runtime: add support for SGX

Support the `sgx.intel.com/epc` annotation that is defined by the intel k8s plugin. This annotation enables SGX. Hardware-based isolation and memory encryption. For example, use `sgx.intel.com/epc = "64Mi"` to create a container with 1 EPC section with pre-allocated memory. At the time of writing this patch, SGX patches have not landed on the linux kernel project. The following github kernel fork contains all the SGX patches for the host and guest: https://github.com/intel/kvm-sgx fixes #483 Signed-off-by: Julio Montes <julio.montes@intel.com>
2025-04-28 19:54:35 +00:00 · 2020-09-22 15:33:51 -05:00 · 2020-09-22 15:33:51 -05:00 · 6df165c19d
commit 6df165c19d
parent cce80bf746
10 changed files with 52 additions and 0 deletions
--- a/src/runtime/pkg/katautils/config-settings.go.in
+++ b/src/runtime/pkg/katautils/config-settings.go.in
@ -56,6 +56,8 @@ const defaultVhostUserStorePath string = "/var/run/kata-containers/vhost-user/"
 const defaultRxRateLimiterMaxRate = uint64(0)
 const defaultTxRateLimiterMaxRate = uint64(0)

+var defaultSGXEPCSize = int64(0)
+
 const defaultTemplatePath string = "/run/vc/vm/template"
 const defaultVMCacheEndpoint string = "/var/run/kata-containers/cache.sock"

--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@ -822,6 +822,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		PCIeRootPort:            h.PCIeRootPort,
 		DisableVhostNet:         true,
 		VirtioFSExtraArgs:       h.VirtioFSExtraArgs,
+		SGXEPCSize:              defaultSGXEPCSize,
 	}, nil
 }

@ -1014,6 +1015,7 @@ func GetDefaultHypervisorConfig() vc.HypervisorConfig {
 		DisableImageNvdimm:      defaultDisableImageNvdimm,
 		RxRateLimiterMaxRate:    defaultRxRateLimiterMaxRate,
 		TxRateLimiterMaxRate:    defaultTxRateLimiterMaxRate,
+		SGXEPCSize:              defaultSGXEPCSize,
 	}
 }

--- a/src/runtime/pkg/katautils/config_test.go
+++ b/src/runtime/pkg/katautils/config_test.go
@ -83,6 +83,7 @@ func createAllRuntimeConfigFiles(dir, hypervisor string) (config testRuntimeConf
 	disableNewNetNs := false
 	sharedFS := "virtio-9p"
 	virtioFSdaemon := path.Join(dir, "virtiofsd")
+	epcSize := int64(0)

 	configFileOptions := ktu.RuntimeConfigOptions{
 		Hypervisor:           "qemu",
@ -165,6 +166,7 @@ func createAllRuntimeConfigFiles(dir, hypervisor string) (config testRuntimeConf
 		SharedFS:              sharedFS,
 		VirtioFSDaemon:        virtioFSdaemon,
 		VirtioFSCache:         defaultVirtioFSCacheMode,
+		SGXEPCSize:            epcSize,
 	}

 	agentConfig := vc.KataAgentConfig{
--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
@ -321,6 +321,15 @@ func (clh *cloudHypervisor) createSandbox(ctx context.Context, id string, networ
 		cache:      clh.config.VirtioFSCache,
 	}

+	if clh.config.SGXEPCSize > 0 {
+		epcSection := chclient.SgxEpcConfig{
+			Size:     clh.config.SGXEPCSize,
+			Prefault: true,
+		}
+
+		clh.vmconfig.SgxEpc = append(clh.vmconfig.SgxEpc, epcSection)
+	}
+
 	return nil
 }

--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@ -415,6 +415,10 @@ type HypervisorConfig struct {

 	// TxRateLimiterMaxRate is used to control network I/O outbound bandwidth on VM level.
 	TxRateLimiterMaxRate uint64
+
+	// SGXEPCSize specifies the size in bytes for the EPC Section.
+	// Enable SGX. Hardware-based isolation and memory encryption.
+	SGXEPCSize int64
 }

 // vcpu mapping from vcpu number to thread number
--- a/src/runtime/virtcontainers/persist.go
+++ b/src/runtime/virtcontainers/persist.go
@ -247,6 +247,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 		VMid:                    sconfig.HypervisorConfig.VMid,
 		RxRateLimiterMaxRate:    sconfig.HypervisorConfig.RxRateLimiterMaxRate,
 		TxRateLimiterMaxRate:    sconfig.HypervisorConfig.TxRateLimiterMaxRate,
+		SGXEPCSize:              sconfig.HypervisorConfig.SGXEPCSize,
 	}

 	ss.Config.KataAgentConfig = &persistapi.KataAgentConfig{
@ -508,6 +509,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 		VMid:                    hconf.VMid,
 		RxRateLimiterMaxRate:    hconf.RxRateLimiterMaxRate,
 		TxRateLimiterMaxRate:    hconf.TxRateLimiterMaxRate,
+		SGXEPCSize:              hconf.SGXEPCSize,
 	}

 	sconfig.AgentConfig = KataAgentConfig{
--- a/src/runtime/virtcontainers/persist/api/config.go
+++ b/src/runtime/virtcontainers/persist/api/config.go
@ -185,6 +185,10 @@ type HypervisorConfig struct {

 	// TxRateLimiterMaxRate is used to control network I/O outbound bandwidth on VM level.
 	TxRateLimiterMaxRate uint64
+
+	// SGXEPCSize specifies the size in bytes for the EPC Section.
+	// Enable SGX. Hardware-based isolation and memory encryption.
+	SGXEPCSize int64
 }

 // KataAgentConfig is a structure storing information needed
--- a/src/runtime/virtcontainers/pkg/annotations/annotations.go
+++ b/src/runtime/virtcontainers/pkg/annotations/annotations.go
@ -270,3 +270,13 @@ const (
 	// SHA512 is the SHA-512 (64) hash algorithm
 	SHA512 string = "sha512"
 )
+
+// Third-party annotations - annotations defined by other projects or k8s plugins
+// but that can change Kata Containers behaviour.
+
+const (
+	// This annotation enables SGX. Hardware-based isolation and memory encryption.
+	// Supported suffixes are: Ki | Mi | Gi | Ti | Pi | Ei . For example: 4Mi
+	// For more information about supported suffixes see https://physics.nist.gov/cuu/Units/binary.html
+	SGXEPC = "sgx.intel.com/epc"
+)
--- a/src/runtime/virtcontainers/pkg/oci/utils.go
+++ b/src/runtime/virtcontainers/pkg/oci/utils.go
@ -19,6 +19,7 @@ import (
 	crioAnnotations "github.com/cri-o/cri-o/pkg/annotations"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/api/resource"

 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/device/config"
@ -442,6 +443,20 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig)
 			config.HypervisorConfig.EntropySource = value
 		}
 	}
+	if epcSize, ok := ocispec.Annotations[vcAnnotations.SGXEPC]; ok {
+		quantity, err := resource.ParseQuantity(epcSize)
+		if err != nil {
+			return fmt.Errorf("Couldn't parse EPC '%v': %v", err, epcSize)
+		}
+
+		if quantity.Format != resource.BinarySI {
+			return fmt.Errorf("Unsupported EPC format '%v': use Ki | Mi | Gi | Ti | Pi | Ei as suffix", epcSize)
+		}
+
+		size, _ := quantity.AsInt64()
+
+		config.HypervisorConfig.SGXEPCSize = size
+	}

 	return nil
 }
--- a/src/runtime/virtcontainers/pkg/oci/utils_test.go
+++ b/src/runtime/virtcontainers/pkg/oci/utils_test.go
@ -787,6 +787,7 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 	ocispec.Annotations[vcAnnotations.PCIeRootPort] = "2"
 	ocispec.Annotations[vcAnnotations.EntropySource] = "/dev/urandom"
 	ocispec.Annotations[vcAnnotations.IOMMUPlatform] = "true"
+	ocispec.Annotations[vcAnnotations.SGXEPC] = "64Mi"
 	// 10Mbit
 	ocispec.Annotations[vcAnnotations.RxRateLimiterMaxRate] = "10000000"
 	ocispec.Annotations[vcAnnotations.TxRateLimiterMaxRate] = "10000000"
@ -823,6 +824,7 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 	assert.Equal(config.HypervisorConfig.PCIeRootPort, uint32(2))
 	assert.Equal(config.HypervisorConfig.EntropySource, "/dev/urandom")
 	assert.Equal(config.HypervisorConfig.IOMMUPlatform, true)
+	assert.Equal(config.HypervisorConfig.SGXEPCSize, int64(67108864))
 	assert.Equal(config.HypervisorConfig.RxRateLimiterMaxRate, uint64(10000000))
 	assert.Equal(config.HypervisorConfig.TxRateLimiterMaxRate, uint64(10000000))