| author | Haibin Huang <haibin.huang@intel.com> | 2022-11-10 17:21:22 -0800 |
|---|---|---|
| committer | Michal Privoznik <mprivozn@redhat.com> | 2022-11-11 14:06:31 +0100 |
| commit | 8db09767a9d858cb085f4b790ed627136922d78f (patch) | |
| tree | 9f5521f85a54b793de6a8cf2bdee188a8ca65d11 /docs/formatdomaincaps.rst | |
| parent | 6b7c36c8c223c728b8c8c8a0c6d4d5d21918c42e (diff) | |
| download | libvirt-8db09767a9d858cb085f4b790ed627136922d78f.tar.gz | |
conf: expose SGX feature in domain capabilities
Extend hypervisor capabilities to include sgx feature. When available,
the hypervisor supports launching a VM with SGX on Intel platform.
The SGX feature tag provides additional details like section size and
sgx1 or sgx2.
Signed-off-by: Haibin Huang <haibin.huang@intel.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Diffstat (limited to 'docs/formatdomaincaps.rst')
-rw-r--r-- | docs/formatdomaincaps.rst | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/docs/formatdomaincaps.rst b/docs/formatdomaincaps.rst index f95d3a7083..532fea0f60 100644 --- a/docs/formatdomaincaps.rst +++ b/docs/formatdomaincaps.rst @@ -614,6 +614,16 @@ capabilities. All features occur as children of the main ``features`` element. <cbitpos>47</cbitpos> <reduced-phys-bits>1</reduced-phys-bits> </sev> + <sgx supported='yes'> + <flc>no</flc> + <sgx1>yes</sgx1> + <sgx2>no</sgx2> + <section_size unit='KiB'>524288</section_size> + <sections> + <section node='0' size='262144' unit='KiB'/> + <section node='1' size='262144' unit='KiB'/> + </sections> + </sgx> </features> </domainCapabilities> @@ -693,3 +703,33 @@ in domain XML <formatdomain.html#launch-security>`__ ``maxESGuests`` The maximum number of SEV-ES guests that can be launched on the host. This value may be configurable in the firmware for some hosts. + +SGX capabilities +^^^^^^^^^^^^^^^^ + +Intel Software Guard Extensions (Intel SGX) capabilities are exposed under the +``sgx`` element. + +Intel SGX helps protect data in use via unique application isolation technology. +Protect selected code and data from modification using hardened enclaves with +Intel SGX. + +For more details on the SGX feature, please follow resources in the SGX developer's +document store. In order to use SGX with libvirt have a look at `SGX in domain XML +<formatdomain.html#memory-devices>`__ + +``flc`` + FLC (Flexible Launch Control), not strictly part of SGX2, but was not part of + original SGX hardware either. + +``sgx1`` + the sgx version 1. + +``sgx2`` + The sgx version 2. + +``section_size`` + The size of the SGX enclave page cache (called EPC). + +``sections`` + The sections of the SGX enclave page cache (called EPC). |
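Review bot: the new `section_size` element uses an underscore while `reduced-phys-bits` in the same `features` block, a few lines above it, uses hyphens; consider settling on one naming style (for example `section-size`) before the element name is frozen in the public capabilities XML. The example is otherwise internally consistent: the two `section` entries of 262144 KiB on nodes 0 and 1 add up to the 524288 KiB reported in `section_size`, and that relationship is worth stating in the accompanying documentation so consumers of the XML know how to interpret the two values together.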
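Review bot: the `sections` entry documents only the container element; the per-section attributes shown in the example hunk (`node`, `size`, `unit`) are not described, so a reader cannot tell what `node` refers to or that `size` is expressed in `unit`. Suggest adding a `section` sub-entry that explains each attribute. Three smaller points in the same hunk: the `flc` text says what FLC is not rather than what a `yes`/`no` value reports, so it should state what is being reported; the `sgx1`/`sgx2` entries ("the sgx version 1", "The sgx version 2") are inconsistently capitalised and likewise omit that the value indicates whether the host supports that version; and "please follow resources in the SGX developer's document store" names a resource without linking it, while the neighbouring `SGX in domain XML` reference does carry a link. "Protect selected code and data from modification using hardened enclaves with Intel SGX." is also an imperative fragment in otherwise descriptive prose and reads better as a statement of what the feature does.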