[libvirt] New Feature: Intel MKTME Support
Daniel P. Berrangé
berrange at redhat.com
Tue Mar 5 17:35:09 UTC 2019
On Tue, Mar 05, 2019 at 05:23:04PM +0000, Mohammed, Karimullah wrote:
> Hi Daniel,
> MKTME supports encryption of memory (NVRAM) for Virtual Machines (hardware
> based encryption). This feature uses Linux kernel key ring services, i.e.
> operations like allocation and clearing of secret keys. These keys are
> used in encryption of memory in Virtual Machines. So MKTME provides
> encryption of the entire RAM of a VM allocated to it, thereby supporting the VM
> isolation feature.
>
> So to implement this functionality in openstack
>
> 1. Nova executes a host capability command to identify whether the hardware
> supports MKTME (openstack xml host_capabilities command request
> -->> libvirt ->> QEMU) -- qemu monitoring commands
> 2. Once the hardware is identified and if the user configures an mktme policy
> to launch a VM in openstack, Nova
> a. Sends a new xml command request to libvirt, then libvirt makes
> a syscall to Linux kernel key ring services to get/retrieve a
> key/key-handle for this VM (we are not sure at this point
> whether to make this syscall directly in libvirt or through QEMU)
What will openstack do with the key / key-handle it gets back from
libvirt?
Why does it need to allocate one before starting the VMs, as opposed
to letting QEMU or libvirt allocate it during startup?
By allocating it separately from the VM start request it opens the
possibility for leaking keys, if VM startup fails and the mgmt app
doesn't release the now unused key.
> b. Once the key is retrieved, Nova compute executes a VM launch
> xml command request to libvirt with a new argument called
> mktme-keyhandle, which will send a command request to QEMU
> to launch the VM (we are in the process of supporting this
> functionality in QEMU for the VM launch operation, with a new
> mktme-key argument)
>
> We are not sure where to make these (2a) kernel system calls at present
> and are looking for suggestions.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
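The key-leak hazard Daniel raises (a key allocated in one request, the VM started in a separate request, nothing releasing the key when the start fails) can be shown with a small simulation. This is an added example, not libvirt, QEMU or Nova code: FakeKeyring is a stand-in for the kernel keyring (add_key / keyctl revoke), the integer handles it hands out are hypothetical and not real keyring serials, and the two launcher functions are illustrative patterns, not the interfaces proposed in the thread. It contrasts the two-phase flow from the proposal with allocating the key inside the start request, so a failed start releases it before the error reaches the management app.

```python
"""Simulated per-VM key lifecycle around a VM launch.

Constructed example: FakeKeyring stands in for the Linux kernel keyring; the
handles it returns are hypothetical integers, not real keyring serials, and no
libvirt, QEMU or Nova API is called.
"""
import itertools
from contextlib import contextmanager


class VMStartError(RuntimeError):
    """Raised when the simulated VM launch fails after a key was allocated."""


class FakeKeyring:
    """Stand-in for the kernel keyring: tracks which key handles are live."""

    def __init__(self):
        self._serial = itertools.count(1000)  # hypothetical handle space
        self.live = {}                        # handle -> description

    def add_key(self, description):
        handle = next(self._serial)
        self.live[handle] = description
        return handle

    def revoke(self, handle):
        # Revoking an unknown handle is an error, as with a bad keyring serial.
        del self.live[handle]

    def live_handles(self):
        return sorted(self.live)


def launch_two_phase(ring, vm_name, start_vm):
    """Flow from the proposal: the mgmt app obtains a key in one request and
    passes the handle to a separate VM-start request. If the start fails, the
    exception propagates and the handle is lost unless the app remembers to
    release it."""
    handle = ring.add_key(f"mktme:{vm_name}")
    start_vm(vm_name, handle)  # a failure here leaves the key allocated
    return handle


@contextmanager
def key_lease(ring, description):
    """Hold a key for the duration of the launch; revoke it if the launch raises."""
    handle = ring.add_key(description)
    try:
        yield handle
    except BaseException:
        ring.revoke(handle)
        raise


def launch_atomic(ring, vm_name, start_vm):
    """Allocation tied to the start request: a failed start revokes the key
    before the error is reported, so nothing is left for the caller to clean up."""
    with key_lease(ring, f"mktme:{vm_name}") as handle:
        start_vm(vm_name, handle)
    return handle


def leaked_after_failed_start(launcher):
    """Drive `launcher` with a start_vm that always fails; return how many keys remain."""
    ring = FakeKeyring()

    def failing_start(vm_name, handle):
        raise VMStartError(f"simulated QEMU failure starting {vm_name} with key {handle}")

    try:
        launcher(ring, "guest-1", failing_start)
    except VMStartError:
        pass
    return len(ring.live_handles())


def successful_start_keeps_key(launcher):
    """On a successful start the key must stay live and be the one QEMU was given."""
    ring = FakeKeyring()
    started = []
    handle = launcher(ring, "guest-2", lambda name, h: started.append((name, h)))
    return started == [("guest-2", handle)] and ring.live_handles() == [handle]


if __name__ == "__main__":
    print("keys left after failed two-phase launch:", leaked_after_failed_start(launch_two_phase))
    print("keys left after failed atomic launch:   ", leaked_after_failed_start(launch_atomic))
```

The two-phase launcher leaves one key in the ring after a failed start; the atomic launcher leaves none, and both keep the key live when the start succeeds. Against a real keyring the same shape applies, with add_key and keyctl revoke in place of the fake methods.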