intel/qemu-sgx

Virtualization on Host whose Launch Control is locked

xymeng16 opened this issue · 3 comments

Hi, I would like to know something about those hosts whose launch control is locked by BIOS and cannot be unlocked. I am using such a host.
My CPU is an i7-8086K and the motherboard is an ASUS ROG STRIX Z370-H. The OOT driver was tested before and works fine.
The kernel message of my host is:

x86/cpu: SGX Launch Control is locked. Support SGX virtualization only.  
sgx: EPC section xxxx-xxxx

As I do not want to downgrade my kernel to use the OOT driver, I decided to try SGX virtualization. I followed the document to enable SGX for an Ubuntu 20.04 guest, but in the /dev directory I can only find sgx_vepc and sgx_provision. The most important device, sgx_enclave, is still missing, just like in my host OS.

I checked the kernel log of the guest and it seems okay:

[    0.478980] sgx: EPC section 0x180000000-0x183ffffff  
[    0.479053] sgx: [Firmware Bug]: Unable to map EPC section to online node. Fallback to the NUMA node 0

My qemu parameters are:

  <qemu:commandline>  
    <qemu:arg value="-cpu"/>  
    <qemu:arg value="host,+sgx-provisionkey"/>  
    <qemu:arg value="-object"/>  
    <qemu:arg value="memory-backend-epc,id=mem1,size=64M,prealloc=on"/>  
    <qemu:arg value="-M"/>  
    <qemu:arg value="sgx-epc.0.memdev=mem1,sgx-epc.0.node=0"/>  
  </qemu:commandline>  

I tried to add +sgxlc, but the VM failed to start. However, when I start qemu without libvirt, +sgxlc does not fail. Then I tried the following command to boot directly from an Ubuntu ISO; nothing is wrong with the boot or the kernel messages, but sgx_enclave is still absent:

sudo qemu-system-x86_64 \  
-enable-kvm -cpu host,+sgxlc,+sgx-provisionkey \  
-object memory-backend-epc,id=mem1,size=64M,prealloc=on \  
-M sgx-epc.0.memdev=mem1,sgx-epc.0.node=0 \  
-boot d -cdrom ubuntu-20.04.4-desktop-amd64.iso -m 4096  

I also tried to change the CPU model from host to a newer one, like Icelake-Server-v1, by using -cpu Icelake-Server-v1,+sgx,+sgxlc,+sgx-provisionkey, but still without any luck. This time even sgx_vepc and sgx_provision disappeared. But the kernel message is still:

sgx: EPC section 0x140000000-0x143ffffff  
sgx: [Firmware Bug]: Unable to map EPC section to online node. Fallback to the NUMA node 0  

I am quite confused by this bug because the kernel message indicates that SGX should work fine, but sgx_enclave does not appear. Please kindly help me, or at least provide some useful information about whether I made any mistake.

Thanks!

Problem is solved. For old CPUs without flexible launch control support, you must use the OOT driver. Otherwise, only SGX virtualization will be supported. The FLC feature cannot be simulated!
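The distinction drawn in the resolution above (SGX enabled but Launch Control locked gives "virtualization only", i.e. /dev/sgx_vepc without /dev/sgx_enclave) can be checked directly from the two architectural sources the kernel consults: CPUID.(EAX=7,ECX=0) and the IA32_FEATURE_CONTROL MSR. The program below is an added example, not code from this issue or from the qemu-sgx project. It assumes x86-64 Linux with GCC or Clang, the `msr` kernel module loaded, and root to read `/dev/cpu/0/msr`; the bit positions are the documented architectural ones (SDM), and the classification mirrors the decision the in-tree driver makes at boot. It can be run on the host and inside a guest to see which state each side is in.

```c
/* sgx_lc_check.c: added example, not from the issue or qemu-sgx.
 * Build: gcc -O2 -o sgx_lc_check sgx_lc_check.c   (run as root)
 * Assumes x86-64 Linux, the msr module loaded, /dev/cpu/0/msr readable.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Architectural bit positions (Intel SDM). */
#define MSR_IA32_FEATURE_CONTROL 0x3a
#define FEAT_CTL_LOCKED          (1ULL << 0)  /* BIOS locked the MSR */
#define FEAT_CTL_SGX_LC_ENABLED  (1ULL << 17) /* SGX Launch Control enable */
#define FEAT_CTL_SGX_ENABLED     (1ULL << 18) /* SGX global enable */
#define CPUID7_EBX_SGX           (1u << 2)    /* CPUID.(7,0):EBX[2] */
#define CPUID7_ECX_SGX_LC        (1u << 30)   /* CPUID.(7,0):ECX[30] */

enum sgx_state {
    SGX_UNSUPPORTED, /* CPU has no SGX at all */
    SGX_DISABLED,    /* SGX present but disabled by BIOS: no /dev/sgx_* */
    SGX_VIRT_ONLY,   /* SGX on, FLC absent or locked off: /dev/sgx_vepc only */
    SGX_FULL         /* SGX on and FLC on: /dev/sgx_enclave can appear */
};

/* Pure decision logic. FLC is usable only when CPUID advertises SGX_LC AND
 * IA32_FEATURE_CONTROL has the SGX_LC enable bit set; the kernel can set that
 * bit itself only while the MSR is still unlocked, so a BIOS-locked MSR with
 * bit 17 clear leaves the host in the "virtualization only" state. */
enum sgx_state classify_sgx(uint32_t cpuid7_ebx, uint32_t cpuid7_ecx,
                            uint64_t feat_ctl)
{
    if (!(cpuid7_ebx & CPUID7_EBX_SGX))
        return SGX_UNSUPPORTED;
    if (!(feat_ctl & FEAT_CTL_SGX_ENABLED))
        return SGX_DISABLED;
    if ((cpuid7_ecx & CPUID7_ECX_SGX_LC) && (feat_ctl & FEAT_CTL_SGX_LC_ENABLED))
        return SGX_FULL;
    return SGX_VIRT_ONLY;
}

const char *sgx_state_name(enum sgx_state s)
{
    switch (s) {
    case SGX_UNSUPPORTED: return "no SGX on this CPU";
    case SGX_DISABLED:    return "SGX disabled by BIOS";
    case SGX_VIRT_ONLY:   return "SGX virtualization only (Launch Control locked)";
    case SGX_FULL:        return "SGX with Launch Control (in-tree driver usable)";
    }
    return "unknown";
}

/* Read IA32_FEATURE_CONTROL for CPU 0 through the msr driver. 0 on success. */
int read_feature_control(uint64_t *out)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, out, sizeof(*out), MSR_IA32_FEATURE_CONTROL);
    close(fd);
    return n == (ssize_t)sizeof(*out) ? 0 : -1;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t eax, ebx, ecx, edx;
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    uint64_t feat_ctl;
    if (read_feature_control(&feat_ctl) != 0) {
        fprintf(stderr, "cannot read /dev/cpu/0/msr: %s (root? modprobe msr?)\n",
                strerror(errno));
        return 1;
    }
    printf("CPUID.7: SGX=%d SGX_LC=%d\n", !!(ebx & CPUID7_EBX_SGX),
           !!(ecx & CPUID7_ECX_SGX_LC));
    printf("IA32_FEATURE_CONTROL=0x%llx lock=%d sgx=%d sgx_lc=%d\n",
           (unsigned long long)feat_ctl, !!(feat_ctl & FEAT_CTL_LOCKED),
           !!(feat_ctl & FEAT_CTL_SGX_ENABLED),
           !!(feat_ctl & FEAT_CTL_SGX_LC_ENABLED));
    printf("state: %s\n", sgx_state_name(classify_sgx(ebx, ecx, feat_ctl)));
    return 0;
#else
    fputs("this check only applies to x86\n", stderr);
    return 1;
#endif
}
```

If the program reports "SGX virtualization only" on the host, then as the resolution says the guest cannot be given Launch Control either: KVM only passes SGX_LC through when the host itself has it enabled, so `+sgxlc` on the qemu command line does not create /dev/sgx_enclave in the guest, and an OOT driver is needed wherever enclaves are to be loaded.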

Hi, can you share with me your configuration and versions of the host OS and qemu-sgx ('vm'.xml if possible)? I have a similar problem but no idea what to do. Many thanks.

I don't have a copy of the qemu configuration now. But I just followed the official tutorial, so there would not be large differences in the configuration. If you have a similar problem, I suggest you use the OOT driver in the guest.