On Tue, 2024-01-09 at 23:22 +0100, Felix Kronlage-Dammers wrote:
Hi Mahendra!
On 9 Jan 2024, at 23:03, Mahendra Paipuri wrote:
Cheers Felix. That is quite interesting work and thanks for the links. Are you working only with Intel SGX/TDX or also looking at AMD SEV-SNP?
The colleagues from OSISM (who work on the forward porting of the SGX patchset) are looking specifically at the SGX patchset. However that story is part of a larger epic[1] - that has a larger scope. As part of that we will also look at the current (existing[2]) support of SEV.
Have you considered actually working with the upstream community to support this? Intel has not reached out to the Nova community to extend the SEV support, and the current support was intentionally designed so that it could be extended to Intel's multi-key encrypted memory features in the future.

https://github.com/openstack/nova-specs/blob/c6b6eab6304203f6fca32dd3ce074b0...
https://github.com/openstack/nova-specs/blob/c6b6eab6304203f6fca32dd3ce074b0...

The out-of-tree patches you are maintaining in https://github.com/intel/secured-cloud-management-stack/blob/main/nova-intel... are going to break release to release. While this may be useful for operators that roll their own OpenStack packages and backport or patch the upstream source, in its current form the work that is being done without upstream engagement is never going to make it into a vendor distribution. If there is interest in enabling SGX, I would suggest bringing it up at the next virtual PTG and proposing it for the next cycle. The spec freeze deadline for Caracal is tomorrow, so we won't have time to review it this cycle.

I have only skimmed the Nova patch, but one thing that did jump out at me that would have to change is https://github.com/intel/secured-cloud-management-stack/blob/main/nova-intel... We do not allow raw QEMU commands in Nova upstream; in general they are not stable across QEMU releases, and using them taints the libvirt domain, which generally renders the VM unsupported on commercial distros. https://github.com/intel/secured-cloud-management-stack/blob/main/nova-intel... would have to be updated to use something like

    <memory model='sgx-epc'>
      <source>
        <nodemask>0-1</nodemask>
      </source>
      <target>
        <size unit='KiB'>16384</size>
        <node>0</node>
      </target>
    </memory>
    <memory model='sgx-epc'>
      <target>
        <size unit='KiB'>16384</size>
      </target>
    </memory>

It looks like libvirt gained SGX support around 7.9.0, based on https://libvirt.org/formatdomain.html#memory-devices
My talk on this subject that I submitted to FOSDEM was sadly not accepted, but I will likely further publish it as a series of blogposts or similar.
felix
[1] https://github.com/SovereignCloudStack/issues/issues/39
[2] https://docs.openstack.org/nova/latest/admin/sev.html

--
Felix Kronlage-Dammers
Product Owner IaaS & Operations
Sovereign Cloud Stack
Sovereign Cloud Stack — standardized, built and operated by many
A project of the Open Source Business Alliance - Bundesverband für digitale Souveränität e.V.
Tel.: +49-30-206539-205 | Matrix: @fkronlage:matrix.org | fkr@osb-alliance.com
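The thread above contrasts two ways of giving a guest SGX EPC: raw QEMU arguments passed through libvirt's qemu namespace (which taints the domain) and libvirt's native `<memory model='sgx-epc'>` device. The following audit script is an added example, not code from the thread or from either project: it parses a libvirt domain XML, flags the qemu:commandline taint and lists the sgx-epc devices with their sizes normalised to KiB. Both sample domains are constructed; the raw QEMU argument value is a placeholder.

```python
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"
# Unit suffixes libvirt accepts on <size>; the default unit is KiB.
UNIT_BYTES = {"b": 1, "bytes": 1, "KB": 10**3, "KiB": 2**10,
              "MB": 10**6, "MiB": 2**20, "GB": 10**9, "GiB": 2**30}

# Constructed sample: a guest configured through the qemu namespace
# passthrough, the pattern the thread objects to (argument is a placeholder).
TAINTED_DOMAIN = f"""<domain type='kvm' xmlns:qemu='{QEMU_NS}'>
  <name>sgx-raw</name>
  <qemu:commandline>
    <qemu:arg value='PLACEHOLDER-OPTION'/>
  </qemu:commandline>
</domain>"""

# Constructed sample: the libvirt-native sgx-epc devices from the thread.
NATIVE_DOMAIN = """<domain type='kvm'>
  <name>sgx-native</name>
  <devices>
    <memory model='sgx-epc'>
      <source><nodemask>0-1</nodemask></source>
      <target><size unit='KiB'>16384</size><node>0</node></target>
    </memory>
    <memory model='sgx-epc'>
      <target><size unit='KiB'>16384</size></target>
    </memory>
  </devices>
</domain>"""


def size_to_kib(size_elem):
    """Convert a libvirt <size> element to KiB using its unit attribute."""
    return int(size_elem.text) * UNIT_BYTES[size_elem.get("unit", "KiB")] // 1024


def audit_domain(domain_xml):
    """Report qemu:commandline taint and every sgx-epc memory device."""
    root = ET.fromstring(domain_xml)
    tainted = root.find(f"{{{QEMU_NS}}}commandline") is not None
    devices = []
    for mem in root.iterfind("./devices/memory[@model='sgx-epc']"):
        size = mem.find("./target/size")
        node = mem.find("./target/node")
        mask = mem.find("./source/nodemask")
        devices.append({"size_kib": size_to_kib(size) if size is not None else 0,
                        "node": int(node.text) if node is not None else None,
                        "nodemask": mask.text if mask is not None else None})
    return {"tainted": tainted, "epc_devices": devices,
            "epc_total_kib": sum(d["size_kib"] for d in devices)}


if __name__ == "__main__":
    for xml in (TAINTED_DOMAIN, NATIVE_DOMAIN):
        print(audit_domain(xml))
```

Run against `virsh dumpxml <domain>` output, a non-empty `tainted` flag is the condition the thread says makes a guest unsupported on commercial distributions.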