Linux 5.13 Bringing Code For Intel SGX Within KVM Guests

Written by Michael Larabel in Virtualization on 26 April 2021 at 11:42 AM EDT.
Linux 5.11 brought mainline support for Intel Software Guard Extensions (SGX) after a lengthy mainlining process. Building on that enclave support, the kernel more recently gained support for SGX under KVM virtualization, and now with Linux 5.13 the guest-side support for KVM guests is landing in mainline.

Software Guard Extensions for KVM allows a portion of system memory to be set aside as encrypted SGX enclave memory for exclusive use by a KVM guest, memory that cannot be read by the host or by any other guest.

Sent out on the kernel mailing list today was the x86/sgx pull request for v5.13 that mainlines the guest side of the SGX support for Kernel-based Virtual Machine guests. From the pull request:
Add a misc device /dev/sgx_vepc to allow userspace to allocate "raw" EPC without an associated enclave. The intended and only known use case for raw EPC allocation is to expose EPC to a KVM guest, hence the 'vepc' moniker, virt.{c,h} files and X86_SGX_KVM Kconfig.

The SGX driver uses the misc device /dev/sgx_enclave to let userspace create enclaves. Each file descriptor from opening /dev/sgx_enclave represents an enclave. Unlike the SGX driver, KVM doesn't control how a guest uses EPC, therefore EPC allocated to a KVM guest is not associated with an enclave, and /dev/sgx_enclave is not suitable for allocating EPC for a KVM guest.

Having separate device nodes for the SGX driver and KVM virtual EPC also allows separate permission control for running host SGX enclaves and KVM SGX guests.

To use /dev/sgx_vepc to allocate a virtual EPC instance with a particular size, the userspace hypervisor opens /dev/sgx_vepc and uses mmap() with the intended size to get an address range of virtual EPC. Then it may use the address range to create one KVM memory slot as virtual EPC for the guest.

This guest-side KVM support for SGX is the main addition in the Intel SGX work for Linux 5.13. SGX has been present in Intel Core CPUs since Skylake but is not found in the latest Rocket Lake desktop CPUs or Tiger Lake mobile parts. With Intel's 3rd Gen Xeon Scalable "Ice Lake" processors, however, SGX support is available for those wishing to make use of these encrypted memory enclaves.