runtime: add support for SGX

Support the `sgx.intel.com/epc` annotation that is defined by the intel k8s plugin. This annotation enables SGX. Hardware-based isolation and memory encryption. For example, use `sgx.intel.com/epc = "64Mi"` to create a container with 1 EPC section with pre-allocated memory. At the time of writing this patch, SGX patches have not landed on the linux kernel project. The following github kernel fork contains all the SGX patches for the host and guest: https://github.com/intel/kvm-sgx fixes #483 Signed-off-by: Julio Montes <julio.montes@intel.com>
2026-01-21 23:34:22 +01:00 · 2020-09-22 15:33:51 -05:00
parent cce80bf746
commit 6df165c19d
10 changed files with 52 additions and 0 deletions
--- a/src/runtime/virtcontainers/pkg/annotations/annotations.go
+++ b/src/runtime/virtcontainers/pkg/annotations/annotations.go
@@ -270,3 +270,13 @@ const (
 	// SHA512 is the SHA-512 (64) hash algorithm
 	SHA512 string = "sha512"
 )
+
+// Third-party annotations - annotations defined by other projects or k8s plugins
+// but that can change Kata Containers behaviour.
+
+const (
+	// This annotation enables SGX. Hardware-based isolation and memory encryption.
+	// Supported suffixes are: Ki | Mi | Gi | Ti | Pi | Ei . For example: 4Mi
+	// For more information about supported suffixes see https://physics.nist.gov/cuu/Units/binary.html
+	SGXEPC = "sgx.intel.com/epc"
+)