From: Kai Huang <kai.huang@intel.com>
To: Jarkko Sakkinen <jarkko@kernel.org>
Cc: linux-sgx@vger.kernel.org, kvm@vger.kernel.org, x86@kernel.org,
	seanjc@google.com, luto@kernel.org, dave.hansen@intel.com,
	haitao.huang@intel.com, pbonzini@redhat.com, bp@alien8.de,
	tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com,
	jethro@fortanix.com, b.thiel@posteo.de, mattson@google.com,
	joro@8bytes.org, vkuznets@redhat.com, wanpengli@tencent.com,
	corbet@lwn.net
Subject: Re: [RFC PATCH 00/23] KVM SGX virtualization support
Date: Tue, 12 Jan 2021 14:14:28 +1300
Message-ID: <20210112141428.038533b6cd5f674c906a3c43@intel.com>
In-Reply-To: <2422737f6b0cddf6ff1be9cf90e287dd00d6a6a3.camel@kernel.org>

On Mon, 11 Jan 2021 19:20:48 +0200 Jarkko Sakkinen wrote:
> On Wed, 2021-01-06 at 14:55 +1300, Kai Huang wrote:
> > --- Disclaimer ---
> > 
> > These patches were originally written by Sean Christopherson while at Intel.
> > Now that Sean has left Intel, I (Kai) have taken over getting them upstream.
> > This series needs more review before it can be merged.  It is being posted
> > publicly and under RFC so Sean and others can review it. Maintainers are safe
> > ignoring it for now.
> > 
> > ------------------
> > 
> > Hi all,
> > 
> > This series adds KVM SGX virtualization support. The first 12 patches starting
> > with x86/sgx or x86/cpu.. are necessary changes to x86 and SGX core/driver to
> > support KVM SGX virtualization, while the rest are patches to KVM subsystem.
> > 
> > Please help to review this series. Also I'd like to hear what is the proper
> > way to merge this series, since it contains changes to both x86/SGX and KVM
> > subsystem. Any feedback is highly appreciated. And please let me know if I
> > forgot to CC anyone, or anyone wants to be removed from CC. Thanks in advance!
> > 
> > This series is based against latest tip tree's x86/sgx branch. You can also get
> > the code from tip branch of kvm-sgx repo on github:
> > 
> >         https://github.com/intel/kvm-sgx.git tip
> > 
> > It also requires Qemu changes to create VM with SGX support. You can find Qemu
> > repo here:
> > 
> >         https://github.com/intel/qemu-sgx.git next
> > 
> > Please refer to README.md of above qemu-sgx repo for detail on how to create
> > guest with SGX support. In the meantime, for your quick reference you can use below
> > command to create SGX guest:
> > 
> >         #qemu-system-x86_64 -smp 4 -m 2G -drive file=<your_vm_image>,if=virtio \
> >                 -cpu host,+sgx_provisionkey \
> >                 -sgx-epc id=epc1,memdev=mem1 \
> >                 -object memory-backend-epc,id=mem1,size=64M,prealloc
> > 
> > Please note that the SGX relevant part is:
> > 
> >                 -cpu host,+sgx_provisionkey \
> >                 -sgx-epc id=epc1,memdev=mem1 \
> >                 -object memory-backend-epc,id=mem1,size=64M,prealloc
> > 
> > And you can change other parameters of your qemu command based on your needs.
> 
> Thanks a lot for documenting these snippets in the cover letter. I'll dig these
> up from lore once my environment is working.
> 
> I'm setting up an Arch-based test environment with an eye on this patch set
> and generic Linux keyring patches:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/arch.git/
> 
> Still have some minor bits to adjust before I can start deploying it for SGX
> testing. For this patch set I'll use two instances of it.

Thanks. Please let me know if you need anything more.

> 
> > =========
> > KVM SGX virtualization Overview
> > 
> > - Virtual EPC
> > 
> > "Virtual EPC" is the EPC section exposed by KVM to guest so SGX software in
> > guest can discover it and use it to create SGX enclaves. KVM exposes SGX to 
> 
> Virtual EPC is a representation of an EPC section. And there is no "the".
> 
> > guest via CPUID, and exposes one or more "virtual EPC" sections for guest.
> > The size of "virtual EPC" is passed as Qemu parameter when creating the
> > guest, and the base address is calculated internally according to guest's
> > configuration.
> > 
> > To support virtual EPC, add a new misc device /dev/sgx_virt_epc to SGX
> > core/driver to allow userspace (Qemu) to allocate "raw" EPC, and use it as
> > "virtual EPC" for guest. Obviously, unlike EPC allocated for host SGX driver,
> > virtual EPC allocated via /dev/sgx_virt_epc doesn't have enclave associated,
> > and how virtual EPC is used by guest is completely controlled by guest's SGX
> > software.
> 
> I think that /dev/sgx_vepc would be a clear enough name for the device. This
> text has now a bit confusing "terminology" related to this.

/dev/sgx_virt_epc may be clearer from userspace's perspective, for instance,
if people see /dev/sgx_vepc, they may have to think about what it is,
while /dev/sgx_virt_epc they may not.

But I don't have a strong objection here. Does anyone have anything to say here?
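
The quoted overview says the guest discovers its virtual EPC sections through CPUID. The following is an added example, not code from this thread or from the patch series: a small C program that can be run inside a guest to check what was exposed. It assumes the architectural SGX enumeration (CPUID.07H:EBX[2] and the CPUID leaf 0x12 sub-leaves starting at 2); `struct epc_section` and `decode_epc` are names chosen here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

struct epc_section { int valid; uint64_t base; uint64_t size; };

/* Decode one CPUID.(EAX=0x12, ECX>=2) sub-leaf into an EPC section. */
static struct epc_section decode_epc(uint32_t eax, uint32_t ebx,
                                     uint32_t ecx, uint32_t edx)
{
    struct epc_section s = {0, 0, 0};

    if ((eax & 0xf) != 1)   /* type 0 ends the list, type 1 is an EPC section */
        return s;
    s.valid = 1;
    /* EAX[31:12] and EBX[19:0] hold physical base bits 31:12 and 51:32. */
    s.base = ((uint64_t)(ebx & 0xfffff) << 32) | (eax & 0xfffff000u);
    /* ECX[31:12] and EDX[19:0] hold size bits 31:12 and 51:32. */
    s.size = ((uint64_t)(edx & 0xfffff) << 32) | (ecx & 0xfffff000u);
    return s;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d, i;

    /* CPUID.07H:EBX bit 2 says whether SGX is enumerated at all. */
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d) || !(b & (1u << 2))) {
        puts("SGX is not enumerated in CPUID");
        return 0;
    }
    for (i = 2; ; i++) {
        if (!__get_cpuid_count(0x12, i, &a, &b, &c, &d))
            break;
        struct epc_section s = decode_epc(a, b, c, d);
        if (!s.valid)
            break;
        printf("EPC section %u: base=0x%llx size=%llu MiB\n", i - 2,
               (unsigned long long)s.base,
               (unsigned long long)(s.size >> 20));
    }
#endif
    return 0;
}
```

With the qemu command line quoted above, a guest would be expected to report a single section whose size matches the `size=64M` given to `memory-backend-epc`.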
