qemu_cgroup: Allow SGX in devices controller
SGX memory backend needs to access /dev/sgx_vepc (which allows userspace to allocate "raw" EPC without an associated enclave) and /dev/sgx_provision (which allows creating provisioning enclaves). Allow these two devices in CGroups if a domain is configured to use SGX. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Haibin Huang <haibin.huang@intel.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
parent
facadf2491
commit
bea39eb9f3
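--- a/PATH_NOT_ON_PAGE_qemu_cgroup
+++ b/PATH_NOT_ON_PAGE_qemu_cgroup
@@ -120,6 +120,28 @@ qemuCgroupDenyDevicePath(virDomainObj *vm,
 }
 
 
+static int
+qemuCgroupDenyDevicesPaths(virDomainObj *vm,
+                           const char *const *paths,
+                           int perms,
+                           bool ignoreEacces)
+{
+    size_t i;
+
+    for (i = 0; paths[i] != NULL; i++) {
+        if (!virFileExists(paths[i])) {
+            VIR_DEBUG("Ignoring non-existent device %s", paths[i]);
+            continue;
+        }
+
+        if (qemuCgroupDenyDevicePath(vm, paths[i], perms, ignoreEacces) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 qemuSetupImagePathCgroup(virDomainObj *vm,
                          const char *path,
@@ -520,16 +542,32 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
                              virDomainMemoryDef *mem)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
-
-    if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
-        mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
-        return 0;
+    const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC,
+                                     QEMU_DEV_SGX_PROVISION, NULL };
 
     if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
         return 0;
 
-    return qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
-                                     VIR_CGROUP_DEVICE_RW, false);
+    switch (mem->model) {
+    case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
+        if (qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
+                                      VIR_CGROUP_DEVICE_RW, false) < 0)
+            return -1;
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        if (qemuCgroupAllowDevicesPaths(vm, sgxPaths,
+                                        VIR_CGROUP_DEVICE_RW, false) < 0)
+            return -1;
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_NONE:
+    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
+    case VIR_DOMAIN_MEMORY_MODEL_LAST:
+        break;
+    }
+
+    return 0;
 }
 
 
@@ -538,16 +576,32 @@ qemuTeardownMemoryDevicesCgroup(virDomainObj *vm,
                                 virDomainMemoryDef *mem)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
-
-    if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
-        mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
-        return 0;
+    const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC,
+                                     QEMU_DEV_SGX_PROVISION, NULL };
 
     if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
         return 0;
 
-    return qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
-                                    VIR_CGROUP_DEVICE_RWM, false);
+    switch (mem->model) {
+    case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
+        if (qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
+                                     VIR_CGROUP_DEVICE_RWM, false) < 0)
+            return -1;
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        if (qemuCgroupDenyDevicesPaths(vm, sgxPaths,
+                                       VIR_CGROUP_DEVICE_RW, false) < 0)
+            return -1;
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_NONE:
+    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
+    case VIR_DOMAIN_MEMORY_MODEL_LAST:
+        break;
+    }
+
+    return 0;
 }
 
 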
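Review bot: In qemuTeardownMemoryDevicesCgroup the SGX_EPC case revokes with `VIR_CGROUP_DEVICE_RW` while the NVDIMM/VIRTIO_PMEM case in the same switch revokes with `VIR_CGROUP_DEVICE_RWM`; since qemuSetupMemoryDevicesCgroup only ever grants RW, the narrower deny is presumably sufficient, but the asymmetry reads like an oversight and should either become `VIR_CGROUP_DEVICE_RWM` for both branches or carry a one-line comment saying why the SGX nodes differ. The `sgxPaths` initializer is also written out identically in setup and teardown; a single file-scope `static const char *const sgxPaths[]` would keep the two lists from drifting, which matters here because teardown must name every device node that setup allowed for the revocation to be complete. The new qemuCgroupDenyDevicesPaths mirrors the allow helper by skipping non-existent nodes with a debug message; a short comment above the loop noting that a missing node is treated as already denied would make that intent explicit to the next reader.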
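--- a/PATH_NOT_ON_PAGE_qemu_domain_header
+++ b/PATH_NOT_ON_PAGE_qemu_domain_header
@@ -81,6 +81,8 @@ struct _qemuDomainUnpluggingDevice {
 #define QEMU_DEVPREFIX "/dev/"
 #define QEMU_DEV_VFIO "/dev/vfio/vfio"
 #define QEMU_DEV_SEV "/dev/sev"
+#define QEMU_DEV_SGX_VEPVC "/dev/sgx_vepc"
+#define QEMU_DEV_SGX_PROVISION "/dev/sgx_provision"
 #define QEMU_DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control"
 
 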
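Review bot: The new macro name `QEMU_DEV_SGX_VEPVC` does not match the node it expands to, `/dev/sgx_vepc`; `QEMU_DEV_SGX_VEPC` would agree with the path and with the naming of the neighbouring `QEMU_DEV_SEV` and `QEMU_DEV_VFIO` defines. Renaming it now, together with its two uses in the qemu_cgroup hunks, is cheaper than after other callers start referencing the misspelt identifier.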