[Acked/CMT] LP: #1844245 - Integrate Intel SGX driver into linux-azure
Marcelo Henrique Cerri
marcelo.cerri at canonical.com
Wed Dec 11 14:32:11 UTC 2019
On Wed, Dec 11, 2019 at 12:30:20PM +0000, Andy Whitcroft wrote:
> On Wed, Dec 04, 2019 at 01:24:37PM -0300, Marcelo Henrique Cerri wrote:
> > https://bugs.launchpad.net/bugs/1844245
> >
> > Microsoft will offer a new confidential compute VM on Azure[1] and
> > this new instance type will basically rely on Intel's SGX technology
> > that wasn't integrated upstream yet.
> >
> > In order to provide the best user experience we will integrate Intel's
> > out of tree module into the linux-azure kernel. However due to
> > maintenance and security concerns the module will not be loaded by
> > default.
> >
> > For that we are blacklisting the module and also adding a systemd
> > service to the linux-cloud-tools-common package in order to provide an
> > easy way for users to load the module by default if they desire so.
> >
> > The version that Microsoft recommended us to integrate is currently
> > available at GitHub[2].
> >
> > Patches for Trusty were intentionally left outside of the scope of this
> > RFC because it doesn't rely on systemd and it's not clear yet if
> > Trusty will be available for this new instance type.
> >
> > I'm also suppressing any kind of automation to pick up new changes
> > directly from Intel's GitHub repository (as I had included on a
> > previous patchset I had submitted), because we are still discussing
> > how updates will be handled.
> >
> > [1] https://azuremarketplace.microsoft.com/en-us/marketplace/apps/microsoft-azure-compute.confidentialcompute
> > [2] https://github.com/haimc-intel/SGXDataCenterAttestationPrimitives
>
> That is a large pile of code. The approach seems sane enough. Do we
> expect to see this code coming to mainline any time soon? I guess I

Intel is working on getting this module upstream. But I don't believe
that should happen any time soon. We are starting to talk directly to
Intel as well to ensure we will keep the module up-to-date.

> would like Tyler to give it the once over as well.

+1 on Tyler's ack too!
>
> Acked-by: Andy Whitcroft <apw at canonical.com>
>
> -apw
--
Regards,
Marcelo