[Bug 2009502] Re: Enable /dev/sgx_vepc access for the group 'sgx'
Steve Langasek
2009502 at bugs.launchpad.net
Sat Mar 11 00:04:46 UTC 2023
Hello Pedro, or anyone else affected,
Accepted systemd into jammy-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/systemd/249.11-0ubuntu3.8 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-jammy to verification-done-jammy. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-jammy. In either case, without details of your testing
we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Description changed:
[ Impact ]
- On systems where Intel SGX is available, access to a specific devide
+ On systems where Intel SGX is available, access to a specific device
node (/dev/sgx_vepc) must be enforced, with a specific permission (0660)
and group (sgx).
This allows KVM-based virtual machines to use such feature (the SGX
"enclaves") in a proper fashion. Without this, a manual udev rule needs
to be created.
-
[ Test Plan ]
As the patch itself only tailors the permissions/group to the device
node, in a system with Intel-SGX enabled, merely `ls -la` against the
device node should show if the permissions and group are seen as
expected.
-
[ Where problems could occur ]
N/A. This seems to be a very straightforward inclusion, very specific
to access enablement to the SGX reserved memory used for hosting
enclaves.
[ Other Info ]
-
+
N/A.
** Changed in: systemd (Ubuntu Jammy)
Status: Triaged => Fix Committed
** Tags added: verification-needed verification-needed-jammy
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2009502
Title:
Enable /dev/sgx_vepc access for the group 'sgx'
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Jammy:
Fix Committed
Bug description:
[ Impact ]
On systems where Intel SGX is available, access to a specific device
node (/dev/sgx_vepc) must be enforced, with a specific permission
(0660) and group (sgx).
This allows KVM-based virtual machines to use such feature (the SGX
"enclaves") in a proper fashion. Without this, a manual udev rule
needs to be created.
[ Test Plan ]
As the patch itself only tailors the permissions/group to the device
node, in a system with Intel-SGX enabled, merely `ls -la` against the
device node should show if the permissions and group are seen as
expected.
[ Where problems could occur ]
N/A. This seems to be a very straightforward inclusion, very specific
to access enablement to the SGX reserved memory used for hosting
enclaves.
[ Other Info ]
N/A.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2009502/+subscriptions
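
The Test Plan's `ls -la` check on /dev/sgx_vepc, written as a scripted pass/fail check. This is an added example, not part of the original bug report; the function name `check_node`, its exit codes and the `--check` flag are this example's own, and it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the bug report): scripted form of the Test Plan.
# check_node, its exit codes and --check are this example's own names.
# Assumes GNU stat (coreutils), as shipped on Ubuntu.

# check_node PATH [MODE] [GROUP]
# Returns 0 if mode and group match, 1 on mismatch, 2 if the node is absent.
check_node() {
    node=$1
    want_mode=${2:-0660}
    want_group=${3:-sgx}
    want_mode=${want_mode#0}          # stat prints 660, not 0660

    if [ ! -e "$node" ]; then
        echo "MISSING: $node (is SGX enabled on this host?)" >&2
        return 2
    fi
    # Informational only, so the function can be exercised on a plain file.
    [ -c "$node" ] || echo "note: $node is not a character device" >&2

    got=$(stat -c '%a %G' "$node") || return 2
    got_mode=${got%% *}
    got_group=${got#* }

    if [ "$got_mode" = "$want_mode" ] && [ "$got_group" = "$want_group" ]; then
        echo "OK: $node mode=$got_mode group=$got_group"
        return 0
    fi
    echo "FAIL: $node mode=$got_mode group=$got_group," \
         "expected mode=$want_mode group=$want_group" >&2
    return 1
}

# Run as: sh check-sgx-vepc.sh --check
case "${1:-}" in
    --check) check_node /dev/sgx_vepc; exit $? ;;
esac
```

The output line can be pasted into the verification comment alongside the package version tested.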