
qemu_cgroup: Allow SGX in devices controller

SGX memory backend needs to access /dev/sgx_vepc (which allows
userspace to allocate "raw" EPC without an associated enclave)
and /dev/sgx_provision (which allows creating provisioning
enclaves). Allow these two devices in the CGroups devices controller
when a domain is configured with an SGX EPC memory device.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Haibin Huang <haibin.huang@intel.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Michal Privoznik 2022-11-10 17:21:24 -08:00
parent facadf2491
commit bea39eb9f3
2 changed files with 68 additions and 12 deletions


@ -120,6 +120,28 @@ qemuCgroupDenyDevicePath(virDomainObj *vm,
}
static int
qemuCgroupDenyDevicesPaths(virDomainObj *vm,
const char *const *paths,
int perms,
bool ignoreEacces)
{
size_t i;
for (i = 0; paths[i] != NULL; i++) {
if (!virFileExists(paths[i])) {
VIR_DEBUG("Ignoring non-existent device %s", paths[i]);
continue;
}
if (qemuCgroupDenyDevicePath(vm, paths[i], perms, ignoreEacces) < 0)
return -1;
}
return 0;
}
static int
qemuSetupImagePathCgroup(virDomainObj *vm,
const char *path,
@ -520,16 +542,32 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
virDomainMemoryDef *mem)
{
qemuDomainObjPrivate *priv = vm->privateData;
if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
return 0;
const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC,
QEMU_DEV_SGX_PROVISION, NULL };
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
return 0;
return qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
VIR_CGROUP_DEVICE_RW, false);
switch (mem->model) {
case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
if (qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
VIR_CGROUP_DEVICE_RW, false) < 0)
return -1;
break;
case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
if (qemuCgroupAllowDevicesPaths(vm, sgxPaths,
VIR_CGROUP_DEVICE_RW, false) < 0)
return -1;
break;
case VIR_DOMAIN_MEMORY_MODEL_NONE:
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
case VIR_DOMAIN_MEMORY_MODEL_LAST:
break;
}
return 0;
}
@ -538,16 +576,32 @@ qemuTeardownMemoryDevicesCgroup(virDomainObj *vm,
virDomainMemoryDef *mem)
{
qemuDomainObjPrivate *priv = vm->privateData;
if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
return 0;
const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC,
QEMU_DEV_SGX_PROVISION, NULL };
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
return 0;
return qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
VIR_CGROUP_DEVICE_RWM, false);
switch (mem->model) {
case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
if (qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
VIR_CGROUP_DEVICE_RWM, false) < 0)
return -1;
break;
case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
if (qemuCgroupDenyDevicesPaths(vm, sgxPaths,
VIR_CGROUP_DEVICE_RW, false) < 0)
return -1;
break;
case VIR_DOMAIN_MEMORY_MODEL_NONE:
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
case VIR_DOMAIN_MEMORY_MODEL_LAST:
break;
}
return 0;
}
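Review bot: The `VIR_DOMAIN_MEMORY_MODEL_SGX_EPC` case in qemuSetupMemoryDevicesCgroup whitelists `/dev/sgx_provision` for every domain that has an SGX EPC device, even though the commit message itself notes that this node lets the guest create provisioning enclaves, and the kernel exposes it as a separate, root-only node precisely so that raw EPC access and provisioning-key access can be granted independently. As far as I recall QEMU only opens `/dev/sgx_provision` when the provisioning-key CPU feature is enabled for the guest, so if libvirt can express that per domain the rule should be added only in that case; otherwise a comment should record why every SGX guest gets it, e.g. `/* /dev/sgx_provision exposes the provisioning key; allowed for all SGX_EPC guests since libvirt has no per-domain opt-in yet */`. A smaller point: `sgxPaths` is declared identically in both the setup and teardown functions and could be a single file-scope `static const char *const sgxPaths[]` so the allow and deny lists cannot drift apart. The `static int` lines of both qemuSetupMemoryDevicesCgroup and qemuTeardownMemoryDevicesCgroup sit outside the hunks, so their openings are only partly visible here.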


@ -81,6 +81,8 @@ struct _qemuDomainUnpluggingDevice {
#define QEMU_DEVPREFIX "/dev/"
#define QEMU_DEV_VFIO "/dev/vfio/vfio"
#define QEMU_DEV_SEV "/dev/sev"
#define QEMU_DEV_SGX_VEPVC "/dev/sgx_vepc"
#define QEMU_DEV_SGX_PROVISION "/dev/sgx_provision"
#define QEMU_DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control"
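Review bot: The macro name `QEMU_DEV_SGX_VEPVC` does not match the device node it names, `/dev/sgx_vepc` (there is a stray `V` before `PC`), so anyone grepping for the device name will not find the macro and the typo is carried into every user in qemu_cgroup.c; rename it to `#define QEMU_DEV_SGX_VEPC "/dev/sgx_vepc"` and update the two users. The string value itself is correct, so this is purely a naming fix.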