Linux 5.13 Bringing Code For Intel SGX Within KVM Guests

Written by Michael Larabel in Virtualization on 26 April 2021 at 11:42 AM EDT. Add A Comment
VIRTUALIZATION
Linux 5.11 brought mainline support for Intel Software Guard Extensions (SGX) after a lengthy mainlining process. Building off that SGX enclaves support in the mainline kernel more recently has been support for SGX with KVM virtualization and now for mainline Linux 5.13 that guest-side support is landing for KVM guests.

Software Guard Extensions for KVM allows for a portion of the system meory to be encrypted with an SGX enclaves and used exclusively by a KVM guest that cannot be used by the host or any other guest.

Sent out on the kernel mailing list today was x86/sgx for v5.13 that mainlines the guest side of the SGX support in Kernel-based Virtual Machine guests.
Add a misc device /dev/sgx_vepc to allow userspace to allocate "raw" EPC without an associated enclave. The intended and only known use case for raw EPC allocation is to expose EPC to a KVM guest, hence the 'vepc' moniker, virt.{c,h} files and X86_SGX_KVM Kconfig.

SGX driver uses misc device /dev/sgx_enclave to support userspace to create enclave. Each file descriptor from opening /dev/sgx_enclave represents an enclave. Unlike SGX driver, KVM doesn't control how guest uses EPC, therefore EPC allocated to KVM guest is not associated to an enclave, and /dev/sgx_enclave is not suitable for allocating EPC for KVM guest.

Having separate device nodes for SGX driver and KVM virtual EPC also allows separate permission control for running host SGX enclaves and KVM SGX guests.

To use /dev/sgx_vepc to allocate a virtual EPC instance with particular size, the userspace hypervisor opens /dev/sgx_vepc, and uses mmap() with the intended size to get an address range of virtual EPC. Then it may use the address range to create one KVM memory slot as virtual EPC for guest.

This guest-side KVM support for SGX is the main addition with the Intel SGX work for Linux 5.13. SGX has been around in Intel Core CPUs since Skylake but not found in the latest Rocket Lake desktop CPUs or Tiger Lake mobile. But with Intel 3rd Gen Xeon Scalable "Ice Lake" there is now SGX support there for those wishing to make use of these encrypted memory enclaves.
Add A Comment
Related News
QEMU 9.2 Released With VirtIO GPU Vulkan Support, AVX10 & Experimental Rust Support
Rust Hypervisor Firmware v0.5 Supports For More CPUs & Improves EFI Support
Linux 6.13 KVM Eliminates An "Awful Idea", Many x86_64 Improvements
Virtual CPUFreq Driver Coming With Linux 6.13 For Better Power/Performance Within VMs
IBM Power11 CPUs Launching In 2025 - Linux 6.13 Preps KVM Nested Guests For Power11
DXVK 2.5 Brings Memory Management Rewrite & Other Improvements
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
Linus Torvalds Comes Out Against "Completely Broken" x86_64 Feature Levels
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
COSMIC Alpha 4 Released For System76's Rust-Based Desktop
Rustls Multi-Threaded Performance Is Battering OpenSSL
Fedora 42 Aims To Enhance The Windows Subsystem For Linux Experience
KDE Starts December By Landing A Number Of New Features
Linux 6.12 Officially Promoted To Being An LTS Kernel