qemu_cgroup: Allow SGX in devices controller

SGX memory backend needs to access /dev/sgx_vepc (which allows
userspace to allocate "raw" EPC without an associated enclave)
and /dev/sgx_provision (which allows creating provisioning
enclaves). Allow these two devices in CGroups if a domain is
configured so.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Haibin Huang <haibin.huang@intel.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index d6f27a5a4d565e488ee11ce617a5903aae1f39f3..78c4a035bf72317a06353a4dc8a05babfe22be8e 100644 (file)
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -120,6 +120,28 @@ qemuCgroupDenyDevicePath(virDomainObj *vm,
 }
 
 
+static int
+qemuCgroupDenyDevicesPaths(virDomainObj *vm,
+                           const char *const *paths,
+                           int perms,
+                           bool ignoreEacces)
+{
+    size_t i;
+
+    for (i = 0; paths[i] != NULL; i++) {
+        if (!virFileExists(paths[i])) {
+            VIR_DEBUG("Ignoring non-existent device %s", paths[i]);
+            continue;
+        }
+
+        if (qemuCgroupDenyDevicePath(vm, paths[i], perms, ignoreEacces) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 qemuSetupImagePathCgroup(virDomainObj *vm,
                          const char *path,
@@ -520,16 +542,32 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
                              virDomainMemoryDef *mem)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
-
-    if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
-        mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
-        return 0;
+    const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC,
+                                     QEMU_DEV_SGX_PROVISION, NULL };
 
     if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
         return 0;
 
-    return qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
-                                     VIR_CGROUP_DEVICE_RW, false);
+    switch (mem->model) {
+    case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
+        if (qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
+                                      VIR_CGROUP_DEVICE_RW, false) < 0)
+            return -1;
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        if (qemuCgroupAllowDevicesPaths(vm, sgxPaths,
+                                        VIR_CGROUP_DEVICE_RW, false) < 0)
+            return -1;
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_NONE:
+    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
+    case VIR_DOMAIN_MEMORY_MODEL_LAST:
+        break;
+    }
+
+    return 0;
 }
 
 
@@ -538,16 +576,32 @@ qemuTeardownMemoryDevicesCgroup(virDomainObj *vm,
                                 virDomainMemoryDef *mem)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
-
-    if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
-        mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
-        return 0;
+    const char *const sgxPaths[] = { QEMU_DEV_SGX_VEPVC,
+                                     QEMU_DEV_SGX_PROVISION, NULL };
 
     if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
         return 0;
 
-    return qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
-                                    VIR_CGROUP_DEVICE_RWM, false);
+    switch (mem->model) {
+    case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
+        if (qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
+                                     VIR_CGROUP_DEVICE_RWM, false) < 0)
+            return -1;
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        if (qemuCgroupDenyDevicesPaths(vm, sgxPaths,
+                                       VIR_CGROUP_DEVICE_RW, false) < 0)
+            return -1;
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_NONE:
+    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
+    case VIR_DOMAIN_MEMORY_MODEL_LAST:
+        break;
+    }
+
+    return 0;
 }
 
 

diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 7950c4c2dae164219377bed03929b08337cad8ea..d5f4fbad12f903bda3f108239ec166a45c6cd2ff 100644 (file)
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -81,6 +81,8 @@ struct _qemuDomainUnpluggingDevice {
 #define QEMU_DEVPREFIX "/dev/"
 #define QEMU_DEV_VFIO "/dev/vfio/vfio"
 #define QEMU_DEV_SEV "/dev/sev"
+#define QEMU_DEV_SGX_VEPVC "/dev/sgx_vepc"
+#define QEMU_DEV_SGX_PROVISION "/dev/sgx_provision"
 #define QEMU_DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control"