Enable /dev/sgx_vepc access for the group 'sgx'
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| systemd (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Jammy | Fix Released | Undecided | Unassigned | |
Bug Description
[ Impact ]
On systems where Intel SGX is available, access to a specific device node (/dev/sgx_vepc) must be enforced with a specific permission (0660) and group (sgx).
This allows KVM-based virtual machines to use this feature (SGX "enclaves") properly. Without this, a manual udev rule needs to be created.
[ Test Plan ]
As the patch itself only tailors the permissions and group of the device node, on a system with Intel SGX enabled, merely running `ls -la` against the device node should show whether the permissions and group are as expected.
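A script that performs the check described in the test plan, added here as an example (not part of the Ubuntu or systemd patch): it reads the mode and group of the device node and compares them with the values the patch enforces, so it can be run before and after installing the update. It assumes GNU coreutils `stat` (Linux); the node path, group and mode default to the values given in the bug description.

```shell
#!/bin/sh
# Added example (not the patch's code): verify that a device node carries the
# permissions (0660) and group (sgx) that the systemd udev rule is meant to set.
# Assumes GNU coreutils `stat`. Exit codes: 0 = OK, 1 = mismatch, 2 = node absent.
#
# Without the patch, the same outcome needs a manual udev rule carrying the same
# values, along the lines of (match keys are an assumption, not from the bug page):
#   SUBSYSTEM=="misc", KERNEL=="sgx_vepc", MODE="0660", GROUP="sgx"

check_sgx_vepc_perms() {
    node="${1:-/dev/sgx_vepc}"
    want_group="${2:-sgx}"
    want_mode="${3:-0660}"

    if [ ! -e "$node" ]; then
        echo "$node: missing (no SGX virtualization support, or driver not loaded)" >&2
        return 2
    fi

    mode=$(stat -c '%a' "$node") || return 2
    group=$(stat -c '%G' "$node") || return 2

    # stat prints "660" while the bug page writes "0660": compare without leading zeros
    want_mode=$(printf '%s' "$want_mode" | sed 's/^0*//')
    mode=$(printf '%s' "$mode" | sed 's/^0*//')

    status=0
    if [ "$mode" != "$want_mode" ]; then
        echo "$node: mode $mode, expected $want_mode" >&2
        status=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$node: group $group, expected $want_group" >&2
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "$node: mode $mode group $group OK"
    fi
    return "$status"
}
```

Run it as `check_sgx_vepc_perms` on the SGX host; a non-zero exit with a message on stderr is the failure case the test plan is looking for.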
[ Where problems could occur ]
N/A. This is a very straightforward inclusion, specific to enabling access to the SGX reserved memory used for hosting enclaves.
[ Other Info ]
N/A.
Related branches
- Lukas Märdian: Approve
- Diff: 506 lines (+442/-0), 10 files modified
  - debian/changelog (+22/-0)
  - debian/patches/lp2000880-network-create-stacked-netdevs-after-the-underlying-link-.patch (+33/-0)
  - debian/patches/lp2002445/sd-netlink-add-a-test-for-rtnl_set_link_name.patch (+81/-0)
  - debian/patches/lp2002445/sd-netlink-do-not-swap-old-name-and-alternative-name.patch (+54/-0)
  - debian/patches/lp2002445/sd-netlink-restore-altname-on-error-in-rtnl_set_link_name.patch (+64/-0)
  - debian/patches/lp2002445/udev-attempt-device-rename-even-if-interface-is-up.patch (+63/-0)
  - debian/patches/lp2002445/udev-net-allow-new-link-name-as-an-altname-before-renamin.patch (+36/-0)
  - debian/patches/lp2004478-network-dhcp4-accept-local-subnet-routes-from-DHCP.patch (+54/-0)
  - debian/patches/lp2009502-Enable-dev-sgx_vepc-access-for-the-group-sgx.patch (+27/-0)
  - debian/patches/series (+8/-0)
The patch in question, as applied upstream, is here [0].
[0] https://github.com/systemd/systemd/commit/b5d3138f9177bbc3505f42ba073d08d4f90b4888