i386: kvm: Add support for exposing PROVISIONKEY to guest

If the guest want to fully use SGX, the guest needs to be able to
access provisioning key. Add a new KVM_CAP_SGX_ATTRIBUTE to KVM to
support provisioning key to KVM guests.

Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Yang Zhong <yang.zhong@intel.com>
Message-Id: <20210719112136.57018-14-yang.zhong@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Sean Christopherson 2021-07-19 19:21:16 +08:00 committed by Paolo Bonzini
parent 1dec2e1f19
commit c22f546785
3 changed files with 35 additions and 1 deletions

View File

@ -5542,8 +5542,11 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
*ecx |= XSTATE_FP_MASK | XSTATE_SSE_MASK;
/* Access to PROVISIONKEY requires additional credentials. */
if ((*eax & (1U << 4)) &&
!kvm_enable_sgx_provisioning(cs->kvm_state)) {
*eax &= ~(1U << 4);
}
}
#endif
break;
case 0x14: {

View File

@ -4644,6 +4644,35 @@ void kvm_arch_update_guest_debug(CPUState *cpu, struct kvm_guest_debug *dbg)
}
}
static bool has_sgx_provisioning;
static bool __kvm_enable_sgx_provisioning(KVMState *s)
{
int fd, ret;
if (!kvm_vm_check_extension(s, KVM_CAP_SGX_ATTRIBUTE)) {
return false;
}
fd = qemu_open_old("/dev/sgx_provision", O_RDONLY);
if (fd < 0) {
return false;
}
ret = kvm_vm_enable_cap(s, KVM_CAP_SGX_ATTRIBUTE, 0, fd);
if (ret) {
error_report("Could not enable SGX PROVISIONKEY: %s", strerror(-ret));
exit(1);
}
close(fd);
return true;
}
bool kvm_enable_sgx_provisioning(KVMState *s)
{
return MEMORIZE(__kvm_enable_sgx_provisioning(s), has_sgx_provisioning);
}
static bool host_supports_vmx(void)
{
uint32_t ecx, unused;

View File

@ -51,4 +51,6 @@ bool kvm_hyperv_expand_features(X86CPU *cpu, Error **errp);
uint64_t kvm_swizzle_msi_ext_dest_id(uint64_t address);
bool kvm_enable_sgx_provisioning(KVMState *s);
#endif