Intel Sends Out KVM SGX Virtualization Patches For Linux
Intel SGX support finally landed in Linux 5.11 after 40+ rounds of review spread over several years to bring Software Guard Extensions to the mainline kernel. But that trek isn't over yet, as Intel is now working to get KVM SGX virtualization support upstreamed as well.
Intel earlier sent out a "request for comments" version of KVM SGX virtualization support, and on Monday they sent out the first formal (non-RFC) patch series for handling Software Guard Extensions in the context of KVM virtualization. Basically this lets a KVM guest create its own SGX enclaves: the host exposes a slice of the CPU's Enclave Page Cache (EPC) to the guest, and memory the guest places in an enclave is protected by the CPU so that neither the host kernel nor the hypervisor can read it from outside the enclave. Separate from SGX enclaves, Intel is also bringing the Total Memory Encryption (TME) feature to future CPUs, which encrypts all of system memory rather than individual enclaves. AMD meanwhile has been working on Secure Encrypted Virtualization (SEV), built on Secure Memory Encryption (SME), as their EPYC approach for securing guest VM memory from other VMs or the host.
The 25 patches introduce a new /dev/sgx_vepc device that lets user-space (a VMM such as QEMU) allocate raw EPC pages and map them into its own address space so they can be handed to a KVM guest as the guest's EPC. This is distinct from the existing /dev/sgx_enclave interface, which is for building enclaves on the host itself. Also there is prep work around SGX2 support, even though the recently mainlined Intel SGX driver doesn't yet support SGX2 (the SGX2 update initially rolled out with Gemini Lake processors).
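To make the /dev/sgx_vepc flow concrete, here is an added example of how a VMM would back a guest's EPC with it. This is illustrative code written for this article, not code from the Intel patch series or from QEMU. It assumes a kernel carrying the KVM SGX patches, the device path /dev/sgx_vepc, and that the VMM later registers the mapping with KVM through the ordinary KVM_SET_USER_MEMORY_REGION ioctl; the guest-physical address and slot number are placeholders the VMM picks, not values fixed by the kernel.

```c
// Added example (not from the article or the Intel patch series): how a VMM
// would back a guest's EPC with the new /dev/sgx_vepc device. Assumptions:
// the kernel carries the KVM SGX patches, the device path is /dev/sgx_vepc,
// and the mapping is later handed to KVM as a memory slot. "gpa" and "slot"
// are placeholders chosen by the VMM, not values fixed by the kernel.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>
#include <linux/kvm.h>

struct vepc {
    int fd;        /* handle on /dev/sgx_vepc; one open handle = one EPC section */
    void *base;    /* host virtual address of the mapping */
    size_t size;   /* bytes, a multiple of the page size */
};

/* Open the vEPC device and map `size` bytes of it. Returns 0 or -errno.
 * No EPC pages are populated here; the kernel backs each page on first
 * touch, so a failed open or mmap is the only failure mode to handle. */
static int vepc_alloc(const char *dev, size_t size, struct vepc *out)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -EINVAL;
    /* EPC is handed out in whole pages; reject odd sizes before touching the device. */
    if (size == 0 || size % (size_t)page != 0)
        return -EINVAL;

    int fd = open(dev, O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return -errno;   /* -ENOENT when the kernel lacks vEPC support */

    /* Enclave code executes from EPC, so the guest needs PROT_EXEC too.
     * MAP_SHARED: the pages belong to the device, not to this process. */
    void *base = mmap(NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_SHARED, fd, 0);
    if (base == MAP_FAILED) {
        int err = errno;
        close(fd);
        return -err;
    }
    out->fd = fd;
    out->base = base;
    out->size = size;
    return 0;
}

/* Expose the mapping to the guest as a memory slot at guest-physical `gpa`.
 * The VMM separately advertises [gpa, gpa+size) as an EPC section in the
 * guest's CPUID leaf 0x12 so the guest SGX driver can find it. */
static int vepc_register(int vm_fd, const struct vepc *v, uint32_t slot, uint64_t gpa)
{
    struct kvm_userspace_memory_region region = {
        .slot = slot,
        .flags = 0,
        .guest_phys_addr = gpa,
        .memory_size = v->size,
        .userspace_addr = (uint64_t)(uintptr_t)v->base,
    };
    if (ioctl(vm_fd, KVM_SET_USER_MEMORY_REGION, &region) < 0)
        return -errno;   /* -EBADF if vm_fd is not a KVM VM handle */
    return 0;
}

static void vepc_free(struct vepc *v)
{
    if (v->base && v->base != MAP_FAILED)
        munmap(v->base, v->size);
    if (v->fd >= 0)
        close(v->fd);
    v->base = NULL;
    v->fd = -1;
}

int main(void)
{
    struct vepc v = { .fd = -1 };
    int rc = vepc_alloc("/dev/sgx_vepc", 64u << 20, &v);  /* 64 MiB of guest EPC */
    if (rc) {
        fprintf(stderr, "vEPC unavailable: %s\n", strerror(-rc));
        return 1;
    }
    printf("mapped %zu bytes of vEPC at %p\n", v.size, v.base);
    /* vm_fd would come from ioctl(kvm_fd, KVM_CREATE_VM, 0); a real VMM
     * would call vepc_register(vm_fd, &v, slot, gpa) here. */
    vepc_free(&v);
    return 0;
}
```

Two things worth noting. First, each open() of the device is an independent EPC section, so a VMM wanting several sections simply opens the device several times. Second, although the VMM holds a writable mapping of the pages, once the guest has added them to an enclave the CPU enforces SGX's usual rule that non-enclave accesses to EPC get abort-page semantics (reads return all ones, writes are dropped), which is what keeps guest enclave contents out of reach of the host and hypervisor.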
For those interested in using SGX enclaves within a KVM virtualized environment, the current kernel patches can be found via this thread. We'll see how long it takes before the KVM SGX virtualization support is ready for mainline, but hopefully not as long as the original SGX code took to arrive.