2

I am trying to set up an Ubuntu 20.04 VM with QEMU on Ubuntu 22.04. The VM is up, but /dev/sgx_enclave is not present inside the VM. When I checked the EPC size, it returned "There are zero EPC sections".

sudo dmesg | grep sgx
sgx: There are zero EPC sections

I have enabled command-line args in QEMU, but it is still not working.

<qemu:commandline>
    <qemu:arg value='-cpu'/>
    <qemu:arg value='host,+sgx,+sgx-debug,+sgx-exinfo,+sgx-mode64,+sgx-provisionkey,+sgx-tokenkey,+sgx1,+sgx2,+sgxlc'/>
    <qemu:arg value='-object'/>
    <qemu:arg value='memory-backend-epc,id=mem0,size=128M,prealloc=on,host-nodes=0,policy=bind'/>
    <qemu:arg value='-object'/>
    <qemu:arg value='memory-backend-epc,id=mem1,size=128M,host-nodes=1,policy=bind'/>
    <qemu:arg value='-M'/>
    <qemu:arg value='sgx-epc.0.memdev=mem0,sgx-epc.1.memdev=mem1'/>
</qemu:commandline>

How should I fix this? Thank you in advance.

XML file:

<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit ubuntu20.04
or other application using the libvirt API.
-->

<domain type='kvm'>
  <name>ubuntu20.04</name>
  <uuid>18d9cd5f-fc23-48d9-a7c2-1dcb362d6cdc</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://ubuntu.com/ubuntu/20.04"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit='KiB'>16777216</memory>
  <currentMemory unit='KiB'>16777216</currentMemory>
  <vcpu placement='static'>8</vcpu>
  <os firmware='efi'>
    <type arch='x86_64' machine='pc-q35-6.2'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='host-passthrough' check='none' migratable='on'/>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <qemu:commandline>
      <qemu:arg value='-cpu'/>
      <qemu:arg value='host,+sgx'/>
      <qemu:arg value='-device'/>
      <qemu:arg value='sgx-epc,id=epc0,size=128M'/>
      <qemu:arg value='-device'/>
      <qemu:arg value='sgx-epc,id=epc1,size=128M'/>
    </qemu:commandline>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' discard='unmap'/>
      <source file='/home/intel/.local/share/libvirt/images/ubuntu20.04.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='sda' bus='sata'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'/>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='1' port='0x10'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='2' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='2' port='0x11'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
    </controller>
    <controller type='pci' index='3' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='3' port='0x12'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
    </controller>
    <controller type='pci' index='4' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='4' port='0x13'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
    </controller>
    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
    </controller>
    <controller type='pci' index='6' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='6' port='0x15'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
    </controller>
    <controller type='pci' index='7' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='7' port='0x16'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
    </controller>
    <controller type='pci' index='8' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='8' port='0x17'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
    </controller>
    <controller type='pci' index='9' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='9' port='0x18'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='10' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='10' port='0x19'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x1'/>
    </controller>
    <controller type='pci' index='11' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='11' port='0x1a'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x2'/>
    </controller>
    <controller type='pci' index='12' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='12' port='0x1b'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x3'/>
    </controller>
    <controller type='pci' index='13' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='13' port='0x1c'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x4'/>
    </controller>
    <controller type='pci' index='14' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='14' port='0x1d'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x5'/>
    </controller>
    <controller type='sata' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </controller>
    <interface type='user'>
      <mac address='52:54:00:35:20:bb'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='unix'>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
    <input type='tablet' bus='usb'>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <listen type='address'/>
      <image compression='off'/>
    </graphics>
    <sound model='ich9'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
    </sound>
    <audio id='1' type='spice'/>
    <video>
      <model type='virtio' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='3'/>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
    </memballoon>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
    </rng>
  </devices>
  <qemu:commandline>
    <qemu:arg value='-cpu'/>
    <qemu:arg value='host,+sgx,+sgx-debug,+sgx-exinfo,+sgx-mode64,+sgx-provisionkey,+sgx-tokenkey,+sgx1,+sgx2,+sgxlc'/>
    <qemu:arg value='-object'/>
    <qemu:arg value='memory-backend-epc,id=mem0,size=128M,prealloc=on,host-nodes=0,policy=bind'/>
    <qemu:arg value='-object'/>
    <qemu:arg value='memory-backend-epc,id=mem1,size=128M,host-nodes=1,policy=bind'/>
    <qemu:arg value='-M'/>
    <qemu:arg value='sgx-epc.0.memdev=mem0,sgx-epc.1.memdev=mem1,sgx-epc.0.node=0,sgx-epc.1.node=1'/>
  </qemu:commandline>
</domain>

2 Answers

0

Let's modify the QEMU command-line arguments:

<qemu:commandline>
  <qemu:arg value='-cpu'/>
  <qemu:arg value='host,+sgx'/>
  <qemu:arg value='-device'/>
  <qemu:arg value='sgx-epc,id=epc0,size=128M'/>
  <qemu:arg value='-device'/>
  <qemu:arg value='sgx-epc,id=epc1,size=128M'/>
</qemu:commandline>

After that, restart the VM, and then you can check whether the /dev/sgx_enclave device is present in the VM with ls /dev/sgx_enclave. If that did not work, also make sure that SGX is enabled in your host's BIOS settings and that the SGX driver is properly installed and loaded on both the host and guest systems. Also ensure that your host CPU supports SGX and that the necessary virtualization extensions are enabled.

Saxtheowl
0

With the latest libvirtd the syntax was updated, and to specify command-line options we need to add the qemu schema:

<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
......
<qemu:commandline>
    <qemu:arg value='-cpu'/>
    <qemu:arg value='host,+sgx,+sgx-debug,+sgx-exinfo,+sgx-mode64,+sgx-provisionkey,+sgx-tokenkey,+sgx1,+sgx2,+sgxlc'/>
    <qemu:arg value='-object'/>
    <qemu:arg value='memory-backend-epc,id=mem1,size=64M,prealloc=on'/>
    <qemu:arg value='-M'/>
    <qemu:arg value='sgx-epc.0.memdev=mem1'/>
</qemu:commandline>
</domain>

The syntax helped, and the VM was up with SGX mountings.
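A pre-flight check for the points raised in this thread, as an added example (not code from the question or either answer): it verifies that a domain XML declares the qemu namespace, enables +sgx, and wires every sgx-epc.N.memdev to a memory-backend-epc object. The function name `check_sgx_domain` and the sample domain are hypothetical, and it assumes libvirt's rule that `<qemu:commandline>` sits directly under `<domain>`.

```python
import re
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"  # URI quoted in the second answer
CMD, ARG = f"{{{QEMU_NS}}}commandline", f"{{{QEMU_NS}}}arg"

def check_sgx_domain(xml_text):
    """Return a list of problems that would keep EPC from reaching the guest."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # <qemu:...> elements without xmlns:qemu on <domain> are an unbound prefix.
        return [f"XML does not parse (is xmlns:qemu declared on <domain>?): {exc}"]
    problems = []
    top = root.findall(CMD)  # direct children of <domain> only
    if any(e not in top for e in root.iter(CMD)):
        problems.append("qemu:commandline nested below <domain>; expected a direct child")
    if not top:
        return problems + ["no qemu:commandline directly under <domain>"]
    args = [a.get("value", "") for blk in top for a in blk.findall(ARG)]
    opts = list(zip(args, args[1:]))  # (option, following value) pairs
    if not any(o == "-cpu" and "+sgx" in v.split(",") for o, v in opts):
        problems.append("-cpu does not enable +sgx")
    backends = set()
    for o, v in opts:
        m = re.search(r"(?:^|,)id=([^,]+)", v)
        if o == "-object" and v.startswith("memory-backend-epc") and m:
            backends.add(m.group(1))
    refs = [r for o, v in opts if o in ("-M", "-machine")
            for r in re.findall(r"sgx-epc\.\d+\.memdev=([^,]+)", v)]
    if not refs:
        problems.append("no sgx-epc.N.memdev machine property, so no EPC is given to the guest")
    problems += [f"sgx-epc memdev '{r}' has no memory-backend-epc object"
                 for r in refs if r not in backends]
    return problems

# Constructed sample: a trimmed domain carrying the second answer's arguments.
GOOD = f"""<domain type='kvm' xmlns:qemu='{QEMU_NS}'>
  <name>sample</name>
  <qemu:commandline>
    <qemu:arg value='-cpu'/><qemu:arg value='host,+sgx'/>
    <qemu:arg value='-object'/>
    <qemu:arg value='memory-backend-epc,id=mem1,size=64M,prealloc=on'/>
    <qemu:arg value='-M'/><qemu:arg value='sgx-epc.0.memdev=mem1'/>
  </qemu:commandline>
</domain>"""

if __name__ == "__main__":
    print(check_sgx_domain(GOOD))                                   # fixed form
    print(check_sgx_domain(GOOD.replace(f" xmlns:qemu='{QEMU_NS}'", "")))  # namespace dropped
```

Run it against the output of `virsh dumpxml` for the domain before booting the guest; an empty list means the XML-level prerequisites are in place, not that the host BIOS or kernel side is.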