller
SGX memory backend needs to access /dev/sgx_vepc (which allows userspace to allocate "raw" EPC without an associated enclave) and /dev/sgx_provision (which allows creating provisioning enclaves). Allow these two devices in CGroups if a domain is configured to use them. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Haibin Huang <haibin.huang@intel.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
parent
facadf2491
commit
bea39eb9f3
@ -120,6 +120,28 @@ qemuCgroupDenyDevicePath(virDomainObj *vm,
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
qemuCgroupDenyDevicesPaths(virDomainObj *vm,
|
||||
const char *const *paths,
|
||||
int perms,
|
||||
bool ignoreEacces)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
for (i = 0; paths[i] != NULL; i++) {
|
||||
if (!virFileExists(paths[i])) {
|
||||
VIR_DEBUG("Ignoring non-existent device %s", paths[i]);
|
||||
continue;
|
||||
}
|
||||
|
||||
if (qemuCgroupDenyDevicePath(vm, paths[i], perms, ignoreEacces) < 0)
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
qemuSetupImagePathCgroup(virDomainObj *vm,
|
||||
const char *path,
|
||||
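Review bot: qemuCgroupDenyDevicesPaths has no comment stating its contract, although its behaviour is not the obvious one: a path missing on the host is skipped with only a debug message, so a teardown reports success for a node that was never present, and the first qemuCgroupDenyDevicePath() failure aborts the loop with -1 leaving the remaining paths untouched. A header above `static int` such as `/* Deny each entry of the NULL-terminated @paths; nodes absent on the host are skipped, any other failure returns -1 without processing the rest. */` would spare the next reader a trip into qemuCgroupDenyDevicePath(). The skip presumably mirrors the allow-side counterpart called from the setup hunk, which is not part of this diff, so the symmetry is worth stating explicitly.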
@ -520,16 +542,32 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
|
||||
virDomainMemoryDef *mem)
|
||||
{
|
||||
qemuDomainObjPrivate *priv = vm->privateData;
|
||||
|
||||
if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
|
||||
mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
|
||||
return 0;
|
||||
const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC,
|
||||
QEMU_DEV_SGX_PROVISION, NULL };
|
||||
|
||||
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
||||
return 0;
|
||||
|
||||
return qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
|
||||
VIR_CGROUP_DEVICE_RW, false);
|
||||
switch (mem->model) {
|
||||
case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
|
||||
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
|
||||
if (qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
|
||||
VIR_CGROUP_DEVICE_RW, false) < 0)
|
||||
return -1;
|
||||
break;
|
||||
case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
|
||||
if (qemuCgroupAllowDevicesPaths(vm, sgxPaths,
|
||||
VIR_CGROUP_DEVICE_RW, false) < 0)
|
||||
return -1;
|
||||
break;
|
||||
case VIR_DOMAIN_MEMORY_MODEL_NONE:
|
||||
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
|
||||
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
|
||||
case VIR_DOMAIN_MEMORY_MODEL_LAST:
|
||||
break;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
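Review bot: The `case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:` branch grants RW on both /dev/sgx_vepc and /dev/sgx_provision for every sgx-epc memory device, while the commit message itself distinguishes the provisioning node from the EPC allocation node; if the domain configuration cannot express whether provisioning is wanted this is the only option, but a one-line comment on that branch saying why both nodes are always opened would make the least-privilege trade-off deliberate rather than incidental. Separately, `sgxPaths` is declared unconditionally ahead of the VIR_CGROUP_CONTROLLER_DEVICES check and duplicated verbatim in qemuTeardownMemoryDevicesCgroup; a single file-scope `static const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC, QEMU_DEV_SGX_PROVISION, NULL };` would keep the allow and deny lists from drifting apart.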
@ -538,16 +576,32 @@ qemuTeardownMemoryDevicesCgroup(virDomainObj *vm,
|
||||
virDomainMemoryDef *mem)
|
||||
{
|
||||
qemuDomainObjPrivate *priv = vm->privateData;
|
||||
|
||||
if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
|
||||
mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
|
||||
return 0;
|
||||
const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC,
|
||||
QEMU_DEV_SGX_PROVISION, NULL };
|
||||
|
||||
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
||||
return 0;
|
||||
|
||||
return qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
|
||||
VIR_CGROUP_DEVICE_RWM, false);
|
||||
switch (mem->model) {
|
||||
case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
|
||||
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
|
||||
if (qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
|
||||
VIR_CGROUP_DEVICE_RWM, false) < 0)
|
||||
return -1;
|
||||
break;
|
||||
case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
|
||||
if (qemuCgroupDenyDevicesPaths(vm, sgxPaths,
|
||||
VIR_CGROUP_DEVICE_RW, false) < 0)
|
||||
return -1;
|
||||
break;
|
||||
case VIR_DOMAIN_MEMORY_MODEL_NONE:
|
||||
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
|
||||
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
|
||||
case VIR_DOMAIN_MEMORY_MODEL_LAST:
|
||||
break;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
|
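Review bot: The `case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:` branch revokes `VIR_CGROUP_DEVICE_RW` while the NVDIMM/virtio-pmem branch directly above denies `VIR_CGROUP_DEVICE_RWM`; RW is symmetric with what the setup side granted, but the two neighbouring branches now look inconsistent, so either align on `VIR_CGROUP_DEVICE_RWM` or add a short comment explaining that mknod was never allowed for the SGX nodes. Because the two SGX device nodes are shared by every sgx-epc device of the domain, tearing down one such device while another remains would revoke access the survivor still needs; I cannot tell from this hunk whether libvirt permits more than one sgx-epc device or their unplug, so this may be moot, but the per-device nvdimmPath case just above does not have that property and a reader may assume the same.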
@ -81,6 +81,8 @@ struct _qemuDomainUnpluggingDevice {
|
||||
#define QEMU_DEVPREFIX "/dev/"
|
||||
#define QEMU_DEV_VFIO "/dev/vfio/vfio"
|
||||
#define QEMU_DEV_SEV "/dev/sev"
|
||||
#define QEMU_DEV_SGX_VEPVC "/dev/sgx_vepc"
|
||||
#define QEMU_DEV_SGX_PROVISION "/dev/sgx_provision"
|
||||
#define QEMU_DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control"
|
||||
|
||||
|
||||
|
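Review bot: The macro name `QEMU_DEV_SGX_VEPVC` does not match the device node it expands to, "/dev/sgx_vepc"; the transposed letters will make the identifier hard to grep for and easy to mistype. Renaming it to `QEMU_DEV_SGX_VEPC` keeps the pattern of the neighbouring QEMU_DEV_VFIO and QEMU_DEV_SEV defines, with the two uses in the sgxPaths arrays of qemuSetupMemoryDevicesCgroup and qemuTeardownMemoryDevicesCgroup updated alongside.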