I’m experimenting with some features of OpenNebula.
I’ve successfully started a Windows 10 guest following the documentation and it all went smoothly.
Now I was trying to do some setups with Open Enclave SDK to do some tests (I originally successfully ran the samples on Windows installed on top of the host) but it seems like I’m not able to load the SGX driver even if I’ve added some flag in the VM Template, like this:
Don’t know if the CPU Features are needed since it’s already host-passthrough.
Inside the host my CPU is correctly recognized but running the samples provided from the Open Enclave source returns an error that normally requires enabling Intel SGX in the BIOS.
So maybe something here needs to change. Don’t know if it’s a topic you can help me with since it’s not related to OpenNebula directly… but probably it requires a different template configuration that I’m missing.
Thank you!
Versions of the related components and OS (frontend, hypervisors, VMs):
Frontend: Ubuntu 24.04 LTS
Host: Ubuntu 22.04 LTS
VM Guest: Windows 10 Home Edition
HW is the same for both frontend and host part and it does support Intel SGX, correctly enabled in the bios.
It looks like it’s more “outside” OpenNebula scope, but we are definitely interested in knowing more about the use case you have around this TEE.
In any case, if you have Intel SGX configured in the BIOS, the only thing I’ve found from the OpenNebula side is that you have to use KVM as the hypervisor and customize the VM templates to enable SGX passthrough (via RAW attributes):
RAW = [
TYPE = "kvm",
DATA = "<cpu mode='host-passthrough'><feature policy='require' name='sgx'/></cpu>"
]
(Check more info about Template Customization on our Documentation)
Restart the VM and that should work.
Let us know if it’s enough with this, and we’ll take a deeper look.
Since I’ve configured the CPU model as host-passthrough, is there any conflict that can happen with the raw data? Do I need to remove the info from the CPU model and features as in my image?
Moreover, if I update the VM template, will my VM take all the new values or do I need to reinstantiate it as well?
Anyway I’m using KVM.
For now it is just for testing purposes, no real use case!
About the second question, a change in the template won’t affect the currently running instances, so unfortunately you will have to reinstantiate them.
About the first one, being host-passthrough means that the ABI of the VM will be compatible with the processors with the same extension in case that you want to migrate that VM between them, but the OS also has its point about using them.
In a Linux virtual machine running on your infrastructure, do you get any output when running grep -i sgx /proc/cpuinfo?
Do you have the latest QEMU drivers installed on the Windows guest machine? Sometimes some “virtual hardware” is not totally recognized by Windows guests.
I know I can use OpenEnclave without FLC since it’s not supported on my machine. But on a Windows host installed directly on top of the HW I was able to run the sample with SGX1 (no FLC configured).
For the second point I don’t know if I have them. I’ve followed the guide in the OpenNebula documentation and installed the drivers with VirtIO, downloading the stable ones from the URL provided.
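
As an added example (not part of the original posts), the grep check suggested in this thread can be made stricter inside a Linux guest: a plain grep -i sgx also matches sgx_lc, the flag Linux reports for Flexible Launch Control, so this script matches whole flag names and reports the two separately. The function names and the sample flags line are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which SGX-related CPU flags a Linux guest exposes.
# Usage: sgx_report [path]   (defaults to /proc/cpuinfo)

# has_flag FILE FLAG: succeed if FLAG is a whole word on a "flags" line.
has_flag() {
    awk -v want="$2" '
        /^flags[ \t]*:/ {
            sub(/^[^:]*:/, "")            # drop the "flags :" prefix
            n = split($0, f, " ")         # one array entry per flag
            for (i = 1; i <= n; i++)
                if (f[i] == want) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# sgx_report [FILE]: print one line, e.g. "sgx=yes sgx_lc=no".
#   sgx    = the CPU seen by this OS advertises SGX
#   sgx_lc = it also advertises Flexible Launch Control (FLC)
sgx_report() {
    file="${1:-/proc/cpuinfo}"
    sgx=no
    lc=no
    if has_flag "$file" sgx; then sgx=yes; fi
    if has_flag "$file" sgx_lc; then lc=yes; fi
    echo "sgx=$sgx sgx_lc=$lc"
}

# Constructed sample: a guest that sees SGX but not FLC.
sample_sgx1() {
    printf 'processor\t: 0\nflags\t\t: fpu vme sse2 sgx aes avx2\n'
}

# Demo on the constructed sample; call sgx_report with no argument
# inside a real guest to read /proc/cpuinfo instead.
tmp=$(mktemp)
sample_sgx1 > "$tmp"
sgx_report "$tmp"
rm -f "$tmp"
```

If this prints sgx=no inside the guest while the host reports sgx=yes, the feature is not reaching the VM and the guest OS and its drivers are not the cause.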