[libvirt] New Feature: Intel MKTME Support

Daniel P. Berrangé berrange at redhat.com
Tue Mar 5 17:35:09 UTC 2019


On Tue, Mar 05, 2019 at 05:23:04PM +0000, Mohammed, Karimullah wrote:
> Hi Daniel,
> MKTME supports encryption of memory (NVRAM) for Virtual Machines (hardware
> based encryption). This feature uses Linux kernel key ring services, i.e.
> operations like allocation and clearing of secrets/keys. These keys are
> used in encryption of memory in Virtual Machines. So MKTME provides
> encryption of the entire RAM of a VM allocated to it, thereby supporting the VM
> isolation feature.
> 
> So to implement this functionality in openstack:
> 
> 1. Nova executes the host capability command to identify if the hardware
>     supports MKTME (openstack xml host_capabilities command request
>     -->> libvirt ->> QEMU) -- qemu monitoring commands
> 2. Once the hardware is identified, and if the user configures an mktme policy
>    to launch a VM in openstack, Nova
> 	a. Sends a new xml command request to libvirt, then libvirt makes
>          a syscall to Linux kernel key ring services to get/retrieve a
>          key/key-handle for this VM (we are not sure at this point
>          whether to make this syscall directly in libvirt or through QEMU)

What will openstack do with the key / key-handle it gets back from
libvirt ?

Why does it need to allocate one before starting the VMs, as opposed
to letting QEMU or libvirt allocate it during startup ?

By allocating it separately from the VM start request it opens the
possibility for leaking keys, if VM startup fails and the mgmt app
doesn't release the now unused key.

> 	b. Once the key is retrieved, Nova compute executes a VM launch
>          xml command request to libvirt with a new argument called
>          mktme-keyhandle, which will send a command request to QEMU
>          to launch the VM (we are in the process of supporting this
>          functionality in QEMU for the VM launch operation, with a new
>          mktme-key argument)
> 
> We are not sure where to make this (2a) kernel system call at present
> and are looking for suggestions.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|