qemu

sgx.rst (7479B)

---

 Software Guard eXtensions (SGX)
 ===============================
 
 Overview
 --------
 
 Intel Software Guard eXtensions (SGX) is a set of instructions and mechanisms
 for memory accesses in order to provide security accesses for sensitive
 applications and data. SGX allows an application to use it's pariticular
 address space as an *enclave*, which is a protected area provides confidentiality
 and integrity even in the presence of privileged malware. Accesses to the
 enclave memory area from any software not resident in the enclave are prevented,
 including those from privileged software.
 
 Virtual SGX
 -----------
 
 SGX feature is exposed to guest via SGX CPUID. Looking at SGX CPUID, we can
 report the same CPUID info to guest as on host for most of SGX CPUID. With
 reporting the same CPUID guest is able to use full capacity of SGX, and KVM
 doesn't need to emulate those info.
 
 The guest's EPC base and size are determined by QEMU, and KVM needs QEMU to
 notify such info to it before it can initialize SGX for guest.
 
 Virtual EPC
 ~~~~~~~~~~~
 
 By default, QEMU does not assign EPC to a VM, i.e. fully enabling SGX in a VM
 requires explicit allocation of EPC to the VM. Similar to other specialized
 memory types, e.g. hugetlbfs, EPC is exposed as a memory backend.
 
 SGX EPC is enumerated through CPUID, i.e. EPC "devices" need to be realized
 prior to realizing the vCPUs themselves, which occurs long before generic
 devices are parsed and realized.  This limitation means that EPC does not
 require -maxmem as EPC is not treated as {cold,hot}plugged memory.
 
 QEMU does not artificially restrict the number of EPC sections exposed to a
 guest, e.g. QEMU will happily allow you to create 64 1M EPC sections. Be aware
 that some kernels may not recognize all EPC sections, e.g. the Linux SGX driver
 is hardwired to support only 8 EPC sections.
 
 The following QEMU snippet creates two EPC sections, with 64M pre-allocated
 to the VM and an additional 28M mapped but not allocated::
 
  -object memory-backend-epc,id=mem1,size=64M,prealloc=on \
  -object memory-backend-epc,id=mem2,size=28M \
  -M sgx-epc.0.memdev=mem1,sgx-epc.1.memdev=mem2
 
 Note:
 
 The size and location of the virtual EPC are far less restricted compared
 to physical EPC. Because physical EPC is protected via range registers,
 the size of the physical EPC must be a power of two (though software sees
 a subset of the full EPC, e.g. 92M or 128M) and the EPC must be naturally
 aligned.  KVM SGX's virtual EPC is purely a software construct and only
 requires the size and location to be page aligned. QEMU enforces the EPC
 size is a multiple of 4k and will ensure the base of the EPC is 4k aligned.
 To simplify the implementation, EPC is always located above 4g in the guest
 physical address space.
 
 Migration
 ~~~~~~~~~
 
 QEMU/KVM doesn't prevent live migrating SGX VMs, although from hardware's
 perspective, SGX doesn't support live migration, since both EPC and the SGX
 key hierarchy are bound to the physical platform. However live migration
 can be supported in the sense if guest software stack can support recreating
 enclaves when it suffers sudden lose of EPC; and if guest enclaves can detect
 SGX keys being changed, and handle gracefully. For instance, when ERESUME fails
 with #PF.SGX, guest software can gracefully detect it and recreate enclaves;
 and when enclave fails to unseal sensitive information from outside, it can
 detect such error and sensitive information can be provisioned to it again.
 
 CPUID
 ~~~~~
 
 Due to its myriad dependencies, SGX is currently not listed as supported
 in any of QEMU's built-in CPU configuration. To expose SGX (and SGX Launch
 Control) to a guest, you must either use ``-cpu host`` to pass-through the
 host CPU model, or explicitly enable SGX when using a built-in CPU model,
 e.g. via ``-cpu <model>,+sgx`` or ``-cpu <model>,+sgx,+sgxlc``.
 
 All SGX sub-features enumerated through CPUID, e.g. SGX2, MISCSELECT,
 ATTRIBUTES, etc... can be restricted via CPUID flags. Be aware that enforcing
 restriction of MISCSELECT, ATTRIBUTES and XFRM requires intercepting ECREATE,
 i.e. may marginally reduce SGX performance in the guest. All SGX sub-features
 controlled via -cpu are prefixed with "sgx", e.g.::
 
   $ qemu-system-x86_64 -cpu help | xargs printf "%s\n" | grep sgx
   sgx
   sgx-debug
   sgx-encls-c
   sgx-enclv
   sgx-exinfo
   sgx-kss
   sgx-mode64
   sgx-provisionkey
   sgx-tokenkey
   sgx1
   sgx2
   sgxlc
 
 The following QEMU snippet passes through the host CPU but restricts access to
 the provision and EINIT token keys::
 
  -cpu host,-sgx-provisionkey,-sgx-tokenkey
 
 SGX sub-features cannot be emulated, i.e. sub-features that are not present
 in hardware cannot be forced on via '-cpu'.
 
 Virtualize SGX Launch Control
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 QEMU SGX support for Launch Control (LC) is passive, in the sense that it
 does not actively change the LC configuration.  QEMU SGX provides the user
 the ability to set/clear the CPUID flag (and by extension the associated
 IA32_FEATURE_CONTROL MSR bit in fw_cfg) and saves/restores the LE Hash MSRs
 when getting/putting guest state, but QEMU does not add new controls to
 directly modify the LC configuration.  Similar to hardware behavior, locking
 the LC configuration to a non-Intel value is left to guest firmware.  Unlike
 host bios setting for SGX launch control(LC), there is no special bios setting
 for SGX guest by our design. If host is in locked mode, we can still allow
 creating VM with SGX.
 
 Feature Control
 ~~~~~~~~~~~~~~~
 
 QEMU SGX updates the ``etc/msr_feature_control`` fw_cfg entry to set the SGX
 (bit 18) and SGX LC (bit 17) flags based on their respective CPUID support,
 i.e. existing guest firmware will automatically set SGX and SGX LC accordingly,
 assuming said firmware supports fw_cfg.msr_feature_control.
 
 Launching a guest
 -----------------
 
 To launch a SGX guest:
 
 .. parsed-literal::
 
   |qemu_system_x86| \\
    -cpu host,+sgx-provisionkey \\
    -object memory-backend-epc,id=mem1,size=64M,prealloc=on \\
    -M sgx-epc.0.memdev=mem1,sgx-epc.0.node=0
 
 Utilizing SGX in the guest requires a kernel/OS with SGX support.
 The support can be determined in guest by::
 
   $ grep sgx /proc/cpuinfo
 
 and SGX epc info by::
 
   $ dmesg | grep sgx
   [    0.182807] sgx: EPC section 0x140000000-0x143ffffff
   [    0.183695] sgx: [Firmware Bug]: Unable to map EPC section to online node. Fallback to the NUMA node 0.
 
 To launch a SGX numa guest:
 
 .. parsed-literal::
 
   |qemu_system_x86| \\
    -cpu host,+sgx-provisionkey \\
    -object memory-backend-ram,size=2G,host-nodes=0,policy=bind,id=node0 \\
    -object memory-backend-epc,id=mem0,size=64M,prealloc=on,host-nodes=0,policy=bind \\
    -numa node,nodeid=0,cpus=0-1,memdev=node0 \\
    -object memory-backend-ram,size=2G,host-nodes=1,policy=bind,id=node1 \\
    -object memory-backend-epc,id=mem1,size=28M,prealloc=on,host-nodes=1,policy=bind \\
    -numa node,nodeid=1,cpus=2-3,memdev=node1 \\
    -M sgx-epc.0.memdev=mem0,sgx-epc.0.node=0,sgx-epc.1.memdev=mem1,sgx-epc.1.node=1
 
 and SGX epc numa info by::
 
   $ dmesg | grep sgx
   [    0.369937] sgx: EPC section 0x180000000-0x183ffffff
   [    0.370259] sgx: EPC section 0x184000000-0x185bfffff
 
   $ dmesg | grep SRAT
   [    0.009981] ACPI: SRAT: Node 0 PXM 0 [mem 0x180000000-0x183ffffff]
   [    0.009982] ACPI: SRAT: Node 1 PXM 1 [mem 0x184000000-0x185bfffff]
 
 References
 ----------
 
 - `SGX Homepage <https://software.intel.com/sgx>`__
 
 - `SGX SDK <https://github.com/intel/linux-sgx.git>`__
 
 - SGX specification: Intel SDM Volume 3