2020-11-04 14:57:29

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 00/24] Intel SGX foundations

Overview
========

Intel(R) SGX is new hardware functionality that can be used by
applications to populate protected regions of user code and data called
enclaves. Once activated, the new hardware protects enclave code and
data from outside access and modification.

SGX implementations have existed on desktop processors for several
years. The upcoming 3rd Generation Intel Xeon Scalable Platform,
code-named “Ice Lake” will also support SGX[1].

Use Cases
=========

Enclaves provide a place to store secrets and process data with those
secrets. SGX has been used, for example, to decrypt video without
exposing the decryption keys to nosy debuggers that might be used to
subvert DRM. Software has generally been rewritten specifically to run
in enclaves, but there are also projects that try to run limited
unmodified software in enclaves[2].

SGX hardware is available in public clouds today. But, anyone wishing
to use it must use a modified distribution or side-load SGX support[3].

Hardware Implementation
=======================

New memory controller hardware encrypts data transparently before
leaving the processor package. The randomly-generated encryption key
has a lifetime of exactly one power cycle. This mitigates attacks
originating outside the processor, like snooping DIMM traffic.

Important Kernel Touch Points
=============================

Although statically carved out of normal DRAM, enclave memory can not be
accessed or managed directly by the kernel and is marked by the firmware
as “Reserved”. As a result, SGX support contains simple but analogous
functionality to the core mm such as a page allocator and reclaim.

Entering and exiting enclaves is tricky business. Enclaves are
restricted from making system calls or taking interrupts directly. The
enclave will exit out to userspace before things like this can happen.
A new vDSO exception mechanism is introduced to help smooth over some of
the architectural rough edges and make the job of userspace easier.

This implementation is picky and will decline to work on hardware which
is locked to Intel’s root of trust.

1. https://newsroom.intel.com/news-releases/intel-xeon-scalable-platform-built-most-sensitive-workloads/
2. https://grapheneproject.io/
3. https://docs.microsoft.com/en-us/azure/confidential-computing/quick-create-portal

v40 (2020-10-20):
* Change copyright years to 2016-2020 in the all files added.
https://lore.kernel.org/linux-sgx/[email protected]/
* Remove dual licensing and use GPL 2.0 unconditionally.
https://lore.kernel.org/linux-sgx/[email protected]/
* Remove platform capabilities checks from sgx_validate_secs(), as they are
validated together with the SIGSTRUCT capabilities in
sgx_ioc_enclave_init().
https://lore.kernel.org/linux-sgx/[email protected]/
* During the migration from radix_tree to xarray, the locks went missing
from sgx_encl_may_map(). Fix this by iterating with the enclave lock and
xarray lock held.
https://lore.kernel.org/linux-sgx/[email protected]/
* Verify in the #PF handler that the faulted page has equal or higher build
time permissions than the VMA permissions (i.e. the subset of {VM_READ,
VM_WRITE, VM_EXECUTE} in vma->vm_flags). Trigger a bus error, if this not
the case. By doing this, mmap() and mprotect() can be allowed to map an
address range, which has unpopulated pages, because the required
invariant will be checked before new pages are inserted to the process
address space.
* In the vDSO, do not save RBX before validating the reserved area of the
struct sgx_enclave_run.
https://lore.kernel.org/linux-sgx/[email protected]/
* Increase the reserved area to 256 bytes in struct sgx_enclave_run as
there needs to be some space for expansion given the evolution of
microarchitectures, the fact that there can be only one vDSO and possible
future extensions.
https://lore.kernel.org/linux-sgx/[email protected]/
* Change Copyright comments from '//' to '/* ... */'.
https://lore.kernel.org/linux-sgx/[email protected]/
* Fix the error fallback path in the SGX vDSO. RAX was not popped in the
error path.
https://lore.kernel.org/linux-sgx/[email protected]/
* Move mm list management, backing storage and refcounting code to
“x86/sgx: Add a page reclaimer”, as they are only needed by the page
reclaimer. Finally, change the patch position to be the very last after
the kselftest, so that the whole patch set can be tested easily with and
without the reclaimer.
* Move sgx_xsave_size_tbl code from “x86/sgx: Add SGX enclave driver” to
“x86/sgx: Add SGX_IOC_ENCLAVE_CREATE”. Comment the code and use
XFEATURE_YMM and XFEATURE_MAX as limits for the features.
* Fix bug sgx_sanitize_section() that pages left dirty were not returned
back, which could lead to a memory leak. Rename unsanitized_page_list as
more intuitive and shorter laundry_list and document the function itself
and the call site.
* Use vmalloc() to allocate an array of struct sgx_epc_page’s for struct
sgx_epc_section, in effect removing the need to store addresses inside
the page structures. This removes the artificial limit of 8 sections. The
section array is still statically allocated but now it is trivial to
increase its size later on.
* Rest of the changes are documented in patch change logs as this is
preferred way for the x86 tree.

v39 (2020-10-03):
* A new GIT tree location.
git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-sgx.git
* Return -ERESTARTSYS instead of -EINTR in SGX_IOC_ENCLAVE_ADD_PAGES.
https://lore.kernel.org/linux-sgx/[email protected]/T/#u
* Do not initialize 'encl_size' in sgx_encl_create before
sgx_validate_secs() is called.
https://lore.kernel.org/linux-sgx/[email protected]/
* Revert 'count' back to struct sgx_enclave_add_pages, move the check of
-EIO to sgx_ioc_enclave_pages() instead of being buried in subfunctions.
https://lore.kernel.org/linux-sgx/[email protected]/
* Fix documentation for the 'encl' parameter in sgx_ioc_enclave_create(),
sgx_ioc_enclave_init() and sgx_ioc_enclave_provision().
https://lore.kernel.org/linux-sgx/[email protected]/
* Refine sgx_ioc_enclave_create() kdoc to better describe the meaning and
purpose of SECS validation done by sgx_validate_secs().
https://lore.kernel.org/linux-sgx/[email protected]/
* Improve documentation sgx_ioc_enclave_add_pages() on IO failures.
https://lore.kernel.org/linux-sgx/[email protected]/
* Fix a bug in __sgx_encl_add_page(). When get_user_pages() fails, we must
return -EFAULT instead of mistakenly returning the page count.
Reported by Haitao Huang.
* Rewrite the commit message for vm_ops->mprotect() (courtesy of Dave Hansen)
https://lore.kernel.org/linux-sgx/[email protected]/
* Fix ptrace support coding style issues.
https://lore.kernel.org/linux-sgx/[email protected]/
* Fix the documentation.
https://lore.kernel.org/linux-sgx/[email protected]/
* Always write MSRs for the public key before EINIT.
https://lore.kernel.org/linux-sgx/[email protected]/
* Categorically disabled enclaves from noexec partitions.
https://lore.kernel.org/linux-sgx/[email protected]/
* Properly document the EWB flow, i.e. why there is three trials for EWB.
https://lore.kernel.org/linux-sgx/[email protected]/
* Add kdoc about batch processing to sgx_reclaim_pages().
https://lore.kernel.org/linux-sgx/[email protected]/
https://lore.kernel.org/linux-mm/[email protected]/
* Documentation fixes.
https://lore.kernel.org/linux-sgx/[email protected]/T/#me637011aba9f45698eba88ff195452c0491c07fe
* SGX vDSO clean ups.
https://lore.kernel.org/linux-sgx/[email protected]/T/#ma2204bba8d8e8a09bf9164fc1bb5c55813997b4a
* Add the commit message from "x86/vdso: Add support for exception fixup in vDSO functions" to Documentation/x86/sgx.rst
https://lore.kernel.org/linux-sgx/[email protected]/
* Update correct attributes variable when allowing provisioning.
https://lore.kernel.org/linux-sgx/[email protected]/T/#t
* Remove sgx_exception and put its fields to sgx_exception.
https://lore.kernel.org/linux-sgx/[email protected]/T/#u
* Remove 'exit_reason' and put EEXIT to 'self' field of sgx_enclave_run.
https://lore.kernel.org/linux-sgx/[email protected]/T/#u
* Refine clarity of the field names in struct sgx_enclave_run and vsgx.S, and rewrite kdoc.
https://lore.kernel.org/linux-sgx/[email protected]/T/#u
* Fix memory validation in vsgx.S. The reserved areas was not zero validated,
which causes unnecessary risk for memory corruption bugs. In effect, 'flags'
field can be removed from struct sgx_enclave_run.
https://lore.kernel.org/linux-sgx/[email protected]/T/#u
* Reduce the size of sgx_enclave_run from 256 bytes to 64 bytes, i.e. size of
a cache line. This leave 24 bytes of free space to waste in future.
https://lore.kernel.org/linux-sgx/[email protected]/T/#u
* Verify atttributes, miscsselect and xfrm also in EINIT against SIGSTRUCT set
limits.
https://lore.kernel.org/linux-sgx/[email protected]/
* Use plain lfence instead of retpoline in the vDSO because retpoline has
the potential to cause forward compatibility issues with the future
microarchitecture features. One such in already sight is CET-SS.
https://lore.kernel.org/linux-sgx/[email protected]/T/#ma65748158e2b967dbc1d9ac3b214a1415066d61c

v38:
* Fast iteration because I had email server issues with v37. Using
temporary SMTP for this (mail.kapsi.fi).
* Return -EINTR when no data is processed, just like read().
https://patchwork.kernel.org/patch/11773941/
* Remove cruft from SGX_IOC_ENCLAVE_ADD_PAGES and fix the return value.
https://lore.kernel.org/linux-sgx/[email protected]/T/#mc643ef2ab477f5f7aa5d463d883d1308eb44d6f1

v37:
* Remove MODULE_*().
https://lore.kernel.org/linux-sgx/[email protected]/
* Fix mmap() type check.
https://lore.kernel.org/linux-sgx/20200827152051.GB22351@sjchrist-ice/
* Fix ioctl-number.txt.
https://lore.kernel.org/linux-sgx/[email protected]/
* Fix SPDX identifier in arch/x86/include/uapi/asm/sgx.h
https://lore.kernel.org/linux-sgx/[email protected]/
* Consistently document "@encl: an enclave pointer".
https://lore.kernel.org/linux-sgx/[email protected]/
* Renamed SGX_IOC_ENCLAVE_SET_ATTRIBUTE as SGX_IOC_ENCLAVE_PROVISION and
cleaned up associated code. Also fixed issues of code introduced too
early that were caused by the split. Now it should be more streamlined.
https://lore.kernel.org/linux-sgx/[email protected]/
* Fixed signed integer shift overflow:
https://github.com/intel/linux-sgx-driver/pull/16/commits d27ca6071b2b28e2e789d265eda796dd9fc65a64
* Fixed off-by-one error in a size calculation:
https://github.com/intel/SGXDataCenterAttestationPrimitives/commit/e44cc238becf584cc079aef40b557c6af9a03f38
* Rework vDSO API with a context structure for IO data.
https://lore.kernel.org/linux-sgx/[email protected]/
* Refined commentary about retry-loop with ENCLS[EINIT] based on Sean's response.
https://lore.kernel.org/linux-sgx/[email protected]/
* Return positive number from SGX_IOC_ENCLAVE_ADD_PAGES indicating the
number of pages processed and set a fixed 1MB limit for length. In addition,
on interrupt, return 0 and number of processed pages instead of -EINTR.
https://lore.kernel.org/linux-sgx/[email protected]/

v36:
* Make a self-contained mprotect() handler.
* Move from radix_tree to xarray, which is more modern and robust data
structure for managing large sparse arrays. Rename encl->page_tree as
encl->page_array.

v35:
* Add missing SGX_ENCL_DEAD check to sgx_ioctl().

v34:
* Remove SGX_ENCL_DEAD checks from ioctl.c, as the file is open while
executing an ioctl.
* Split driver patch into base patch and one patch for each ioctl.
* Move encl->flags check to the beginning of each ioctl. Return
consistently -EINVAL if they don't match the expected values. Before,
sometimes -EFAULT was returned instead of -EINVAL.
* Rename vm_ops->may_mprotect as vm_ops->mprotect() and move the call
right before call to mprotect_fixup().

v33:
* Rebased to v5.8-rc1. Given the core changes (mmap_lock and #DB
handling), it made sense to update the series.
* Refined documentation about how remote attestation is done in SGX.

v32:
* v31 contained not fully cleaned up main.c after merger of main.c and
reclaim.c. Fixed in this version.
* Rebased to v5.7. Forgot to do this for v31.

v31:
* Unset SGX_ENCL_IOCTL in the error path of checking encl->flags in order
to prevent leaving it set and thus block any further ioctl calls.
* Added missing cleanup_srcu_struct() call to sgx_encl_release().
* Take encl->lock in sgx_encl_add_page() in order to prevent races with
the page reclaimer.
* Fix a use-after-free bug from the page reclaimer. Call kref_put() for
encl->refcount only after putting enclave page back to the active page
list because it could be the last ref to the enclave.
* Filter any CPU disallowed values from sigstruct->vendor
SGX_IOC_ENCLAVE_INIT.
* Use bits 0-7 of page descriptor for the EPC section index. This
should be enough for long term needs.
* Refined naming for functions that allocate and free EPC pages to
be more sound and consistent.
* Merge main.c and reclaim.c into one.

v30:
Bunch of tags added. No actual code changes.

v29:
* The selftest has been moved to selftests/sgx. Because SGX is an execution
environment of its own, it really isn't a great fit with more "standard"
x86 tests.

The RSA key is now generated on fly and the whole signing process has
been made as part of the enclave loader instead of signing the enclave
during the compilation time.

Finally, the enclave loader loads now the test enclave directly from its
ELF file, which means that ELF file does not need to be coverted as raw
binary during the build process.
* Version the mm_list instead of using on synchronize_mm() when adding new
entries. We hold the write lock for the mm_struct, and dup_mm() can thus
deadlock with the page reclaimer, which could hold the lock for the old
mm_struct.
* Disallow mmap(PROT_NONE) from /dev/sgx. Any mapping (e.g. anonymous) can
be used to reserve the address range. Now /dev/sgx supports only opaque
mappings to the (initialized) enclave data.
* Make the vDSO callable directly from C by preserving RBX and taking leaf
from RCX.

v28:
* Documented to Documentation/x86/sgx.rst how the kernel manages the
enclave ownership.
* Removed non-LC flow from sgx_einit().
* Removed struct sgx_einittoken since only the size of the corresponding
microarchitectural structure is used in the series ATM.

v27:
* Disallow RIE processes to use enclaves as there could a permission
conflict between VMA and enclave permissions.
* In the documentation, replace "grep /proc/cpuinfo" with
"grep sgx /proc/cpuinfo".

v26:
* Fixed the commit author in "x86/sgx: Linux Enclave Driver", which was
changed in v25 by mistake.
* Addressed a bunch of grammar mistakes in sgx.rst (thanks Randy once
again for such a detailed feedback).
* Added back the MAINTAINERS update commit, which was mistakenly removed
in v25.
* EREMOVE's for SECS cannot be done while sanitizing an EPC section. The
CPU does not allow to remove a SECS page before all of its children have
been removed, and a child page can be in some other section than the one
currently being processed. Thus, removed special SECS processing from
sgx_sanitize_page() and instead put sections through it twice. In the
2nd round the lists should only contain SECS pages.

v25:
* Fix a double-free issue when SGX_IOC_ENCLAVE_ADD_PAGES
fails on executing ENCLS[EADD]. The rollback path executed
radix_tree_delete() on the same address twice when this happened.
* Return -EINTR instead of -ERESTARTSYS in SGX_IOC_ENCLAVE_ADD_PAGES when
a signal is pending.
* As requested by Borislav, move the CPUID 0x12 features to their own word
in cpufeatures.
* Sean fixed a bug from sgx_reclaimer_write() where sgx_encl_put_backing()
was called with an uninitialized pointer when sgx_encl_get_backing()
fails.
* Migrated /dev/sgx/* to misc. This is future-proof as struct miscdevice
has 'groups' for setting up sysfs attributes for the device.
* Use device_initcall instead of subsys_initcall so that misc_class is
initialized before SGX is initialized.
* Return -EACCES in SGX_IOC_ENCLAVE_INIT when caller tries to select
enclave attributes that we the kernel does not allow it to set instead
of -EINVAL.
* Unless SGX public key MSRs are writable always deny the feature from
Linux. Previously this was only denied from driver. How VMs should be
supported is not really part of initial patch set, which makes this
an obvious choice.
* Cleaned up and refined documentation to be more approachable.

v24:
* Reclaim unmeasured and TCS pages (regression in v23).
* Replace usages of GFP_HIGHUSER with GFP_KERNEL.
* Return -EIO on when EADD or EEXTEND fails in %SGX_IOC_ENCLAVE_ADD_PAGES
and use the same rollback (destroy enclave). This can happen when host
suspends itself unknowingly to a VM running enclaves. From -EIO the user
space can deduce what happened.
* Have a separate @count in struct sgx_enclave_add_pages to output number
of bytes processed instead of overwriting the input parameters for
clarity and more importantly that the API provides means for partial
processing (@count could be less than @length in success case).

v23:
* Replace SGX_ENCLAVE_ADD_PAGE with SGX_ENCLAVE_ADD_PAGES. Replace @mrmask
with %SGX_PAGE_MEASURE flag.
* Return -EIO instead of -ECANCELED when ptrace() fails to read a TCS page.
* In the reclaimer, pin page before ENCLS[EBLOCK] because pinning can fail
(because of OOM) even in legit behaviour and after EBLOCK the reclaiming
flow can be only reverted by killing the whole enclave.
* Fixed SGX_ATTR_RESERVED_MASK. Bit 7 was marked as reserved while in fact
it should have been bit 6 (Table 37-3 in the SDM).
* Return -EPERM from SGX_IOC_ENCLAVE_INIT when ENCLS[EINIT] returns an SGX
error code.

v22:
* Refined bunch commit messages and added associated SDM references as
many of them were too exhausting and some outdated.
* Alignment checks have been removed from mmap() because it does not define
the ELRANGE. VMAs only act as windows to the enclave. The semantics
compare somewhat how mmap() works with regular files.
* We now require user space addresses given to SGX_IOC_ENCLAVE_ADD_PAGE to be
page aligned so that we can pass the page directly to EADD and do not have
to do an extra copy. This was made effectively possible by removing the
worker thread for adding pages.
* The selftest build files have been refined throughout of various glitches
and work properly in a cross compilation environment such as BuildRoot.
In addition, libcalls fail the build with an assertion in the linker
script, if they end up to the enclave binary.
* CONFIG_INTEL_SGX_DRIVER has been removed because you cannot use SGX core
for anything without having the driver. This could change when KVM support
is added.
* We require zero permissions in SECINFO for TCS pages because the CPU
overwrites SECINFO flags with zero permissions and measures the page
only after that. Allowing to pass TCS with non-zero permissions would
cause mismatching measurement between the one provided in SIGSTRUCT and
the one computed by the CPU.
* Obviously lots of small fixes and clean ups (does make sense to
document them all).

v21:
* Check on mmap() that the VMA does cover an area that does not have
enclave pages. Only mapping with PROT_NONE can do that to reserve
initial address space for an enclave.
* Check om mmap() and mprotect() that the VMA permissions do not
surpass the enclave permissions.
* Remove two refcounts from vma_close(): mm_list and encl->refcount.
Enclave refcount is only need for swapper/enclave sync and we can
remove mm_list refcount by destroying mm_struct when the process
is closed. By not having vm_close() the Linux MM can merge VMAs.
* Do not naturally align MAP_FIXED address.
* Numerous small fixes and clean ups.
* Use SRCU for synchronizing the list of mm_struct's.
* Move to stack based call convention in the vDSO.

v20:
* Fine-tune Kconfig messages and spacing and remove MMU_NOTIFIER
dependency as MMU notifiers are no longer used in the driver.
* Use mm_users instead of mm_count as refcount for mm_struct as mm_count
only protects from deleting mm_struct, not removing its contents.
* Sanitize EPC when the reclaimer thread starts by doing EREMOVE for all
of them. They could be in initialized state when the kernel starts
because it might be spawned by kexec().
* Documentation overhaul.
* Use a device /dev/sgx/provision for delivering the provision token
instead of securityfs.
* Create a reference to the enclave when already when opening
/dev/sgx/enclave. The file is then associated with this enclave only.
mmap() can be done at free at any point and always get a reference to
the enclave. To summarize the file now represents the enclave.

v19:
* Took 3-4 months but in some sense this was more like a rewrite of most
of the corners of the source code. If I've forgotten to deal with some
feedback, please don't shout me. Make a remark and I will fix it for
the next version. Hopefully there won't be this big turnovers anymore.
* Validate SECS attributes properly against CPUID given attributes and
against allowed attributes. SECS attributes are the ones that are
enforced whereas SIGSTRUCT attributes tell what is required to run
the enclave.
* Add KSS (Key Sharing Support) to the enclave attributes.
* Deny MAP_PRIVATE as an enclave is always a shared memory entity.
* Revert back to shmem backing storage so that it can be easily shared
by multiple processes.
* Split the recognization of an ENCLS leaf failure by using three
functions to detect it: encsl_faulted(), encls_returned_code() and
sgx_failed(). encls_failed() is only caused by a spurious expections that
should never happen. Thus, it is not defined as an inline function in
order to easily insert a kprobe to it.
* Move low-level enclave management routines, page fault handler and page
reclaiming routines from driver to the core. These cannot be separated
from each other as they are heavily interdependent. The rationale is that
the core does not call any code from the driver.
* Allow the driver to be compiled as a module now that it no code is using
its routines and it only uses exported symbols. Now the driver is
essentially just a thin ioctl layer.
* Reworked the driver to maintain a list of mm_struct's. The VMA callbacks
add new entries to this list as the process is forked. Each entry has
its own refcount because they have a different life-cycle as the enclave
does. In effect @tgid and @mm have been removed from struct sgx_encl
and we allow forking by removing VM_DONTCOPY from vm flags.
* Generate a cpu mask in the reclaimer from the cpu mask's of all
mm_struct's. This will kick out the hardware threads out of the enclave
from multiple processes. It is not a local variable because it would
eat too much of the stack space but instead a field in struct
sgx_encl.
* Allow forking i.e. remove VM_DONTCOPY. I did not change the API
because the old API scaled to the workload that Andy described. The
codebase is now mostly API independent i.e. changing the API is a
small task. For me the proper trigger to chanage it is a as concrete
as possible workload that cannot be fulfilled. I hope you understand
my thinking here. I don't want to change anything w/o proper basis
but I'm ready to change anything if there is a proper basis. I do
not have any kind of attachment to any particular type of API.
* Add Sean's vDSO ENCLS(EENTER) patches and update selftest to use the
new vDSO.

v18:
* Update the ioctl-number.txt.
* Move the driver under arch/x86.
* Add SGX features (SGX, SGX1, SGX2) to the disabled-features.h.
* Rename the selftest as test_sgx (previously sgx-selftest).
* In order to enable process accounting, swap EPC pages and PCMD's to a VMA
instead of shmem.
* Allow only to initialize and run enclaves with a subset of
{DEBUG, MODE64BIT} set.
* Add SGX_IOC_ENCLAVE_SET_ATTRIBUTE to allow an enclave to have privileged
attributes e.g. PROVISIONKEY.

v17:
* Add a simple selftest.
* Fix a null pointer dereference to section->pages when its
allocation fails.
* Add Sean's description of the exception handling to the documentation.

v16:
* Fixed SOB's in the commits that were a bit corrupted in v15.
* Implemented exceptio handling properly to detect_sgx().
* Use GENMASK() to define SGX_CPUID_SUB_LEAF_TYPE_MASK.
* Updated the documentation to use rst definition lists.
* Added the missing Documentation/x86/index.rst, which has a link to
intel_sgx.rst. Now the SGX and uapi documentation is properly generated
with 'make htmldocs'.
* While enumerating EPC sections, if an undefined section is found, fail
the driver initialization instead of continuing the initialization.
* Issue a warning if there are more than %SGX_MAX_EPC_SECTIONS.
* Remove copyright notice from arch/x86/include/asm/sgx.h.
* Migrated from ioremap_cache() to memremap().

v15:
* Split into more digestable size patches.
* Lots of small fixes and clean ups.
* Signal a "plain" SIGSEGV on an EPCM violation.

v14:
* Change the comment about X86_FEATURE_SGX_LC from “SGX launch
configuration” to “SGX launch control”.
* Move the SGX-related CPU feature flags as part of the Linux defined
virtual leaf 8.
* Add SGX_ prefix to the constants defining the ENCLS leaf functions.
* Use GENMASK*() and BIT*() in sgx_arch.h instead of raw hex numbers.
* Refine the long description for CONFIG_INTEL_SGX_CORE.
* Do not use pr_*_ratelimited() in the driver. The use of the rate limited
versions is legacy cruft from the prototyping phase.
* Detect sleep with SGX_INVALID_EINIT_TOKEN instead of counting power
cycles.
* Manually prefix with “sgx:” in the core SGX code instead of redefining
pr_fmt.
* Report if IA32_SGXLEPUBKEYHASHx MSRs are not writable in the driver
instead of core because it is a driver requirement.
* Change prompt to bool in the entry for CONFIG_INTEL_SGX_CORE because the
default is ‘n’.
* Rename struct sgx_epc_bank as struct sgx_epc_section in order to match
the SDM.
* Allocate struct sgx_epc_page instances one at a time.
* Use “__iomem void *” pointers for the mapped EPC memory consistently.
* Retry once on SGX_INVALID_TOKEN in sgx_einit() instead of counting power
cycles.
* Call enclave swapping operations directly from the driver instead of
calling them .indirectly through struct sgx_epc_page_ops because indirect
calls are not required yet as the patch set does not contain the KVM
support.
* Added special signal SEGV_SGXERR to notify about SGX EPCM violation
errors.

v13:
* Always use SGX_CPUID constant instead of a hardcoded value.
* Simplified and documented the macros and functions for ENCLS leaves.
* Enable sgx_free_page() to free active enclave pages on demand
in order to allow sgx_invalidate() to delete enclave pages.
It no longer performs EREMOVE if a page is in the process of
being reclaimed.
* Use PM notifier per enclave so that we don't have to traverse
the global list of active EPC pages to find enclaves.
* Removed unused SGX_LE_ROLLBACK constant from uapi/asm/sgx.h
* Always use ioremap() to map EPC banks as we only support 64-bit kernel.
* Invalidate IA32_SGXLEPUBKEYHASH cache used by sgx_einit() when going
to sleep.

v12:
* Split to more narrow scoped commits in order to ease the review process and
use co-developed-by tag for co-authors of commits instead of listing them in
the source files.
* Removed cruft EXPORT_SYMBOL() declarations and converted to static variables.
* Removed in-kernel LE i.e. this version of the SGX software stack only
supports unlocked IA32_SGXLEPUBKEYHASHx MSRs.
* Refined documentation on launching enclaves, swapping and enclave
construction.
* Refined sgx_arch.h to include alignment information for every struct that
requires it and removed structs that are not needed without an LE.
* Got rid of SGX_CPUID.
* SGX detection now prints log messages about firmware configuration issues.

v11:
* Polished ENCLS wrappers with refined exception handling.
* ksgxswapd was not stopped (regression in v5) in
sgx_page_cache_teardown(), which causes a leaked kthread after driver
deinitialization.
* Shutdown sgx_le_proxy when going to suspend because its EPC pages will be
invalidated when resuming, which will cause it not function properly
anymore.
* Set EINITTOKEN.VALID to zero for a token that is passed when
SGXLEPUBKEYHASH matches MRSIGNER as alloc_page() does not give a zero
page.
* Fixed the check in sgx_edbgrd() for a TCS page. Allowed to read offsets
around the flags field, which causes a #GP. Only flags read is readable.
* On read access memcpy() call inside sgx_vma_access() had src and dest
parameters in wrong order.
* The build issue with CONFIG_KASAN is now fixed. Added undefined symbols
to LE even if “KASAN_SANITIZE := false” was set in the makefile.
* Fixed a regression in the #PF handler. If a page has
SGX_ENCL_PAGE_RESERVED flag the #PF handler should unconditionally fail.
It did not, which caused weird races when trying to change other parts of
swapping code.
* EPC management has been refactored to a flat LRU cache and moved to
arch/x86. The swapper thread reads a cluster of EPC pages and swaps all
of them. It can now swap from multiple enclaves in the same round.
* For the sake of consistency with SGX_IOC_ENCLAVE_ADD_PAGE, return -EINVAL
when an enclave is already initialized or dead instead of zero.

v10:
* Cleaned up anon inode based IPC between the ring-0 and ring-3 parts
of the driver.
* Unset the reserved flag from an enclave page if EDBGRD/WR fails
(regression in v6).
* Close the anon inode when LE is stopped (regression in v9).
* Update the documentation with a more detailed description of SGX.

v9:
* Replaced kernel-LE IPC based on pipes with an anonymous inode.
The driver does not require anymore new exports.

v8:
* Check that public key MSRs match the LE public key hash in the
driver initialization when the MSRs are read-only.
* Fix the race in VA slot allocation by checking the fullness
immediately after succeesful allocation.
* Fix the race in hash mrsigner calculation between the launch
enclave and user enclaves by having a separate lock for hash
calculation.

v7:
* Fixed offset calculation in sgx_edbgr/wr(). Address was masked with PAGE_MASK
when it should have been masked with ~PAGE_MASK.
* Fixed a memory leak in sgx_ioc_enclave_create().
* Simplified swapping code by using a pointer array for a cluster
instead of a linked list.
* Squeezed struct sgx_encl_page to 32 bytes.
* Fixed deferencing of an RSA key on OpenSSL 1.1.0.
* Modified TC's CMAC to use kernel AES-NI. Restructured the code
a bit in order to better align with kernel conventions.

v6:
* Fixed semaphore underrun when accessing /dev/sgx from the launch enclave.
* In sgx_encl_create() s/IS_ERR(secs)/IS_ERR(encl)/.
* Removed virtualization chapter from the documentation.
* Changed the default filename for the signing key as signing_key.pem.
* Reworked EPC management in a way that instead of a linked list of
struct sgx_epc_page instances there is an array of integers that
encodes address and bank of an EPC page (the same data as 'pa' field
earlier). The locking has been moved to the EPC bank level instead
of a global lock.
* Relaxed locking requirements for EPC management. EPC pages can be
released back to the EPC bank concurrently.
* Cleaned up ptrace() code.
* Refined commit messages for new architectural constants.
* Sorted includes in every source file.
* Sorted local variable declarations according to the line length in
every function.
* Style fixes based on Darren's comments to sgx_le.c.

v5:
* Described IPC between the Launch Enclave and kernel in the commit messages.
* Fixed all relevant checkpatch.pl issues that I have forgot fix in earlier
versions except those that exist in the imported TinyCrypt code.
* Fixed spelling mistakes in the documentation.
* Forgot to check the return value of sgx_drv_subsys_init().
* Encapsulated properly page cache init and teardown.
* Collect epc pages to a temp list in sgx_add_epc_bank
* Removed SGX_ENCLAVE_INIT_ARCH constant.

v4:
* Tied life-cycle of the sgx_le_proxy process to /dev/sgx.
* Removed __exit annotation from sgx_drv_subsys_exit().
* Fixed a leak of a backing page in sgx_process_add_page_req() in the
case when vm_insert_pfn() fails.
* Removed unused symbol exports for sgx_page_cache.c.
* Updated sgx_alloc_page() to require encl parameter and documented the
behavior (Sean Christopherson).
* Refactored a more lean API for sgx_encl_find() and documented the behavior.
* Moved #PF handler to sgx_fault.c.
* Replaced subsys_system_register() with plain bus_register().
* Retry EINIT 2nd time only if MSRs are not locked.

v3:
* Check that FEATURE_CONTROL_LOCKED and FEATURE_CONTROL_SGX_ENABLE are set.
* Return -ERESTARTSYS in __sgx_encl_add_page() when sgx_alloc_page() fails.
* Use unused bits in epc_page->pa to store the bank number.
* Removed #ifdef for WQ_NONREENTRANT.
* If mmu_notifier_register() fails with -EINTR, return -ERESTARTSYS.
* Added --remove-section=.got.plt to objcopy flags in order to prevent a
dummy .got.plt, which will cause an inconsistent size for the LE.
* Documented sgx_encl_* functions.
* Added remark about AES implementation used inside the LE.
* Removed redundant sgx_sys_exit() from le/main.c.
* Fixed struct sgx_secinfo alignment from 128 to 64 bytes.
* Validate miscselect in sgx_encl_create().
* Fixed SSA frame size calculation to take the misc region into account.
* Implemented consistent exception handling to __encls() and __encls_ret().
* Implemented a proper device model in order to allow sysfs attributes
and in-kernel API.
* Cleaned up various "find enclave" implementations to the unified
sgx_encl_find().
* Validate that vm_pgoff is zero.
* Discard backing pages with shmem_truncate_range() after EADD.
* Added missing EEXTEND operations to LE signing and launch.
* Fixed SSA size for GPRS region from 168 to 184 bytes.
* Fixed the checks for TCS flags. Now DBGOPTIN is allowed.
* Check that TCS addresses are in ELRANGE and not just page aligned.
* Require kernel to be compiled with X64_64 and CPU_SUP_INTEL.
* Fixed an incorrect value for SGX_ATTR_DEBUG from 0x01 to 0x02.

v2:
* get_rand_uint32() changed the value of the pointer instead of value
where it is pointing at.
* Launch enclave incorrectly used sigstruct attributes-field instead of
enclave attributes-field.
* Removed unused struct sgx_add_page_req from sgx_ioctl.c
* Removed unused sgx_has_sgx2.
* Updated arch/x86/include/asm/sgx.h so that it provides stub
implementations when sgx in not enabled.
* Removed cruft rdmsr-calls from sgx_set_pubkeyhash_msrs().
* return -ENOMEM in sgx_alloc_page() when VA pages consume too much space
* removed unused global sgx_nr_pids
* moved sgx_encl_release to sgx_encl.c
* return -ERESTARTSYS instead of -EINTR in sgx_encl_init()

Jarkko Sakkinen (14):
x86/sgx: Add SGX architectural data structures
x86/sgx: Add wrappers for ENCLS functions
x86/cpu/intel: Add nosgx kernel parameter
x86/sgx: Add SGX page allocator functions
x86/sgx: Add SGX misc driver interface
x86/sgx: Add SGX_IOC_ENCLAVE_CREATE
x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES
x86/sgx: Add SGX_IOC_ENCLAVE_INIT
x86/sgx: Add SGX_IOC_ENCLAVE_PROVISION
selftests/x86: Add a selftest for SGX
x86/sgx: Add a page reclaimer
x86/sgx: Add ptrace() support for the SGX driver
docs: x86/sgx: Document SGX kernel architecture
x86/sgx: Update MAINTAINERS

Sean Christopherson (10):
x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections
x86/cpufeatures: x86/msr: Add Intel SGX hardware bits
x86/cpufeatures: x86/msr: Add Intel SGX Launch Control hardware bits
x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX
x86/cpu/intel: Detect SGX support
mm: Add 'mprotect' hook to struct vm_operations_struct
x86/vdso: Add support for exception fixup in vDSO functions
x86/fault: Add helper function to sanitize error code
x86/traps: Attempt to fixup exceptions in vDSO before signaling
x86/vdso: Implement a vDSO for Intel SGX enclave call

.../admin-guide/kernel-parameters.txt | 2 +
.../userspace-api/ioctl/ioctl-number.rst | 1 +
Documentation/x86/index.rst | 1 +
Documentation/x86/sgx.rst | 211 +++++
MAINTAINERS | 13 +
arch/x86/Kconfig | 17 +
arch/x86/entry/vdso/Makefile | 8 +-
arch/x86/entry/vdso/extable.c | 46 ++
arch/x86/entry/vdso/extable.h | 28 +
arch/x86/entry/vdso/vdso-layout.lds.S | 9 +-
arch/x86/entry/vdso/vdso.lds.S | 1 +
arch/x86/entry/vdso/vdso2c.h | 50 +-
arch/x86/entry/vdso/vsgx.S | 151 ++++
arch/x86/include/asm/cpufeatures.h | 2 +
arch/x86/include/asm/disabled-features.h | 8 +-
arch/x86/include/asm/enclu.h | 9 +
arch/x86/include/asm/msr-index.h | 8 +
arch/x86/include/asm/trap_pf.h | 1 +
arch/x86/include/asm/vdso.h | 5 +
arch/x86/include/uapi/asm/sgx.h | 168 ++++
arch/x86/kernel/cpu/Makefile | 1 +
arch/x86/kernel/cpu/feat_ctl.c | 38 +-
arch/x86/kernel/cpu/sgx/Makefile | 5 +
arch/x86/kernel/cpu/sgx/arch.h | 338 ++++++++
arch/x86/kernel/cpu/sgx/driver.c | 194 +++++
arch/x86/kernel/cpu/sgx/driver.h | 29 +
arch/x86/kernel/cpu/sgx/encl.c | 782 ++++++++++++++++++
arch/x86/kernel/cpu/sgx/encl.h | 107 +++
arch/x86/kernel/cpu/sgx/encls.h | 231 ++++++
arch/x86/kernel/cpu/sgx/ioctl.c | 716 ++++++++++++++++
arch/x86/kernel/cpu/sgx/main.c | 728 ++++++++++++++++
arch/x86/kernel/cpu/sgx/sgx.h | 77 ++
arch/x86/kernel/traps.c | 10 +
arch/x86/mm/fault.c | 45 +-
include/linux/mm.h | 3 +
mm/mprotect.c | 5 +-
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/sgx/.gitignore | 2 +
tools/testing/selftests/sgx/Makefile | 53 ++
tools/testing/selftests/sgx/call.S | 44 +
tools/testing/selftests/sgx/defines.h | 21 +
tools/testing/selftests/sgx/load.c | 277 +++++++
tools/testing/selftests/sgx/main.c | 243 ++++++
tools/testing/selftests/sgx/main.h | 38 +
tools/testing/selftests/sgx/sigstruct.c | 391 +++++++++
tools/testing/selftests/sgx/test_encl.c | 20 +
tools/testing/selftests/sgx/test_encl.lds | 40 +
.../selftests/sgx/test_encl_bootstrap.S | 89 ++
48 files changed, 5247 insertions(+), 20 deletions(-)
create mode 100644 Documentation/x86/sgx.rst
create mode 100644 arch/x86/entry/vdso/extable.c
create mode 100644 arch/x86/entry/vdso/extable.h
create mode 100644 arch/x86/entry/vdso/vsgx.S
create mode 100644 arch/x86/include/asm/enclu.h
create mode 100644 arch/x86/include/uapi/asm/sgx.h
create mode 100644 arch/x86/kernel/cpu/sgx/Makefile
create mode 100644 arch/x86/kernel/cpu/sgx/arch.h
create mode 100644 arch/x86/kernel/cpu/sgx/driver.c
create mode 100644 arch/x86/kernel/cpu/sgx/driver.h
create mode 100644 arch/x86/kernel/cpu/sgx/encl.c
create mode 100644 arch/x86/kernel/cpu/sgx/encl.h
create mode 100644 arch/x86/kernel/cpu/sgx/encls.h
create mode 100644 arch/x86/kernel/cpu/sgx/ioctl.c
create mode 100644 arch/x86/kernel/cpu/sgx/main.c
create mode 100644 arch/x86/kernel/cpu/sgx/sgx.h
create mode 100644 tools/testing/selftests/sgx/.gitignore
create mode 100644 tools/testing/selftests/sgx/Makefile
create mode 100644 tools/testing/selftests/sgx/call.S
create mode 100644 tools/testing/selftests/sgx/defines.h
create mode 100644 tools/testing/selftests/sgx/load.c
create mode 100644 tools/testing/selftests/sgx/main.c
create mode 100644 tools/testing/selftests/sgx/main.h
create mode 100644 tools/testing/selftests/sgx/sigstruct.c
create mode 100644 tools/testing/selftests/sgx/test_encl.c
create mode 100644 tools/testing/selftests/sgx/test_encl.lds
create mode 100644 tools/testing/selftests/sgx/test_encl_bootstrap.S

--
2.27.0


2020-11-04 14:57:39

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 07/24] x86/cpu/intel: Detect SGX support

From: Sean Christopherson <[email protected]>

Kernel support for SGX is ultimately decided by the state of the launch
control bits in the feature control MSR (MSR_IA32_FEAT_CTL). If the
hardware supports SGX, but neglects to support flexible launch control, the
kernel will not enable SGX.

Enable SGX at feature control MSR initialization and update the associated
X86_FEATURE flags accordingly. Disable X86_FEATURE_SGX (and all
derivatives) if the kernel is not able to establish itself as the authority
over SGX Launch Control.

All checks are performed for each logical CPU (not just boot CPU) in order
to verify that MSR_IA32_FEATURE_CONTROL is correctly configured on all
CPUs. All SGX code in this series expects the same configuration from all
CPUs.

This differs from VMX where X86_FEATURE_VMX is intentionally cleared only
for the current CPU so that KVM can provide additional information if KVM
fails to load like which CPU doesn't support VMX. There’s not much the
kernel or an administrator can do to fix the situation, so SGX neglects to
convey additional details about these kinds of failures if they occur.

Acked-by: Jethro Beekman <[email protected]>
Reviewed-by: Darren Kenny <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Co-developed-by: Jarkko Sakkinen <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
arch/x86/kernel/cpu/feat_ctl.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/feat_ctl.c b/arch/x86/kernel/cpu/feat_ctl.c
index 29a3bedabd06..d38e97325018 100644
--- a/arch/x86/kernel/cpu/feat_ctl.c
+++ b/arch/x86/kernel/cpu/feat_ctl.c
@@ -93,16 +93,32 @@ static void init_vmx_capabilities(struct cpuinfo_x86 *c)
}
#endif /* CONFIG_X86_VMX_FEATURE_NAMES */

+static void clear_sgx_caps(void)
+{
+ setup_clear_cpu_cap(X86_FEATURE_SGX);
+ setup_clear_cpu_cap(X86_FEATURE_SGX_LC);
+}
+
void init_ia32_feat_ctl(struct cpuinfo_x86 *c)
{
bool tboot = tboot_enabled();
+ bool enable_sgx;
u64 msr;

if (rdmsrl_safe(MSR_IA32_FEAT_CTL, &msr)) {
clear_cpu_cap(c, X86_FEATURE_VMX);
+ clear_sgx_caps();
return;
}

+ /*
+ * Enable SGX if and only if the kernel supports SGX and Launch Control
+ * is supported, i.e. disable SGX if the LE hash MSRs can't be written.
+ */
+ enable_sgx = cpu_has(c, X86_FEATURE_SGX) &&
+ cpu_has(c, X86_FEATURE_SGX_LC) &&
+ IS_ENABLED(CONFIG_X86_SGX);
+
if (msr & FEAT_CTL_LOCKED)
goto update_caps;

@@ -124,13 +140,16 @@ void init_ia32_feat_ctl(struct cpuinfo_x86 *c)
msr |= FEAT_CTL_VMX_ENABLED_INSIDE_SMX;
}

+ if (enable_sgx)
+ msr |= FEAT_CTL_SGX_ENABLED | FEAT_CTL_SGX_LC_ENABLED;
+
wrmsrl(MSR_IA32_FEAT_CTL, msr);

update_caps:
set_cpu_cap(c, X86_FEATURE_MSR_IA32_FEAT_CTL);

if (!cpu_has(c, X86_FEATURE_VMX))
- return;
+ goto update_sgx;

if ( (tboot && !(msr & FEAT_CTL_VMX_ENABLED_INSIDE_SMX)) ||
(!tboot && !(msr & FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX))) {
@@ -143,4 +162,12 @@ void init_ia32_feat_ctl(struct cpuinfo_x86 *c)
init_vmx_capabilities(c);
#endif
}
+
+update_sgx:
+ if (!(msr & FEAT_CTL_SGX_ENABLED) ||
+ !(msr & FEAT_CTL_SGX_LC_ENABLED) || !enable_sgx) {
+ if (enable_sgx)
+ pr_err_once("SGX disabled by BIOS\n");
+ clear_sgx_caps();
+ }
}
--
2.27.0

2020-11-04 14:57:47

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 08/24] x86/cpu/intel: Add nosgx kernel parameter

Add kernel parameter to disable Intel SGX kernel support, along with
supporting Documentation.

Tested-by: Sean Christopherson <[email protected]>
Reviewed-by: Sean Christopherson <[email protected]>
Reviewed-by: Darren Kenny <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
Documentation/admin-guide/kernel-parameters.txt | 2 ++
arch/x86/kernel/cpu/feat_ctl.c | 9 +++++++++
2 files changed, 11 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index bd1a5b87a5e2..4684611edf09 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -3385,6 +3385,8 @@

nosep [BUGS=X86-32] Disables x86 SYSENTER/SYSEXIT support.

+ nosgx [X86-64,SGX] Disables Intel SGX kernel support.
+
nosmp [SMP] Tells an SMP kernel to act as a UP kernel,
and disable the IO APIC. legacy for "maxcpus=0".

diff --git a/arch/x86/kernel/cpu/feat_ctl.c b/arch/x86/kernel/cpu/feat_ctl.c
index d38e97325018..3b1b01f2b248 100644
--- a/arch/x86/kernel/cpu/feat_ctl.c
+++ b/arch/x86/kernel/cpu/feat_ctl.c
@@ -99,6 +99,15 @@ static void clear_sgx_caps(void)
setup_clear_cpu_cap(X86_FEATURE_SGX_LC);
}

+static int __init nosgx(char *str)
+{
+ clear_sgx_caps();
+
+ return 0;
+}
+
+early_param("nosgx", nosgx);
+
void init_ia32_feat_ctl(struct cpuinfo_x86 *c)
{
bool tboot = tboot_enabled();
--
2.27.0

2020-11-04 14:57:56

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 09/24] x86/sgx: Add SGX page allocator functions

The previous patch initialized a simple SGX page allocator. Add functions
for runtime allocation and free.

This allocator and its algorithms are as simple as it gets. They do a
linear search across all EPC sections and find the first free page. They
are not NUMA aware and only hand out individual pages. The SGX hardware
does not support large pages, so something more complicated like a buddy
allocator is unwarranted.

The free function (sgx_free_epc_page()) implicitly calls ENCLS[EREMOVE],
which returns the page to the uninitialized state. This ensures that the
page is ready for use at the next allocation.

Acked-by: Jethro Beekman <[email protected]>
Reviewed-by: Darren Kenny <[email protected]>
Co-developed-by: Sean Christopherson <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
arch/x86/kernel/cpu/sgx/main.c | 62 ++++++++++++++++++++++++++++++++++
arch/x86/kernel/cpu/sgx/sgx.h | 3 ++
2 files changed, 65 insertions(+)

diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
index 956055a0eff6..b9ac438a13a4 100644
--- a/arch/x86/kernel/cpu/sgx/main.c
+++ b/arch/x86/kernel/cpu/sgx/main.c
@@ -85,6 +85,68 @@ static bool __init sgx_page_reclaimer_init(void)
return true;
}

+static struct sgx_epc_page *__sgx_alloc_epc_page_from_section(struct sgx_epc_section *section)
+{
+ struct sgx_epc_page *page;
+
+ if (list_empty(&section->page_list))
+ return NULL;
+
+ page = list_first_entry(&section->page_list, struct sgx_epc_page, list);
+ list_del_init(&page->list);
+
+ return page;
+}
+
+/**
+ * __sgx_alloc_epc_page() - Allocate an EPC page
+ *
+ * Iterate through EPC sections and borrow a free EPC page to the caller. When a
+ * page is no longer needed it must be released with sgx_free_epc_page().
+ *
+ * Return:
+ * an EPC page,
+ * -errno on error
+ */
+struct sgx_epc_page *__sgx_alloc_epc_page(void)
+{
+ struct sgx_epc_section *section;
+ struct sgx_epc_page *page;
+ int i;
+
+ for (i = 0; i < sgx_nr_epc_sections; i++) {
+ section = &sgx_epc_sections[i];
+ spin_lock(&section->lock);
+ page = __sgx_alloc_epc_page_from_section(section);
+ spin_unlock(&section->lock);
+
+ if (page)
+ return page;
+ }
+
+ return ERR_PTR(-ENOMEM);
+}
+
+/**
+ * sgx_free_epc_page() - Free an EPC page
+ * @page: an EPC page
+ *
+ * Call EREMOVE for an EPC page and insert it back to the list of free pages.
+ */
+void sgx_free_epc_page(struct sgx_epc_page *page)
+{
+ struct sgx_epc_section *section = &sgx_epc_sections[page->section];
+ int ret;
+
+ ret = __eremove(sgx_get_epc_virt_addr(page));
+ if (WARN_ONCE(ret, "EREMOVE returned %d (0x%x)", ret, ret))
+ return;
+
+ spin_lock(&section->lock);
+ list_add_tail(&page->list, &section->page_list);
+ spin_unlock(&section->lock);
+}
+
static bool __init sgx_setup_epc_section(u64 phys_addr, u64 size,
unsigned long index,
struct sgx_epc_section *section)
diff --git a/arch/x86/kernel/cpu/sgx/sgx.h b/arch/x86/kernel/cpu/sgx/sgx.h
index 02afa84dd8fd..bd9dcb1ffcfa 100644
--- a/arch/x86/kernel/cpu/sgx/sgx.h
+++ b/arch/x86/kernel/cpu/sgx/sgx.h
@@ -57,4 +57,7 @@ static inline void *sgx_get_epc_virt_addr(struct sgx_epc_page *page)
return section->virt_addr + index * PAGE_SIZE;
}

+struct sgx_epc_page *__sgx_alloc_epc_page(void);
+void sgx_free_epc_page(struct sgx_epc_page *page);
+
#endif /* _X86_SGX_H */
--
2.27.0

2020-11-04 14:58:10

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 11/24] x86/sgx: Add SGX misc driver interface

Intel(R) SGX is new hardware functionality that can be used by applications
to set aside private regions of code and data called enclaves. New hardware
protects enclave code and data from outside access and modification.

Add a driver that presents a device file and ioctl API to build and manage
enclaves. Subsequent patches will expend the ioctl()’s functionality.

Cc: [email protected]
Cc: [email protected]
Cc: Andrew Morton <[email protected]>
Cc: Matthew Wilcox <[email protected]>
Acked-by: Jethro Beekman <[email protected]>
Tested-by: Jethro Beekman <[email protected]>
Tested-by: Haitao Huang <[email protected]>
Tested-by: Chunyang Hui <[email protected]>
Tested-by: Jordan Hand <[email protected]>
Tested-by: Nathaniel McCallum <[email protected]>
Tested-by: Seth Moore <[email protected]>
Tested-by: Darren Kenny <[email protected]>
Reviewed-by: Darren Kenny <[email protected]>
Co-developed-by: Sean Christopherson <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Co-developed-by: Suresh Siddha <[email protected]>
Signed-off-by: Suresh Siddha <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
Changes from v39:
* Rename /dev/sgx/enclave as /dev/sgx_enclave.
* In the page fault handler, do not check for SGX_ENCL_DEAD. This allows
to do forensics to the memory of debug enclaves.

arch/x86/kernel/cpu/sgx/Makefile | 2 +
arch/x86/kernel/cpu/sgx/driver.c | 112 ++++++++++++++++++
arch/x86/kernel/cpu/sgx/driver.h | 16 +++
arch/x86/kernel/cpu/sgx/encl.c | 188 +++++++++++++++++++++++++++++++
arch/x86/kernel/cpu/sgx/encl.h | 46 ++++++++
arch/x86/kernel/cpu/sgx/main.c | 12 +-
6 files changed, 375 insertions(+), 1 deletion(-)
create mode 100644 arch/x86/kernel/cpu/sgx/driver.c
create mode 100644 arch/x86/kernel/cpu/sgx/driver.h
create mode 100644 arch/x86/kernel/cpu/sgx/encl.c
create mode 100644 arch/x86/kernel/cpu/sgx/encl.h

diff --git a/arch/x86/kernel/cpu/sgx/Makefile b/arch/x86/kernel/cpu/sgx/Makefile
index 79510ce01b3b..3fc451120735 100644
--- a/arch/x86/kernel/cpu/sgx/Makefile
+++ b/arch/x86/kernel/cpu/sgx/Makefile
@@ -1,2 +1,4 @@
obj-y += \
+ driver.o \
+ encl.o \
main.o
diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c
new file mode 100644
index 000000000000..248213dea78e
--- /dev/null
+++ b/arch/x86/kernel/cpu/sgx/driver.c
@@ -0,0 +1,112 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright(c) 2016-20 Intel Corporation. */
+
+#include <linux/acpi.h>
+#include <linux/miscdevice.h>
+#include <linux/mman.h>
+#include <linux/security.h>
+#include <linux/suspend.h>
+#include <asm/traps.h>
+#include "driver.h"
+#include "encl.h"
+
+static int sgx_open(struct inode *inode, struct file *file)
+{
+ struct sgx_encl *encl;
+
+ encl = kzalloc(sizeof(*encl), GFP_KERNEL);
+ if (!encl)
+ return -ENOMEM;
+
+ xa_init(&encl->page_array);
+ mutex_init(&encl->lock);
+
+ file->private_data = encl;
+
+ return 0;
+}
+
+static int sgx_release(struct inode *inode, struct file *file)
+{
+ struct sgx_encl *encl = file->private_data;
+ struct sgx_encl_page *entry;
+ unsigned long index;
+
+ xa_for_each(&encl->page_array, index, entry) {
+ if (entry->epc_page) {
+ sgx_free_epc_page(entry->epc_page);
+ encl->secs_child_cnt--;
+ entry->epc_page = NULL;
+ }
+
+ kfree(entry);
+ }
+
+ xa_destroy(&encl->page_array);
+
+ if (!encl->secs_child_cnt && encl->secs.epc_page) {
+ sgx_free_epc_page(encl->secs.epc_page);
+ encl->secs.epc_page = NULL;
+ }
+
+ /* Detect EPC page leak's. */
+ WARN_ON_ONCE(encl->secs_child_cnt);
+ WARN_ON_ONCE(encl->secs.epc_page);
+
+ kfree(encl);
+ return 0;
+}
+
+static int sgx_mmap(struct file *file, struct vm_area_struct *vma)
+{
+ struct sgx_encl *encl = file->private_data;
+ int ret;
+
+ ret = sgx_encl_may_map(encl, vma->vm_start, vma->vm_end, vma->vm_flags);
+ if (ret)
+ return ret;
+
+ vma->vm_ops = &sgx_vm_ops;
+ vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP | VM_IO;
+ vma->vm_private_data = encl;
+
+ return 0;
+}
+
+static unsigned long sgx_get_unmapped_area(struct file *file,
+ unsigned long addr,
+ unsigned long len,
+ unsigned long pgoff,
+ unsigned long flags)
+{
+ if ((flags & MAP_TYPE) == MAP_PRIVATE)
+ return -EINVAL;
+
+ if (flags & MAP_FIXED)
+ return addr;
+
+ return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
+}
+
+static const struct file_operations sgx_encl_fops = {
+ .owner = THIS_MODULE,
+ .open = sgx_open,
+ .release = sgx_release,
+ .mmap = sgx_mmap,
+ .get_unmapped_area = sgx_get_unmapped_area,
+};
+
+static struct miscdevice sgx_dev_enclave = {
+ .minor = MISC_DYNAMIC_MINOR,
+ .name = "sgx_enclave",
+ .nodename = "sgx_enclave",
+ .fops = &sgx_encl_fops,
+};
+
+int __init sgx_drv_init(void)
+{
+ if (!cpu_feature_enabled(X86_FEATURE_SGX_LC))
+ return -ENODEV;
+
+ return misc_register(&sgx_dev_enclave);
+}
diff --git a/arch/x86/kernel/cpu/sgx/driver.h b/arch/x86/kernel/cpu/sgx/driver.h
new file mode 100644
index 000000000000..cda9c43b7543
--- /dev/null
+++ b/arch/x86/kernel/cpu/sgx/driver.h
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef __ARCH_SGX_DRIVER_H__
+#define __ARCH_SGX_DRIVER_H__
+
+#include <crypto/hash.h>
+#include <linux/kref.h>
+#include <linux/mmu_notifier.h>
+#include <linux/radix-tree.h>
+#include <linux/rwsem.h>
+#include <linux/sched.h>
+#include <linux/workqueue.h>
+#include "sgx.h"
+
+int sgx_drv_init(void);
+
+#endif /* __ARCH_X86_SGX_DRIVER_H__ */
diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
new file mode 100644
index 000000000000..d47caa106350
--- /dev/null
+++ b/arch/x86/kernel/cpu/sgx/encl.c
@@ -0,0 +1,188 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright(c) 2016-20 Intel Corporation. */
+
+#include <linux/lockdep.h>
+#include <linux/mm.h>
+#include <linux/mman.h>
+#include <linux/shmem_fs.h>
+#include <linux/suspend.h>
+#include <linux/sched/mm.h>
+#include "arch.h"
+#include "encl.h"
+#include "encls.h"
+#include "sgx.h"
+
+static struct sgx_encl_page *sgx_encl_load_page(struct sgx_encl *encl,
+ unsigned long addr,
+ unsigned long vm_flags)
+{
+ unsigned long vm_prot_bits = vm_flags & (VM_READ | VM_WRITE | VM_EXEC);
+ struct sgx_encl_page *entry;
+
+ entry = xa_load(&encl->page_array, PFN_DOWN(addr));
+ if (!entry)
+ return ERR_PTR(-EFAULT);
+
+ /*
+ * Verify that the faulted page has equal or higher build time
+ * permissions than the VMA permissions (i.e. the subset of {VM_READ,
+ * VM_WRITE, VM_EXECUTE} in vma->vm_flags).
+ */
+ if ((entry->vm_max_prot_bits & vm_prot_bits) != vm_prot_bits)
+ return ERR_PTR(-EFAULT);
+
+ /* No page found. */
+ if (!entry->epc_page)
+ return ERR_PTR(-EFAULT);
+
+ /* Entry successfully located. */
+ return entry;
+}
+
+static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)
+{
+ unsigned long addr = (unsigned long)vmf->address;
+ struct vm_area_struct *vma = vmf->vma;
+ struct sgx_encl_page *entry;
+ unsigned long phys_addr;
+ struct sgx_encl *encl;
+ vm_fault_t ret;
+
+ encl = vma->vm_private_data;
+
+ mutex_lock(&encl->lock);
+
+ entry = sgx_encl_load_page(encl, addr, vma->vm_flags);
+ if (IS_ERR(entry)) {
+ mutex_unlock(&encl->lock);
+
+ return VM_FAULT_SIGBUS;
+ }
+
+ phys_addr = sgx_get_epc_phys_addr(entry->epc_page);
+
+ ret = vmf_insert_pfn(vma, addr, PFN_DOWN(phys_addr));
+ if (ret != VM_FAULT_NOPAGE) {
+ mutex_unlock(&encl->lock);
+
+ return VM_FAULT_SIGBUS;
+ }
+
+ mutex_unlock(&encl->lock);
+
+ return VM_FAULT_NOPAGE;
+}
+
+/**
+ * sgx_encl_may_map() - Check if a requested VMA mapping is allowed
+ * @encl: an enclave pointer
+ * @start: lower bound of the address range, inclusive
+ * @end: upper bound of the address range, exclusive
+ * @vm_flags: VMA flags
+ *
+ * Iterate through the enclave pages contained within [@start, @end) to verify
+ * that the permissions requested by a subset of {VM_READ, VM_WRITE, VM_EXEC}
+ * does not contain any permissions that are not contained in the build time
+ * permissions of any of the enclave pages within the given address range.
+ *
+ * An enclave creator must declare the strongest permissions that will be
+ * needed for each enclave page This ensures that mappings have the identical
+ * or weaker permissions that the earlier declared permissions.
+ *
+ * Return: 0 on success, -EACCES otherwise
+ */
+int sgx_encl_may_map(struct sgx_encl *encl, unsigned long start,
+ unsigned long end, unsigned long vm_flags)
+{
+ unsigned long vm_prot_bits = vm_flags & (VM_READ | VM_WRITE | VM_EXEC);
+ struct sgx_encl_page *page;
+ unsigned long count = 0;
+ int ret = 0;
+
+ XA_STATE(xas, &encl->page_array, PFN_DOWN(start));
+
+ /*
+ * Disallow READ_IMPLIES_EXEC tasks as their VMA permissions might
+ * conflict with the enclave page permissions.
+ */
+ if (current->personality & READ_IMPLIES_EXEC)
+ return -EACCES;
+
+ mutex_lock(&encl->lock);
+ xas_lock(&xas);
+ xas_for_each(&xas, page, PFN_DOWN(end - 1)) {
+ if (!page)
+ break;
+
+ if (~page->vm_max_prot_bits & vm_prot_bits) {
+ ret = -EACCES;
+ break;
+ }
+
+ /* Reschedule on every XA_CHECK_SCHED iteration. */
+ if (!(++count % XA_CHECK_SCHED)) {
+ xas_pause(&xas);
+ xas_unlock(&xas);
+ mutex_unlock(&encl->lock);
+
+ cond_resched();
+
+ mutex_lock(&encl->lock);
+ xas_lock(&xas);
+ }
+ }
+ xas_unlock(&xas);
+ mutex_unlock(&encl->lock);
+
+ return ret;
+}
+
+static int sgx_vma_mprotect(struct vm_area_struct *vma,
+ struct vm_area_struct **pprev, unsigned long start,
+ unsigned long end, unsigned long newflags)
+{
+ int ret;
+
+ ret = sgx_encl_may_map(vma->vm_private_data, start, end, newflags);
+ if (ret)
+ return ret;
+
+ return mprotect_fixup(vma, pprev, start, end, newflags);
+}
+
+const struct vm_operations_struct sgx_vm_ops = {
+ .fault = sgx_vma_fault,
+ .mprotect = sgx_vma_mprotect,
+};
+
+/**
+ * sgx_encl_find - find an enclave
+ * @mm: mm struct of the current process
+ * @addr: address in the ELRANGE
+ * @vma: the resulting VMA
+ *
+ * Find an enclave identified by the given address. Give back a VMA that is
+ * part of the enclave and located in that address. The VMA is given back if it
+ * is a proper enclave VMA even if an &sgx_encl instance does not exist yet
+ * (enclave creation has not been performed).
+ *
+ * Return:
+ * 0 on success,
+ * -EINVAL if an enclave was not found,
+ * -ENOENT if the enclave has not been created yet
+ */
+int sgx_encl_find(struct mm_struct *mm, unsigned long addr,
+ struct vm_area_struct **vma)
+{
+ struct vm_area_struct *result;
+ struct sgx_encl *encl;
+
+ result = find_vma(mm, addr);
+ if (!result || result->vm_ops != &sgx_vm_ops || addr < result->vm_start)
+ return -EINVAL;
+
+ encl = result->vm_private_data;
+ *vma = result;
+
+ return encl ? 0 : -ENOENT;
+}
diff --git a/arch/x86/kernel/cpu/sgx/encl.h b/arch/x86/kernel/cpu/sgx/encl.h
new file mode 100644
index 000000000000..8eb34e95feda
--- /dev/null
+++ b/arch/x86/kernel/cpu/sgx/encl.h
@@ -0,0 +1,46 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/**
+ * Copyright(c) 2016-20 Intel Corporation.
+ *
+ * Contains the software defined data structures for enclaves.
+ */
+#ifndef _X86_ENCL_H
+#define _X86_ENCL_H
+
+#include <linux/cpumask.h>
+#include <linux/kref.h>
+#include <linux/list.h>
+#include <linux/mm_types.h>
+#include <linux/mmu_notifier.h>
+#include <linux/mutex.h>
+#include <linux/notifier.h>
+#include <linux/srcu.h>
+#include <linux/workqueue.h>
+#include <linux/xarray.h>
+#include "sgx.h"
+
+struct sgx_encl_page {
+ unsigned long desc;
+ unsigned long vm_max_prot_bits;
+ struct sgx_epc_page *epc_page;
+ struct sgx_encl *encl;
+};
+
+struct sgx_encl {
+ unsigned long base;
+ unsigned long size;
+ unsigned int page_cnt;
+ unsigned int secs_child_cnt;
+ struct mutex lock;
+ struct xarray page_array;
+ struct sgx_encl_page secs;
+};
+
+extern const struct vm_operations_struct sgx_vm_ops;
+
+int sgx_encl_find(struct mm_struct *mm, unsigned long addr,
+ struct vm_area_struct **vma);
+int sgx_encl_may_map(struct sgx_encl *encl, unsigned long start,
+ unsigned long end, unsigned long vm_flags);
+
+#endif /* _X86_ENCL_H */
diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
index b9ac438a13a4..c2740e0630d1 100644
--- a/arch/x86/kernel/cpu/sgx/main.c
+++ b/arch/x86/kernel/cpu/sgx/main.c
@@ -9,6 +9,8 @@
#include <linux/sched/mm.h>
#include <linux/sched/signal.h>
#include <linux/slab.h>
+#include "driver.h"
+#include "encl.h"
#include "encls.h"

struct sgx_epc_section sgx_epc_sections[SGX_MAX_EPC_SECTIONS];
@@ -229,9 +231,10 @@ static bool __init sgx_page_cache_init(void)

static void __init sgx_init(void)
{
+ int ret;
int i;

- if (!boot_cpu_has(X86_FEATURE_SGX))
+ if (!cpu_feature_enabled(X86_FEATURE_SGX))
return;

if (!sgx_page_cache_init())
@@ -240,8 +243,15 @@ static void __init sgx_init(void)
if (!sgx_page_reclaimer_init())
goto err_page_cache;

+ ret = sgx_drv_init();
+ if (ret)
+ goto err_kthread;
+
return;

+err_kthread:
+ kthread_stop(ksgxswapd_tsk);
+
err_page_cache:
for (i = 0; i < sgx_nr_epc_sections; i++) {
vfree(sgx_epc_sections[i].pages);
--
2.27.0

2020-11-04 14:58:18

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 12/24] x86/sgx: Add SGX_IOC_ENCLAVE_CREATE

Add an ioctl() that performs ECREATE function of ENCLS instruction, which
creates SGX Enclave Control Structure (SECS).

Although the SECS is an in-memory data structure, it is present in enclave
memory and is not directly accessible by software.

Acked-by: Jethro Beekman <[email protected]>
Tested-by: Jethro Beekman <[email protected]>
Tested-by: Haitao Huang <[email protected]>
Tested-by: Chunyang Hui <[email protected]>
Tested-by: Jordan Hand <[email protected]>
Tested-by: Nathaniel McCallum <[email protected]>
Tested-by: Seth Moore <[email protected]>
Tested-by: Darren Kenny <[email protected]>
Reviewed-by: Darren Kenny <[email protected]>
Co-developed-by: Sean Christopherson <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Co-developed-by: Suresh Siddha <[email protected]>
Signed-off-by: Suresh Siddha <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
Changes from v39:
* Remove sgx_validate_secs() and let ECREATE do the validation. If it
fails, return -EIO.

.../userspace-api/ioctl/ioctl-number.rst | 1 +
arch/x86/include/uapi/asm/sgx.h | 25 ++++
arch/x86/kernel/cpu/sgx/Makefile | 1 +
arch/x86/kernel/cpu/sgx/driver.c | 12 ++
arch/x86/kernel/cpu/sgx/driver.h | 3 +
arch/x86/kernel/cpu/sgx/encl.c | 8 ++
arch/x86/kernel/cpu/sgx/encl.h | 7 +
arch/x86/kernel/cpu/sgx/ioctl.c | 123 ++++++++++++++++++
8 files changed, 180 insertions(+)
create mode 100644 arch/x86/include/uapi/asm/sgx.h
create mode 100644 arch/x86/kernel/cpu/sgx/ioctl.c

diff --git a/Documentation/userspace-api/ioctl/ioctl-number.rst b/Documentation/userspace-api/ioctl/ioctl-number.rst
index 55a2d9b2ce33..a4c75a28c839 100644
--- a/Documentation/userspace-api/ioctl/ioctl-number.rst
+++ b/Documentation/userspace-api/ioctl/ioctl-number.rst
@@ -323,6 +323,7 @@ Code Seq# Include File Comments
<mailto:[email protected]>
0xA3 90-9F linux/dtlk.h
0xA4 00-1F uapi/linux/tee.h Generic TEE subsystem
+0xA4 00-1F uapi/asm/sgx.h <mailto:[email protected]>
0xAA 00-3F linux/uapi/linux/userfaultfd.h
0xAB 00-1F linux/nbd.h
0xAC 00-1F linux/raw.h
diff --git a/arch/x86/include/uapi/asm/sgx.h b/arch/x86/include/uapi/asm/sgx.h
new file mode 100644
index 000000000000..f31bb17e27c3
--- /dev/null
+++ b/arch/x86/include/uapi/asm/sgx.h
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/*
+ * Copyright(c) 2016-20 Intel Corporation.
+ */
+#ifndef _UAPI_ASM_X86_SGX_H
+#define _UAPI_ASM_X86_SGX_H
+
+#include <linux/types.h>
+#include <linux/ioctl.h>
+
+#define SGX_MAGIC 0xA4
+
+#define SGX_IOC_ENCLAVE_CREATE \
+ _IOW(SGX_MAGIC, 0x00, struct sgx_enclave_create)
+
+/**
+ * struct sgx_enclave_create - parameter structure for the
+ * %SGX_IOC_ENCLAVE_CREATE ioctl
+ * @src: address for the SECS page data
+ */
+struct sgx_enclave_create {
+ __u64 src;
+};
+
+#endif /* _UAPI_ASM_X86_SGX_H */
diff --git a/arch/x86/kernel/cpu/sgx/Makefile b/arch/x86/kernel/cpu/sgx/Makefile
index 3fc451120735..91d3dc784a29 100644
--- a/arch/x86/kernel/cpu/sgx/Makefile
+++ b/arch/x86/kernel/cpu/sgx/Makefile
@@ -1,4 +1,5 @@
obj-y += \
driver.o \
encl.o \
+ ioctl.o \
main.o
diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c
index 248213dea78e..9878b542c616 100644
--- a/arch/x86/kernel/cpu/sgx/driver.c
+++ b/arch/x86/kernel/cpu/sgx/driver.c
@@ -88,10 +88,22 @@ static unsigned long sgx_get_unmapped_area(struct file *file,
return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
}

+#ifdef CONFIG_COMPAT
+static long sgx_compat_ioctl(struct file *filep, unsigned int cmd,
+ unsigned long arg)
+{
+ return sgx_ioctl(filep, cmd, arg);
+}
+#endif
+
static const struct file_operations sgx_encl_fops = {
.owner = THIS_MODULE,
.open = sgx_open,
.release = sgx_release,
+ .unlocked_ioctl = sgx_ioctl,
+#ifdef CONFIG_COMPAT
+ .compat_ioctl = sgx_compat_ioctl,
+#endif
.mmap = sgx_mmap,
.get_unmapped_area = sgx_get_unmapped_area,
};
diff --git a/arch/x86/kernel/cpu/sgx/driver.h b/arch/x86/kernel/cpu/sgx/driver.h
index cda9c43b7543..a728e8e848bd 100644
--- a/arch/x86/kernel/cpu/sgx/driver.h
+++ b/arch/x86/kernel/cpu/sgx/driver.h
@@ -9,8 +9,11 @@
#include <linux/rwsem.h>
#include <linux/sched.h>
#include <linux/workqueue.h>
+#include <uapi/asm/sgx.h>
#include "sgx.h"

+long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg);
+
int sgx_drv_init(void);

#endif /* __ARCH_X86_SGX_DRIVER_H__ */
diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
index d47caa106350..dfcc306d297c 100644
--- a/arch/x86/kernel/cpu/sgx/encl.c
+++ b/arch/x86/kernel/cpu/sgx/encl.c
@@ -46,6 +46,7 @@ static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)
struct sgx_encl_page *entry;
unsigned long phys_addr;
struct sgx_encl *encl;
+ unsigned long pfn;
vm_fault_t ret;

encl = vma->vm_private_data;
@@ -61,6 +62,13 @@ static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)

phys_addr = sgx_get_epc_phys_addr(entry->epc_page);

+ /* Check if another thread got here first to insert the PTE. */
+ if (!follow_pfn(vma, addr, &pfn)) {
+ mutex_unlock(&encl->lock);
+
+ return VM_FAULT_NOPAGE;
+ }
+
ret = vmf_insert_pfn(vma, addr, PFN_DOWN(phys_addr));
if (ret != VM_FAULT_NOPAGE) {
mutex_unlock(&encl->lock);
diff --git a/arch/x86/kernel/cpu/sgx/encl.h b/arch/x86/kernel/cpu/sgx/encl.h
index 8eb34e95feda..ad0d73f63bc9 100644
--- a/arch/x86/kernel/cpu/sgx/encl.h
+++ b/arch/x86/kernel/cpu/sgx/encl.h
@@ -26,9 +26,16 @@ struct sgx_encl_page {
struct sgx_encl *encl;
};

+enum sgx_encl_flags {
+ SGX_ENCL_IOCTL = BIT(0),
+ SGX_ENCL_DEBUG = BIT(1),
+ SGX_ENCL_CREATED = BIT(2),
+};
+
struct sgx_encl {
unsigned long base;
unsigned long size;
+ unsigned long flags;
unsigned int page_cnt;
unsigned int secs_child_cnt;
struct mutex lock;
diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
new file mode 100644
index 000000000000..1355490843d1
--- /dev/null
+++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright(c) 2016-20 Intel Corporation. */
+
+#include <asm/mman.h>
+#include <linux/mman.h>
+#include <linux/delay.h>
+#include <linux/file.h>
+#include <linux/hashtable.h>
+#include <linux/highmem.h>
+#include <linux/ratelimit.h>
+#include <linux/sched/signal.h>
+#include <linux/shmem_fs.h>
+#include <linux/slab.h>
+#include <linux/suspend.h>
+#include "driver.h"
+#include "encl.h"
+#include "encls.h"
+
+static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
+{
+ struct sgx_epc_page *secs_epc;
+ struct sgx_pageinfo pginfo;
+ struct sgx_secinfo secinfo;
+ unsigned long encl_size;
+ long ret;
+
+ /* The extra page goes to SECS. */
+ encl_size = secs->size + PAGE_SIZE;
+
+ secs_epc = __sgx_alloc_epc_page();
+ if (IS_ERR(secs_epc))
+ return PTR_ERR(secs_epc);
+
+ encl->secs.epc_page = secs_epc;
+
+ pginfo.addr = 0;
+ pginfo.contents = (unsigned long)secs;
+ pginfo.metadata = (unsigned long)&secinfo;
+ pginfo.secs = 0;
+ memset(&secinfo, 0, sizeof(secinfo));
+
+ ret = __ecreate((void *)&pginfo, sgx_get_epc_virt_addr(secs_epc));
+ if (ret) {
+ ret = -EIO;
+ goto err_out;
+ }
+
+ if (secs->attributes & SGX_ATTR_DEBUG)
+ set_bit(SGX_ENCL_DEBUG, &encl->flags);
+
+ encl->secs.encl = encl;
+ encl->base = secs->base;
+ encl->size = secs->size;
+
+ /* Set only after completion, as encl->lock has not been taken. */
+ set_bit(SGX_ENCL_CREATED, &encl->flags);
+
+ return 0;
+
+err_out:
+ sgx_free_epc_page(encl->secs.epc_page);
+ encl->secs.epc_page = NULL;
+
+ return ret;
+}
+
+/**
+ * sgx_ioc_enclave_create() - handler for %SGX_IOC_ENCLAVE_CREATE
+ * @encl: An enclave pointer.
+ * @arg: The ioctl argument.
+ *
+ * Allocate kernel data structures for the enclave and invoke ECREATE.
+ *
+ * Return:
+ * - 0: Success.
+ * - -EIO: ECREATE failed.
+ * - -errno: POSIX error.
+ */
+static long sgx_ioc_enclave_create(struct sgx_encl *encl, void __user *arg)
+{
+ struct sgx_enclave_create create_arg;
+ void *secs;
+ int ret;
+
+ if (test_bit(SGX_ENCL_CREATED, &encl->flags))
+ return -EINVAL;
+
+ if (copy_from_user(&create_arg, arg, sizeof(create_arg)))
+ return -EFAULT;
+
+ secs = kmalloc(PAGE_SIZE, GFP_KERNEL);
+ if (!secs)
+ return -ENOMEM;
+
+ if (copy_from_user(secs, (void __user *)create_arg.src, PAGE_SIZE))
+ ret = -EFAULT;
+ else
+ ret = sgx_encl_create(encl, secs);
+
+ kfree(secs);
+ return ret;
+}
+
+long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
+{
+ struct sgx_encl *encl = filep->private_data;
+ int ret;
+
+ if (test_and_set_bit(SGX_ENCL_IOCTL, &encl->flags))
+ return -EBUSY;
+
+ switch (cmd) {
+ case SGX_IOC_ENCLAVE_CREATE:
+ ret = sgx_ioc_enclave_create(encl, (void __user *)arg);
+ break;
+ default:
+ ret = -ENOIOCTLCMD;
+ break;
+ }
+
+ clear_bit(SGX_ENCL_IOCTL, &encl->flags);
+ return ret;
+}
--
2.27.0

2020-11-04 14:58:22

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 13/24] x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES

SGX enclave pages are inaccessible to normal software. They must be
populated with data by copying from normal memory with the help of the EADD
and EEXTEND functions of the ENCLS instruction.

Add an ioctl() which performs EADD that adds new data to an enclave, and
optionally EEXTEND functions that hash the page contents and use the hash
as part of enclave “measurement” to ensure enclave integrity.

The enclave author gets to decide which pages will be included in the
enclave measurement with EEXTEND. Measurement is very slow and has
sometimes has very little value. For instance, an enclave _could_ measure
every page of data and code, but would be slow to initialize. Or, it might
just measure its code and then trust that code to initialize the bulk of
its data after it starts running.

Acked-by: Jethro Beekman <[email protected]>
Tested-by: Jethro Beekman <[email protected]>
Tested-by: Haitao Huang <[email protected]>
Tested-by: Chunyang Hui <[email protected]>
Tested-by: Jordan Hand <[email protected]>
Tested-by: Nathaniel McCallum <[email protected]>
Tested-by: Seth Moore <[email protected]>
Tested-by: Darren Kenny <[email protected]>
Reviewed-by: Darren Kenny <[email protected]>
Co-developed-by: Sean Christopherson <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Co-developed-by: Suresh Siddha <[email protected]>
Signed-off-by: Suresh Siddha <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
Changes from v39:
* Remove unneeded access_ok(). It is taken care of by get_user_pages().
* Define SGX_EEXTEND_BLOCK_SIZE to capture the block size used with
EEXTEND.
* When EADD or EEXTEND fail, just return -EIO. Leave the enclave cleanup
as the duty of VFS and the page reclaimer.
* Remove SGX_MAX_ADD_PAGES_LENGTH, as the ioctl can be interrupted
anyway.

arch/x86/include/uapi/asm/sgx.h | 30 ++++
arch/x86/kernel/cpu/sgx/ioctl.c | 284 ++++++++++++++++++++++++++++++++
arch/x86/kernel/cpu/sgx/sgx.h | 1 +
3 files changed, 315 insertions(+)

diff --git a/arch/x86/include/uapi/asm/sgx.h b/arch/x86/include/uapi/asm/sgx.h
index f31bb17e27c3..835f7e588f0d 100644
--- a/arch/x86/include/uapi/asm/sgx.h
+++ b/arch/x86/include/uapi/asm/sgx.h
@@ -8,10 +8,21 @@
#include <linux/types.h>
#include <linux/ioctl.h>

+/**
+ * enum sgx_epage_flags - page control flags
+ * %SGX_PAGE_MEASURE: Measure the page contents with a sequence of
+ * ENCLS[EEXTEND] operations.
+ */
+enum sgx_page_flags {
+ SGX_PAGE_MEASURE = 0x01,
+};
+
#define SGX_MAGIC 0xA4

#define SGX_IOC_ENCLAVE_CREATE \
_IOW(SGX_MAGIC, 0x00, struct sgx_enclave_create)
+#define SGX_IOC_ENCLAVE_ADD_PAGES \
+ _IOWR(SGX_MAGIC, 0x01, struct sgx_enclave_add_pages)

/**
* struct sgx_enclave_create - parameter structure for the
@@ -22,4 +33,23 @@ struct sgx_enclave_create {
__u64 src;
};

+/**
+ * struct sgx_enclave_add_pages - parameter structure for the
+ * %SGX_IOC_ENCLAVE_ADD_PAGE ioctl
+ * @src: start address for the page data
+ * @offset: starting page offset
+ * @length: length of the data (multiple of the page size)
+ * @secinfo: address for the SECINFO data
+ * @flags: page control flags
+ * @count: number of bytes added (multiple of the page size)
+ */
+struct sgx_enclave_add_pages {
+ __u64 src;
+ __u64 offset;
+ __u64 length;
+ __u64 secinfo;
+ __u64 flags;
+ __u64 count;
+};
+
#endif /* _UAPI_ASM_X86_SGX_H */
diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
index 1355490843d1..82acff7bda60 100644
--- a/arch/x86/kernel/cpu/sgx/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -101,6 +101,287 @@ static long sgx_ioc_enclave_create(struct sgx_encl *encl, void __user *arg)
return ret;
}

+static struct sgx_encl_page *sgx_encl_page_alloc(struct sgx_encl *encl,
+ unsigned long offset,
+ u64 secinfo_flags)
+{
+ struct sgx_encl_page *encl_page;
+ unsigned long prot;
+
+ encl_page = kzalloc(sizeof(*encl_page), GFP_KERNEL);
+ if (!encl_page)
+ return ERR_PTR(-ENOMEM);
+
+ encl_page->desc = encl->base + offset;
+ encl_page->encl = encl;
+
+ prot = _calc_vm_trans(secinfo_flags, SGX_SECINFO_R, PROT_READ) |
+ _calc_vm_trans(secinfo_flags, SGX_SECINFO_W, PROT_WRITE) |
+ _calc_vm_trans(secinfo_flags, SGX_SECINFO_X, PROT_EXEC);
+
+ /*
+ * TCS pages must always RW set for CPU access while the SECINFO
+ * permissions are *always* zero - the CPU ignores the user provided
+ * values and silently overwrites them with zero permissions.
+ */
+ if ((secinfo_flags & SGX_SECINFO_PAGE_TYPE_MASK) == SGX_SECINFO_TCS)
+ prot |= PROT_READ | PROT_WRITE;
+
+ /* Calculate maximum of the VM flags for the page. */
+ encl_page->vm_max_prot_bits = calc_vm_prot_bits(prot, 0);
+
+ return encl_page;
+}
+
+static int sgx_validate_secinfo(struct sgx_secinfo *secinfo)
+{
+ u64 perm = secinfo->flags & SGX_SECINFO_PERMISSION_MASK;
+ u64 pt = secinfo->flags & SGX_SECINFO_PAGE_TYPE_MASK;
+
+ if (pt != SGX_SECINFO_REG && pt != SGX_SECINFO_TCS)
+ return -EINVAL;
+
+ if ((perm & SGX_SECINFO_W) && !(perm & SGX_SECINFO_R))
+ return -EINVAL;
+
+ /*
+ * CPU will silently overwrite the permissions as zero, which means
+ * that we need to validate it ourselves.
+ */
+ if (pt == SGX_SECINFO_TCS && perm)
+ return -EINVAL;
+
+ if (secinfo->flags & SGX_SECINFO_RESERVED_MASK)
+ return -EINVAL;
+
+ if (memchr_inv(secinfo->reserved, 0, sizeof(secinfo->reserved)))
+ return -EINVAL;
+
+ return 0;
+}
+
+static int __sgx_encl_add_page(struct sgx_encl *encl,
+ struct sgx_encl_page *encl_page,
+ struct sgx_epc_page *epc_page,
+ struct sgx_secinfo *secinfo, unsigned long src)
+{
+ struct sgx_pageinfo pginfo;
+ struct vm_area_struct *vma;
+ struct page *src_page;
+ int ret;
+
+ /* Deny noexec. */
+ vma = find_vma(current->mm, src);
+ if (!vma)
+ return -EFAULT;
+
+ if (!(vma->vm_flags & VM_MAYEXEC))
+ return -EACCES;
+
+ ret = get_user_pages(src, 1, 0, &src_page, NULL);
+ if (ret < 1)
+ return -EFAULT;
+
+ pginfo.secs = (unsigned long)sgx_get_epc_virt_addr(encl->secs.epc_page);
+ pginfo.addr = encl_page->desc & PAGE_MASK;
+ pginfo.metadata = (unsigned long)secinfo;
+ pginfo.contents = (unsigned long)kmap_atomic(src_page);
+
+ ret = __eadd(&pginfo, sgx_get_epc_virt_addr(epc_page));
+
+ kunmap_atomic((void *)pginfo.contents);
+ put_page(src_page);
+
+ return ret ? -EIO : 0;
+}
+
+/*
+ * If the caller requires measurement of the page as a proof for the content,
+ * use EEXTEND to add a measurement for 256 bytes of the page. Repeat this
+ * operation until the entire page is measured."
+ */
+static int __sgx_encl_extend(struct sgx_encl *encl,
+ struct sgx_epc_page *epc_page)
+{
+ unsigned long offset;
+ int ret;
+
+ for (offset = 0; offset < PAGE_SIZE; offset += SGX_EEXTEND_BLOCK_SIZE) {
+ ret = __eextend(sgx_get_epc_virt_addr(encl->secs.epc_page),
+ sgx_get_epc_virt_addr(epc_page) + offset);
+ if (ret) {
+ if (encls_failed(ret))
+ ENCLS_WARN(ret, "EEXTEND");
+
+ return -EIO;
+ }
+ }
+
+ return 0;
+}
+
+static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long src,
+ unsigned long offset, struct sgx_secinfo *secinfo,
+ unsigned long flags)
+{
+ struct sgx_encl_page *encl_page;
+ struct sgx_epc_page *epc_page;
+ int ret;
+
+ encl_page = sgx_encl_page_alloc(encl, offset, secinfo->flags);
+ if (IS_ERR(encl_page))
+ return PTR_ERR(encl_page);
+
+ epc_page = __sgx_alloc_epc_page();
+ if (IS_ERR(epc_page)) {
+ kfree(encl_page);
+ return PTR_ERR(epc_page);
+ }
+
+ mmap_read_lock(current->mm);
+ mutex_lock(&encl->lock);
+
+ /*
+ * Insert prior to EADD in case of OOM. EADD modifies MRENCLAVE, i.e.
+ * can't be gracefully unwound, while failure on EADD/EXTEND is limited
+ * to userspace errors (or kernel/hardware bugs).
+ */
+ ret = xa_insert(&encl->page_array, PFN_DOWN(encl_page->desc),
+ encl_page, GFP_KERNEL);
+ if (ret)
+ goto err_out_unlock;
+
+ ret = __sgx_encl_add_page(encl, encl_page, epc_page, secinfo,
+ src);
+ if (ret)
+ goto err_out;
+
+ /*
+ * Complete the "add" before doing the "extend" so that the "add"
+ * isn't in a half-baked state in the extremely unlikely scenario
+ * the enclave will be destroyed in response to EEXTEND failure.
+ */
+ encl_page->encl = encl;
+ encl_page->epc_page = epc_page;
+ encl->secs_child_cnt++;
+
+ if (flags & SGX_PAGE_MEASURE) {
+ ret = __sgx_encl_extend(encl, epc_page);
+ if (ret)
+ goto err_out;
+ }
+
+ mutex_unlock(&encl->lock);
+ mmap_read_unlock(current->mm);
+ return ret;
+
+err_out:
+ xa_erase(&encl->page_array, PFN_DOWN(encl_page->desc));
+
+err_out_unlock:
+ mutex_unlock(&encl->lock);
+ mmap_read_unlock(current->mm);
+
+ sgx_free_epc_page(epc_page);
+ kfree(encl_page);
+
+ return ret;
+}
+
+/**
+ * sgx_ioc_enclave_add_pages() - The handler for %SGX_IOC_ENCLAVE_ADD_PAGES
+ * @encl: an enclave pointer
+ * @arg: a user pointer to a struct sgx_enclave_add_pages instance
+ *
+ * Add one or more pages to an uninitialized enclave, and optionally extend the
+ * measurement with the contents of the page. The SECINFO and measurement mask
+ * are applied to all pages.
+ *
+ * A SECINFO for a TCS is required to always contain zero permissions because
+ * CPU silently zeros them. Allowing anything else would cause a mismatch in
+ * the measurement.
+ *
+ * mmap()'s protection bits are capped by the page permissions. For each page
+ * address, the maximum protection bits are computed with the following
+ * heuristics:
+ *
+ * 1. A regular page: PROT_R, PROT_W and PROT_X match the SECINFO permissions.
+ * 2. A TCS page: PROT_R | PROT_W.
+ *
+ * mmap() is not allowed to surpass the minimum of the maximum protection bits
+ * within the given address range.
+ *
+ * The function deinitializes kernel data structures for enclave and returns
+ * -EIO in any of the following conditions:
+ *
+ * - Enclave Page Cache (EPC), the physical memory holding enclaves, has
+ * been invalidated. This will cause EADD and EEXTEND to fail.
+ * - If the source address is corrupted somehow when executing EADD.
+ *
+ * Return:
+ * - 0: Success.
+ * - -EACCES: The source page is located in a noexec partition.
+ * - -ENOMEM: Out of EPC pages.
+ * - -EINTR: The call was interrupted before data was processed.
+ * - -EIO: Either EADD or EEXTEND failed because invalid source address
+ * or power cycle.
+ * - -errno: POSIX error.
+ */
+static long sgx_ioc_enclave_add_pages(struct sgx_encl *encl, void __user *arg)
+{
+ struct sgx_enclave_add_pages add_arg;
+ struct sgx_secinfo secinfo;
+ unsigned long c;
+ int ret;
+
+ if (!test_bit(SGX_ENCL_CREATED, &encl->flags))
+ return -EINVAL;
+
+ if (copy_from_user(&add_arg, arg, sizeof(add_arg)))
+ return -EFAULT;
+
+ if (!IS_ALIGNED(add_arg.offset, PAGE_SIZE) ||
+ !IS_ALIGNED(add_arg.src, PAGE_SIZE))
+ return -EINVAL;
+
+ if (add_arg.length & (PAGE_SIZE - 1))
+ return -EINVAL;
+
+ if (add_arg.offset + add_arg.length - PAGE_SIZE >= encl->size)
+ return -EINVAL;
+
+ if (copy_from_user(&secinfo, (void __user *)add_arg.secinfo,
+ sizeof(secinfo)))
+ return -EFAULT;
+
+ if (sgx_validate_secinfo(&secinfo))
+ return -EINVAL;
+
+ for (c = 0 ; c < add_arg.length; c += PAGE_SIZE) {
+ if (signal_pending(current)) {
+ if (!c)
+ ret = -EINTR;
+
+ break;
+ }
+
+ if (need_resched())
+ cond_resched();
+
+ ret = sgx_encl_add_page(encl, add_arg.src + c, add_arg.offset + c,
+ &secinfo, add_arg.flags);
+ if (ret)
+ break;
+ }
+
+ add_arg.count = c;
+
+ if (copy_to_user(arg, &add_arg, sizeof(add_arg)))
+ return -EFAULT;
+
+ return ret;
+}
+
long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
{
struct sgx_encl *encl = filep->private_data;
@@ -113,6 +394,9 @@ long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
case SGX_IOC_ENCLAVE_CREATE:
ret = sgx_ioc_enclave_create(encl, (void __user *)arg);
break;
+ case SGX_IOC_ENCLAVE_ADD_PAGES:
+ ret = sgx_ioc_enclave_add_pages(encl, (void __user *)arg);
+ break;
default:
ret = -ENOIOCTLCMD;
break;
diff --git a/arch/x86/kernel/cpu/sgx/sgx.h b/arch/x86/kernel/cpu/sgx/sgx.h
index bd9dcb1ffcfa..91234f425b89 100644
--- a/arch/x86/kernel/cpu/sgx/sgx.h
+++ b/arch/x86/kernel/cpu/sgx/sgx.h
@@ -14,6 +14,7 @@
#define pr_fmt(fmt) "sgx: " fmt

#define SGX_MAX_EPC_SECTIONS 8
+#define SGX_EEXTEND_BLOCK_SIZE 256

struct sgx_epc_page {
unsigned int section;
--
2.27.0

2020-11-04 14:58:38

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 15/24] x86/sgx: Add SGX_IOC_ENCLAVE_PROVISION

The whole point of SGX is to create a hardware protected place to do
“stuff”. But, before someone is willing to hand the keys to the castle
over, an enclave must often prove that it is running on an SGX-protected
processor. Provisioning enclaves play a key role in providing proof.

There are actually three different enclaves in play in order to make this
happen:

1. The application enclave. The familiar one we know and love that runs
the actual code that’s doing real work. There can be many of these on
a single system, or even in a single application.
2. The quoting enclave (QE). The QE is mentioned in lots of silly
whitepapers, but, for the purposes of kernel enabling, just pretend they
do not exist.
3. The provisioning enclave. There is typically only one of these
enclaves per system. Provisioning enclaves have access to a special
hardware key.

They can use this key to help to generate certificates which serve as
proof that enclaves are running on trusted SGX hardware. These
certificates can be passed around without revealing the special key.

Any user which can create a provisioning enclave can access the
processor-unique Provisioning Certificate Key which has privacy and
fingerprinting implications. Even if a user is permitted to create normal
application enclaves (via /dev/sgx_enclave), they should not be able to
create provisioning enclaves. That means a separate permissions scheme is
needed to control provisioning enclave privileges.

Implement a separate device file (/dev/sgx_provision) which permits
creating provisioning enclaves. This device will typically have more
strict permissions than the plain enclave device.

The actual device “driver” is an empty stub. Open file descriptors for
this device will represent a token which allows provisioning enclave duty.
This file descriptor can be passed around and ultimately given as an
argument to the /dev/sgx_enclave driver ioctl().

Cc: [email protected]
Acked-by: Jethro Beekman <[email protected]>
Reviewed-by: Darren Kenny <[email protected]>
Suggested-by: Andy Lutomirski <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
Changes from v39:
* Rename /dev/sgx/provision as /dev/sgx_provision.

arch/x86/include/uapi/asm/sgx.h | 11 ++++++++++
arch/x86/kernel/cpu/sgx/driver.c | 24 ++++++++++++++++++++-
arch/x86/kernel/cpu/sgx/driver.h | 2 ++
arch/x86/kernel/cpu/sgx/ioctl.c | 37 ++++++++++++++++++++++++++++++++
4 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/uapi/asm/sgx.h b/arch/x86/include/uapi/asm/sgx.h
index 66f2d32cb4d7..c32210235bf5 100644
--- a/arch/x86/include/uapi/asm/sgx.h
+++ b/arch/x86/include/uapi/asm/sgx.h
@@ -25,6 +25,8 @@ enum sgx_page_flags {
_IOWR(SGX_MAGIC, 0x01, struct sgx_enclave_add_pages)
#define SGX_IOC_ENCLAVE_INIT \
_IOW(SGX_MAGIC, 0x02, struct sgx_enclave_init)
+#define SGX_IOC_ENCLAVE_PROVISION \
+ _IOW(SGX_MAGIC, 0x03, struct sgx_enclave_provision)

/**
* struct sgx_enclave_create - parameter structure for the
@@ -63,4 +65,13 @@ struct sgx_enclave_init {
__u64 sigstruct;
};

+/**
+ * struct sgx_enclave_provision - parameter structure for the
+ * %SGX_IOC_ENCLAVE_PROVISION ioctl
+ * @fd: file handle of /dev/sgx_provision
+ */
+struct sgx_enclave_provision {
+ __u64 fd;
+};
+
#endif /* _UAPI_ASM_X86_SGX_H */
diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c
index ef14abbb67e1..f618a04c4224 100644
--- a/arch/x86/kernel/cpu/sgx/driver.c
+++ b/arch/x86/kernel/cpu/sgx/driver.c
@@ -112,6 +112,10 @@ static const struct file_operations sgx_encl_fops = {
.get_unmapped_area = sgx_get_unmapped_area,
};

+const struct file_operations sgx_provision_fops = {
+ .owner = THIS_MODULE,
+};
+
static struct miscdevice sgx_dev_enclave = {
.minor = MISC_DYNAMIC_MINOR,
.name = "sgx_enclave",
@@ -119,11 +123,19 @@ static struct miscdevice sgx_dev_enclave = {
.fops = &sgx_encl_fops,
};

+static struct miscdevice sgx_dev_provision = {
+ .minor = MISC_DYNAMIC_MINOR,
+ .name = "sgx_provision",
+ .nodename = "sgx_provision",
+ .fops = &sgx_provision_fops,
+};
+
int __init sgx_drv_init(void)
{
unsigned int eax, ebx, ecx, edx;
u64 attr_mask;
u64 xfrm_mask;
+ int ret;

if (!cpu_feature_enabled(X86_FEATURE_SGX_LC))
return -ENODEV;
@@ -147,5 +159,15 @@ int __init sgx_drv_init(void)
sgx_xfrm_reserved_mask = ~xfrm_mask;
}

- return misc_register(&sgx_dev_enclave);
+ ret = misc_register(&sgx_dev_enclave);
+ if (ret)
+ return ret;
+
+ ret = misc_register(&sgx_dev_provision);
+ if (ret) {
+ misc_deregister(&sgx_dev_enclave);
+ return ret;
+ }
+
+ return 0;
}
diff --git a/arch/x86/kernel/cpu/sgx/driver.h b/arch/x86/kernel/cpu/sgx/driver.h
index 6b0063221659..4eddb4d571ef 100644
--- a/arch/x86/kernel/cpu/sgx/driver.h
+++ b/arch/x86/kernel/cpu/sgx/driver.h
@@ -20,6 +20,8 @@ extern u64 sgx_attributes_reserved_mask;
extern u64 sgx_xfrm_reserved_mask;
extern u32 sgx_misc_reserved_mask;

+extern const struct file_operations sgx_provision_fops;
+
long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg);

int sgx_drv_init(void);
diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
index e036819ea5c1..0ba0e670e2f0 100644
--- a/arch/x86/kernel/cpu/sgx/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -569,6 +569,40 @@ static long sgx_ioc_enclave_init(struct sgx_encl *encl, void __user *arg)
return ret;
}

+/**
+ * sgx_ioc_enclave_provision() - handler for %SGX_IOC_ENCLAVE_PROVISION
+ * @enclave: an enclave pointer
+ * @arg: userspace pointer to a struct sgx_enclave_provision instance
+ *
+ * Allow ATTRIBUTE.PROVISION_KEY for an enclave by providing a file handle to
+ * /dev/sgx_provision.
+ *
+ * Return:
+ * - 0: Success.
+ * - -errno: Otherwise.
+ */
+static long sgx_ioc_enclave_provision(struct sgx_encl *encl, void __user *arg)
+{
+ struct sgx_enclave_provision params;
+ struct file *file;
+
+ if (copy_from_user(&params, arg, sizeof(params)))
+ return -EFAULT;
+
+ file = fget(params.fd);
+ if (!file)
+ return -EINVAL;
+
+ if (file->f_op != &sgx_provision_fops) {
+ fput(file);
+ return -EINVAL;
+ }
+
+ encl->attributes_mask |= SGX_ATTR_PROVISIONKEY;
+
+ fput(file);
+ return 0;
+}

long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
{
@@ -588,6 +622,9 @@ long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
case SGX_IOC_ENCLAVE_INIT:
ret = sgx_ioc_enclave_init(encl, (void __user *)arg);
break;
+ case SGX_IOC_ENCLAVE_PROVISION:
+ ret = sgx_ioc_enclave_provision(encl, (void __user *)arg);
+ break;
default:
ret = -ENOIOCTLCMD;
break;
--
2.27.0

2020-11-04 14:59:05

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 14/24] x86/sgx: Add SGX_IOC_ENCLAVE_INIT

Enclaves have two basic states. They are either being built and are
malleable and can be modified by doing things like adding pages. Or, they
are locked down and not accepting changes. They can only be run after they
have been locked down. The ENCLS[EINIT] function induces the transition
from being malleable to locked-down.

Add an ioctl() that performs ENCLS[EINIT]. After this, new pages can no
longer be added with ENCLS[EADD]. This is also the time where the enclave
can be measured to verify its integrity.

Acked-by: Jethro Beekman <[email protected]>
Tested-by: Jethro Beekman <[email protected]>
Tested-by: Haitao Huang <[email protected]>
Tested-by: Chunyang Hui <[email protected]>
Tested-by: Jordan Hand <[email protected]>
Tested-by: Nathaniel McCallum <[email protected]>
Tested-by: Seth Moore <[email protected]>
Tested-by: Darren Kenny <[email protected]>
Reviewed-by: Darren Kenny <[email protected]>
Co-developed-by: Sean Christopherson <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Co-developed-by: Suresh Siddha <[email protected]>
Signed-off-by: Suresh Siddha <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
Changes from v39:
* Declare 'k' for the MSR updating loop. It was incorrectly using 'i'.
* Return -EIO instead of -EFAULT on EINIT failure, just like happens
when EADD or EEXTEND fails.
* When EINIT fails, just return -EIO. Leave the enclave cleanup as the
duty of VFS and the page reclaimer.

arch/x86/include/uapi/asm/sgx.h | 11 ++
arch/x86/kernel/cpu/sgx/driver.c | 27 +++++
arch/x86/kernel/cpu/sgx/driver.h | 8 ++
arch/x86/kernel/cpu/sgx/encl.h | 3 +
arch/x86/kernel/cpu/sgx/ioctl.c | 193 ++++++++++++++++++++++++++++++-
5 files changed, 241 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/uapi/asm/sgx.h b/arch/x86/include/uapi/asm/sgx.h
index 835f7e588f0d..66f2d32cb4d7 100644
--- a/arch/x86/include/uapi/asm/sgx.h
+++ b/arch/x86/include/uapi/asm/sgx.h
@@ -23,6 +23,8 @@ enum sgx_page_flags {
_IOW(SGX_MAGIC, 0x00, struct sgx_enclave_create)
#define SGX_IOC_ENCLAVE_ADD_PAGES \
_IOWR(SGX_MAGIC, 0x01, struct sgx_enclave_add_pages)
+#define SGX_IOC_ENCLAVE_INIT \
+ _IOW(SGX_MAGIC, 0x02, struct sgx_enclave_init)

/**
* struct sgx_enclave_create - parameter structure for the
@@ -52,4 +54,13 @@ struct sgx_enclave_add_pages {
__u64 count;
};

+/**
+ * struct sgx_enclave_init - parameter structure for the
+ * %SGX_IOC_ENCLAVE_INIT ioctl
+ * @sigstruct: address for the SIGSTRUCT data
+ */
+struct sgx_enclave_init {
+ __u64 sigstruct;
+};
+
#endif /* _UAPI_ASM_X86_SGX_H */
diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c
index 9878b542c616..ef14abbb67e1 100644
--- a/arch/x86/kernel/cpu/sgx/driver.c
+++ b/arch/x86/kernel/cpu/sgx/driver.c
@@ -10,6 +10,10 @@
#include "driver.h"
#include "encl.h"

+u64 sgx_attributes_reserved_mask;
+u64 sgx_xfrm_reserved_mask = ~0x3;
+u32 sgx_misc_reserved_mask;
+
static int sgx_open(struct inode *inode, struct file *file)
{
struct sgx_encl *encl;
@@ -117,8 +121,31 @@ static struct miscdevice sgx_dev_enclave = {

int __init sgx_drv_init(void)
{
+ unsigned int eax, ebx, ecx, edx;
+ u64 attr_mask;
+ u64 xfrm_mask;
+
if (!cpu_feature_enabled(X86_FEATURE_SGX_LC))
return -ENODEV;

+ cpuid_count(SGX_CPUID, 0, &eax, &ebx, &ecx, &edx);
+
+ if (!(eax & 1)) {
+ pr_err("SGX disabled: SGX1 instruction support not available.\n");
+ return -ENODEV;
+ }
+
+ sgx_misc_reserved_mask = ~ebx | SGX_MISC_RESERVED_MASK;
+
+ cpuid_count(SGX_CPUID, 1, &eax, &ebx, &ecx, &edx);
+
+ attr_mask = (((u64)ebx) << 32) + (u64)eax;
+ sgx_attributes_reserved_mask = ~attr_mask | SGX_ATTR_RESERVED_MASK;
+
+ if (cpu_feature_enabled(X86_FEATURE_OSXSAVE)) {
+ xfrm_mask = (((u64)edx) << 32) + (u64)ecx;
+ sgx_xfrm_reserved_mask = ~xfrm_mask;
+ }
+
return misc_register(&sgx_dev_enclave);
}
diff --git a/arch/x86/kernel/cpu/sgx/driver.h b/arch/x86/kernel/cpu/sgx/driver.h
index a728e8e848bd..6b0063221659 100644
--- a/arch/x86/kernel/cpu/sgx/driver.h
+++ b/arch/x86/kernel/cpu/sgx/driver.h
@@ -12,6 +12,14 @@
#include <uapi/asm/sgx.h>
#include "sgx.h"

+#define SGX_EINIT_SPIN_COUNT 20
+#define SGX_EINIT_SLEEP_COUNT 50
+#define SGX_EINIT_SLEEP_TIME 20
+
+extern u64 sgx_attributes_reserved_mask;
+extern u64 sgx_xfrm_reserved_mask;
+extern u32 sgx_misc_reserved_mask;
+
long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg);

int sgx_drv_init(void);
diff --git a/arch/x86/kernel/cpu/sgx/encl.h b/arch/x86/kernel/cpu/sgx/encl.h
index ad0d73f63bc9..cb7495854095 100644
--- a/arch/x86/kernel/cpu/sgx/encl.h
+++ b/arch/x86/kernel/cpu/sgx/encl.h
@@ -30,6 +30,7 @@ enum sgx_encl_flags {
SGX_ENCL_IOCTL = BIT(0),
SGX_ENCL_DEBUG = BIT(1),
SGX_ENCL_CREATED = BIT(2),
+ SGX_ENCL_INITIALIZED = BIT(3),
};

struct sgx_encl {
@@ -41,6 +42,8 @@ struct sgx_encl {
struct mutex lock;
struct xarray page_array;
struct sgx_encl_page secs;
+ unsigned long attributes;
+ unsigned long attributes_mask;
};

extern const struct vm_operations_struct sgx_vm_ops;
diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
index 82acff7bda60..e036819ea5c1 100644
--- a/arch/x86/kernel/cpu/sgx/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -51,6 +51,8 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
encl->secs.encl = encl;
encl->base = secs->base;
encl->size = secs->size;
+ encl->attributes = secs->attributes;
+ encl->attributes_mask = SGX_ATTR_DEBUG | SGX_ATTR_MODE64BIT | SGX_ATTR_KSS;

/* Set only after completion, as encl->lock has not been taken. */
set_bit(SGX_ENCL_CREATED, &encl->flags);
@@ -334,7 +336,8 @@ static long sgx_ioc_enclave_add_pages(struct sgx_encl *encl, void __user *arg)
unsigned long c;
int ret;

- if (!test_bit(SGX_ENCL_CREATED, &encl->flags))
+ if (!test_bit(SGX_ENCL_CREATED, &encl->flags) ||
+ test_bit(SGX_ENCL_INITIALIZED, &encl->flags))
return -EINVAL;

if (copy_from_user(&add_arg, arg, sizeof(add_arg)))
@@ -382,6 +385,191 @@ static long sgx_ioc_enclave_add_pages(struct sgx_encl *encl, void __user *arg)
return ret;
}

+static int __sgx_get_key_hash(struct crypto_shash *tfm, const void *modulus,
+ void *hash)
+{
+ SHASH_DESC_ON_STACK(shash, tfm);
+
+ shash->tfm = tfm;
+
+ return crypto_shash_digest(shash, modulus, SGX_MODULUS_SIZE, hash);
+}
+
+static int sgx_get_key_hash(const void *modulus, void *hash)
+{
+ struct crypto_shash *tfm;
+ int ret;
+
+ tfm = crypto_alloc_shash("sha256", 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(tfm))
+ return PTR_ERR(tfm);
+
+ ret = __sgx_get_key_hash(tfm, modulus, hash);
+
+ crypto_free_shash(tfm);
+ return ret;
+}
+
+static int sgx_encl_init(struct sgx_encl *encl, struct sgx_sigstruct *sigstruct,
+ void *token)
+{
+ u64 mrsigner[4];
+ int i, j, k;
+ void *addr;
+ int ret;
+
+ /*
+ * Deny initializing enclaves with attributes (namely provisioning)
+ * that have not been explicitly allowed.
+ */
+ if (encl->attributes & ~encl->attributes_mask)
+ return -EACCES;
+
+ /*
+ * Attributes should not be enforced *only* against what's available on
+ * platform (done in sgx_encl_create) but checked and enforced against
+ * the mask for enforcement in sigstruct. For example an enclave could
+ * opt to sign with AVX bit in xfrm, but still be loadable on a platform
+ * without it if the sigstruct->body.attributes_mask does not turn that
+ * bit on.
+ */
+ if (sigstruct->body.attributes & sigstruct->body.attributes_mask &
+ sgx_attributes_reserved_mask)
+ return -EINVAL;
+
+ if (sigstruct->body.miscselect & sigstruct->body.misc_mask &
+ sgx_misc_reserved_mask)
+ return -EINVAL;
+
+ if (sigstruct->body.xfrm & sigstruct->body.xfrm_mask &
+ sgx_xfrm_reserved_mask)
+ return -EINVAL;
+
+ ret = sgx_get_key_hash(sigstruct->modulus, mrsigner);
+ if (ret)
+ return ret;
+
+ mutex_lock(&encl->lock);
+
+ /*
+ * ENCLS[EINIT] is interruptible because it has such a high latency,
+ * e.g. 50k+ cycles on success. If an IRQ/NMI/SMI becomes pending,
+ * EINIT may fail with SGX_UNMASKED_EVENT so that the event can be
+ * serviced.
+ */
+ for (i = 0; i < SGX_EINIT_SLEEP_COUNT; i++) {
+ for (j = 0; j < SGX_EINIT_SPIN_COUNT; j++) {
+ addr = sgx_get_epc_virt_addr(encl->secs.epc_page);
+
+ preempt_disable();
+
+ for (k = 0; k < 4; k++)
+ wrmsrl(MSR_IA32_SGXLEPUBKEYHASH0 + k, mrsigner[k]);
+
+ ret = __einit(sigstruct, token, addr);
+
+ preempt_enable();
+
+ if (ret == SGX_UNMASKED_EVENT)
+ continue;
+ else
+ break;
+ }
+
+ if (ret != SGX_UNMASKED_EVENT)
+ break;
+
+ msleep_interruptible(SGX_EINIT_SLEEP_TIME);
+
+ if (signal_pending(current)) {
+ ret = -ERESTARTSYS;
+ goto err_out;
+ }
+ }
+
+ if (ret & ENCLS_FAULT_FLAG) {
+ if (encls_failed(ret))
+ ENCLS_WARN(ret, "EINIT");
+
+ ret = -EIO;
+ } else if (ret) {
+ pr_debug("EINIT returned %d\n", ret);
+ ret = -EPERM;
+ } else {
+ set_bit(SGX_ENCL_INITIALIZED, &encl->flags);
+ }
+
+err_out:
+ mutex_unlock(&encl->lock);
+ return ret;
+}
+
+/**
+ * sgx_ioc_enclave_init() - handler for %SGX_IOC_ENCLAVE_INIT
+ * @encl: an enclave pointer
+ * @arg: userspace pointer to a struct sgx_enclave_init instance
+ *
+ * Flush any outstanding enqueued EADD operations and perform EINIT. The
+ * Launch Enclave Public Key Hash MSRs are rewritten as necessary to match
+ * the enclave's MRSIGNER, which is caculated from the provided sigstruct.
+ *
+ * Return:
+ * - 0: Success.
+ * - -EPERM: Invalid SIGSTRUCT.
+ * - -EIO: EINIT failed because of a power cycle.
+ * - -errno: POSIX error.
+ */
+static long sgx_ioc_enclave_init(struct sgx_encl *encl, void __user *arg)
+{
+ struct sgx_sigstruct *sigstruct;
+ struct sgx_enclave_init init_arg;
+ struct page *initp_page;
+ void *token;
+ int ret;
+
+ if (!test_bit(SGX_ENCL_CREATED, &encl->flags) ||
+ test_bit(SGX_ENCL_INITIALIZED, &encl->flags))
+ return -EINVAL;
+
+ if (copy_from_user(&init_arg, arg, sizeof(init_arg)))
+ return -EFAULT;
+
+ initp_page = alloc_page(GFP_KERNEL);
+ if (!initp_page)
+ return -ENOMEM;
+
+ sigstruct = kmap(initp_page);
+ token = (void *)((unsigned long)sigstruct + PAGE_SIZE / 2);
+ memset(token, 0, SGX_LAUNCH_TOKEN_SIZE);
+
+ if (copy_from_user(sigstruct, (void __user *)init_arg.sigstruct,
+ sizeof(*sigstruct))) {
+ ret = -EFAULT;
+ goto out;
+ }
+
+ /*
+ * A legacy field used with Intel signed enclaves. These used to mean
+ * regular and architectural enclaves. The CPU only accepts these values
+ * but they do not have any other meaning.
+ *
+ * Thus, reject any other values.
+ */
+ if (sigstruct->header.vendor != 0x0000 &&
+ sigstruct->header.vendor != 0x8086) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ ret = sgx_encl_init(encl, sigstruct, token);
+
+out:
+ kunmap(initp_page);
+ __free_page(initp_page);
+ return ret;
+}
+
+
long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
{
struct sgx_encl *encl = filep->private_data;
@@ -397,6 +585,9 @@ long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
case SGX_IOC_ENCLAVE_ADD_PAGES:
ret = sgx_ioc_enclave_add_pages(encl, (void __user *)arg);
break;
+ case SGX_IOC_ENCLAVE_INIT:
+ ret = sgx_ioc_enclave_init(encl, (void __user *)arg);
+ break;
default:
ret = -ENOIOCTLCMD;
break;
--
2.27.0

2020-11-04 14:59:27

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 20/24] selftests/x86: Add a selftest for SGX

Add a selftest for SGX. It is a trivial test where a simple enclave copies
one 64-bit word of memory between two memory locations, but ensures that
all SGX hardware and software infrastructure is functioning.

Cc: Shuah Khan <[email protected]>
Cc: [email protected]
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/sgx/.gitignore | 2 +
tools/testing/selftests/sgx/Makefile | 53 +++
tools/testing/selftests/sgx/call.S | 44 ++
tools/testing/selftests/sgx/defines.h | 21 +
tools/testing/selftests/sgx/load.c | 277 +++++++++++++
tools/testing/selftests/sgx/main.c | 243 +++++++++++
tools/testing/selftests/sgx/main.h | 38 ++
tools/testing/selftests/sgx/sigstruct.c | 391 ++++++++++++++++++
tools/testing/selftests/sgx/test_encl.c | 20 +
tools/testing/selftests/sgx/test_encl.lds | 40 ++
.../selftests/sgx/test_encl_bootstrap.S | 89 ++++
12 files changed, 1219 insertions(+)
create mode 100644 tools/testing/selftests/sgx/.gitignore
create mode 100644 tools/testing/selftests/sgx/Makefile
create mode 100644 tools/testing/selftests/sgx/call.S
create mode 100644 tools/testing/selftests/sgx/defines.h
create mode 100644 tools/testing/selftests/sgx/load.c
create mode 100644 tools/testing/selftests/sgx/main.c
create mode 100644 tools/testing/selftests/sgx/main.h
create mode 100644 tools/testing/selftests/sgx/sigstruct.c
create mode 100644 tools/testing/selftests/sgx/test_encl.c
create mode 100644 tools/testing/selftests/sgx/test_encl.lds
create mode 100644 tools/testing/selftests/sgx/test_encl_bootstrap.S

diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
index d9c283503159..aa06e3ea0250 100644
--- a/tools/testing/selftests/Makefile
+++ b/tools/testing/selftests/Makefile
@@ -68,6 +68,7 @@ TARGETS += user
TARGETS += vm
TARGETS += x86
TARGETS += zram
+TARGETS += sgx
#Please keep the TARGETS list alphabetically sorted
# Run "make quicktest=1 run_tests" or
# "make quicktest=1 kselftest" from top level Makefile
diff --git a/tools/testing/selftests/sgx/.gitignore b/tools/testing/selftests/sgx/.gitignore
new file mode 100644
index 000000000000..fbaf0bda9a92
--- /dev/null
+++ b/tools/testing/selftests/sgx/.gitignore
@@ -0,0 +1,2 @@
+test_sgx
+test_encl.elf
diff --git a/tools/testing/selftests/sgx/Makefile b/tools/testing/selftests/sgx/Makefile
new file mode 100644
index 000000000000..95e5c4df8014
--- /dev/null
+++ b/tools/testing/selftests/sgx/Makefile
@@ -0,0 +1,53 @@
+top_srcdir = ../../../..
+
+include ../lib.mk
+
+.PHONY: all clean
+
+CAN_BUILD_X86_64 := $(shell ../x86/check_cc.sh $(CC) \
+ ../x86/trivial_64bit_program.c)
+
+ifndef OBJCOPY
+OBJCOPY := $(CROSS_COMPILE)objcopy
+endif
+
+INCLUDES := -I$(top_srcdir)/tools/include
+HOST_CFLAGS := -Wall -Werror -g $(INCLUDES) -fPIC -z noexecstack
+ENCL_CFLAGS := -Wall -Werror -static -nostdlib -nostartfiles -fPIC \
+ -fno-stack-protector -mrdrnd $(INCLUDES)
+
+TEST_CUSTOM_PROGS := $(OUTPUT)/test_sgx $(OUTPUT)/test_encl.elf
+
+ifeq ($(CAN_BUILD_X86_64), 1)
+all: $(TEST_CUSTOM_PROGS)
+endif
+
+$(OUTPUT)/test_sgx: $(OUTPUT)/main.o \
+ $(OUTPUT)/load.o \
+ $(OUTPUT)/sigstruct.o \
+ $(OUTPUT)/call.o
+ $(CC) $(HOST_CFLAGS) -o $@ $^ -lcrypto
+
+$(OUTPUT)/main.o: main.c
+ $(CC) $(HOST_CFLAGS) -c $< -o $@
+
+$(OUTPUT)/load.o: load.c
+ $(CC) $(HOST_CFLAGS) -c $< -o $@
+
+$(OUTPUT)/sigstruct.o: sigstruct.c
+ $(CC) $(HOST_CFLAGS) -c $< -o $@
+
+$(OUTPUT)/call.o: call.S
+ $(CC) $(HOST_CFLAGS) -c $< -o $@
+
+$(OUTPUT)/test_encl.elf: test_encl.lds test_encl.c test_encl_bootstrap.S
+ $(CC) $(ENCL_CFLAGS) -T $^ -o $@
+
+EXTRA_CLEAN := \
+ $(OUTPUT)/test_encl.elf \
+ $(OUTPUT)/load.o \
+ $(OUTPUT)/call.o \
+ $(OUTPUT)/main.o \
+ $(OUTPUT)/sigstruct.o \
+ $(OUTPUT)/test_sgx \
+ $(OUTPUT)/test_sgx.o \
diff --git a/tools/testing/selftests/sgx/call.S b/tools/testing/selftests/sgx/call.S
new file mode 100644
index 000000000000..4ecadc7490f4
--- /dev/null
+++ b/tools/testing/selftests/sgx/call.S
@@ -0,0 +1,44 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/**
+* Copyright(c) 2016-20 Intel Corporation.
+*/
+
+ .text
+
+ .global sgx_call_vdso
+sgx_call_vdso:
+ .cfi_startproc
+ push %r15
+ .cfi_adjust_cfa_offset 8
+ .cfi_rel_offset %r15, 0
+ push %r14
+ .cfi_adjust_cfa_offset 8
+ .cfi_rel_offset %r14, 0
+ push %r13
+ .cfi_adjust_cfa_offset 8
+ .cfi_rel_offset %r13, 0
+ push %r12
+ .cfi_adjust_cfa_offset 8
+ .cfi_rel_offset %r12, 0
+ push %rbx
+ .cfi_adjust_cfa_offset 8
+ .cfi_rel_offset %rbx, 0
+ push $0
+ .cfi_adjust_cfa_offset 8
+ push 0x38(%rsp)
+ .cfi_adjust_cfa_offset 8
+ call *eenter(%rip)
+ add $0x10, %rsp
+ .cfi_adjust_cfa_offset -0x10
+ pop %rbx
+ .cfi_adjust_cfa_offset -8
+ pop %r12
+ .cfi_adjust_cfa_offset -8
+ pop %r13
+ .cfi_adjust_cfa_offset -8
+ pop %r14
+ .cfi_adjust_cfa_offset -8
+ pop %r15
+ .cfi_adjust_cfa_offset -8
+ ret
+ .cfi_endproc
diff --git a/tools/testing/selftests/sgx/defines.h b/tools/testing/selftests/sgx/defines.h
new file mode 100644
index 000000000000..592c1ccf4576
--- /dev/null
+++ b/tools/testing/selftests/sgx/defines.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright(c) 2016-20 Intel Corporation.
+ */
+
+#ifndef DEFINES_H
+#define DEFINES_H
+
+#include <stdint.h>
+
+#define PAGE_SIZE 4096
+#define PAGE_MASK (~(PAGE_SIZE - 1))
+
+#define __aligned(x) __attribute__((__aligned__(x)))
+#define __packed __attribute__((packed))
+
+#include "../../../../arch/x86/kernel/cpu/sgx/arch.h"
+#include "../../../../arch/x86/include/asm/enclu.h"
+#include "../../../../arch/x86/include/uapi/asm/sgx.h"
+
+#endif /* DEFINES_H */
diff --git a/tools/testing/selftests/sgx/load.c b/tools/testing/selftests/sgx/load.c
new file mode 100644
index 000000000000..089a7cca5074
--- /dev/null
+++ b/tools/testing/selftests/sgx/load.c
@@ -0,0 +1,277 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright(c) 2016-20 Intel Corporation. */
+
+#include <assert.h>
+#include <elf.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include "defines.h"
+#include "main.h"
+
+void encl_delete(struct encl *encl)
+{
+ if (encl->encl_base)
+ munmap((void *)encl->encl_base, encl->encl_size);
+
+ if (encl->bin)
+ munmap(encl->bin, encl->bin_size);
+
+ if (encl->fd)
+ close(encl->fd);
+
+ if (encl->segment_tbl)
+ free(encl->segment_tbl);
+
+ memset(encl, 0, sizeof(*encl));
+}
+
+static bool encl_map_bin(const char *path, struct encl *encl)
+{
+ struct stat sb;
+ void *bin;
+ int ret;
+ int fd;
+
+ fd = open(path, O_RDONLY);
+ if (fd == -1) {
+ perror("open()");
+ return false;
+ }
+
+ ret = stat(path, &sb);
+ if (ret) {
+ perror("stat()");
+ goto err;
+ }
+
+ bin = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+ if (bin == MAP_FAILED) {
+ perror("mmap()");
+ goto err;
+ }
+
+ encl->bin = bin;
+ encl->bin_size = sb.st_size;
+
+ close(fd);
+ return true;
+
+err:
+ close(fd);
+ return false;
+}
+
+static bool encl_ioc_create(struct encl *encl)
+{
+ struct sgx_secs *secs = &encl->secs;
+ struct sgx_enclave_create ioc;
+ int rc;
+
+ assert(encl->encl_base != 0);
+
+ memset(secs, 0, sizeof(*secs));
+ secs->ssa_frame_size = 1;
+ secs->attributes = SGX_ATTR_MODE64BIT;
+ secs->xfrm = 3;
+ secs->base = encl->encl_base;
+ secs->size = encl->encl_size;
+
+ ioc.src = (unsigned long)secs;
+ rc = ioctl(encl->fd, SGX_IOC_ENCLAVE_CREATE, &ioc);
+ if (rc) {
+ fprintf(stderr, "SGX_IOC_ENCLAVE_CREATE failed: errno=%d\n",
+ errno);
+ munmap((void *)secs->base, encl->encl_size);
+ return false;
+ }
+
+ return true;
+}
+
+static bool encl_ioc_add_pages(struct encl *encl, struct encl_segment *seg)
+{
+ struct sgx_enclave_add_pages ioc;
+ struct sgx_secinfo secinfo;
+ int rc;
+
+ memset(&secinfo, 0, sizeof(secinfo));
+ secinfo.flags = seg->flags;
+
+ ioc.src = (uint64_t)encl->src + seg->offset;
+ ioc.offset = seg->offset;
+ ioc.length = seg->size;
+ ioc.secinfo = (unsigned long)&secinfo;
+ ioc.flags = SGX_PAGE_MEASURE;
+
+ rc = ioctl(encl->fd, SGX_IOC_ENCLAVE_ADD_PAGES, &ioc);
+ if (rc < 0) {
+ fprintf(stderr, "SGX_IOC_ENCLAVE_ADD_PAGES failed: errno=%d.\n",
+ errno);
+ return false;
+ }
+
+ return true;
+}
+
+bool encl_load(const char *path, struct encl *encl)
+{
+ Elf64_Phdr *phdr_tbl;
+ off_t src_offset;
+ Elf64_Ehdr *ehdr;
+ int i, j;
+ int ret;
+
+ memset(encl, 0, sizeof(*encl));
+
+ ret = open("/dev/sgx/enclave", O_RDWR);
+ if (ret < 0) {
+ fprintf(stderr, "Unable to open /dev/sgx\n");
+ goto err;
+ }
+
+ encl->fd = ret;
+
+ if (!encl_map_bin(path, encl))
+ goto err;
+
+ ehdr = encl->bin;
+ phdr_tbl = encl->bin + ehdr->e_phoff;
+
+ for (i = 0; i < ehdr->e_phnum; i++) {
+ Elf64_Phdr *phdr = &phdr_tbl[i];
+
+ if (phdr->p_type == PT_LOAD)
+ encl->nr_segments++;
+ }
+
+ encl->segment_tbl = calloc(encl->nr_segments,
+ sizeof(struct encl_segment));
+ if (!encl->segment_tbl)
+ goto err;
+
+ for (i = 0, j = 0; i < ehdr->e_phnum; i++) {
+ Elf64_Phdr *phdr = &phdr_tbl[i];
+ unsigned int flags = phdr->p_flags;
+ struct encl_segment *seg;
+
+ if (phdr->p_type != PT_LOAD)
+ continue;
+
+ seg = &encl->segment_tbl[j];
+
+ if (!!(flags & ~(PF_R | PF_W | PF_X))) {
+ fprintf(stderr,
+ "%d has invalid segment flags 0x%02x.\n", i,
+ phdr->p_flags);
+ goto err;
+ }
+
+ if (j == 0 && flags != (PF_R | PF_W)) {
+ fprintf(stderr,
+ "TCS has invalid segment flags 0x%02x.\n",
+ phdr->p_flags);
+ goto err;
+ }
+
+ if (j == 0) {
+ src_offset = (phdr->p_offset & PAGE_MASK) - src_offset;
+
+ seg->prot = PROT_READ | PROT_WRITE;
+ seg->flags = SGX_PAGE_TYPE_TCS << 8;
+ } else {
+ seg->prot = (phdr->p_flags & PF_R) ? PROT_READ : 0;
+ seg->prot |= (phdr->p_flags & PF_W) ? PROT_WRITE : 0;
+ seg->prot |= (phdr->p_flags & PF_X) ? PROT_EXEC : 0;
+ seg->flags = (SGX_PAGE_TYPE_REG << 8) | seg->prot;
+ }
+
+ seg->offset = (phdr->p_offset & PAGE_MASK) - src_offset;
+ seg->size = (phdr->p_filesz + PAGE_SIZE - 1) & PAGE_MASK;
+
+ printf("0x%016lx 0x%016lx 0x%02x\n", seg->offset, seg->size,
+ seg->prot);
+
+ j++;
+ }
+
+ assert(j == encl->nr_segments);
+
+ encl->src = encl->bin + src_offset;
+ encl->src_size = encl->segment_tbl[j - 1].offset +
+ encl->segment_tbl[j - 1].size;
+
+ for (encl->encl_size = 4096; encl->encl_size < encl->src_size; )
+ encl->encl_size <<= 1;
+
+ return true;
+
+err:
+ encl_delete(encl);
+ return false;
+}
+
+static bool encl_map_area(struct encl *encl)
+{
+ size_t encl_size = encl->encl_size;
+ void *area;
+
+ area = mmap(NULL, encl_size * 2, PROT_NONE,
+ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+ if (area == MAP_FAILED) {
+ perror("mmap");
+ return false;
+ }
+
+ encl->encl_base = ((uint64_t)area + encl_size - 1) & ~(encl_size - 1);
+
+ munmap(area, encl->encl_base - (uint64_t)area);
+ munmap((void *)(encl->encl_base + encl_size),
+ (uint64_t)area + encl_size - encl->encl_base);
+
+ return true;
+}
+
+bool encl_build(struct encl *encl)
+{
+ struct sgx_enclave_init ioc;
+ int ret;
+ int i;
+
+ if (!encl_map_area(encl))
+ return false;
+
+ if (!encl_ioc_create(encl))
+ return false;
+
+ /*
+ * Pages must be added before mapping VMAs because their permissions
+ * cap the VMA permissions.
+ */
+ for (i = 0; i < encl->nr_segments; i++) {
+ struct encl_segment *seg = &encl->segment_tbl[i];
+
+ if (!encl_ioc_add_pages(encl, seg))
+ return false;
+ }
+
+ ioc.sigstruct = (uint64_t)&encl->sigstruct;
+ ret = ioctl(encl->fd, SGX_IOC_ENCLAVE_INIT, &ioc);
+ if (ret) {
+ fprintf(stderr, "SGX_IOC_ENCLAVE_INIT failed: errno=%d\n",
+ errno);
+ return false;
+ }
+
+ return true;
+}
diff --git a/tools/testing/selftests/sgx/main.c b/tools/testing/selftests/sgx/main.c
new file mode 100644
index 000000000000..8f197a9bb24a
--- /dev/null
+++ b/tools/testing/selftests/sgx/main.c
@@ -0,0 +1,243 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright(c) 2016-20 Intel Corporation. */
+
+#include <elf.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include "defines.h"
+#include "main.h"
+
+static const uint64_t MAGIC = 0x1122334455667788ULL;
+vdso_sgx_enter_enclave_t eenter;
+
+struct vdso_symtab {
+ Elf64_Sym *elf_symtab;
+ const char *elf_symstrtab;
+ Elf64_Word *elf_hashtab;
+};
+
+static void *vdso_get_base_addr(char *envp[])
+{
+ Elf64_auxv_t *auxv;
+ int i;
+
+ for (i = 0; envp[i]; i++)
+ ;
+
+ auxv = (Elf64_auxv_t *)&envp[i + 1];
+
+ for (i = 0; auxv[i].a_type != AT_NULL; i++) {
+ if (auxv[i].a_type == AT_SYSINFO_EHDR)
+ return (void *)auxv[i].a_un.a_val;
+ }
+
+ return NULL;
+}
+
+static Elf64_Dyn *vdso_get_dyntab(void *addr)
+{
+ Elf64_Ehdr *ehdr = addr;
+ Elf64_Phdr *phdrtab = addr + ehdr->e_phoff;
+ int i;
+
+ for (i = 0; i < ehdr->e_phnum; i++)
+ if (phdrtab[i].p_type == PT_DYNAMIC)
+ return addr + phdrtab[i].p_offset;
+
+ return NULL;
+}
+
+static void *vdso_get_dyn(void *addr, Elf64_Dyn *dyntab, Elf64_Sxword tag)
+{
+ int i;
+
+ for (i = 0; dyntab[i].d_tag != DT_NULL; i++)
+ if (dyntab[i].d_tag == tag)
+ return addr + dyntab[i].d_un.d_ptr;
+
+ return NULL;
+}
+
+static bool vdso_get_symtab(void *addr, struct vdso_symtab *symtab)
+{
+ Elf64_Dyn *dyntab = vdso_get_dyntab(addr);
+
+ symtab->elf_symtab = vdso_get_dyn(addr, dyntab, DT_SYMTAB);
+ if (!symtab->elf_symtab)
+ return false;
+
+ symtab->elf_symstrtab = vdso_get_dyn(addr, dyntab, DT_STRTAB);
+ if (!symtab->elf_symstrtab)
+ return false;
+
+ symtab->elf_hashtab = vdso_get_dyn(addr, dyntab, DT_HASH);
+ if (!symtab->elf_hashtab)
+ return false;
+
+ return true;
+}
+
+static unsigned long elf_sym_hash(const char *name)
+{
+ unsigned long h = 0, high;
+
+ while (*name) {
+ h = (h << 4) + *name++;
+ high = h & 0xf0000000;
+
+ if (high)
+ h ^= high >> 24;
+
+ h &= ~high;
+ }
+
+ return h;
+}
+
+static Elf64_Sym *vdso_symtab_get(struct vdso_symtab *symtab, const char *name)
+{
+ Elf64_Word bucketnum = symtab->elf_hashtab[0];
+ Elf64_Word *buckettab = &symtab->elf_hashtab[2];
+ Elf64_Word *chaintab = &symtab->elf_hashtab[2 + bucketnum];
+ Elf64_Sym *sym;
+ Elf64_Word i;
+
+ for (i = buckettab[elf_sym_hash(name) % bucketnum]; i != STN_UNDEF;
+ i = chaintab[i]) {
+ sym = &symtab->elf_symtab[i];
+ if (!strcmp(name, &symtab->elf_symstrtab[sym->st_name]))
+ return sym;
+ }
+
+ return NULL;
+}
+
+bool report_results(struct sgx_enclave_run *run, int ret, uint64_t result,
+ const char *test)
+{
+ bool valid = true;
+
+ if (ret) {
+ printf("FAIL: %s() returned: %d\n", test, ret);
+ valid = false;
+ }
+
+ if (run->function != EEXIT) {
+ printf("FAIL: %s() function, expected: %u, got: %u\n", test, EEXIT,
+ run->function);
+ valid = false;
+ }
+
+ if (result != MAGIC) {
+ printf("FAIL: %s(), expected: 0x%lx, got: 0x%lx\n", test, MAGIC,
+ result);
+ valid = false;
+ }
+
+ if (run->user_data) {
+ printf("FAIL: %s() user data, expected: 0x0, got: 0x%llx\n",
+ test, run->user_data);
+ valid = false;
+ }
+
+ return valid;
+}
+
+static int user_handler(long rdi, long rsi, long rdx, long ursp, long r8, long r9,
+ struct sgx_enclave_run *run)
+{
+ run->user_data = 0;
+ return 0;
+}
+
+int main(int argc, char *argv[], char *envp[])
+{
+ struct sgx_enclave_run run;
+ struct vdso_symtab symtab;
+ Elf64_Sym *eenter_sym;
+ uint64_t result = 0;
+ struct encl encl;
+ unsigned int i;
+ void *addr;
+ int ret;
+
+ memset(&run, 0, sizeof(run));
+
+ if (!encl_load("test_encl.elf", &encl))
+ goto err;
+
+ if (!encl_measure(&encl))
+ goto err;
+
+ if (!encl_build(&encl))
+ goto err;
+
+ /*
+ * An enclave consumer only must do this.
+ */
+ for (i = 0; i < encl.nr_segments; i++) {
+ struct encl_segment *seg = &encl.segment_tbl[i];
+
+ addr = mmap((void *)encl.encl_base + seg->offset, seg->size,
+ seg->prot, MAP_SHARED | MAP_FIXED, encl.fd, 0);
+ if (addr == MAP_FAILED) {
+ fprintf(stderr, "mmap() failed, errno=%d.\n", errno);
+ exit(1);
+ }
+ }
+
+ memset(&run, 0, sizeof(run));
+ run.tcs = encl.encl_base;
+
+ addr = vdso_get_base_addr(envp);
+ if (!addr)
+ goto err;
+
+ if (!vdso_get_symtab(addr, &symtab))
+ goto err;
+
+ eenter_sym = vdso_symtab_get(&symtab, "__vdso_sgx_enter_enclave");
+ if (!eenter_sym)
+ goto err;
+
+ eenter = addr + eenter_sym->st_value;
+
+ ret = sgx_call_vdso((void *)&MAGIC, &result, 0, EENTER, NULL, NULL, &run);
+ if (!report_results(&run, ret, result, "sgx_call_vdso"))
+ goto err;
+
+
+ /* Invoke the vDSO directly. */
+ result = 0;
+ ret = eenter((unsigned long)&MAGIC, (unsigned long)&result, 0, EENTER,
+ 0, 0, &run);
+ if (!report_results(&run, ret, result, "eenter"))
+ goto err;
+
+ /* And with an exit handler. */
+ run.user_handler = (__u64)user_handler;
+ run.user_data = 0xdeadbeef;
+ ret = eenter((unsigned long)&MAGIC, (unsigned long)&result, 0, EENTER,
+ 0, 0, &run);
+ if (!report_results(&run, ret, result, "user_handler"))
+ goto err;
+
+ printf("SUCCESS\n");
+ encl_delete(&encl);
+ exit(0);
+
+err:
+ encl_delete(&encl);
+ exit(1);
+}
diff --git a/tools/testing/selftests/sgx/main.h b/tools/testing/selftests/sgx/main.h
new file mode 100644
index 000000000000..45e6ab65442a
--- /dev/null
+++ b/tools/testing/selftests/sgx/main.h
@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright(c) 2016-20 Intel Corporation.
+ */
+
+#ifndef MAIN_H
+#define MAIN_H
+
+struct encl_segment {
+ off_t offset;
+ size_t size;
+ unsigned int prot;
+ unsigned int flags;
+};
+
+struct encl {
+ int fd;
+ void *bin;
+ off_t bin_size;
+ void *src;
+ size_t src_size;
+ size_t encl_size;
+ off_t encl_base;
+ unsigned int nr_segments;
+ struct encl_segment *segment_tbl;
+ struct sgx_secs secs;
+ struct sgx_sigstruct sigstruct;
+};
+
+void encl_delete(struct encl *ctx);
+bool encl_load(const char *path, struct encl *encl);
+bool encl_measure(struct encl *encl);
+bool encl_build(struct encl *encl);
+
+int sgx_call_vdso(void *rdi, void *rsi, long rdx, u32 function, void *r8, void *r9,
+ struct sgx_enclave_run *run);
+
+#endif /* MAIN_H */
diff --git a/tools/testing/selftests/sgx/sigstruct.c b/tools/testing/selftests/sgx/sigstruct.c
new file mode 100644
index 000000000000..cc06f108bae7
--- /dev/null
+++ b/tools/testing/selftests/sgx/sigstruct.c
@@ -0,0 +1,391 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright(c) 2016-20 Intel Corporation. */
+
+#define _GNU_SOURCE
+#include <assert.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include "defines.h"
+#include "main.h"
+
+struct q1q2_ctx {
+ BN_CTX *bn_ctx;
+ BIGNUM *m;
+ BIGNUM *s;
+ BIGNUM *q1;
+ BIGNUM *qr;
+ BIGNUM *q2;
+};
+
+static void free_q1q2_ctx(struct q1q2_ctx *ctx)
+{
+ BN_CTX_free(ctx->bn_ctx);
+ BN_free(ctx->m);
+ BN_free(ctx->s);
+ BN_free(ctx->q1);
+ BN_free(ctx->qr);
+ BN_free(ctx->q2);
+}
+
+static bool alloc_q1q2_ctx(const uint8_t *s, const uint8_t *m,
+ struct q1q2_ctx *ctx)
+{
+ ctx->bn_ctx = BN_CTX_new();
+ ctx->s = BN_bin2bn(s, SGX_MODULUS_SIZE, NULL);
+ ctx->m = BN_bin2bn(m, SGX_MODULUS_SIZE, NULL);
+ ctx->q1 = BN_new();
+ ctx->qr = BN_new();
+ ctx->q2 = BN_new();
+
+ if (!ctx->bn_ctx || !ctx->s || !ctx->m || !ctx->q1 || !ctx->qr ||
+ !ctx->q2) {
+ free_q1q2_ctx(ctx);
+ return false;
+ }
+
+ return true;
+}
+
+static bool calc_q1q2(const uint8_t *s, const uint8_t *m, uint8_t *q1,
+ uint8_t *q2)
+{
+ struct q1q2_ctx ctx;
+
+ if (!alloc_q1q2_ctx(s, m, &ctx)) {
+ fprintf(stderr, "Not enough memory for Q1Q2 calculation\n");
+ return false;
+ }
+
+ if (!BN_mul(ctx.q1, ctx.s, ctx.s, ctx.bn_ctx))
+ goto out;
+
+ if (!BN_div(ctx.q1, ctx.qr, ctx.q1, ctx.m, ctx.bn_ctx))
+ goto out;
+
+ if (BN_num_bytes(ctx.q1) > SGX_MODULUS_SIZE) {
+ fprintf(stderr, "Too large Q1 %d bytes\n",
+ BN_num_bytes(ctx.q1));
+ goto out;
+ }
+
+ if (!BN_mul(ctx.q2, ctx.s, ctx.qr, ctx.bn_ctx))
+ goto out;
+
+ if (!BN_div(ctx.q2, NULL, ctx.q2, ctx.m, ctx.bn_ctx))
+ goto out;
+
+ if (BN_num_bytes(ctx.q2) > SGX_MODULUS_SIZE) {
+ fprintf(stderr, "Too large Q2 %d bytes\n",
+ BN_num_bytes(ctx.q2));
+ goto out;
+ }
+
+ BN_bn2bin(ctx.q1, q1);
+ BN_bn2bin(ctx.q2, q2);
+
+ free_q1q2_ctx(&ctx);
+ return true;
+out:
+ free_q1q2_ctx(&ctx);
+ return false;
+}
+
+struct sgx_sigstruct_payload {
+ struct sgx_sigstruct_header header;
+ struct sgx_sigstruct_body body;
+};
+
+static bool check_crypto_errors(void)
+{
+ int err;
+ bool had_errors = false;
+ const char *filename;
+ int line;
+ char str[256];
+
+ for ( ; ; ) {
+ if (ERR_peek_error() == 0)
+ break;
+
+ had_errors = true;
+ err = ERR_get_error_line(&filename, &line);
+ ERR_error_string_n(err, str, sizeof(str));
+ fprintf(stderr, "crypto: %s: %s:%d\n", str, filename, line);
+ }
+
+ return had_errors;
+}
+
+static inline const BIGNUM *get_modulus(RSA *key)
+{
+ const BIGNUM *n;
+
+ RSA_get0_key(key, &n, NULL, NULL);
+ return n;
+}
+
+static RSA *gen_sign_key(void)
+{
+ BIGNUM *e;
+ RSA *key;
+ int ret;
+
+ e = BN_new();
+ key = RSA_new();
+
+ if (!e || !key)
+ goto err;
+
+ ret = BN_set_word(e, RSA_3);
+ if (ret != 1)
+ goto err;
+
+ ret = RSA_generate_key_ex(key, 3072, e, NULL);
+ if (ret != 1)
+ goto err;
+
+ BN_free(e);
+
+ return key;
+
+err:
+ RSA_free(key);
+ BN_free(e);
+
+ return NULL;
+}
+
+static void reverse_bytes(void *data, int length)
+{
+ int i = 0;
+ int j = length - 1;
+ uint8_t temp;
+ uint8_t *ptr = data;
+
+ while (i < j) {
+ temp = ptr[i];
+ ptr[i] = ptr[j];
+ ptr[j] = temp;
+ i++;
+ j--;
+ }
+}
+
+enum mrtags {
+ MRECREATE = 0x0045544145524345,
+ MREADD = 0x0000000044444145,
+ MREEXTEND = 0x00444E4554584545,
+};
+
+static bool mrenclave_update(EVP_MD_CTX *ctx, const void *data)
+{
+ if (!EVP_DigestUpdate(ctx, data, 64)) {
+ fprintf(stderr, "digest update failed\n");
+ return false;
+ }
+
+ return true;
+}
+
+static bool mrenclave_commit(EVP_MD_CTX *ctx, uint8_t *mrenclave)
+{
+ unsigned int size;
+
+ if (!EVP_DigestFinal_ex(ctx, (unsigned char *)mrenclave, &size)) {
+ fprintf(stderr, "digest commit failed\n");
+ return false;
+ }
+
+ if (size != 32) {
+ fprintf(stderr, "invalid digest size = %u\n", size);
+ return false;
+ }
+
+ return true;
+}
+
+struct mrecreate {
+ uint64_t tag;
+ uint32_t ssaframesize;
+ uint64_t size;
+ uint8_t reserved[44];
+} __attribute__((__packed__));
+
+
+static bool mrenclave_ecreate(EVP_MD_CTX *ctx, uint64_t blob_size)
+{
+ struct mrecreate mrecreate;
+ uint64_t encl_size;
+
+ for (encl_size = 0x1000; encl_size < blob_size; )
+ encl_size <<= 1;
+
+ memset(&mrecreate, 0, sizeof(mrecreate));
+ mrecreate.tag = MRECREATE;
+ mrecreate.ssaframesize = 1;
+ mrecreate.size = encl_size;
+
+ if (!EVP_DigestInit_ex(ctx, EVP_sha256(), NULL))
+ return false;
+
+ return mrenclave_update(ctx, &mrecreate);
+}
+
+struct mreadd {
+ uint64_t tag;
+ uint64_t offset;
+ uint64_t flags; /* SECINFO flags */
+ uint8_t reserved[40];
+} __attribute__((__packed__));
+
+static bool mrenclave_eadd(EVP_MD_CTX *ctx, uint64_t offset, uint64_t flags)
+{
+ struct mreadd mreadd;
+
+ memset(&mreadd, 0, sizeof(mreadd));
+ mreadd.tag = MREADD;
+ mreadd.offset = offset;
+ mreadd.flags = flags;
+
+ return mrenclave_update(ctx, &mreadd);
+}
+
+struct mreextend {
+ uint64_t tag;
+ uint64_t offset;
+ uint8_t reserved[48];
+} __attribute__((__packed__));
+
+static bool mrenclave_eextend(EVP_MD_CTX *ctx, uint64_t offset,
+ const uint8_t *data)
+{
+ struct mreextend mreextend;
+ int i;
+
+ for (i = 0; i < 0x1000; i += 0x100) {
+ memset(&mreextend, 0, sizeof(mreextend));
+ mreextend.tag = MREEXTEND;
+ mreextend.offset = offset + i;
+
+ if (!mrenclave_update(ctx, &mreextend))
+ return false;
+
+ if (!mrenclave_update(ctx, &data[i + 0x00]))
+ return false;
+
+ if (!mrenclave_update(ctx, &data[i + 0x40]))
+ return false;
+
+ if (!mrenclave_update(ctx, &data[i + 0x80]))
+ return false;
+
+ if (!mrenclave_update(ctx, &data[i + 0xC0]))
+ return false;
+ }
+
+ return true;
+}
+
+static bool mrenclave_segment(EVP_MD_CTX *ctx, struct encl *encl,
+ struct encl_segment *seg)
+{
+ uint64_t end = seg->offset + seg->size;
+ uint64_t offset;
+
+ for (offset = seg->offset; offset < end; offset += PAGE_SIZE) {
+ if (!mrenclave_eadd(ctx, offset, seg->flags))
+ return false;
+
+ if (!mrenclave_eextend(ctx, offset, encl->src + offset))
+ return false;
+ }
+
+ return true;
+}
+
+bool encl_measure(struct encl *encl)
+{
+ uint64_t header1[2] = {0x000000E100000006, 0x0000000000010000};
+ uint64_t header2[2] = {0x0000006000000101, 0x0000000100000060};
+ struct sgx_sigstruct *sigstruct = &encl->sigstruct;
+ struct sgx_sigstruct_payload payload;
+ uint8_t digest[SHA256_DIGEST_LENGTH];
+ unsigned int siglen;
+ RSA *key = NULL;
+ EVP_MD_CTX *ctx;
+ int i;
+
+ memset(sigstruct, 0, sizeof(*sigstruct));
+
+ sigstruct->header.header1[0] = header1[0];
+ sigstruct->header.header1[1] = header1[1];
+ sigstruct->header.header2[0] = header2[0];
+ sigstruct->header.header2[1] = header2[1];
+ sigstruct->exponent = 3;
+ sigstruct->body.attributes = SGX_ATTR_MODE64BIT;
+ sigstruct->body.xfrm = 3;
+
+ /* sanity check */
+ if (check_crypto_errors())
+ goto err;
+
+ key = gen_sign_key();
+ if (!key)
+ goto err;
+
+ BN_bn2bin(get_modulus(key), sigstruct->modulus);
+
+ ctx = EVP_MD_CTX_create();
+ if (!ctx)
+ goto err;
+
+ if (!mrenclave_ecreate(ctx, encl->src_size))
+ goto err;
+
+ for (i = 0; i < encl->nr_segments; i++) {
+ struct encl_segment *seg = &encl->segment_tbl[i];
+
+ if (!mrenclave_segment(ctx, encl, seg))
+ goto err;
+ }
+
+ if (!mrenclave_commit(ctx, sigstruct->body.mrenclave))
+ goto err;
+
+ memcpy(&payload.header, &sigstruct->header, sizeof(sigstruct->header));
+ memcpy(&payload.body, &sigstruct->body, sizeof(sigstruct->body));
+
+ SHA256((unsigned char *)&payload, sizeof(payload), digest);
+
+ if (!RSA_sign(NID_sha256, digest, SHA256_DIGEST_LENGTH,
+ sigstruct->signature, &siglen, key))
+ goto err;
+
+ if (!calc_q1q2(sigstruct->signature, sigstruct->modulus, sigstruct->q1,
+ sigstruct->q2))
+ goto err;
+
+ /* BE -> LE */
+ reverse_bytes(sigstruct->signature, SGX_MODULUS_SIZE);
+ reverse_bytes(sigstruct->modulus, SGX_MODULUS_SIZE);
+ reverse_bytes(sigstruct->q1, SGX_MODULUS_SIZE);
+ reverse_bytes(sigstruct->q2, SGX_MODULUS_SIZE);
+
+ EVP_MD_CTX_destroy(ctx);
+ RSA_free(key);
+ return true;
+
+err:
+ EVP_MD_CTX_destroy(ctx);
+ RSA_free(key);
+ return false;
+}
diff --git a/tools/testing/selftests/sgx/test_encl.c b/tools/testing/selftests/sgx/test_encl.c
new file mode 100644
index 000000000000..cf25b5dc1e03
--- /dev/null
+++ b/tools/testing/selftests/sgx/test_encl.c
@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright(c) 2016-20 Intel Corporation. */
+
+#include <stddef.h>
+#include "defines.h"
+
+static void *memcpy(void *dest, const void *src, size_t n)
+{
+ size_t i;
+
+ for (i = 0; i < n; i++)
+ ((char *)dest)[i] = ((char *)src)[i];
+
+ return dest;
+}
+
+void encl_body(void *rdi, void *rsi)
+{
+ memcpy(rsi, rdi, 8);
+}
diff --git a/tools/testing/selftests/sgx/test_encl.lds b/tools/testing/selftests/sgx/test_encl.lds
new file mode 100644
index 000000000000..0fbbda7e665e
--- /dev/null
+++ b/tools/testing/selftests/sgx/test_encl.lds
@@ -0,0 +1,40 @@
+OUTPUT_FORMAT(elf64-x86-64)
+
+PHDRS
+{
+ tcs PT_LOAD;
+ text PT_LOAD;
+ data PT_LOAD;
+}
+
+SECTIONS
+{
+ . = 0;
+ .tcs : {
+ *(.tcs*)
+ } : tcs
+
+ . = ALIGN(4096);
+ .text : {
+ *(.text*)
+ *(.rodata*)
+ } : text
+
+ . = ALIGN(4096);
+ .data : {
+ *(.data*)
+ } : data
+
+ /DISCARD/ : {
+ *(.comment*)
+ *(.note*)
+ *(.debug*)
+ *(.eh_frame*)
+ }
+}
+
+ASSERT(!DEFINED(.altinstructions), "ALTERNATIVES are not supported in enclaves")
+ASSERT(!DEFINED(.altinstr_replacement), "ALTERNATIVES are not supported in enclaves")
+ASSERT(!DEFINED(.discard.retpoline_safe), "RETPOLINE ALTERNATIVES are not supported in enclaves")
+ASSERT(!DEFINED(.discard.nospec), "RETPOLINE ALTERNATIVES are not supported in enclaves")
+ASSERT(!DEFINED(.got.plt), "Libcalls are not supported in enclaves")
diff --git a/tools/testing/selftests/sgx/test_encl_bootstrap.S b/tools/testing/selftests/sgx/test_encl_bootstrap.S
new file mode 100644
index 000000000000..5d5680d4ea39
--- /dev/null
+++ b/tools/testing/selftests/sgx/test_encl_bootstrap.S
@@ -0,0 +1,89 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright(c) 2016-20 Intel Corporation.
+ */
+
+ .macro ENCLU
+ .byte 0x0f, 0x01, 0xd7
+ .endm
+
+ .section ".tcs", "aw"
+ .balign 4096
+
+ .fill 1, 8, 0 # STATE (set by CPU)
+ .fill 1, 8, 0 # FLAGS
+ .quad encl_ssa # OSSA
+ .fill 1, 4, 0 # CSSA (set by CPU)
+ .fill 1, 4, 1 # NSSA
+ .quad encl_entry # OENTRY
+ .fill 1, 8, 0 # AEP (set by EENTER and ERESUME)
+ .fill 1, 8, 0 # OFSBASE
+ .fill 1, 8, 0 # OGSBASE
+ .fill 1, 4, 0xFFFFFFFF # FSLIMIT
+ .fill 1, 4, 0xFFFFFFFF # GSLIMIT
+ .fill 4024, 1, 0 # Reserved
+
+ # Identical to the previous TCS.
+ .fill 1, 8, 0 # STATE (set by CPU)
+ .fill 1, 8, 0 # FLAGS
+ .quad encl_ssa # OSSA
+ .fill 1, 4, 0 # CSSA (set by CPU)
+ .fill 1, 4, 1 # NSSA
+ .quad encl_entry # OENTRY
+ .fill 1, 8, 0 # AEP (set by EENTER and ERESUME)
+ .fill 1, 8, 0 # OFSBASE
+ .fill 1, 8, 0 # OGSBASE
+ .fill 1, 4, 0xFFFFFFFF # FSLIMIT
+ .fill 1, 4, 0xFFFFFFFF # GSLIMIT
+ .fill 4024, 1, 0 # Reserved
+
+ .text
+
+encl_entry:
+ # RBX contains the base address for TCS, which is also the first address
+ # inside the enclave. By adding the value of le_stack_end to it, we get
+ # the absolute address for the stack.
+ lea (encl_stack)(%rbx), %rax
+ xchg %rsp, %rax
+ push %rax
+
+ push %rcx # push the address after EENTER
+ push %rbx # push the enclave base address
+
+ call encl_body
+
+ pop %rbx # pop the enclave base address
+
+ /* Clear volatile GPRs, except RAX (EEXIT function). */
+ xor %rcx, %rcx
+ xor %rdx, %rdx
+ xor %rdi, %rdi
+ xor %rsi, %rsi
+ xor %r8, %r8
+ xor %r9, %r9
+ xor %r10, %r10
+ xor %r11, %r11
+
+ # Reset status flags.
+ add %rdx, %rdx # OF = SF = AF = CF = 0; ZF = PF = 1
+
+ # Prepare EEXIT target by popping the address of the instruction after
+ # EENTER to RBX.
+ pop %rbx
+
+ # Restore the caller stack.
+ pop %rax
+ mov %rax, %rsp
+
+ # EEXIT
+ mov $4, %rax
+ enclu
+
+ .section ".data", "aw"
+
+encl_ssa:
+ .space 4096
+
+ .balign 4096
+ .space 8192
+encl_stack:
--
2.27.0

2020-11-04 14:59:59

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

From: Sean Christopherson <[email protected]>

Background
==========

1. SGX enclave pages are populated with data by copying from normal memory
via ioctl() (SGX_IOC_ENCLAVE_ADD_PAGES), which will be added later in
this series.
2. It is desirable to be able to restrict those normal memory data sources.
For instance, to ensure that the source data is executable before
copying data to an executable enclave page.
3. Enclave page permissions are dynamic (just like normal permissions) and
can be adjusted at runtime with mprotect().

This creates a problem because the original data source may have long since
vanished at the time when enclave page permissions are established (mmap()
or mprotect()).

The solution (elsewhere in this series) is to force enclaves creators to
declare their paging permission *intent* up front to the ioctl(). This
intent can me immediately compared to the source data’s mapping and
rejected if necessary.

The “intent” is also stashed off for later comparison with enclave
PTEs. This ensures that any future mmap()/mprotect() operations
performed by the enclave creator or done on behalf of the enclave
can be compared with the earlier declared permissions.

Problem
=======

There is an existing mmap() hook which allows SGX to perform this
permission comparison at mmap() time. However, there is no corresponding
->mprotect() hook.

Solution
========

Add a vm_ops->mprotect() hook so that mprotect() operations which are
inconsistent with any page's stashed intent can be rejected by the driver.

Cc: [email protected]
Cc: Andrew Morton <[email protected]>
Cc: Matthew Wilcox <[email protected]>
Acked-by: Jethro Beekman <[email protected]>
Reviewed-by: Darren Kenny <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Co-developed-by: Jarkko Sakkinen <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
include/linux/mm.h | 3 +++
mm/mprotect.c | 5 ++++-
2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h
index ef360fe70aaf..eb38eabc5039 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -559,6 +559,9 @@ struct vm_operations_struct {
void (*close)(struct vm_area_struct * area);
int (*split)(struct vm_area_struct * area, unsigned long addr);
int (*mremap)(struct vm_area_struct * area);
+ int (*mprotect)(struct vm_area_struct *vma,
+ struct vm_area_struct **pprev, unsigned long start,
+ unsigned long end, unsigned long newflags);
vm_fault_t (*fault)(struct vm_fault *vmf);
vm_fault_t (*huge_fault)(struct vm_fault *vmf,
enum page_entry_size pe_size);
diff --git a/mm/mprotect.c b/mm/mprotect.c
index 56c02beb6041..1fd4fa71ce16 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -616,7 +616,10 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
tmp = vma->vm_end;
if (tmp > end)
tmp = end;
- error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
+ if (vma->vm_ops && vma->vm_ops->mprotect)
+ error = vma->vm_ops->mprotect(vma, &prev, nstart, tmp, newflags);
+ else
+ error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
if (error)
goto out;
nstart = tmp;
--
2.27.0

2020-11-04 15:00:44

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 22/24] x86/sgx: Add ptrace() support for the SGX driver

Enclave memory is normally inaccessible from outside the enclave. This
makes enclaves hard to debug. However, enclaves can be put in a debug mode
when they are being built. In debug enclaves data *can* be read and/or
written by using the ENCLS[EDBGRD] and ENCLS[EDBGWR] functions.

This is obviously only for debugging and destroys all the protections
afforded to normal enclaves. But, enclaves know their own debug status and
can adjust their behavior appropriately.

Add a vm_ops->access() implementation which can be used to read and write
memory inside debug enclaves. This is typically used via ptrace() APIs.

Cc: [email protected]
Cc: Andrew Morton <[email protected]>
Cc: Matthew Wilcox <[email protected]>
Acked-by: Jethro Beekman <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
Changes from v39:
* Check only for SGX_ENCL_DEBUG in sgx_vma_access(), so that a debug
enclave's memory can read and written at any phase of its life-cycle.

arch/x86/kernel/cpu/sgx/encl.c | 111 +++++++++++++++++++++++++++++++++
1 file changed, 111 insertions(+)

diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
index 328d5f61f1cc..5551c7d36483 100644
--- a/arch/x86/kernel/cpu/sgx/encl.c
+++ b/arch/x86/kernel/cpu/sgx/encl.c
@@ -282,10 +282,121 @@ static int sgx_vma_mprotect(struct vm_area_struct *vma,
return mprotect_fixup(vma, pprev, start, end, newflags);
}

+static int sgx_encl_debug_read(struct sgx_encl *encl, struct sgx_encl_page *page,
+ unsigned long addr, void *data)
+{
+ unsigned long offset = addr & ~PAGE_MASK;
+ int ret;
+
+
+ ret = __edbgrd(sgx_get_epc_virt_addr(page->epc_page) + offset, data);
+ if (ret)
+ return -EIO;
+
+ return 0;
+}
+
+static int sgx_encl_debug_write(struct sgx_encl *encl, struct sgx_encl_page *page,
+ unsigned long addr, void *data)
+{
+ unsigned long offset = addr & ~PAGE_MASK;
+ int ret;
+
+ ret = __edbgwr(sgx_get_epc_virt_addr(page->epc_page) + offset, data);
+ if (ret)
+ return -EIO;
+
+ return 0;
+}
+
+/*
+ * Load an enclave page to EPC if required, and take encl->lock.
+ */
+static struct sgx_encl_page *sgx_encl_reserve_page(struct sgx_encl *encl,
+ unsigned long addr,
+ unsigned long vm_flags)
+{
+ struct sgx_encl_page *entry;
+
+ for ( ; ; ) {
+ mutex_lock(&encl->lock);
+
+ entry = sgx_encl_load_page(encl, addr, vm_flags);
+ if (PTR_ERR(entry) != -EBUSY)
+ break;
+
+ mutex_unlock(&encl->lock);
+ }
+
+ if (IS_ERR(entry))
+ mutex_unlock(&encl->lock);
+
+ return entry;
+}
+
+static int sgx_vma_access(struct vm_area_struct *vma, unsigned long addr,
+ void *buf, int len, int write)
+{
+ struct sgx_encl *encl = vma->vm_private_data;
+ struct sgx_encl_page *entry = NULL;
+ char data[sizeof(unsigned long)];
+ unsigned long align;
+ int offset;
+ int cnt;
+ int ret = 0;
+ int i;
+
+ /*
+ * If process was forked, VMA is still there but vm_private_data is set
+ * to NULL.
+ */
+ if (!encl)
+ return -EFAULT;
+
+ if (!test_bit(SGX_ENCL_DEBUG, &encl->flags))
+ return -EFAULT;
+
+ for (i = 0; i < len; i += cnt) {
+ entry = sgx_encl_reserve_page(encl, (addr + i) & PAGE_MASK,
+ vma->vm_flags);
+ if (IS_ERR(entry)) {
+ ret = PTR_ERR(entry);
+ break;
+ }
+
+ align = ALIGN_DOWN(addr + i, sizeof(unsigned long));
+ offset = (addr + i) & (sizeof(unsigned long) - 1);
+ cnt = sizeof(unsigned long) - offset;
+ cnt = min(cnt, len - i);
+
+ ret = sgx_encl_debug_read(encl, entry, align, data);
+ if (ret)
+ goto out;
+
+ if (write) {
+ memcpy(data + offset, buf + i, cnt);
+ ret = sgx_encl_debug_write(encl, entry, align, data);
+ if (ret)
+ goto out;
+ } else {
+ memcpy(buf + i, data + offset, cnt);
+ }
+
+out:
+ mutex_unlock(&encl->lock);
+
+ if (ret)
+ break;
+ }
+
+ return ret < 0 ? ret : i;
+}
+
const struct vm_operations_struct sgx_vm_ops = {
.fault = sgx_vma_fault,
.mprotect = sgx_vma_mprotect,
.open = sgx_vma_open,
+ .access = sgx_vma_access,
};

/**
--
2.27.0

2020-11-04 15:00:52

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 17/24] x86/fault: Add helper function to sanitize error code

From: Sean Christopherson <[email protected]>

vDSO exception fixup is a replacement for signals in limited situations.
Signals and vDSO exception fixup need to provide similar information to
userspace, including the hardware error code.

That hardware error code needs to be sanitized. For instance, if userspace
accesses a kernel address, the error code could indicate to userspace
whether the address had a Present=1 PTE. That can leak information about
the kernel layout to userspace, which is bad.

The existing signal code does this sanitization, but fairly late in the
signal process. The vDSO exception code runs before the sanitization
happens.

Move error code sanitization out of the signal code and into a helper.
Call the helper in the signal code.

Acked-by: Jethro Beekman <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
Changes from v39:
* Add the missing change to the set_signal_archinfo() that removes the
snippet contained in sanitize_error_code().

arch/x86/mm/fault.c | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 9339fee83784..0161d4acf3ad 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -602,11 +602,9 @@ pgtable_bad(struct pt_regs *regs, unsigned long error_code,
oops_end(flags, regs, sig);
}

-static void set_signal_archinfo(unsigned long address,
- unsigned long error_code)
+static void sanitize_error_code(unsigned long address,
+ unsigned long *error_code)
{
- struct task_struct *tsk = current;
-
/*
* To avoid leaking information about the kernel page
* table layout, pretend that user-mode accesses to
@@ -617,7 +615,13 @@ static void set_signal_archinfo(unsigned long address,
* information and does not appear to cause any problems.
*/
if (address >= TASK_SIZE_MAX)
- error_code |= X86_PF_PROT;
+ *error_code |= X86_PF_PROT;
+}
+
+static void set_signal_archinfo(unsigned long address,
+ unsigned long error_code)
+{
+ struct task_struct *tsk = current;

tsk->thread.trap_nr = X86_TRAP_PF;
tsk->thread.error_code = error_code | X86_PF_USER;
@@ -658,6 +662,8 @@ no_context(struct pt_regs *regs, unsigned long error_code,
* faulting through the emulate_vsyscall() logic.
*/
if (current->thread.sig_on_uaccess_err && signal) {
+ sanitize_error_code(address, &error_code);
+
set_signal_archinfo(address, error_code);

/* XXX: hwpoison faults will set the wrong code. */
@@ -806,13 +812,7 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
if (is_errata100(regs, address))
return;

- /*
- * To avoid leaking information about the kernel page table
- * layout, pretend that user-mode accesses to kernel addresses
- * are always protection faults.
- */
- if (address >= TASK_SIZE_MAX)
- error_code |= X86_PF_PROT;
+ sanitize_error_code(address, &error_code);

if (likely(show_unhandled_signals))
show_signal_msg(regs, error_code, address, tsk);
@@ -931,6 +931,8 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
if (is_prefetch(regs, error_code, address))
return;

+ sanitize_error_code(address, &error_code);
+
set_signal_archinfo(address, error_code);

#ifdef CONFIG_MEMORY_FAILURE
--
2.27.0

2020-11-04 15:00:59

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 18/24] x86/traps: Attempt to fixup exceptions in vDSO before signaling

From: Sean Christopherson <[email protected]>

vDSO functions can now leverage an exception fixup mechanism similar to
kernel exception fixup. For vDSO exception fixup, the initial user is
Intel's Software Guard Extensions (SGX), which will wrap the low-level
transitions to/from the enclave, i.e. EENTER and ERESUME instructions,
in a vDSO function and leverage fixup to intercept exceptions that would
otherwise generate a signal. This allows the vDSO wrapper to return the
fault information directly to its caller, obviating the need for SGX
applications and libraries to juggle signal handlers.

Attempt to fixup vDSO exceptions immediately prior to populating and
sending signal information. Except for the delivery mechanism, an
exception in a vDSO function should be treated like any other exception
in userspace, e.g. any fault that is successfully handled by the kernel
should not be directly visible to userspace.

Although it's debatable whether or not all exceptions are of interest to
enclaves, defer to the vDSO fixup to decide whether to do fixup or
generate a signal. Future users of vDSO fixup, if there ever are any,
will undoubtedly have different requirements than SGX enclaves, e.g. the
fixup vs. signal logic can be made function specific if/when necessary.

Suggested-by: Andy Lutomirski <[email protected]>
Acked-by: Jethro Beekman <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
arch/x86/kernel/traps.c | 10 ++++++++++
arch/x86/mm/fault.c | 7 +++++++
2 files changed, 17 insertions(+)

diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index e19df6cde35d..7798d862983f 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -60,6 +60,7 @@
#include <asm/umip.h>
#include <asm/insn.h>
#include <asm/insn-eval.h>
+#include <asm/vdso.h>

#ifdef CONFIG_X86_64
#include <asm/x86_init.h>
@@ -117,6 +118,9 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, const char *str,
tsk->thread.error_code = error_code;
tsk->thread.trap_nr = trapnr;
die(str, regs, error_code);
+ } else {
+ if (fixup_vdso_exception(regs, trapnr, error_code, 0))
+ return 0;
}

/*
@@ -550,6 +554,9 @@ DEFINE_IDTENTRY_ERRORCODE(exc_general_protection)
tsk->thread.error_code = error_code;
tsk->thread.trap_nr = X86_TRAP_GP;

+ if (fixup_vdso_exception(regs, X86_TRAP_GP, error_code, 0))
+ return;
+
show_signal(tsk, SIGSEGV, "", desc, regs, error_code);
force_sig(SIGSEGV);
goto exit;
@@ -1048,6 +1055,9 @@ static void math_error(struct pt_regs *regs, int trapnr)
if (!si_code)
goto exit;

+ if (fixup_vdso_exception(regs, trapnr, 0, 0))
+ return;
+
force_sig_fault(SIGFPE, si_code,
(void __user *)uprobe_get_trap_addr(regs));
exit:
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 0161d4acf3ad..f1f1b5a0956a 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -30,6 +30,7 @@
#include <asm/cpu_entry_area.h> /* exception stack */
#include <asm/pgtable_areas.h> /* VMALLOC_START, ... */
#include <asm/kvm_para.h> /* kvm_handle_async_pf */
+#include <asm/vdso.h> /* fixup_vdso_exception() */

#define CREATE_TRACE_POINTS
#include <asm/trace/exceptions.h>
@@ -814,6 +815,9 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,

sanitize_error_code(address, &error_code);

+ if (fixup_vdso_exception(regs, X86_TRAP_PF, error_code, address))
+ return;
+
if (likely(show_unhandled_signals))
show_signal_msg(regs, error_code, address, tsk);

@@ -933,6 +937,9 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,

sanitize_error_code(address, &error_code);

+ if (fixup_vdso_exception(regs, X86_TRAP_PF, error_code, address))
+ return;
+
set_signal_archinfo(address, error_code);

#ifdef CONFIG_MEMORY_FAILURE
--
2.27.0

2020-11-04 15:01:14

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 16/24] x86/vdso: Add support for exception fixup in vDSO functions

From: Sean Christopherson <[email protected]>

Signals are a horrid little mechanism. They are especially nasty in
multi-threaded environments because signal state like handlers is global
across the entire process. But, signals are basically the only way that
userspace can “gracefully” handle and recover from exceptions.

The kernel generally does not like exceptions to occur during execution.
But, exceptions are a fact of life and must be handled in some
circumstances. The kernel handles them by keeping a list of individual
instructions which may cause exceptions. Instead of truly handling the
exception and returning to the instruction that caused it, the kernel
instead restarts execution at a *different* instruction. This makes it
obvious to that thread of execution that the exception occurred and lets
*that* code handle the exception instead of the handler.

This is not dissimilar to the try/catch exceptions mechanisms that some
programming languages have, but applied *very* surgically to single
instructions. It effectively changes the visible architecture of the
instruction.

Problem
=======

SGX generates a lot of signals, and the code to enter and exit enclaves and
muck with signal handling is truly horrid. At the same time, an approach
like kernel exception fixup can not be easily applied to userspace
instructions because it changes the visible instruction architecture.

Solution
========

The vDSO is a special page of kernel-provided instructions that run in
userspace. Any userspace calling into the vDSO knows that it is special.
This allows the kernel a place to legitimately rewrite the user/kernel
contract and change instruction behavior.

Add support for fixing up exceptions that occur while executing in the
vDSO. This replaces what could traditionally only be done with signal
handling.

This new mechanism will be used to replace previously direct use of SGX
instructions by userspace.

Just introduce the vDSO infrastructure. Later patches will actually
replace signal generation with vDSO exception fixup.

Suggested-by: Andy Lutomirski <[email protected]>
Acked-by: Jethro Beekman <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
arch/x86/entry/vdso/Makefile | 6 ++--
arch/x86/entry/vdso/extable.c | 46 ++++++++++++++++++++++++
arch/x86/entry/vdso/extable.h | 28 +++++++++++++++
arch/x86/entry/vdso/vdso-layout.lds.S | 9 ++++-
arch/x86/entry/vdso/vdso2c.h | 50 ++++++++++++++++++++++++++-
arch/x86/include/asm/vdso.h | 5 +++
6 files changed, 139 insertions(+), 5 deletions(-)
create mode 100644 arch/x86/entry/vdso/extable.c
create mode 100644 arch/x86/entry/vdso/extable.h

diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
index 21243747965d..2ad757fb3c23 100644
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -29,7 +29,7 @@ vobjs32-y := vdso32/note.o vdso32/system_call.o vdso32/sigreturn.o
vobjs32-y += vdso32/vclock_gettime.o

# files to link into kernel
-obj-y += vma.o
+obj-y += vma.o extable.o
KASAN_SANITIZE_vma.o := y
UBSAN_SANITIZE_vma.o := y
KCSAN_SANITIZE_vma.o := y
@@ -128,8 +128,8 @@ $(obj)/%-x32.o: $(obj)/%.o FORCE

targets += vdsox32.lds $(vobjx32s-y)

-$(obj)/%.so: OBJCOPYFLAGS := -S
-$(obj)/%.so: $(obj)/%.so.dbg FORCE
+$(obj)/%.so: OBJCOPYFLAGS := -S --remove-section __ex_table
+$(obj)/%.so: $(obj)/%.so.dbg
$(call if_changed,objcopy)

$(obj)/vdsox32.so.dbg: $(obj)/vdsox32.lds $(vobjx32s) FORCE
diff --git a/arch/x86/entry/vdso/extable.c b/arch/x86/entry/vdso/extable.c
new file mode 100644
index 000000000000..afcf5b65beef
--- /dev/null
+++ b/arch/x86/entry/vdso/extable.c
@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/err.h>
+#include <linux/mm.h>
+#include <asm/current.h>
+#include <asm/traps.h>
+#include <asm/vdso.h>
+
+struct vdso_exception_table_entry {
+ int insn, fixup;
+};
+
+bool fixup_vdso_exception(struct pt_regs *regs, int trapnr,
+ unsigned long error_code, unsigned long fault_addr)
+{
+ const struct vdso_image *image = current->mm->context.vdso_image;
+ const struct vdso_exception_table_entry *extable;
+ unsigned int nr_entries, i;
+ unsigned long base;
+
+ /*
+ * Do not attempt to fixup #DB or #BP. It's impossible to identify
+ * whether or not a #DB/#BP originated from within an SGX enclave and
+ * SGX enclaves are currently the only use case for vDSO fixup.
+ */
+ if (trapnr == X86_TRAP_DB || trapnr == X86_TRAP_BP)
+ return false;
+
+ if (!current->mm->context.vdso)
+ return false;
+
+ base = (unsigned long)current->mm->context.vdso + image->extable_base;
+ nr_entries = image->extable_len / (sizeof(*extable));
+ extable = image->extable;
+
+ for (i = 0; i < nr_entries; i++) {
+ if (regs->ip == base + extable[i].insn) {
+ regs->ip = base + extable[i].fixup;
+ regs->di = trapnr;
+ regs->si = error_code;
+ regs->dx = fault_addr;
+ return true;
+ }
+ }
+
+ return false;
+}
diff --git a/arch/x86/entry/vdso/extable.h b/arch/x86/entry/vdso/extable.h
new file mode 100644
index 000000000000..b56f6b012941
--- /dev/null
+++ b/arch/x86/entry/vdso/extable.h
@@ -0,0 +1,28 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef __VDSO_EXTABLE_H
+#define __VDSO_EXTABLE_H
+
+/*
+ * Inject exception fixup for vDSO code. Unlike normal exception fixup,
+ * vDSO uses a dedicated handler the addresses are relative to the overall
+ * exception table, not each individual entry.
+ */
+#ifdef __ASSEMBLY__
+#define _ASM_VDSO_EXTABLE_HANDLE(from, to) \
+ ASM_VDSO_EXTABLE_HANDLE from to
+
+.macro ASM_VDSO_EXTABLE_HANDLE from:req to:req
+ .pushsection __ex_table, "a"
+ .long (\from) - __ex_table
+ .long (\to) - __ex_table
+ .popsection
+.endm
+#else
+#define _ASM_VDSO_EXTABLE_HANDLE(from, to) \
+ ".pushsection __ex_table, \"a\"\n" \
+ ".long (" #from ") - __ex_table\n" \
+ ".long (" #to ") - __ex_table\n" \
+ ".popsection\n"
+#endif
+
+#endif /* __VDSO_EXTABLE_H */
diff --git a/arch/x86/entry/vdso/vdso-layout.lds.S b/arch/x86/entry/vdso/vdso-layout.lds.S
index 4d152933547d..dc8da7695859 100644
--- a/arch/x86/entry/vdso/vdso-layout.lds.S
+++ b/arch/x86/entry/vdso/vdso-layout.lds.S
@@ -75,11 +75,18 @@ SECTIONS
* stuff that isn't used at runtime in between.
*/

- .text : { *(.text*) } :text =0x90909090,
+ .text : {
+ *(.text*)
+ *(.fixup)
+ } :text =0x90909090,
+
+

.altinstructions : { *(.altinstructions) } :text
.altinstr_replacement : { *(.altinstr_replacement) } :text

+ __ex_table : { *(__ex_table) } :text
+
/DISCARD/ : {
*(.discard)
*(.discard.*)
diff --git a/arch/x86/entry/vdso/vdso2c.h b/arch/x86/entry/vdso/vdso2c.h
index 6f46e11ce539..1c7cfac7e64a 100644
--- a/arch/x86/entry/vdso/vdso2c.h
+++ b/arch/x86/entry/vdso/vdso2c.h
@@ -5,6 +5,41 @@
* are built for 32-bit userspace.
*/

+static void BITSFUNC(copy)(FILE *outfile, const unsigned char *data, size_t len)
+{
+ size_t i;
+
+ for (i = 0; i < len; i++) {
+ if (i % 10 == 0)
+ fprintf(outfile, "\n\t");
+ fprintf(outfile, "0x%02X, ", (int)(data)[i]);
+ }
+}
+
+
+/*
+ * Extract a section from the input data into a standalone blob. Used to
+ * capture kernel-only data that needs to persist indefinitely, e.g. the
+ * exception fixup tables, but only in the kernel, i.e. the section can
+ * be stripped from the final vDSO image.
+ */
+static void BITSFUNC(extract)(const unsigned char *data, size_t data_len,
+ FILE *outfile, ELF(Shdr) *sec, const char *name)
+{
+ unsigned long offset;
+ size_t len;
+
+ offset = (unsigned long)GET_LE(&sec->sh_offset);
+ len = (size_t)GET_LE(&sec->sh_size);
+
+ if (offset + len > data_len)
+ fail("section to extract overruns input data");
+
+ fprintf(outfile, "static const unsigned char %s[%lu] = {", name, len);
+ BITSFUNC(copy)(outfile, data + offset, len);
+ fprintf(outfile, "\n};\n\n");
+}
+
static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
void *stripped_addr, size_t stripped_len,
FILE *outfile, const char *image_name)
@@ -15,7 +50,7 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
ELF(Ehdr) *hdr = (ELF(Ehdr) *)raw_addr;
unsigned long i, syms_nr;
ELF(Shdr) *symtab_hdr = NULL, *strtab_hdr, *secstrings_hdr,
- *alt_sec = NULL;
+ *alt_sec = NULL, *extable_sec = NULL;
ELF(Dyn) *dyn = 0, *dyn_end = 0;
const char *secstrings;
INT_BITS syms[NSYMS] = {};
@@ -77,6 +112,8 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
if (!strcmp(secstrings + GET_LE(&sh->sh_name),
".altinstructions"))
alt_sec = sh;
+ if (!strcmp(secstrings + GET_LE(&sh->sh_name), "__ex_table"))
+ extable_sec = sh;
}

if (!symtab_hdr)
@@ -155,6 +192,9 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
(int)((unsigned char *)stripped_addr)[i]);
}
fprintf(outfile, "\n};\n\n");
+ if (extable_sec)
+ BITSFUNC(extract)(raw_addr, raw_len, outfile,
+ extable_sec, "extable");

fprintf(outfile, "const struct vdso_image %s = {\n", image_name);
fprintf(outfile, "\t.data = raw_data,\n");
@@ -165,6 +205,14 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
fprintf(outfile, "\t.alt_len = %lu,\n",
(unsigned long)GET_LE(&alt_sec->sh_size));
}
+ if (extable_sec) {
+ fprintf(outfile, "\t.extable_base = %lu,\n",
+ (unsigned long)GET_LE(&extable_sec->sh_offset));
+ fprintf(outfile, "\t.extable_len = %lu,\n",
+ (unsigned long)GET_LE(&extable_sec->sh_size));
+ fprintf(outfile, "\t.extable = extable,\n");
+ }
+
for (i = 0; i < NSYMS; i++) {
if (required_syms[i].export && syms[i])
fprintf(outfile, "\t.sym_%s = %" PRIi64 ",\n",
diff --git a/arch/x86/include/asm/vdso.h b/arch/x86/include/asm/vdso.h
index bbcdc7b8f963..b5d23470f56b 100644
--- a/arch/x86/include/asm/vdso.h
+++ b/arch/x86/include/asm/vdso.h
@@ -15,6 +15,8 @@ struct vdso_image {
unsigned long size; /* Always a multiple of PAGE_SIZE */

unsigned long alt, alt_len;
+ unsigned long extable_base, extable_len;
+ const void *extable;

long sym_vvar_start; /* Negative offset to the vvar area */

@@ -45,6 +47,9 @@ extern void __init init_vdso_image(const struct vdso_image *image);

extern int map_vdso_once(const struct vdso_image *image, unsigned long addr);

+extern bool fixup_vdso_exception(struct pt_regs *regs, int trapnr,
+ unsigned long error_code,
+ unsigned long fault_addr);
#endif /* __ASSEMBLER__ */

#endif /* _ASM_X86_VDSO_H */
--
2.27.0

2020-11-04 15:01:43

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 21/24] x86/sgx: Add a page reclaimer

Just like normal RAM, there is a limited amount of enclave memory available
and overcommitting it is a very valuable tool to reduce resource use.
Introduce a simple reclaim mechanism for enclave pages.

In contrast to normal page reclaim, the kernel cannot directly access
enclave memory. To get around this, the SGX architecture provides a set of
functions to help. Among other things, these functions copy enclave memory
to and from normal memory, encrypting it and protecting its integrity in
the process.

Implement a page reclaimer by using these functions. Picks victim pages in
LRU fashion from all the enclaves running in the system. A new kernel
thread (ksgxswapd) reclaims pages in the background based on watermarks,
similar to normal kswapd.

All enclave pages can be reclaimed, architecturally. But, there are some
limits on this, such as the special SECS metadata page which must be
reclaimed last. The page version array (used to mitigate replaying old
reclaimed pages) is also architecturally reclaimable, but not yet
implemented. The end result is that the vast majority of enclave pages are
currently reclaimable.

Cc: [email protected]
Acked-by: Jethro Beekman <[email protected]>
Tested-by: Jethro Beekman <[email protected]>
Tested-by: Jordan Hand <[email protected]>
Tested-by: Nathaniel McCallum <[email protected]>
Tested-by: Chunyang Hui <[email protected]>
Tested-by: Seth Moore <[email protected]>
Co-developed-by: Sean Christopherson <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
Changes from v39:
* Remove SGX_ENCL_DEAD checks from the page reclaimer. They are no
longer needed as enclave contents are deleted only when it is
released.

arch/x86/kernel/cpu/sgx/driver.c | 59 ++--
arch/x86/kernel/cpu/sgx/encl.c | 483 ++++++++++++++++++++++++++++++-
arch/x86/kernel/cpu/sgx/encl.h | 51 ++++
arch/x86/kernel/cpu/sgx/ioctl.c | 89 +++++-
arch/x86/kernel/cpu/sgx/main.c | 466 +++++++++++++++++++++++++++++
arch/x86/kernel/cpu/sgx/sgx.h | 13 +
6 files changed, 1134 insertions(+), 27 deletions(-)

diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c
index f618a04c4224..f2eac41bb4ff 100644
--- a/arch/x86/kernel/cpu/sgx/driver.c
+++ b/arch/x86/kernel/cpu/sgx/driver.c
@@ -17,13 +17,24 @@ u32 sgx_misc_reserved_mask;
static int sgx_open(struct inode *inode, struct file *file)
{
struct sgx_encl *encl;
+ int ret;

encl = kzalloc(sizeof(*encl), GFP_KERNEL);
if (!encl)
return -ENOMEM;

+ kref_init(&encl->refcount);
xa_init(&encl->page_array);
mutex_init(&encl->lock);
+ INIT_LIST_HEAD(&encl->va_pages);
+ INIT_LIST_HEAD(&encl->mm_list);
+ spin_lock_init(&encl->mm_lock);
+
+ ret = init_srcu_struct(&encl->srcu);
+ if (ret) {
+ kfree(encl);
+ return ret;
+ }

file->private_data = encl;

@@ -33,31 +44,37 @@ static int sgx_open(struct inode *inode, struct file *file)
static int sgx_release(struct inode *inode, struct file *file)
{
struct sgx_encl *encl = file->private_data;
- struct sgx_encl_page *entry;
- unsigned long index;
-
- xa_for_each(&encl->page_array, index, entry) {
- if (entry->epc_page) {
- sgx_free_epc_page(entry->epc_page);
- encl->secs_child_cnt--;
- entry->epc_page = NULL;
+ struct sgx_encl_mm *encl_mm;
+
+ /*
+ * Drain the remaining mm_list entries. At this point the list contains
+ * entries for processes, which have closed the enclave file but have
+ * not exited yet. The processes, which have exited, are gone from the
+ * list by sgx_mmu_notifier_release().
+ */
+ for ( ; ; ) {
+ spin_lock(&encl->mm_lock);
+
+ if (list_empty(&encl->mm_list)) {
+ encl_mm = NULL;
+ } else {
+ encl_mm = list_first_entry(&encl->mm_list,
+ struct sgx_encl_mm, list);
+ list_del_rcu(&encl_mm->list);
}

- kfree(entry);
- }
+ spin_unlock(&encl->mm_lock);

- xa_destroy(&encl->page_array);
+ /* The enclave is no longer mapped by any mm. */
+ if (!encl_mm)
+ break;

- if (!encl->secs_child_cnt && encl->secs.epc_page) {
- sgx_free_epc_page(encl->secs.epc_page);
- encl->secs.epc_page = NULL;
+ synchronize_srcu(&encl->srcu);
+ mmu_notifier_unregister(&encl_mm->mmu_notifier, encl_mm->mm);
+ kfree(encl_mm);
}

- /* Detect EPC page leak's. */
- WARN_ON_ONCE(encl->secs_child_cnt);
- WARN_ON_ONCE(encl->secs.epc_page);
-
- kfree(encl);
+ kref_put(&encl->refcount, sgx_encl_release);
return 0;
}

@@ -70,6 +87,10 @@ static int sgx_mmap(struct file *file, struct vm_area_struct *vma)
if (ret)
return ret;

+ ret = sgx_encl_mm_add(encl, vma->vm_mm);
+ if (ret)
+ return ret;
+
vma->vm_ops = &sgx_vm_ops;
vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP | VM_IO;
vma->vm_private_data = encl;
diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
index dfcc306d297c..328d5f61f1cc 100644
--- a/arch/x86/kernel/cpu/sgx/encl.c
+++ b/arch/x86/kernel/cpu/sgx/encl.c
@@ -12,11 +12,90 @@
#include "encls.h"
#include "sgx.h"

+/*
+ * ELDU: Load an EPC page as unblocked. For more info, see "OS Management of EPC
+ * Pages" in the SDM.
+ */
+static int __sgx_encl_eldu(struct sgx_encl_page *encl_page,
+ struct sgx_epc_page *epc_page,
+ struct sgx_epc_page *secs_page)
+{
+ unsigned long va_offset = encl_page->desc & SGX_ENCL_PAGE_VA_OFFSET_MASK;
+ struct sgx_encl *encl = encl_page->encl;
+ struct sgx_pageinfo pginfo;
+ struct sgx_backing b;
+ pgoff_t page_index;
+ int ret;
+
+ if (secs_page)
+ page_index = PFN_DOWN(encl_page->desc - encl_page->encl->base);
+ else
+ page_index = PFN_DOWN(encl->size);
+
+ ret = sgx_encl_get_backing(encl, page_index, &b);
+ if (ret)
+ return ret;
+
+ pginfo.addr = encl_page->desc & PAGE_MASK;
+ pginfo.contents = (unsigned long)kmap_atomic(b.contents);
+ pginfo.metadata = (unsigned long)kmap_atomic(b.pcmd) +
+ b.pcmd_offset;
+
+ if (secs_page)
+ pginfo.secs = (u64)sgx_get_epc_virt_addr(secs_page);
+ else
+ pginfo.secs = 0;
+
+ ret = __eldu(&pginfo, sgx_get_epc_virt_addr(epc_page),
+ sgx_get_epc_virt_addr(encl_page->va_page->epc_page) + va_offset);
+ if (ret) {
+ if (encls_failed(ret))
+ ENCLS_WARN(ret, "ELDU");
+
+ ret = -EFAULT;
+ }
+
+ kunmap_atomic((void *)(unsigned long)(pginfo.metadata - b.pcmd_offset));
+ kunmap_atomic((void *)(unsigned long)pginfo.contents);
+
+ sgx_encl_put_backing(&b, false);
+
+ return ret;
+}
+
+static struct sgx_epc_page *sgx_encl_eldu(struct sgx_encl_page *encl_page,
+ struct sgx_epc_page *secs_page)
+{
+
+ unsigned long va_offset = encl_page->desc & SGX_ENCL_PAGE_VA_OFFSET_MASK;
+ struct sgx_encl *encl = encl_page->encl;
+ struct sgx_epc_page *epc_page;
+ int ret;
+
+ epc_page = sgx_alloc_epc_page(encl_page, false);
+ if (IS_ERR(epc_page))
+ return epc_page;
+
+ ret = __sgx_encl_eldu(encl_page, epc_page, secs_page);
+ if (ret) {
+ sgx_free_epc_page(epc_page);
+ return ERR_PTR(ret);
+ }
+
+ sgx_free_va_slot(encl_page->va_page, va_offset);
+ list_move(&encl_page->va_page->list, &encl->va_pages);
+ encl_page->desc &= ~SGX_ENCL_PAGE_VA_OFFSET_MASK;
+ encl_page->epc_page = epc_page;
+
+ return epc_page;
+}
+
static struct sgx_encl_page *sgx_encl_load_page(struct sgx_encl *encl,
unsigned long addr,
unsigned long vm_flags)
{
unsigned long vm_prot_bits = vm_flags & (VM_READ | VM_WRITE | VM_EXEC);
+ struct sgx_epc_page *epc_page;
struct sgx_encl_page *entry;

entry = xa_load(&encl->page_array, PFN_DOWN(addr));
@@ -31,11 +110,27 @@ static struct sgx_encl_page *sgx_encl_load_page(struct sgx_encl *encl,
if ((entry->vm_max_prot_bits & vm_prot_bits) != vm_prot_bits)
return ERR_PTR(-EFAULT);

- /* No page found. */
- if (!entry->epc_page)
- return ERR_PTR(-EFAULT);
-
/* Entry successfully located. */
+ if (entry->epc_page) {
+ if (entry->desc & SGX_ENCL_PAGE_BEING_RECLAIMED)
+ return ERR_PTR(-EBUSY);
+
+ return entry;
+ }
+
+ if (!(encl->secs.epc_page)) {
+ epc_page = sgx_encl_eldu(&encl->secs, NULL);
+ if (IS_ERR(epc_page))
+ return ERR_CAST(epc_page);
+ }
+
+ epc_page = sgx_encl_eldu(entry, encl->secs.epc_page);
+ if (IS_ERR(epc_page))
+ return ERR_CAST(epc_page);
+
+ encl->secs_child_cnt++;
+ sgx_mark_page_reclaimable(entry->epc_page);
+
return entry;
}

@@ -51,12 +146,23 @@ static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)

encl = vma->vm_private_data;

+ /*
+ * It's very unlikely but possible that allocating memory for the
+ * mm_list entry of a forked process failed in sgx_vma_open(). When
+ * this happens, vm_private_data is set to NULL.
+ */
+ if (unlikely(!encl))
+ return VM_FAULT_SIGBUS;
+
mutex_lock(&encl->lock);

entry = sgx_encl_load_page(encl, addr, vma->vm_flags);
if (IS_ERR(entry)) {
mutex_unlock(&encl->lock);

+ if (PTR_ERR(entry) == -EBUSY)
+ return VM_FAULT_NOPAGE;
+
return VM_FAULT_SIGBUS;
}

@@ -76,11 +182,29 @@ static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)
return VM_FAULT_SIGBUS;
}

+ sgx_encl_test_and_clear_young(vma->vm_mm, entry);
mutex_unlock(&encl->lock);

return VM_FAULT_NOPAGE;
}

+static void sgx_vma_open(struct vm_area_struct *vma)
+{
+ struct sgx_encl *encl = vma->vm_private_data;
+
+ /*
+ * It's possible but unlikely that vm_private_data is NULL. This can
+ * happen in a grandchild of a process, when sgx_encl_mm_add() had
+ * failed to allocate memory in this callback.
+ */
+ if (unlikely(!encl))
+ return;
+
+ if (sgx_encl_mm_add(encl, vma->vm_mm))
+ vma->vm_private_data = NULL;
+}
+
+
/**
* sgx_encl_may_map() - Check if a requested VMA mapping is allowed
* @encl: an enclave pointer
@@ -161,6 +285,7 @@ static int sgx_vma_mprotect(struct vm_area_struct *vma,
const struct vm_operations_struct sgx_vm_ops = {
.fault = sgx_vma_fault,
.mprotect = sgx_vma_mprotect,
+ .open = sgx_vma_open,
};

/**
@@ -194,3 +319,353 @@ int sgx_encl_find(struct mm_struct *mm, unsigned long addr,

return encl ? 0 : -ENOENT;
}
+
+/**
+ * sgx_encl_release - Destroy an enclave instance
+ * @kref: address of a kref inside &sgx_encl
+ *
+ * Used together with kref_put(). Frees all the resources associated with the
+ * enclave and the instance itself.
+ */
+void sgx_encl_release(struct kref *ref)
+{
+ struct sgx_encl *encl = container_of(ref, struct sgx_encl, refcount);
+ struct sgx_va_page *va_page;
+ struct sgx_encl_page *entry;
+ unsigned long index;
+
+ xa_for_each(&encl->page_array, index, entry) {
+ if (entry->epc_page) {
+ /*
+ * The page and its radix tree entry cannot be freed
+ * if the page is being held by the reclaimer.
+ */
+ if (sgx_unmark_page_reclaimable(entry->epc_page))
+ continue;
+
+ sgx_free_epc_page(entry->epc_page);
+ encl->secs_child_cnt--;
+ entry->epc_page = NULL;
+ }
+
+ kfree(entry);
+ }
+
+ xa_destroy(&encl->page_array);
+
+ if (!encl->secs_child_cnt && encl->secs.epc_page) {
+ sgx_free_epc_page(encl->secs.epc_page);
+ encl->secs.epc_page = NULL;
+ }
+
+ while (!list_empty(&encl->va_pages)) {
+ va_page = list_first_entry(&encl->va_pages, struct sgx_va_page,
+ list);
+ list_del(&va_page->list);
+ sgx_free_epc_page(va_page->epc_page);
+ kfree(va_page);
+ }
+
+ if (encl->backing)
+ fput(encl->backing);
+
+ cleanup_srcu_struct(&encl->srcu);
+
+ WARN_ON_ONCE(!list_empty(&encl->mm_list));
+
+ /* Detect EPC page leak's. */
+ WARN_ON_ONCE(encl->secs_child_cnt);
+ WARN_ON_ONCE(encl->secs.epc_page);
+
+ kfree(encl);
+}
+
+/*
+ * 'mm' is exiting and no longer needs mmu notifications.
+ */
+static void sgx_mmu_notifier_release(struct mmu_notifier *mn,
+ struct mm_struct *mm)
+{
+ struct sgx_encl_mm *encl_mm = container_of(mn, struct sgx_encl_mm, mmu_notifier);
+ struct sgx_encl_mm *tmp = NULL;
+
+ /*
+ * The enclave itself can remove encl_mm. Note, objects can't be moved
+ * off an RCU protected list, but deletion is ok.
+ */
+ spin_lock(&encl_mm->encl->mm_lock);
+ list_for_each_entry(tmp, &encl_mm->encl->mm_list, list) {
+ if (tmp == encl_mm) {
+ list_del_rcu(&encl_mm->list);
+ break;
+ }
+ }
+ spin_unlock(&encl_mm->encl->mm_lock);
+
+ if (tmp == encl_mm) {
+ synchronize_srcu(&encl_mm->encl->srcu);
+ mmu_notifier_put(mn);
+ }
+}
+
+static void sgx_mmu_notifier_free(struct mmu_notifier *mn)
+{
+ struct sgx_encl_mm *encl_mm = container_of(mn, struct sgx_encl_mm, mmu_notifier);
+
+ kfree(encl_mm);
+}
+
+static const struct mmu_notifier_ops sgx_mmu_notifier_ops = {
+ .release = sgx_mmu_notifier_release,
+ .free_notifier = sgx_mmu_notifier_free,
+};
+
+static struct sgx_encl_mm *sgx_encl_find_mm(struct sgx_encl *encl,
+ struct mm_struct *mm)
+{
+ struct sgx_encl_mm *encl_mm = NULL;
+ struct sgx_encl_mm *tmp;
+ int idx;
+
+ idx = srcu_read_lock(&encl->srcu);
+
+ list_for_each_entry_rcu(tmp, &encl->mm_list, list) {
+ if (tmp->mm == mm) {
+ encl_mm = tmp;
+ break;
+ }
+ }
+
+ srcu_read_unlock(&encl->srcu, idx);
+
+ return encl_mm;
+}
+
+int sgx_encl_mm_add(struct sgx_encl *encl, struct mm_struct *mm)
+{
+ struct sgx_encl_mm *encl_mm;
+ int ret;
+
+ /*
+ * Even though a single enclave may be mapped into an mm more than once,
+ * each 'mm' only appears once on encl->mm_list. This is guaranteed by
+ * holding the mm's mmap lock for write before an mm can be added or
+ * remove to an encl->mm_list.
+ */
+ mmap_assert_write_locked(mm);
+
+ /*
+ * It's possible that an entry already exists in the mm_list, because it
+ * is removed only on VFS release or process exit.
+ */
+ if (sgx_encl_find_mm(encl, mm))
+ return 0;
+
+ encl_mm = kzalloc(sizeof(*encl_mm), GFP_KERNEL);
+ if (!encl_mm)
+ return -ENOMEM;
+
+ encl_mm->encl = encl;
+ encl_mm->mm = mm;
+ encl_mm->mmu_notifier.ops = &sgx_mmu_notifier_ops;
+
+ ret = __mmu_notifier_register(&encl_mm->mmu_notifier, mm);
+ if (ret) {
+ kfree(encl_mm);
+ return ret;
+ }
+
+ spin_lock(&encl->mm_lock);
+ list_add_rcu(&encl_mm->list, &encl->mm_list);
+ /* Pairs with smp_rmb() in sgx_reclaimer_block(). */
+ smp_wmb();
+ encl->mm_list_version++;
+ spin_unlock(&encl->mm_lock);
+
+ return 0;
+}
+
+static struct page *sgx_encl_get_backing_page(struct sgx_encl *encl,
+ pgoff_t index)
+{
+ struct inode *inode = encl->backing->f_path.dentry->d_inode;
+ struct address_space *mapping = inode->i_mapping;
+ gfp_t gfpmask = mapping_gfp_mask(mapping);
+
+ return shmem_read_mapping_page_gfp(mapping, index, gfpmask);
+}
+
+/**
+ * sgx_encl_get_backing() - Pin the backing storage
+ * @encl: an enclave pointer
+ * @page_index: enclave page index
+ * @backing: data for accessing backing storage for the page
+ *
+ * Pin the backing storage pages for storing the encrypted contents and Paging
+ * Crypto MetaData (PCMD) of an enclave page.
+ *
+ * Return:
+ * 0 on success,
+ * -errno otherwise.
+ */
+int sgx_encl_get_backing(struct sgx_encl *encl, unsigned long page_index,
+ struct sgx_backing *backing)
+{
+ pgoff_t pcmd_index = PFN_DOWN(encl->size) + 1 + (page_index >> 5);
+ struct page *contents;
+ struct page *pcmd;
+
+ contents = sgx_encl_get_backing_page(encl, page_index);
+ if (IS_ERR(contents))
+ return PTR_ERR(contents);
+
+ pcmd = sgx_encl_get_backing_page(encl, pcmd_index);
+ if (IS_ERR(pcmd)) {
+ put_page(contents);
+ return PTR_ERR(pcmd);
+ }
+
+ backing->page_index = page_index;
+ backing->contents = contents;
+ backing->pcmd = pcmd;
+ backing->pcmd_offset =
+ (page_index & (PAGE_SIZE / sizeof(struct sgx_pcmd) - 1)) *
+ sizeof(struct sgx_pcmd);
+
+ return 0;
+}
+
+/**
+ * sgx_encl_put_backing() - Unpin the backing storage
+ * @backing: data for accessing backing storage for the page
+ * @do_write: mark pages dirty
+ */
+void sgx_encl_put_backing(struct sgx_backing *backing, bool do_write)
+{
+ if (do_write) {
+ set_page_dirty(backing->pcmd);
+ set_page_dirty(backing->contents);
+ }
+
+ put_page(backing->pcmd);
+ put_page(backing->contents);
+}
+
+static int sgx_encl_test_and_clear_young_cb(pte_t *ptep, unsigned long addr,
+ void *data)
+{
+ pte_t pte;
+ int ret;
+
+ ret = pte_young(*ptep);
+ if (ret) {
+ pte = pte_mkold(*ptep);
+ set_pte_at((struct mm_struct *)data, addr, ptep, pte);
+ }
+
+ return ret;
+}
+
+/**
+ * sgx_encl_test_and_clear_young() - Test and reset the accessed bit
+ * @mm: mm_struct that is checked
+ * @page: enclave page to be tested for recent access
+ *
+ * Checks the Access (A) bit from the PTE corresponding to the enclave page and
+ * clears it.
+ *
+ * Return: 1 if the page has been recently accessed and 0 if not.
+ */
+int sgx_encl_test_and_clear_young(struct mm_struct *mm,
+ struct sgx_encl_page *page)
+{
+ unsigned long addr = page->desc & PAGE_MASK;
+ struct sgx_encl *encl = page->encl;
+ struct vm_area_struct *vma;
+ int ret;
+
+ ret = sgx_encl_find(mm, addr, &vma);
+ if (ret)
+ return 0;
+
+ if (encl != vma->vm_private_data)
+ return 0;
+
+ ret = apply_to_page_range(vma->vm_mm, addr, PAGE_SIZE,
+ sgx_encl_test_and_clear_young_cb, vma->vm_mm);
+ if (ret < 0)
+ return 0;
+
+ return ret;
+}
+
+/**
+ * sgx_alloc_va_page() - Allocate a Version Array (VA) page
+ *
+ * Allocate a free EPC page and convert it to a Version Array (VA) page.
+ *
+ * Return:
+ * a VA page,
+ * -errno otherwise
+ */
+struct sgx_epc_page *sgx_alloc_va_page(void)
+{
+ struct sgx_epc_page *epc_page;
+ int ret;
+
+ epc_page = sgx_alloc_epc_page(NULL, true);
+ if (IS_ERR(epc_page))
+ return ERR_CAST(epc_page);
+
+ ret = __epa(sgx_get_epc_virt_addr(epc_page));
+ if (ret) {
+ WARN_ONCE(1, "EPA returned %d (0x%x)", ret, ret);
+ sgx_free_epc_page(epc_page);
+ return ERR_PTR(-EFAULT);
+ }
+
+ return epc_page;
+}
+
+/**
+ * sgx_alloc_va_slot - allocate a VA slot
+ * @va_page: a &struct sgx_va_page instance
+ *
+ * Allocates a slot from a &struct sgx_va_page instance.
+ *
+ * Return: offset of the slot inside the VA page
+ */
+unsigned int sgx_alloc_va_slot(struct sgx_va_page *va_page)
+{
+ int slot = find_first_zero_bit(va_page->slots, SGX_VA_SLOT_COUNT);
+
+ if (slot < SGX_VA_SLOT_COUNT)
+ set_bit(slot, va_page->slots);
+
+ return slot << 3;
+}
+
+/**
+ * sgx_free_va_slot - free a VA slot
+ * @va_page: a &struct sgx_va_page instance
+ * @offset: offset of the slot inside the VA page
+ *
+ * Frees a slot from a &struct sgx_va_page instance.
+ */
+void sgx_free_va_slot(struct sgx_va_page *va_page, unsigned int offset)
+{
+ clear_bit(offset >> 3, va_page->slots);
+}
+
+/**
+ * sgx_va_page_full - is the VA page full?
+ * @va_page: a &struct sgx_va_page instance
+ *
+ * Return: true if all slots have been taken
+ */
+bool sgx_va_page_full(struct sgx_va_page *va_page)
+{
+ int slot = find_first_zero_bit(va_page->slots, SGX_VA_SLOT_COUNT);
+
+ return slot == SGX_VA_SLOT_COUNT;
+}
diff --git a/arch/x86/kernel/cpu/sgx/encl.h b/arch/x86/kernel/cpu/sgx/encl.h
index cb7495854095..244e1d93fce2 100644
--- a/arch/x86/kernel/cpu/sgx/encl.h
+++ b/arch/x86/kernel/cpu/sgx/encl.h
@@ -19,11 +19,18 @@
#include <linux/xarray.h>
#include "sgx.h"

+/* 'desc' bits holding the offset in the VA (version array) page. */
+#define SGX_ENCL_PAGE_VA_OFFSET_MASK GENMASK_ULL(11, 3)
+
+/* 'desc' bit marking that the page is being reclaimed. */
+#define SGX_ENCL_PAGE_BEING_RECLAIMED BIT(3)
+
struct sgx_encl_page {
unsigned long desc;
unsigned long vm_max_prot_bits;
struct sgx_epc_page *epc_page;
struct sgx_encl *encl;
+ struct sgx_va_page *va_page;
};

enum sgx_encl_flags {
@@ -33,6 +40,13 @@ enum sgx_encl_flags {
SGX_ENCL_INITIALIZED = BIT(3),
};

+struct sgx_encl_mm {
+ struct sgx_encl *encl;
+ struct mm_struct *mm;
+ struct list_head list;
+ struct mmu_notifier mmu_notifier;
+};
+
struct sgx_encl {
unsigned long base;
unsigned long size;
@@ -44,6 +58,30 @@ struct sgx_encl {
struct sgx_encl_page secs;
unsigned long attributes;
unsigned long attributes_mask;
+
+ cpumask_t cpumask;
+ struct file *backing;
+ struct kref refcount;
+ struct list_head va_pages;
+ unsigned long mm_list_version;
+ struct list_head mm_list;
+ spinlock_t mm_lock;
+ struct srcu_struct srcu;
+};
+
+#define SGX_VA_SLOT_COUNT 512
+
+struct sgx_va_page {
+ struct sgx_epc_page *epc_page;
+ DECLARE_BITMAP(slots, SGX_VA_SLOT_COUNT);
+ struct list_head list;
+};
+
+struct sgx_backing {
+ pgoff_t page_index;
+ struct page *contents;
+ struct page *pcmd;
+ unsigned long pcmd_offset;
};

extern const struct vm_operations_struct sgx_vm_ops;
@@ -53,4 +91,17 @@ int sgx_encl_find(struct mm_struct *mm, unsigned long addr,
int sgx_encl_may_map(struct sgx_encl *encl, unsigned long start,
unsigned long end, unsigned long vm_flags);

+void sgx_encl_release(struct kref *ref);
+int sgx_encl_mm_add(struct sgx_encl *encl, struct mm_struct *mm);
+int sgx_encl_get_backing(struct sgx_encl *encl, unsigned long page_index,
+ struct sgx_backing *backing);
+void sgx_encl_put_backing(struct sgx_backing *backing, bool do_write);
+int sgx_encl_test_and_clear_young(struct mm_struct *mm,
+ struct sgx_encl_page *page);
+
+struct sgx_epc_page *sgx_alloc_va_page(void);
+unsigned int sgx_alloc_va_slot(struct sgx_va_page *va_page);
+void sgx_free_va_slot(struct sgx_va_page *va_page, unsigned int offset);
+bool sgx_va_page_full(struct sgx_va_page *va_page);
+
#endif /* _X86_ENCL_H */
diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
index 0ba0e670e2f0..6d37117ac8a0 100644
--- a/arch/x86/kernel/cpu/sgx/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -16,20 +16,77 @@
#include "encl.h"
#include "encls.h"

+static struct sgx_va_page *sgx_encl_grow(struct sgx_encl *encl)
+{
+ struct sgx_va_page *va_page = NULL;
+ void *err;
+
+ BUILD_BUG_ON(SGX_VA_SLOT_COUNT !=
+ (SGX_ENCL_PAGE_VA_OFFSET_MASK >> 3) + 1);
+
+ if (!(encl->page_cnt % SGX_VA_SLOT_COUNT)) {
+ va_page = kzalloc(sizeof(*va_page), GFP_KERNEL);
+ if (!va_page)
+ return ERR_PTR(-ENOMEM);
+
+ va_page->epc_page = sgx_alloc_va_page();
+ if (IS_ERR(va_page->epc_page)) {
+ err = ERR_CAST(va_page->epc_page);
+ kfree(va_page);
+ return err;
+ }
+
+ WARN_ON_ONCE(encl->page_cnt % SGX_VA_SLOT_COUNT);
+ }
+ encl->page_cnt++;
+ return va_page;
+}
+
+static void sgx_encl_shrink(struct sgx_encl *encl, struct sgx_va_page *va_page)
+{
+ encl->page_cnt--;
+
+ if (va_page) {
+ sgx_free_epc_page(va_page->epc_page);
+ list_del(&va_page->list);
+ kfree(va_page);
+ }
+}
+
static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
{
struct sgx_epc_page *secs_epc;
+ struct sgx_va_page *va_page;
struct sgx_pageinfo pginfo;
struct sgx_secinfo secinfo;
unsigned long encl_size;
+ struct file *backing;
long ret;

+ va_page = sgx_encl_grow(encl);
+ if (IS_ERR(va_page))
+ return PTR_ERR(va_page);
+ else if (va_page)
+ list_add(&va_page->list, &encl->va_pages);
+ /* else the tail page of the VA page list had free slots. */
+
/* The extra page goes to SECS. */
encl_size = secs->size + PAGE_SIZE;

- secs_epc = __sgx_alloc_epc_page();
- if (IS_ERR(secs_epc))
- return PTR_ERR(secs_epc);
+ backing = shmem_file_setup("SGX backing", encl_size + (encl_size >> 5),
+ VM_NORESERVE);
+ if (IS_ERR(backing)) {
+ ret = PTR_ERR(backing);
+ goto err_out_shrink;
+ }
+
+ encl->backing = backing;
+
+ secs_epc = sgx_alloc_epc_page(&encl->secs, true);
+ if (IS_ERR(secs_epc)) {
+ ret = PTR_ERR(secs_epc);
+ goto err_out_backing;
+ }

encl->secs.epc_page = secs_epc;

@@ -63,6 +120,13 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
sgx_free_epc_page(encl->secs.epc_page);
encl->secs.epc_page = NULL;

+err_out_backing:
+ fput(encl->backing);
+ encl->backing = NULL;
+
+err_out_shrink:
+ sgx_encl_shrink(encl, va_page);
+
return ret;
}

@@ -228,21 +292,35 @@ static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long src,
{
struct sgx_encl_page *encl_page;
struct sgx_epc_page *epc_page;
+ struct sgx_va_page *va_page;
int ret;

encl_page = sgx_encl_page_alloc(encl, offset, secinfo->flags);
if (IS_ERR(encl_page))
return PTR_ERR(encl_page);

- epc_page = __sgx_alloc_epc_page();
+ epc_page = sgx_alloc_epc_page(encl_page, true);
if (IS_ERR(epc_page)) {
kfree(encl_page);
return PTR_ERR(epc_page);
}

+ va_page = sgx_encl_grow(encl);
+ if (IS_ERR(va_page)) {
+ ret = PTR_ERR(va_page);
+ goto err_out_free;
+ }
+
mmap_read_lock(current->mm);
mutex_lock(&encl->lock);

+ /*
+ * Adding to encl->va_pages must be done under encl->lock. Ditto for
+ * deleting (via sgx_encl_shrink()) in the error path.
+ */
+ if (va_page)
+ list_add(&va_page->list, &encl->va_pages);
+
/*
* Insert prior to EADD in case of OOM. EADD modifies MRENCLAVE, i.e.
* can't be gracefully unwound, while failure on EADD/EXTEND is limited
@@ -273,6 +351,7 @@ static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long src,
goto err_out;
}

+ sgx_mark_page_reclaimable(encl_page->epc_page);
mutex_unlock(&encl->lock);
mmap_read_unlock(current->mm);
return ret;
@@ -281,9 +360,11 @@ static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long src,
xa_erase(&encl->page_array, PFN_DOWN(encl_page->desc));

err_out_unlock:
+ sgx_encl_shrink(encl, va_page);
mutex_unlock(&encl->lock);
mmap_read_unlock(current->mm);

+err_out_free:
sgx_free_epc_page(epc_page);
kfree(encl_page);

diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
index c2740e0630d1..1588dad06bab 100644
--- a/arch/x86/kernel/cpu/sgx/main.c
+++ b/arch/x86/kernel/cpu/sgx/main.c
@@ -16,6 +16,15 @@
struct sgx_epc_section sgx_epc_sections[SGX_MAX_EPC_SECTIONS];
static int sgx_nr_epc_sections;
static struct task_struct *ksgxswapd_tsk;
+static DECLARE_WAIT_QUEUE_HEAD(ksgxswapd_waitq);
+
+/*
+ * These variables are part of the state of the reclaimer, and must be accessed
+ * with sgx_reclaimer_lock acquired.
+ */
+static LIST_HEAD(sgx_active_page_list);
+
+static DEFINE_SPINLOCK(sgx_reclaimer_lock);

/*
* Reset dirty EPC pages to uninitialized state. Laundry can be left with SECS
@@ -50,6 +59,348 @@ static void sgx_sanitize_section(struct sgx_epc_section *section)
list_splice(&dirty, &section->laundry_list);
}

+static bool sgx_reclaimer_age(struct sgx_epc_page *epc_page)
+{
+ struct sgx_encl_page *page = epc_page->owner;
+ struct sgx_encl *encl = page->encl;
+ struct sgx_encl_mm *encl_mm;
+ bool ret = true;
+ int idx;
+
+ idx = srcu_read_lock(&encl->srcu);
+
+ list_for_each_entry_rcu(encl_mm, &encl->mm_list, list) {
+ if (!mmget_not_zero(encl_mm->mm))
+ continue;
+
+ mmap_read_lock(encl_mm->mm);
+ ret = !sgx_encl_test_and_clear_young(encl_mm->mm, page);
+ mmap_read_unlock(encl_mm->mm);
+
+ mmput_async(encl_mm->mm);
+
+ if (!ret)
+ break;
+ }
+
+ srcu_read_unlock(&encl->srcu, idx);
+
+ if (!ret)
+ return false;
+
+ return true;
+}
+
+static void sgx_reclaimer_block(struct sgx_epc_page *epc_page)
+{
+ struct sgx_encl_page *page = epc_page->owner;
+ unsigned long addr = page->desc & PAGE_MASK;
+ struct sgx_encl *encl = page->encl;
+ unsigned long mm_list_version;
+ struct sgx_encl_mm *encl_mm;
+ struct vm_area_struct *vma;
+ int idx, ret;
+
+ do {
+ mm_list_version = encl->mm_list_version;
+
+ /* Pairs with smp_rmb() in sgx_encl_mm_add(). */
+ smp_rmb();
+
+ idx = srcu_read_lock(&encl->srcu);
+
+ list_for_each_entry_rcu(encl_mm, &encl->mm_list, list) {
+ if (!mmget_not_zero(encl_mm->mm))
+ continue;
+
+ mmap_read_lock(encl_mm->mm);
+
+ ret = sgx_encl_find(encl_mm->mm, addr, &vma);
+ if (!ret && encl == vma->vm_private_data)
+ zap_vma_ptes(vma, addr, PAGE_SIZE);
+
+ mmap_read_unlock(encl_mm->mm);
+
+ mmput_async(encl_mm->mm);
+ }
+
+ srcu_read_unlock(&encl->srcu, idx);
+ } while (unlikely(encl->mm_list_version != mm_list_version));
+
+ mutex_lock(&encl->lock);
+
+ ret = __eblock(sgx_get_epc_virt_addr(epc_page));
+ if (encls_failed(ret))
+ ENCLS_WARN(ret, "EBLOCK");
+
+ mutex_unlock(&encl->lock);
+}
+
+static int __sgx_encl_ewb(struct sgx_epc_page *epc_page, void *va_slot,
+ struct sgx_backing *backing)
+{
+ struct sgx_pageinfo pginfo;
+ int ret;
+
+ pginfo.addr = 0;
+ pginfo.secs = 0;
+
+ pginfo.contents = (unsigned long)kmap_atomic(backing->contents);
+ pginfo.metadata = (unsigned long)kmap_atomic(backing->pcmd) +
+ backing->pcmd_offset;
+
+ ret = __ewb(&pginfo, sgx_get_epc_virt_addr(epc_page), va_slot);
+
+ kunmap_atomic((void *)(unsigned long)(pginfo.metadata -
+ backing->pcmd_offset));
+ kunmap_atomic((void *)(unsigned long)pginfo.contents);
+
+ return ret;
+}
+
+static void sgx_ipi_cb(void *info)
+{
+}
+
+static const cpumask_t *sgx_encl_ewb_cpumask(struct sgx_encl *encl)
+{
+ cpumask_t *cpumask = &encl->cpumask;
+ struct sgx_encl_mm *encl_mm;
+ int idx;
+
+ /*
+ * Can race with sgx_encl_mm_add(), but ETRACK has already been
+ * executed, which means that the CPUs running in the new mm will enter
+ * into the enclave with a fresh epoch.
+ */
+ cpumask_clear(cpumask);
+
+ idx = srcu_read_lock(&encl->srcu);
+
+ list_for_each_entry_rcu(encl_mm, &encl->mm_list, list) {
+ if (!mmget_not_zero(encl_mm->mm))
+ continue;
+
+ cpumask_or(cpumask, cpumask, mm_cpumask(encl_mm->mm));
+
+ mmput_async(encl_mm->mm);
+ }
+
+ srcu_read_unlock(&encl->srcu, idx);
+
+ return cpumask;
+}
+
+/*
+ * Swap page to the regular memory transformed to the blocked state by using
+ * EBLOCK, which means that it can no loger be referenced (no new TLB entries).
+ *
+ * The first trial just tries to write the page assuming that some other thread
+ * has reset the count for threads inside the enlave by using ETRACK, and
+ * previous thread count has been zeroed out. The second trial calls ETRACK
+ * before EWB. If that fails we kick all the HW threads out, and then do EWB,
+ * which should be guaranteed the succeed.
+ */
+static void sgx_encl_ewb(struct sgx_epc_page *epc_page,
+ struct sgx_backing *backing)
+{
+ struct sgx_encl_page *encl_page = epc_page->owner;
+ struct sgx_encl *encl = encl_page->encl;
+ struct sgx_va_page *va_page;
+ unsigned int va_offset;
+ void *va_slot;
+ int ret;
+
+ encl_page->desc &= ~SGX_ENCL_PAGE_BEING_RECLAIMED;
+
+ va_page = list_first_entry(&encl->va_pages, struct sgx_va_page,
+ list);
+ va_offset = sgx_alloc_va_slot(va_page);
+ va_slot = sgx_get_epc_virt_addr(va_page->epc_page) + va_offset;
+ if (sgx_va_page_full(va_page))
+ list_move_tail(&va_page->list, &encl->va_pages);
+
+ ret = __sgx_encl_ewb(epc_page, va_slot, backing);
+ if (ret == SGX_NOT_TRACKED) {
+ ret = __etrack(sgx_get_epc_virt_addr(encl->secs.epc_page));
+ if (ret) {
+ if (encls_failed(ret))
+ ENCLS_WARN(ret, "ETRACK");
+ }
+
+ ret = __sgx_encl_ewb(epc_page, va_slot, backing);
+ if (ret == SGX_NOT_TRACKED) {
+ /*
+ * Slow path, send IPIs to kick cpus out of the
+ * enclave. Note, it's imperative that the cpu
+ * mask is generated *after* ETRACK, else we'll
+ * miss cpus that entered the enclave between
+ * generating the mask and incrementing epoch.
+ */
+ on_each_cpu_mask(sgx_encl_ewb_cpumask(encl),
+ sgx_ipi_cb, NULL, 1);
+ ret = __sgx_encl_ewb(epc_page, va_slot, backing);
+ }
+ }
+
+ if (ret) {
+ if (encls_failed(ret))
+ ENCLS_WARN(ret, "EWB");
+
+ sgx_free_va_slot(va_page, va_offset);
+ } else {
+ encl_page->desc |= va_offset;
+ encl_page->va_page = va_page;
+ }
+}
+
+static void sgx_reclaimer_write(struct sgx_epc_page *epc_page,
+ struct sgx_backing *backing)
+{
+ struct sgx_encl_page *encl_page = epc_page->owner;
+ struct sgx_encl *encl = encl_page->encl;
+ struct sgx_backing secs_backing;
+ int ret;
+
+ mutex_lock(&encl->lock);
+
+ sgx_encl_ewb(epc_page, backing);
+ encl_page->epc_page = NULL;
+ encl->secs_child_cnt--;
+
+ if (!encl->secs_child_cnt && test_bit(SGX_ENCL_INITIALIZED, &encl->flags)) {
+ ret = sgx_encl_get_backing(encl, PFN_DOWN(encl->size),
+ &secs_backing);
+ if (ret)
+ goto out;
+
+ sgx_encl_ewb(encl->secs.epc_page, &secs_backing);
+
+ sgx_free_epc_page(encl->secs.epc_page);
+ encl->secs.epc_page = NULL;
+
+ sgx_encl_put_backing(&secs_backing, true);
+ }
+
+out:
+ mutex_unlock(&encl->lock);
+}
+
+/*
+ * Take a fixed number of pages from the head of the active page pool and
+ * reclaim them to the enclave's private shmem files. Skip the pages, which have
+ * been accessed since the last scan. Move those pages to the tail of active
+ * page pool so that the pages get scanned in LRU like fashion.
+ *
+ * Batch process a chunk of pages (at the moment 16) in order to degrade amount
+ * of IPI's and ETRACK's potentially required. sgx_encl_ewb() does degrade a bit
+ * among the HW threads with three stage EWB pipeline (EWB, ETRACK + EWB and IPI
+ * + EWB) but not sufficiently. Reclaiming one page at a time would also be
+ * problematic as it would increase the lock contention too much, which would
+ * halt forward progress.
+ */
+static void sgx_reclaim_pages(void)
+{
+ struct sgx_epc_page *chunk[SGX_NR_TO_SCAN];
+ struct sgx_backing backing[SGX_NR_TO_SCAN];
+ struct sgx_epc_section *section;
+ struct sgx_encl_page *encl_page;
+ struct sgx_epc_page *epc_page;
+ pgoff_t page_index;
+ int cnt = 0;
+ int ret;
+ int i;
+
+ spin_lock(&sgx_reclaimer_lock);
+ for (i = 0; i < SGX_NR_TO_SCAN; i++) {
+ if (list_empty(&sgx_active_page_list))
+ break;
+
+ epc_page = list_first_entry(&sgx_active_page_list,
+ struct sgx_epc_page, list);
+ list_del_init(&epc_page->list);
+ encl_page = epc_page->owner;
+
+ if (kref_get_unless_zero(&encl_page->encl->refcount) != 0)
+ chunk[cnt++] = epc_page;
+ else
+ /* The owner is freeing the page. No need to add the
+ * page back to the list of reclaimable pages.
+ */
+ epc_page->flags &= ~SGX_EPC_PAGE_RECLAIMER_TRACKED;
+ }
+ spin_unlock(&sgx_reclaimer_lock);
+
+ for (i = 0; i < cnt; i++) {
+ epc_page = chunk[i];
+ encl_page = epc_page->owner;
+
+ if (!sgx_reclaimer_age(epc_page))
+ goto skip;
+
+ page_index = PFN_DOWN(encl_page->desc - encl_page->encl->base);
+ ret = sgx_encl_get_backing(encl_page->encl, page_index, &backing[i]);
+ if (ret)
+ goto skip;
+
+ mutex_lock(&encl_page->encl->lock);
+ encl_page->desc |= SGX_ENCL_PAGE_BEING_RECLAIMED;
+ mutex_unlock(&encl_page->encl->lock);
+ continue;
+
+skip:
+ spin_lock(&sgx_reclaimer_lock);
+ list_add_tail(&epc_page->list, &sgx_active_page_list);
+ spin_unlock(&sgx_reclaimer_lock);
+
+ kref_put(&encl_page->encl->refcount, sgx_encl_release);
+
+ chunk[i] = NULL;
+ }
+
+ for (i = 0; i < cnt; i++) {
+ epc_page = chunk[i];
+ if (epc_page)
+ sgx_reclaimer_block(epc_page);
+ }
+
+ for (i = 0; i < cnt; i++) {
+ epc_page = chunk[i];
+ if (!epc_page)
+ continue;
+
+ encl_page = epc_page->owner;
+ sgx_reclaimer_write(epc_page, &backing[i]);
+ sgx_encl_put_backing(&backing[i], true);
+
+ kref_put(&encl_page->encl->refcount, sgx_encl_release);
+ epc_page->flags &= ~SGX_EPC_PAGE_RECLAIMER_TRACKED;
+
+ section = &sgx_epc_sections[epc_page->section];
+ spin_lock(&section->lock);
+ list_add_tail(&epc_page->list, &section->page_list);
+ section->free_cnt++;
+ spin_unlock(&section->lock);
+ }
+}
+
+static unsigned long sgx_nr_free_pages(void)
+{
+ unsigned long cnt = 0;
+ int i;
+
+ for (i = 0; i < sgx_nr_epc_sections; i++)
+ cnt += sgx_epc_sections[i].free_cnt;
+
+ return cnt;
+}
+
+static bool sgx_should_reclaim(unsigned long watermark)
+{
+ return sgx_nr_free_pages() < watermark &&
+ !list_empty(&sgx_active_page_list);
+}
+
static int ksgxswapd(void *p)
{
int i;
@@ -71,6 +422,20 @@ static int ksgxswapd(void *p)
WARN(1, "EPC section %d has unsanitized pages.\n", i);
}

+ while (!kthread_should_stop()) {
+ if (try_to_freeze())
+ continue;
+
+ wait_event_freezable(ksgxswapd_waitq,
+ kthread_should_stop() ||
+ sgx_should_reclaim(SGX_NR_HIGH_PAGES));
+
+ if (sgx_should_reclaim(SGX_NR_HIGH_PAGES))
+ sgx_reclaim_pages();
+
+ cond_resched();
+ }
+
return 0;
}

@@ -96,6 +461,7 @@ static struct sgx_epc_page *__sgx_alloc_epc_page_from_section(struct sgx_epc_sec

page = list_first_entry(&section->page_list, struct sgx_epc_page, list);
list_del_init(&page->list);
+ section->free_cnt--;

return page;
}
@@ -129,6 +495,100 @@ struct sgx_epc_page *__sgx_alloc_epc_page(void)
return ERR_PTR(-ENOMEM);
}

+/**
+ * sgx_mark_page_reclaimable() - Mark a page as reclaimable
+ * @page: EPC page
+ *
+ * Mark a page as reclaimable and add it to the active page list. Pages
+ * are automatically removed from the active list when freed.
+ */
+void sgx_mark_page_reclaimable(struct sgx_epc_page *page)
+{
+ spin_lock(&sgx_reclaimer_lock);
+ page->flags |= SGX_EPC_PAGE_RECLAIMER_TRACKED;
+ list_add_tail(&page->list, &sgx_active_page_list);
+ spin_unlock(&sgx_reclaimer_lock);
+}
+
+/**
+ * sgx_unmark_page_reclaimable() - Remove a page from the reclaim list
+ * @page: EPC page
+ *
+ * Clear the reclaimable flag and remove the page from the active page list.
+ *
+ * Return:
+ * 0 on success,
+ * -EBUSY if the page is in the process of being reclaimed
+ */
+int sgx_unmark_page_reclaimable(struct sgx_epc_page *page)
+{
+ spin_lock(&sgx_reclaimer_lock);
+ if (page->flags & SGX_EPC_PAGE_RECLAIMER_TRACKED) {
+ /* The page is being reclaimed. */
+ if (list_empty(&page->list)) {
+ spin_unlock(&sgx_reclaimer_lock);
+ return -EBUSY;
+ }
+
+ list_del(&page->list);
+ page->flags &= ~SGX_EPC_PAGE_RECLAIMER_TRACKED;
+ }
+ spin_unlock(&sgx_reclaimer_lock);
+
+ return 0;
+}
+
+/**
+ * sgx_alloc_epc_page() - Allocate an EPC page
+ * @owner: the owner of the EPC page
+ * @reclaim: reclaim pages if necessary
+ *
+ * Iterate through EPC sections and borrow a free EPC page to the caller. When a
+ * page is no longer needed it must be released with sgx_free_epc_page(). If
+ * @reclaim is set to true, directly reclaim pages when we are out of pages. No
+ * mm's can be locked when @reclaim is set to true.
+ *
+ * Finally, wake up ksgxswapd when the number of pages goes below the watermark
+ * before returning back to the caller.
+ *
+ * Return:
+ * an EPC page,
+ * -errno on error
+ */
+struct sgx_epc_page *sgx_alloc_epc_page(void *owner, bool reclaim)
+{
+ struct sgx_epc_page *entry;
+
+ for ( ; ; ) {
+ entry = __sgx_alloc_epc_page();
+ if (!IS_ERR(entry)) {
+ entry->owner = owner;
+ break;
+ }
+
+ if (list_empty(&sgx_active_page_list))
+ return ERR_PTR(-ENOMEM);
+
+ if (!reclaim) {
+ entry = ERR_PTR(-EBUSY);
+ break;
+ }
+
+ if (signal_pending(current)) {
+ entry = ERR_PTR(-ERESTARTSYS);
+ break;
+ }
+
+ sgx_reclaim_pages();
+ schedule();
+ }
+
+ if (sgx_should_reclaim(SGX_NR_LOW_PAGES))
+ wake_up(&ksgxswapd_waitq);
+
+ return entry;
+}
+
/**
* sgx_free_epc_page() - Free an EPC page
* @page: an EPC page
@@ -140,12 +600,15 @@ void sgx_free_epc_page(struct sgx_epc_page *page)
struct sgx_epc_section *section = &sgx_epc_sections[page->section];
int ret;

+ WARN_ON_ONCE(page->flags & SGX_EPC_PAGE_RECLAIMER_TRACKED);
+
ret = __eremove(sgx_get_epc_virt_addr(page));
if (WARN_ONCE(ret, "EREMOVE returned %d (0x%x)", ret, ret))
return;

spin_lock(&section->lock);
list_add_tail(&page->list, &section->page_list);
+ section->free_cnt++;
spin_unlock(&section->lock);
}

@@ -173,9 +636,12 @@ static bool __init sgx_setup_epc_section(u64 phys_addr, u64 size,

for (i = 0; i < nr_pages; i++) {
section->pages[i].section = index;
+ section->pages[i].flags = 0;
+ section->pages[i].owner = NULL;
list_add_tail(&section->pages[i].list, &section->laundry_list);
}

+ section->free_cnt = nr_pages;
return true;
}

diff --git a/arch/x86/kernel/cpu/sgx/sgx.h b/arch/x86/kernel/cpu/sgx/sgx.h
index 91234f425b89..a188a683ffb6 100644
--- a/arch/x86/kernel/cpu/sgx/sgx.h
+++ b/arch/x86/kernel/cpu/sgx/sgx.h
@@ -15,9 +15,17 @@

#define SGX_MAX_EPC_SECTIONS 8
#define SGX_EEXTEND_BLOCK_SIZE 256
+#define SGX_NR_TO_SCAN 16
+#define SGX_NR_LOW_PAGES 32
+#define SGX_NR_HIGH_PAGES 64
+
+/* Pages, which are being tracked by the page reclaimer. */
+#define SGX_EPC_PAGE_RECLAIMER_TRACKED BIT(0)

struct sgx_epc_page {
unsigned int section;
+ unsigned int flags;
+ struct sgx_encl_page *owner;
struct list_head list;
};

@@ -33,6 +41,7 @@ struct sgx_epc_section {
struct list_head page_list;
struct list_head laundry_list;
struct sgx_epc_page *pages;
+ unsigned long free_cnt;
spinlock_t lock;
};

@@ -61,4 +70,8 @@ static inline void *sgx_get_epc_virt_addr(struct sgx_epc_page *page)
struct sgx_epc_page *__sgx_alloc_epc_page(void);
void sgx_free_epc_page(struct sgx_epc_page *page);

+void sgx_mark_page_reclaimable(struct sgx_epc_page *page);
+int sgx_unmark_page_reclaimable(struct sgx_epc_page *page);
+struct sgx_epc_page *sgx_alloc_epc_page(void *owner, bool reclaim);
+
#endif /* _X86_SGX_H */
--
2.27.0

2020-11-04 15:01:58

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 24/24] x86/sgx: Update MAINTAINERS

Add the maintainer information for the SGX subsystem.

Cc: Thomas Gleixner <[email protected]>
Cc: Borislav Petkov <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
MAINTAINERS | 13 +++++++++++++
1 file changed, 13 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index e706e1473818..f5615111bb2f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -9145,6 +9145,19 @@ F: Documentation/x86/intel_txt.rst
F: arch/x86/kernel/tboot.c
F: include/linux/tboot.h

+INTEL SGX
+M: Jarkko Sakkinen <[email protected]>
+L: [email protected]
+S: Supported
+Q: https://patchwork.kernel.org/project/intel-sgx/list/
+T: git git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-sgx.git
+F: Documentation/x86/sgx.rst
+F: arch/x86/entry/vdso/vsgx.S
+F: arch/x86/include/uapi/asm/sgx.h
+F: arch/x86/kernel/cpu/sgx/*
+F: tools/testing/selftests/sgx/*
+K: \bSGX_
+
INTERCONNECT API
M: Georgi Djakov <[email protected]>
L: [email protected]
--
2.27.0

2020-11-04 15:01:58

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 23/24] docs: x86/sgx: Document SGX kernel architecture

Document the Intel SGX kernel architecture. The fine-grained architecture
details can be looked up from Intel SDM Volume 3D.

Cc: [email protected]
Acked-by: Randy Dunlap <[email protected]>
Co-developed-by: Sean Christopherson <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
Documentation/x86/index.rst | 1 +
Documentation/x86/sgx.rst | 211 ++++++++++++++++++++++++++++++++++++
2 files changed, 212 insertions(+)
create mode 100644 Documentation/x86/sgx.rst

diff --git a/Documentation/x86/index.rst b/Documentation/x86/index.rst
index 9c6ebf355f81..e7eb84484ddc 100644
--- a/Documentation/x86/index.rst
+++ b/Documentation/x86/index.rst
@@ -33,3 +33,4 @@ x86-specific Documentation
i386/index
x86_64/index
sva
+ sgx
diff --git a/Documentation/x86/sgx.rst b/Documentation/x86/sgx.rst
new file mode 100644
index 000000000000..b172b133b3ea
--- /dev/null
+++ b/Documentation/x86/sgx.rst
@@ -0,0 +1,211 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+===============================
+Software Guard eXtensions (SGX)
+===============================
+
+Overview
+========
+
+Software Guard eXtensions (SGX) hardware enables for user space applications
+to set aside private memory regions of code and data:
+
+* Privileged (ring-0) ENCLS functions orchestrate the construction of the.
+ regions.
+* Unprivileged (ring-3) ENCLU functions allow an application to enter and
+ execute inside the regions.
+
+These memory regions are called enclaves. An enclave can be only entered at a
+fixed set of entry points. Each entry point can hold a single hardware thread
+at a time. While the enclave is loaded from a regular binary file by using
+ENCLS functions, only the threads inside the enclave can access its memory. The
+region is denied from outside access by the CPU, and encrypted before it leaves
+from LLC.
+
+The support can be determined by
+
+ ``grep sgx /proc/cpuinfo``
+
+SGX must both be supported in the processor and enabled by the BIOS. If SGX
+appears to be unsupported on a system which has hardware support, ensure
+support is enabled in the BIOS. If a BIOS presents a choice between "Enabled"
+and "Software Enabled" modes for SGX, choose "Enabled".
+
+Enclave Page Cache
+==================
+
+SGX utilizes an *Enclave Page Cache (EPC)* to store pages that are associated
+with an enclave. It is contained in a BIOS-reserved region of physical memory.
+Unlike pages used for regular memory, pages can only be accessed from outside of
+the enclave during enclave construction with special, limited SGX instructions.
+
+Only a CPU executing inside an enclave can directly access enclave memory.
+However, a CPU executing inside an enclave may access normal memory outside the
+enclave.
+
+The kernel manages enclave memory similar to how it treats device memory.
+
+Enclave Page Types
+------------------
+
+**SGX Enclave Control Structure (SECS)**
+ Enclave's address range, attributes and other global data are defined
+ by this structure.
+
+**Regular (REG)**
+ Regular EPC pages contain the code and data of an enclave.
+
+**Thread Control Structure (TCS)**
+ Thread Control Structure pages define the entry points to an enclave and
+ track the execution state of an enclave thread.
+
+**Version Array (VA)**
+ Version Array pages contain 512 slots, each of which can contain a version
+ number for a page evicted from the EPC.
+
+Enclave Page Cache Map
+----------------------
+
+The processor tracks EPC pages in a hardware metadata structure called the
+*Enclave Page Cache Map (EPCM)*. The EPCM contains an entry for each EPC page
+which describes the owning enclave, access rights and page type among the other
+things.
+
+EPCM permissions are separate from the normal page tables. This prevents the
+kernel from, for instance, allowing writes to data which an enclave wishes to
+remain read-only. EPCM permissions may only impose additional restrictions on
+top of normal x86 page permissions.
+
+For all intents and purposes, the SGX architecture allows the processor to
+invalidate all EPCM entries at will. This requires that software be prepared to
+handle an EPCM fault at any time. In practice, this can happen on events like
+power transitions when the ephemeral key that encrypts enclave memory is lost.
+
+Application interface
+=====================
+
+Enclave build functions
+-----------------------
+
+In addition to the traditional compiler and linker build process, SGX has a
+separate enclave “build” process. Enclaves must be built before they can be
+executed (entered). The first step in building an enclave is opening the
+**/dev/sgx_enclave** device. Since enclave memory is protected from direct
+access, special privileged instructions are Then used to copy data into enclave
+pages and establish enclave page permissions.
+
+.. kernel-doc:: arch/x86/kernel/cpu/sgx/ioctl.c
+ :functions: sgx_ioc_enclave_create
+ sgx_ioc_enclave_add_pages
+ sgx_ioc_enclave_init
+ sgx_ioc_enclave_provision
+
+Enclave vDSO
+------------
+
+Entering an enclave can only be done through SGX-specific EENTER and ERESUME
+functions, and is a non-trivial process. Because of the complexity of
+transitioning to and from an enclave, enclaves typically utilize a library to
+handle the actual transitions. This is roughly analogous to how glibc
+implementations are used by most applications to wrap system calls.
+
+Another crucial characteristic of enclaves is that they can generate exceptions
+as part of their normal operation that need to be handled in the enclave or are
+unique to SGX.
+
+Instead of the traditional signal mechanism to handle these exceptions, SGX
+can leverage special exception fixup provided by the vDSO. The kernel-provided
+vDSO function wraps low-level transitions to/from the enclave like EENTER and
+ERESUME. The vDSO function intercepts exceptions that would otherwise generate
+a signal and return the fault information directly to its caller. This avoids
+the need to juggle signal handlers.
+
+.. kernel-doc:: arch/x86/include/uapi/asm/sgx.h
+ :functions: vdso_sgx_enter_enclave_t
+
+ksgxswapd
+=========
+
+SGX support includes a kernel thread called *ksgxwapd*.
+
+EPC sanitization
+----------------
+
+ksgxswapd is started when SGX initializes. Enclave memory is typically ready
+For use when the processor powers on or resets. However, if SGX has been in
+use since the reset, enclave pages may be in an inconsistent state. This might
+occur after a crash and kexec() cycle, for instance. At boot, ksgxswapd
+reinitializes all enclave pages so that they can be allocated and re-used.
+
+The sanitization is done by going through EPC address space and applying the
+EREMOVE function to each physical page. Some enclave pages like SECS pages have
+hardware dependencies on other pages which prevents EREMOVE from functioning.
+Executing two EREMOVE passes removes the dependencies.
+
+Page reclaimer
+--------------
+
+Similar to the core kswapd, ksgxswapd, is responsible for managing the
+overcommitment of enclave memory. If the system runs out of enclave memory,
+*ksgxwapd* “swaps” enclave memory to normal memory.
+
+Launch Control
+==============
+
+SGX provides a launch control mechanism. After all enclave pages have been
+copied, kernel executes EINIT function, which initializes the enclave. Only after
+this the CPU can execute inside the enclave.
+
+ENIT function takes an RSA-3072 signature of the enclave measurement. The function
+checks that the measurement is correct and signature is signed with the key
+hashed to the four **IA32_SGXLEPUBKEYHASH{0, 1, 2, 3}** MSRs representing the
+SHA256 of a public key.
+
+Those MSRs can be configured by the BIOS to be either readable or writable.
+Linux supports only writable configuration in order to give full control to the
+kernel on launch control policy. Before calling EINIT function, the driver sets
+the MSRs to match the enclave's signing key.
+
+Encryption engines
+==================
+
+In order to conceal the enclave data while it is out of the CPU package, the
+memory controller has an encryption engine to transparently encrypt and decrypt
+enclave memory.
+
+In CPUs prior to Ice Lake, the Memory Encryption Engine (MEE) is used to
+encrypt pages leaving the CPU caches. MEE uses a n-ary Merkle tree with root in
+SRAM to maintain integrity of the encrypted data. This provides integrity and
+anti-replay protection but does not scale to large memory sizes because the time
+required to update the Merkle tree grows logarithmically in relation to the
+memory size.
+
+CPUs starting from Icelake use Total Memory Encryption (TME) in the place of
+MEE. TME-based SGX implementations do not have an integrity Merkle tree, which
+means integrity and replay-attacks are not mitigated. B, it includes
+additional changes to prevent cipher text from being returned and SW memory
+aliases from being Created.
+
+DMA to enclave memory is blocked by range registers on both MEE and TME systems
+(SDM section 41.10).
+
+Usage Models
+============
+
+Shared Library
+--------------
+
+Sensitive data and the code that acts on it is partitioned from the application
+into a separate library. The library is then linked as a DSO which can be loaded
+into an enclave. The application can then make individual function calls into
+the enclave through special SGX instructions. A run-time within the enclave is
+configured to marshal function parameters into and out of the enclave and to
+call the correct library function.
+
+Application Container
+---------------------
+
+An application may be loaded into a container enclave which is specially
+configured with a library OS and run-time which permits the application to run.
+The enclave run-time and library OS work together to execute the application
+when a thread enters the enclave.
--
2.27.0

2020-11-04 17:36:13

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 19/24] x86/vdso: Implement a vDSO for Intel SGX enclave call

From: Sean Christopherson <[email protected]>

Enclaves encounter exceptions for lots of reasons: everything from enclave
page faults to NULL pointer dereferences, to system calls that must be
“proxied” to the kernel from outside the enclave.

In addition to the code contained inside an enclave, there is also
supporting code outside the enclave called an “SGX runtime”, which is
virtually always implemented inside a shared library. The runtime helps
build the enclave and handles things like *re*building the enclave if it
got destroyed by something like a suspend/resume cycle.

The rebuilding has traditionally been handled in SIGSEGV handlers,
registered by the library. But, being process-wide, shared state, signal
handling and shared libraries do not mix well.

Introduce a vDSO function call that wraps the enclave entry functions
(EENTER/ERESUME functions of the ENCLU instruciton) and returns information
about any exceptions to the caller in the SGX runtime.

Instead of generating a signal, the kernel places exception information in
RDI, RSI and RDX. The kernel-provided userspace portion of the vDSO handler
will place this information in a user-provided buffer or trigger a
user-provided callback at the time of the exception.

The vDSO function calling convention uses the standard RDI RSI, RDX, RCX,
R8 and R9 registers. This makes it possible to declare the vDSO as a C
prototype, but other than that there is no specific support for SystemV
ABI. Things like storing XSAVE are the responsibility of the enclave and
the runtime.

Suggested-by: Andy Lutomirski <[email protected]>
Acked-by: Jethro Beekman <[email protected]>
Tested-by: Jethro Beekman <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Co-developed-by: Cedric Xing <[email protected]>
Signed-off-by: Cedric Xing <[email protected]>
Co-developed-by: Jarkko Sakkinen <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
Changes from v39:
* Relayout out the user handler documentation: return values are described
in sgx_enclave_user_handler_t keneldoc and broad description is given
in struct sgx_enclave_run kerneldoc.
* Rename @leaf as @function, given that we want to speak consistently
about ENCLS and ENCLU functions.
* Reorder user_handler and user_data as the last fields in
sgx_enclave_run, as they are an extension to the basic functionality.

arch/x86/entry/vdso/Makefile | 2 +
arch/x86/entry/vdso/vdso.lds.S | 1 +
arch/x86/entry/vdso/vsgx.S | 151 ++++++++++++++++++++++++++++++++
arch/x86/include/asm/enclu.h | 9 ++
arch/x86/include/uapi/asm/sgx.h | 91 +++++++++++++++++++
5 files changed, 254 insertions(+)
create mode 100644 arch/x86/entry/vdso/vsgx.S
create mode 100644 arch/x86/include/asm/enclu.h

diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
index 2ad757fb3c23..9915fbd34264 100644
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -27,6 +27,7 @@ VDSO32-$(CONFIG_IA32_EMULATION) := y
vobjs-y := vdso-note.o vclock_gettime.o vgetcpu.o
vobjs32-y := vdso32/note.o vdso32/system_call.o vdso32/sigreturn.o
vobjs32-y += vdso32/vclock_gettime.o
+vobjs-$(VDSO64-y) += vsgx.o

# files to link into kernel
obj-y += vma.o extable.o
@@ -98,6 +99,7 @@ $(vobjs): KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS
CFLAGS_REMOVE_vclock_gettime.o = -pg
CFLAGS_REMOVE_vdso32/vclock_gettime.o = -pg
CFLAGS_REMOVE_vgetcpu.o = -pg
+CFLAGS_REMOVE_vsgx.o = -pg

#
# X32 processes use x32 vDSO to access 64bit kernel data.
diff --git a/arch/x86/entry/vdso/vdso.lds.S b/arch/x86/entry/vdso/vdso.lds.S
index 36b644e16272..4bf48462fca7 100644
--- a/arch/x86/entry/vdso/vdso.lds.S
+++ b/arch/x86/entry/vdso/vdso.lds.S
@@ -27,6 +27,7 @@ VERSION {
__vdso_time;
clock_getres;
__vdso_clock_getres;
+ __vdso_sgx_enter_enclave;
local: *;
};
}
diff --git a/arch/x86/entry/vdso/vsgx.S b/arch/x86/entry/vdso/vsgx.S
new file mode 100644
index 000000000000..86a0e94f68df
--- /dev/null
+++ b/arch/x86/entry/vdso/vsgx.S
@@ -0,0 +1,151 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+#include <linux/linkage.h>
+#include <asm/export.h>
+#include <asm/errno.h>
+#include <asm/enclu.h>
+
+#include "extable.h"
+
+/* Relative to %rbp. */
+#define SGX_ENCLAVE_OFFSET_OF_RUN 16
+
+/* The offsets relative to struct sgx_enclave_run. */
+#define SGX_ENCLAVE_RUN_TCS 0
+#define SGX_ENCLAVE_RUN_LEAF 8
+#define SGX_ENCLAVE_RUN_EXCEPTION_VECTOR 12
+#define SGX_ENCLAVE_RUN_EXCEPTION_ERROR_CODE 14
+#define SGX_ENCLAVE_RUN_EXCEPTION_ADDR 16
+#define SGX_ENCLAVE_RUN_USER_HANDLER 24
+#define SGX_ENCLAVE_RUN_USER_DATA 32 /* not used */
+#define SGX_ENCLAVE_RUN_RESERVED_START 40
+#define SGX_ENCLAVE_RUN_RESERVED_END 256
+
+.code64
+.section .text, "ax"
+
+SYM_FUNC_START(__vdso_sgx_enter_enclave)
+ /* Prolog */
+ .cfi_startproc
+ push %rbp
+ .cfi_adjust_cfa_offset 8
+ .cfi_rel_offset %rbp, 0
+ mov %rsp, %rbp
+ .cfi_def_cfa_register %rbp
+ push %rbx
+ .cfi_rel_offset %rbx, -8
+
+ mov %ecx, %eax
+.Lenter_enclave:
+ /* EENTER <= function <= ERESUME */
+ cmp $EENTER, %eax
+ jb .Linvalid_input
+ cmp $ERESUME, %eax
+ ja .Linvalid_input
+
+ mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rcx
+
+ /* Validate that the reserved area contains only zeros. */
+ mov $SGX_ENCLAVE_RUN_RESERVED_START, %rbx
+1:
+ cmpq $0, (%rcx, %rbx)
+ jne .Linvalid_input
+ add $8, %rbx
+ cmpq $SGX_ENCLAVE_RUN_RESERVED_END, %rbx
+ jne 1b
+
+ /* Load TCS and AEP */
+ mov SGX_ENCLAVE_RUN_TCS(%rcx), %rbx
+ lea .Lasync_exit_pointer(%rip), %rcx
+
+ /* Single ENCLU serving as both EENTER and AEP (ERESUME) */
+.Lasync_exit_pointer:
+.Lenclu_eenter_eresume:
+ enclu
+
+ /* EEXIT jumps here unless the enclave is doing something fancy. */
+ mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
+
+ /* Set exit_reason. */
+ movl $EEXIT, SGX_ENCLAVE_RUN_LEAF(%rbx)
+
+ /* Invoke userspace's exit handler if one was provided. */
+.Lhandle_exit:
+ cmpq $0, SGX_ENCLAVE_RUN_USER_HANDLER(%rbx)
+ jne .Linvoke_userspace_handler
+
+ /* Success, in the sense that ENCLU was attempted. */
+ xor %eax, %eax
+
+.Lout:
+ pop %rbx
+ leave
+ .cfi_def_cfa %rsp, 8
+ ret
+
+ /* The out-of-line code runs with the pre-leave stack frame. */
+ .cfi_def_cfa %rbp, 16
+
+.Linvalid_input:
+ mov $(-EINVAL), %eax
+ jmp .Lout
+
+.Lhandle_exception:
+ mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
+
+ /* Set the exception info. */
+ mov %eax, (SGX_ENCLAVE_RUN_LEAF)(%rbx)
+ mov %di, (SGX_ENCLAVE_RUN_EXCEPTION_VECTOR)(%rbx)
+ mov %si, (SGX_ENCLAVE_RUN_EXCEPTION_ERROR_CODE)(%rbx)
+ mov %rdx, (SGX_ENCLAVE_RUN_EXCEPTION_ADDR)(%rbx)
+ jmp .Lhandle_exit
+
+.Linvoke_userspace_handler:
+ /* Pass the untrusted RSP (at exit) to the callback via %rcx. */
+ mov %rsp, %rcx
+
+ /* Save struct sgx_enclave_exception %rbx is about to be clobbered. */
+ mov %rbx, %rax
+
+ /* Save the untrusted RSP offset in %rbx (non-volatile register). */
+ mov %rsp, %rbx
+ and $0xf, %rbx
+
+ /*
+ * Align stack per x86_64 ABI. Note, %rsp needs to be 16-byte aligned
+ * _after_ pushing the parameters on the stack, hence the bonus push.
+ */
+ and $-0x10, %rsp
+ push %rax
+
+ /* Push struct sgx_enclave_exception as a param to the callback. */
+ push %rax
+
+ /* Clear RFLAGS.DF per x86_64 ABI */
+ cld
+
+ /*
+ * Load the callback pointer to %rax and lfence for LVI (load value
+ * injection) protection before making the call.
+ */
+ mov SGX_ENCLAVE_RUN_USER_HANDLER(%rax), %rax
+ lfence
+ call *%rax
+
+ /* Undo the post-exit %rsp adjustment. */
+ lea 0x10(%rsp, %rbx), %rsp
+
+ /*
+ * If the return from callback is zero or negative, return immediately,
+ * else re-execute ENCLU with the postive return value interpreted as
+ * the requested ENCLU function.
+ */
+ cmp $0, %eax
+ jle .Lout
+ jmp .Lenter_enclave
+
+ .cfi_endproc
+
+_ASM_VDSO_EXTABLE_HANDLE(.Lenclu_eenter_eresume, .Lhandle_exception)
+
+SYM_FUNC_END(__vdso_sgx_enter_enclave)
diff --git a/arch/x86/include/asm/enclu.h b/arch/x86/include/asm/enclu.h
new file mode 100644
index 000000000000..b1314e41a744
--- /dev/null
+++ b/arch/x86/include/asm/enclu.h
@@ -0,0 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_X86_ENCLU_H
+#define _ASM_X86_ENCLU_H
+
+#define EENTER 0x02
+#define ERESUME 0x03
+#define EEXIT 0x04
+
+#endif /* _ASM_X86_ENCLU_H */
diff --git a/arch/x86/include/uapi/asm/sgx.h b/arch/x86/include/uapi/asm/sgx.h
index c32210235bf5..791e45334a4a 100644
--- a/arch/x86/include/uapi/asm/sgx.h
+++ b/arch/x86/include/uapi/asm/sgx.h
@@ -74,4 +74,95 @@ struct sgx_enclave_provision {
__u64 fd;
};

+struct sgx_enclave_run;
+
+/**
+ * typedef sgx_enclave_user_handler_t - Exit handler function accepted by
+ * __vdso_sgx_enter_enclave()
+ * @run: The run instance given by the caller
+ *
+ * The register parameters contain the snapshot of their values at enclave
+ * exit. An invalid ENCLU function number will cause -EINVAL to be returned
+ * to the caller.
+ *
+ * Return:
+ * - <= 0: The given value is returned back to the caller.
+ * - > 0: ENCLU function to invoke, either EENTER or ERESUME.
+ */
+typedef int (*sgx_enclave_user_handler_t)(long rdi, long rsi, long rdx,
+ long rsp, long r8, long r9,
+ struct sgx_enclave_run *run);
+
+/**
+ * struct sgx_enclave_run - the execution context of __vdso_sgx_enter_enclave()
+ * @tcs: TCS used to enter the enclave
+ * @function: The last seen ENCLU function (EENTER, ERESUME or EEXIT)
+ * @exception_vector: The interrupt vector of the exception
+ * @exception_error_code: The exception error code pulled out of the stack
+ * @exception_addr: The address that triggered the exception
+ * @user_handler: User provided callback run on exception
+ * @user_data: Data passed to the user handler
+ * @reserved Reserved for future extensions
+ *
+ * If @user_handler is provided, the handler will be invoked on all return paths
+ * of the normal flow. The user handler may transfer control, e.g. via a
+ * longjmp() call or a C++ exception, without returning to
+ * __vdso_sgx_enter_enclave().
+ */
+struct sgx_enclave_run {
+ __u64 tcs;
+ __u32 function;
+ __u16 exception_vector;
+ __u16 exception_error_code;
+ __u64 exception_addr;
+ __u64 user_handler;
+ __u64 user_data;
+ __u8 reserved[216];
+};
+
+/**
+ * typedef vdso_sgx_enter_enclave_t - Prototype for __vdso_sgx_enter_enclave(),
+ * a vDSO function to enter an SGX enclave.
+ * @rdi: Pass-through value for RDI
+ * @rsi: Pass-through value for RSI
+ * @rdx: Pass-through value for RDX
+ * @function: ENCLU function, must be EENTER or ERESUME
+ * @r8: Pass-through value for R8
+ * @r9: Pass-through value for R9
+ * @run: struct sgx_enclave_run, must be non-NULL
+ *
+ * NOTE: __vdso_sgx_enter_enclave() does not ensure full compliance with the
+ * x86-64 ABI, e.g. doesn't handle XSAVE state. Except for non-volatile
+ * general purpose registers, EFLAGS.DF, and RSP alignment, preserving/setting
+ * state in accordance with the x86-64 ABI is the responsibility of the enclave
+ * and its runtime, i.e. __vdso_sgx_enter_enclave() cannot be called from C
+ * code without careful consideration by both the enclave and its runtime.
+ *
+ * All general purpose registers except RAX, RBX and RCX are passed as-is to the
+ * enclave. RAX, RBX and RCX are consumed by EENTER and ERESUME and are loaded
+ * with @function, asynchronous exit pointer, and @run.tcs respectively.
+ *
+ * RBP and the stack are used to anchor __vdso_sgx_enter_enclave() to the
+ * pre-enclave state, e.g. to retrieve @run.exception and @run.user_handler
+ * after an enclave exit. All other registers are available for use by the
+ * enclave and its runtime, e.g. an enclave can push additional data onto the
+ * stack (and modify RSP) to pass information to the optional user handler (see
+ * below).
+ *
+ * Most exceptions reported on ENCLU, including those that occur within the
+ * enclave, are fixed up and reported synchronously instead of being delivered
+ * via a standard signal. Debug Exceptions (#DB) and Breakpoints (#BP) are
+ * never fixed up and are always delivered via standard signals. On synchrously
+ * reported exceptions, -EFAULT is returned and details about the exception are
+ * recorded in @run.exception, the optional sgx_enclave_exception struct.
+ *
+ * Return:
+ * - 0: ENCLU function was successfully executed.
+ * - -EINVAL: Invalid ENCL number (neither EENTER nor ERESUME).
+ */
+typedef int (*vdso_sgx_enter_enclave_t)(unsigned long rdi, unsigned long rsi,
+ unsigned long rdx, unsigned int function,
+ unsigned long r8, unsigned long r9,
+ struct sgx_enclave_run *run);
+
#endif /* _UAPI_ASM_X86_SGX_H */
--
2.27.0

2020-11-04 18:08:30

by Jarkko Sakkinen

[permalink] [raw]
Subject: [PATCH v40 03/24] x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections

From: Sean Christopherson <[email protected]>

Although carved out of normal DRAM, enclave memory is marked in the
system memory map as reserved and is not managed by the core mm. There
may be several regions spread across the system. Each contiguous region
is called an Enclave Page Cache (EPC) section. EPC sections are
enumerated via CPUID

Enclave pages can only be accessed when they are mapped as part of an
enclave, by a hardware thread running inside the enclave.

Parse CPUID data, create metadata for EPC pages and populate a simple
EPC page allocator. Although much smaller, ‘struct sgx_epc_page’
metadata is the SGX analog of the core mm ‘struct page’.

Similar to how the core mm’s page->flags encode zone and NUMA
information, embed the EPC section index to the first eight bits of
sgx_epc_page->desc. This allows a quick reverse lookup from EPC page to
EPC section. Existing client hardware supports only a single section,
while upcoming server hardware will support at most eight sections.
Thus, eight bits should be enough for long term needs.

Acked-by: Jethro Beekman <[email protected]>
Reviewed-by: Darren Kenny <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Co-developed-by: Serge Ayoun <[email protected]>
Signed-off-by: Serge Ayoun <[email protected]>
Co-developed-by: Jarkko Sakkinen <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
---
Change from v39:
* Replace CONFIG_INTEL_SGX with CONFIG_X86_SGX.

arch/x86/Kconfig | 17 +++
arch/x86/kernel/cpu/Makefile | 1 +
arch/x86/kernel/cpu/sgx/Makefile | 2 +
arch/x86/kernel/cpu/sgx/main.c | 190 +++++++++++++++++++++++++++++++
arch/x86/kernel/cpu/sgx/sgx.h | 60 ++++++++++
5 files changed, 270 insertions(+)
create mode 100644 arch/x86/kernel/cpu/sgx/Makefile
create mode 100644 arch/x86/kernel/cpu/sgx/main.c
create mode 100644 arch/x86/kernel/cpu/sgx/sgx.h

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index f6946b81f74a..618d1aabccb8 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1930,6 +1930,23 @@ config X86_INTEL_TSX_MODE_AUTO
side channel attacks- equals the tsx=auto command line parameter.
endchoice

+config X86_SGX
+ bool "Software Guard eXtensions (SGX)"
+ depends on X86_64 && CPU_SUP_INTEL
+ depends on CRYPTO=y
+ depends on CRYPTO_SHA256=y
+ select SRCU
+ select MMU_NOTIFIER
+ help
+ Intel(R) Software Guard eXtensions (SGX) is a set of CPU instructions
+ that can be used by applications to set aside private regions of code
+ and data, referred to as enclaves. An enclave's private memory can
+ only be accessed by code running within the enclave. Accesses from
+ outside the enclave, including other enclaves, are disallowed by
+ hardware.
+
+ If unsure, say N.
+
config EFI
bool "EFI runtime service support"
depends on ACPI
diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
index 93792b457b81..637b499450d1 100644
--- a/arch/x86/kernel/cpu/Makefile
+++ b/arch/x86/kernel/cpu/Makefile
@@ -48,6 +48,7 @@ obj-$(CONFIG_X86_MCE) += mce/
obj-$(CONFIG_MTRR) += mtrr/
obj-$(CONFIG_MICROCODE) += microcode/
obj-$(CONFIG_X86_CPU_RESCTRL) += resctrl/
+obj-$(CONFIG_X86_SGX) += sgx/

obj-$(CONFIG_X86_LOCAL_APIC) += perfctr-watchdog.o

diff --git a/arch/x86/kernel/cpu/sgx/Makefile b/arch/x86/kernel/cpu/sgx/Makefile
new file mode 100644
index 000000000000..79510ce01b3b
--- /dev/null
+++ b/arch/x86/kernel/cpu/sgx/Makefile
@@ -0,0 +1,2 @@
+obj-y += \
+ main.o
diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
new file mode 100644
index 000000000000..956055a0eff6
--- /dev/null
+++ b/arch/x86/kernel/cpu/sgx/main.c
@@ -0,0 +1,190 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright(c) 2016-20 Intel Corporation. */
+
+#include <linux/freezer.h>
+#include <linux/highmem.h>
+#include <linux/kthread.h>
+#include <linux/pagemap.h>
+#include <linux/ratelimit.h>
+#include <linux/sched/mm.h>
+#include <linux/sched/signal.h>
+#include <linux/slab.h>
+#include "encls.h"
+
+struct sgx_epc_section sgx_epc_sections[SGX_MAX_EPC_SECTIONS];
+static int sgx_nr_epc_sections;
+static struct task_struct *ksgxswapd_tsk;
+
+/*
+ * Reset dirty EPC pages to uninitialized state. Laundry can be left with SECS
+ * pages whose child pages blocked EREMOVE.
+ */
+static void sgx_sanitize_section(struct sgx_epc_section *section)
+{
+ struct sgx_epc_page *page;
+ LIST_HEAD(dirty);
+ int ret;
+
+ while (!list_empty(&section->laundry_list)) {
+ if (kthread_should_stop())
+ return;
+
+ spin_lock(&section->lock);
+
+ page = list_first_entry(&section->laundry_list,
+ struct sgx_epc_page, list);
+
+ ret = __eremove(sgx_get_epc_virt_addr(page));
+ if (!ret)
+ list_move(&page->list, &section->page_list);
+ else
+ list_move_tail(&page->list, &dirty);
+
+ spin_unlock(&section->lock);
+
+ cond_resched();
+ }
+
+ list_splice(&dirty, &section->laundry_list);
+}
+
+static int ksgxswapd(void *p)
+{
+ int i;
+
+ set_freezable();
+
+ /*
+ * Sanitize pages in order to recover from kexec(). The 2nd pass is
+ * required for SECS pages, whose child pages blocked EREMOVE.
+ */
+ for (i = 0; i < sgx_nr_epc_sections; i++)
+ sgx_sanitize_section(&sgx_epc_sections[i]);
+
+ for (i = 0; i < sgx_nr_epc_sections; i++) {
+ sgx_sanitize_section(&sgx_epc_sections[i]);
+
+ /* Should never happen. */
+ if (!list_empty(&sgx_epc_sections[i].laundry_list))
+ WARN(1, "EPC section %d has unsanitized pages.\n", i);
+ }
+
+ return 0;
+}
+
+static bool __init sgx_page_reclaimer_init(void)
+{
+ struct task_struct *tsk;
+
+ tsk = kthread_run(ksgxswapd, NULL, "ksgxswapd");
+ if (IS_ERR(tsk))
+ return false;
+
+ ksgxswapd_tsk = tsk;
+
+ return true;
+}
+
+static bool __init sgx_setup_epc_section(u64 phys_addr, u64 size,
+ unsigned long index,
+ struct sgx_epc_section *section)
+{
+ unsigned long nr_pages = size >> PAGE_SHIFT;
+ unsigned long i;
+
+ section->virt_addr = memremap(phys_addr, size, MEMREMAP_WB);
+ if (!section->virt_addr)
+ return false;
+
+ section->pages = vmalloc(nr_pages * sizeof(struct sgx_epc_page));
+ if (!section->pages) {
+ memunmap(section->virt_addr);
+ return false;
+ }
+
+ section->phys_addr = phys_addr;
+ spin_lock_init(&section->lock);
+ INIT_LIST_HEAD(&section->page_list);
+ INIT_LIST_HEAD(&section->laundry_list);
+
+ for (i = 0; i < nr_pages; i++) {
+ section->pages[i].section = index;
+ list_add_tail(&section->pages[i].list, &section->laundry_list);
+ }
+
+ return true;
+}
+
+/**
+ * A section metric is concatenated in a way that @low bits 12-31 define the
+ * bits 12-31 of the metric and @high bits 0-19 define the bits 32-51 of the
+ * metric.
+ */
+static inline u64 __init sgx_calc_section_metric(u64 low, u64 high)
+{
+ return (low & GENMASK_ULL(31, 12)) +
+ ((high & GENMASK_ULL(19, 0)) << 32);
+}
+
+static bool __init sgx_page_cache_init(void)
+{
+ u32 eax, ebx, ecx, edx, type;
+ u64 pa, size;
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(sgx_epc_sections); i++) {
+ cpuid_count(SGX_CPUID, i + SGX_CPUID_EPC, &eax, &ebx, &ecx, &edx);
+
+ type = eax & SGX_CPUID_EPC_MASK;
+ if (type == SGX_CPUID_EPC_INVALID)
+ break;
+
+ if (type != SGX_CPUID_EPC_SECTION) {
+ pr_err_once("Unknown EPC section type: %u\n", type);
+ break;
+ }
+
+ pa = sgx_calc_section_metric(eax, ebx);
+ size = sgx_calc_section_metric(ecx, edx);
+
+ pr_info("EPC section 0x%llx-0x%llx\n", pa, pa + size - 1);
+
+ if (!sgx_setup_epc_section(pa, size, i, &sgx_epc_sections[i])) {
+ pr_err("No free memory for an EPC section\n");
+ break;
+ }
+
+ sgx_nr_epc_sections++;
+ }
+
+ if (!sgx_nr_epc_sections) {
+ pr_err("There are zero EPC sections.\n");
+ return false;
+ }
+
+ return true;
+}
+
+static void __init sgx_init(void)
+{
+ int i;
+
+ if (!boot_cpu_has(X86_FEATURE_SGX))
+ return;
+
+ if (!sgx_page_cache_init())
+ return;
+
+ if (!sgx_page_reclaimer_init())
+ goto err_page_cache;
+
+ return;
+
+err_page_cache:
+ for (i = 0; i < sgx_nr_epc_sections; i++) {
+ vfree(sgx_epc_sections[i].pages);
+ memunmap(sgx_epc_sections[i].virt_addr);
+ }
+}
+
+device_initcall(sgx_init);
diff --git a/arch/x86/kernel/cpu/sgx/sgx.h b/arch/x86/kernel/cpu/sgx/sgx.h
new file mode 100644
index 000000000000..02afa84dd8fd
--- /dev/null
+++ b/arch/x86/kernel/cpu/sgx/sgx.h
@@ -0,0 +1,60 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _X86_SGX_H
+#define _X86_SGX_H
+
+#include <linux/bitops.h>
+#include <linux/err.h>
+#include <linux/io.h>
+#include <linux/rwsem.h>
+#include <linux/types.h>
+#include <asm/asm.h>
+#include "arch.h"
+
+#undef pr_fmt
+#define pr_fmt(fmt) "sgx: " fmt
+
+#define SGX_MAX_EPC_SECTIONS 8
+
+struct sgx_epc_page {
+ unsigned int section;
+ struct list_head list;
+};
+
+/*
+ * The firmware can define multiple chunks of EPC to the different areas of the
+ * physical memory e.g. for memory areas of the each node. This structure is
+ * used to store EPC pages for one EPC section and virtual memory area where
+ * the pages have been mapped.
+ */
+struct sgx_epc_section {
+ unsigned long phys_addr;
+ void *virt_addr;
+ struct list_head page_list;
+ struct list_head laundry_list;
+ struct sgx_epc_page *pages;
+ spinlock_t lock;
+};
+
+extern struct sgx_epc_section sgx_epc_sections[SGX_MAX_EPC_SECTIONS];
+
+static inline unsigned long sgx_get_epc_phys_addr(struct sgx_epc_page *page)
+{
+ struct sgx_epc_section *section = &sgx_epc_sections[page->section];
+ unsigned long index;
+
+ index = ((unsigned long)page - (unsigned long)section->pages) / sizeof(*page);
+
+ return section->phys_addr + index * PAGE_SIZE;
+}
+
+static inline void *sgx_get_epc_virt_addr(struct sgx_epc_page *page)
+{
+ struct sgx_epc_section *section = &sgx_epc_sections[page->section];
+ unsigned long index;
+
+ index = ((unsigned long)page - (unsigned long)section->pages) / sizeof(*page);
+
+ return section->virt_addr + index * PAGE_SIZE;
+}
+
+#endif /* _X86_SGX_H */
--
2.27.0

2020-11-04 19:32:54

by Borislav Petkov

[permalink] [raw]
Subject: Re: [PATCH v40 03/24] x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections

On Wed, Nov 04, 2020 at 09:09:03PM +0200, Jarkko Sakkinen wrote:
> If you want, I can do a resend of this version same time underlining
> that this the only difference and I do have a framework to check this
> thing in place.

No need - I'll simply reorder them here and see how far I'd get.

Thx.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

2020-11-04 19:33:01

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v40 03/24] x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections

On Wed, Nov 04, 2020 at 07:21:29PM +0100, Borislav Petkov wrote:
> On Wed, Nov 04, 2020 at 04:54:09PM +0200, Jarkko Sakkinen wrote:
> > +static void __init sgx_init(void)
> > +{
> > + int i;
> > +
> > + if (!boot_cpu_has(X86_FEATURE_SGX))
>
> Guys, you need to build-test *every* *single* patch - otherwise we break
> bisectability and that is a no-no:

I've done it quite a few times (every time I've rebased my tree). I did
today too before sending but forgot to redo git format-patch again (was
the very last thing). In my tree the order is:

e987eb0c95dd (HEAD -> master, origin/master, origin/HEAD) x86/sgx: Update MAINTAINERS
90dc0ee37f44 docs: x86/sgx: Document SGX kernel architecture
1c2e9bdab128 x86/sgx: Add ptrace() support for the SGX driver
05ce4345fb5f x86/sgx: Add a page reclaimer
94c1f778fa09 selftests/x86: Add a selftest for SGX
741b631d197b x86/vdso: Implement a vDSO for Intel SGX enclave call
5744b02641ff x86/traps: Attempt to fixup exceptions in vDSO before signaling
e957c7e79dd0 x86/fault: Add helper function to sanitize error code
96cc520b2bc9 x86/vdso: Add support for exception fixup in vDSO functions
4aff9d81b2fe x86/sgx: Add SGX_IOC_ENCLAVE_PROVISION
ea9bc917c469 x86/sgx: Add SGX_IOC_ENCLAVE_INIT
6e61e843291d x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES
4235ce22235e x86/sgx: Add SGX_IOC_ENCLAVE_CREATE
681299401c91 x86/sgx: Add SGX misc driver interface
fbd69fd9acf4 mm: Add 'mprotect' hook to struct vm_operations_struct
93b27a8908aa x86/sgx: Add SGX page allocator functions
5984a2ca130c x86/cpu/intel: Add nosgx kernel parameter
e131efe5ba06 x86/cpu/intel: Detect SGX support
b0bacb54d36c x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX
0c64b4c07298 x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections
358d17098c4c x86/cpufeatures: x86/msr: Add Intel SGX Launch Control hardware bits
8f7ab60e5458 x86/cpufeatures: x86/msr: Add Intel SGX hardware bits
0fb18ca935cf x86/sgx: Add wrappers for ENCLS functions
3dbc95582baf x86/sgx: Add SGX architectural data structures

I always do this before I send the patch set (or rebase my tree):

for x in {23..0}
do
git checkout master~$x
git clean -f -d -x
make tinyconfig && cat >> .config <<EOF
CONFIG_64BIT=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
CONFIG_X86_SGX=y
CONFIG_DEBUG_INFO=y
EOF
yes '' | make oldconfig && make CC="ccache gcc" -j$(nproc) || break
git --no-pager log --oneline -1 >> success.txt
done

The order is the only difference between the patch set and my tree (i.e.
diff's do not conflict between the orderings).

> arch/x86/kernel/cpu/sgx/main.c: In function ‘sgx_init’:
> arch/x86/kernel/cpu/sgx/main.c:172:20: error: ‘X86_FEATURE_SGX’ undeclared (first use in this function); did you mean ‘X86_FEATURE_SMX’?
> 172 | if (!boot_cpu_has(X86_FEATURE_SGX))
> | ^~~~~~~~~~~~~~~
> ./arch/x86/include/asm/cpufeature.h:118:24: note: in definition of macro ‘cpu_has’
> 118 | (__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : \
> | ^~~
> arch/x86/kernel/cpu/sgx/main.c:172:7: note: in expansion of macro ‘boot_cpu_has’
> 172 | if (!boot_cpu_has(X86_FEATURE_SGX))
> | ^~~~~~~~~~~~
> arch/x86/kernel/cpu/sgx/main.c:172:20: note: each undeclared identifier is reported only once for each function it appears in
> 172 | if (!boot_cpu_has(X86_FEATURE_SGX))
> | ^~~~~~~~~~~~~~~
> ./arch/x86/include/asm/cpufeature.h:118:24: note: in definition of macro ‘cpu_has’
> 118 | (__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : \
> | ^~~
> arch/x86/kernel/cpu/sgx/main.c:172:7: note: in expansion of macro ‘boot_cpu_has’
> 172 | if (!boot_cpu_has(X86_FEATURE_SGX))
> | ^~~~~~~~~~~~
> make[4]: *** [scripts/Makefile.build:283: arch/x86/kernel/cpu/sgx/main.o] Error 1
> make[3]: *** [scripts/Makefile.build:500: arch/x86/kernel/cpu/sgx] Error 2
> make[2]: *** [scripts/Makefile.build:500: arch/x86/kernel/cpu] Error 2
> make[2]: *** Waiting for unfinished jobs....
> make[1]: *** [scripts/Makefile.build:500: arch/x86/kernel] Error 2
> make[1]: *** Waiting for unfinished jobs....
> make: *** [Makefile:1799: arch/x86] Error 2
> make: *** Waiting for unfinished jobs....
>
> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette

/Jarkko

2020-11-04 20:35:50

by Borislav Petkov

[permalink] [raw]
Subject: Re: [PATCH v40 03/24] x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections

On Wed, Nov 04, 2020 at 04:54:09PM +0200, Jarkko Sakkinen wrote:
> +static void __init sgx_init(void)
> +{
> + int i;
> +
> + if (!boot_cpu_has(X86_FEATURE_SGX))

Guys, you need to build-test *every* *single* patch - otherwise we break
bisectability and that is a no-no:

arch/x86/kernel/cpu/sgx/main.c: In function ‘sgx_init’:
arch/x86/kernel/cpu/sgx/main.c:172:20: error: ‘X86_FEATURE_SGX’ undeclared (first use in this function); did you mean ‘X86_FEATURE_SMX’?
172 | if (!boot_cpu_has(X86_FEATURE_SGX))
| ^~~~~~~~~~~~~~~
./arch/x86/include/asm/cpufeature.h:118:24: note: in definition of macro ‘cpu_has’
118 | (__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : \
| ^~~
arch/x86/kernel/cpu/sgx/main.c:172:7: note: in expansion of macro ‘boot_cpu_has’
172 | if (!boot_cpu_has(X86_FEATURE_SGX))
| ^~~~~~~~~~~~
arch/x86/kernel/cpu/sgx/main.c:172:20: note: each undeclared identifier is reported only once for each function it appears in
172 | if (!boot_cpu_has(X86_FEATURE_SGX))
| ^~~~~~~~~~~~~~~
./arch/x86/include/asm/cpufeature.h:118:24: note: in definition of macro ‘cpu_has’
118 | (__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : \
| ^~~
arch/x86/kernel/cpu/sgx/main.c:172:7: note: in expansion of macro ‘boot_cpu_has’
172 | if (!boot_cpu_has(X86_FEATURE_SGX))
| ^~~~~~~~~~~~
make[4]: *** [scripts/Makefile.build:283: arch/x86/kernel/cpu/sgx/main.o] Error 1
make[3]: *** [scripts/Makefile.build:500: arch/x86/kernel/cpu/sgx] Error 2
make[2]: *** [scripts/Makefile.build:500: arch/x86/kernel/cpu] Error 2
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [scripts/Makefile.build:500: arch/x86/kernel] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:1799: arch/x86] Error 2
make: *** Waiting for unfinished jobs....

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

2020-11-05 00:51:45

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v40 03/24] x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections

On Wed, Nov 04, 2020 at 09:04:52PM +0200, Jarkko Sakkinen wrote:
> On Wed, Nov 04, 2020 at 07:21:29PM +0100, Borislav Petkov wrote:
> > On Wed, Nov 04, 2020 at 04:54:09PM +0200, Jarkko Sakkinen wrote:
> > > +static void __init sgx_init(void)
> > > +{
> > > + int i;
> > > +
> > > + if (!boot_cpu_has(X86_FEATURE_SGX))
> >
> > Guys, you need to build-test *every* *single* patch - otherwise we break
> > bisectability and that is a no-no:
>
> I've done it quite a few times (every time I've rebased my tree). I did
> today too before sending but forgot to redo git format-patch again (was
> the very last thing). In my tree the order is:

If you want, I can do a resend of this version same time underlining
that this the only difference and I do have a framework to check this
thing in place.

> e987eb0c95dd (HEAD -> master, origin/master, origin/HEAD) x86/sgx: Update MAINTAINERS
> 90dc0ee37f44 docs: x86/sgx: Document SGX kernel architecture
> 1c2e9bdab128 x86/sgx: Add ptrace() support for the SGX driver
> 05ce4345fb5f x86/sgx: Add a page reclaimer
> 94c1f778fa09 selftests/x86: Add a selftest for SGX
> 741b631d197b x86/vdso: Implement a vDSO for Intel SGX enclave call
> 5744b02641ff x86/traps: Attempt to fixup exceptions in vDSO before signaling
> e957c7e79dd0 x86/fault: Add helper function to sanitize error code
> 96cc520b2bc9 x86/vdso: Add support for exception fixup in vDSO functions
> 4aff9d81b2fe x86/sgx: Add SGX_IOC_ENCLAVE_PROVISION
> ea9bc917c469 x86/sgx: Add SGX_IOC_ENCLAVE_INIT
> 6e61e843291d x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES
> 4235ce22235e x86/sgx: Add SGX_IOC_ENCLAVE_CREATE
> 681299401c91 x86/sgx: Add SGX misc driver interface
> fbd69fd9acf4 mm: Add 'mprotect' hook to struct vm_operations_struct
> 93b27a8908aa x86/sgx: Add SGX page allocator functions
> 5984a2ca130c x86/cpu/intel: Add nosgx kernel parameter
> e131efe5ba06 x86/cpu/intel: Detect SGX support
> b0bacb54d36c x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX
> 0c64b4c07298 x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections
> 358d17098c4c x86/cpufeatures: x86/msr: Add Intel SGX Launch Control hardware bits
> 8f7ab60e5458 x86/cpufeatures: x86/msr: Add Intel SGX hardware bits
> 0fb18ca935cf x86/sgx: Add wrappers for ENCLS functions
> 3dbc95582baf x86/sgx: Add SGX architectural data structures
>
> I always do this before I send the patch set (or rebase my tree):
>
> for x in {23..0}
> do
> git checkout master~$x
> git clean -f -d -x
> make tinyconfig && cat >> .config <<EOF
> CONFIG_64BIT=y
> CONFIG_CRYPTO=y
> CONFIG_CRYPTO_SHA256=y
> CONFIG_X86_SGX=y
> CONFIG_DEBUG_INFO=y
> EOF
> yes '' | make oldconfig && make CC="ccache gcc" -j$(nproc) || break
> git --no-pager log --oneline -1 >> success.txt
> done
>
> The order is the only difference between the patch set and my tree (i.e.
> diff's do not conflict between the orderings).

/Jarkko

2020-11-05 04:28:02

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v40 11/24] x86/sgx: Add SGX misc driver interface

Noticed couple of minor glitches.

On Wed, Nov 04, 2020 at 04:54:17PM +0200, Jarkko Sakkinen wrote:
> +int sgx_encl_may_map(struct sgx_encl *encl, unsigned long start,
> + unsigned long end, unsigned long vm_flags)
> +{
> + unsigned long vm_prot_bits = vm_flags & (VM_READ | VM_WRITE | VM_EXEC);
> + struct sgx_encl_page *page;
> + unsigned long count = 0;
> + int ret = 0;
> +
> + XA_STATE(xas, &encl->page_array, PFN_DOWN(start));
> +
> + /*
> + * Disallow READ_IMPLIES_EXEC tasks as their VMA permissions might
> + * conflict with the enclave page permissions.
> + */
> + if (current->personality & READ_IMPLIES_EXEC)
> + return -EACCES;
> +
> + mutex_lock(&encl->lock);
> + xas_lock(&xas);
> + xas_for_each(&xas, page, PFN_DOWN(end - 1)) {
> + if (!page)
> + break;

A redundant check, can be removed.

> +
> + if (~page->vm_max_prot_bits & vm_prot_bits) {
> + ret = -EACCES;
> + break;
> + }
> +
> + /* Reschedule on every XA_CHECK_SCHED iteration. */
> + if (!(++count % XA_CHECK_SCHED)) {
> + xas_pause(&xas);
> + xas_unlock(&xas);
> + mutex_unlock(&encl->lock);
> +
> + cond_resched();
> +
> + mutex_lock(&encl->lock);
> + xas_lock(&xas);
> + }
> + }
> + xas_unlock(&xas);
> + mutex_unlock(&encl->lock);
> +
> + return ret;
> +}
> +
> +static int sgx_vma_mprotect(struct vm_area_struct *vma,
> + struct vm_area_struct **pprev, unsigned long start,
> + unsigned long end, unsigned long newflags)
> +{
> + int ret;
> +
> + ret = sgx_encl_may_map(vma->vm_private_data, start, end, newflags);
> + if (ret)
> + return ret;
> +
> + return mprotect_fixup(vma, pprev, start, end, newflags);
> +}
> +
> +const struct vm_operations_struct sgx_vm_ops = {
> + .fault = sgx_vma_fault,
> + .mprotect = sgx_vma_mprotect,
> +};
> +
> +/**
> + * sgx_encl_find - find an enclave
> + * @mm: mm struct of the current process
> + * @addr: address in the ELRANGE
> + * @vma: the resulting VMA
> + *
> + * Find an enclave identified by the given address. Give back a VMA that is
> + * part of the enclave and located in that address. The VMA is given back if it
> + * is a proper enclave VMA even if an &sgx_encl instance does not exist yet
> + * (enclave creation has not been performed).
> + *
> + * Return:
> + * 0 on success,
> + * -EINVAL if an enclave was not found,
> + * -ENOENT if the enclave has not been created yet
> + */
> +int sgx_encl_find(struct mm_struct *mm, unsigned long addr,
> + struct vm_area_struct **vma)
> +{
> + struct vm_area_struct *result;
> + struct sgx_encl *encl;
> +
> + result = find_vma(mm, addr);
> + if (!result || result->vm_ops != &sgx_vm_ops || addr < result->vm_start)
> + return -EINVAL;
> +
> + encl = result->vm_private_data;
> + *vma = result;
> +
> + return encl ? 0 : -ENOENT;
> +}

Since v20 there has been 1:1 assocition between enclaves and files.
In other words, this can never return -ENOENT.

With this reduction the function turns into:

int sgx_encl_find(struct mm_struct *mm, unsigned long addr,
struct vm_area_struct **vma)
{
struct vm_area_struct *result;

result = find_vma(mm, addr);
if (!result || result->vm_ops != &sgx_vm_ops || addr < result->vm_start)
return -EINVAL;

*vma = result;

return 0;
}

There are only two call sites:

1. sgx_encl_test_and_clear_young()
2. sgx_reclaimer_block()

I.e. would not be a big trouble to tune the signature a bit:

struct vm_area_struct *sgx_encl_find_vma(struct mm_struct *mm, unsigned long addr)
{
struct vm_area_struct *result;

result = find_vma(mm, addr);
if (!result || result->vm_ops != &sgx_vm_ops || addr < result->vm_start)
return NULL;

return result;
}

There is a function called sgx_encl_find_mm(), which is *unrelated* to
this function and has only one call sites. Its flow is very linear. In
order to avoid confusion, I'd open code that into sgx_encl_mm_add().

/Jarkko

2020-11-05 06:33:17

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v40 11/24] x86/sgx: Add SGX misc driver interface

On Thu, Nov 05, 2020 at 03:10:54AM +0200, Jarkko Sakkinen wrote:
> Noticed couple of minor glitches.
>
> On Wed, Nov 04, 2020 at 04:54:17PM +0200, Jarkko Sakkinen wrote:
> > +int sgx_encl_may_map(struct sgx_encl *encl, unsigned long start,
> > + unsigned long end, unsigned long vm_flags)
> > +{
> > + unsigned long vm_prot_bits = vm_flags & (VM_READ | VM_WRITE | VM_EXEC);
> > + struct sgx_encl_page *page;
> > + unsigned long count = 0;
> > + int ret = 0;
> > +
> > + XA_STATE(xas, &encl->page_array, PFN_DOWN(start));
> > +
> > + /*
> > + * Disallow READ_IMPLIES_EXEC tasks as their VMA permissions might
> > + * conflict with the enclave page permissions.
> > + */
> > + if (current->personality & READ_IMPLIES_EXEC)
> > + return -EACCES;
> > +
> > + mutex_lock(&encl->lock);
> > + xas_lock(&xas);
> > + xas_for_each(&xas, page, PFN_DOWN(end - 1)) {
> > + if (!page)
> > + break;
>
> A redundant check, can be removed.
>
> > +
> > + if (~page->vm_max_prot_bits & vm_prot_bits) {
> > + ret = -EACCES;
> > + break;
> > + }
> > +
> > + /* Reschedule on every XA_CHECK_SCHED iteration. */
> > + if (!(++count % XA_CHECK_SCHED)) {
> > + xas_pause(&xas);
> > + xas_unlock(&xas);
> > + mutex_unlock(&encl->lock);
> > +
> > + cond_resched();
> > +
> > + mutex_lock(&encl->lock);
> > + xas_lock(&xas);
> > + }
> > + }
> > + xas_unlock(&xas);
> > + mutex_unlock(&encl->lock);
> > +
> > + return ret;
> > +}
> > +
> > +static int sgx_vma_mprotect(struct vm_area_struct *vma,
> > + struct vm_area_struct **pprev, unsigned long start,
> > + unsigned long end, unsigned long newflags)
> > +{
> > + int ret;
> > +
> > + ret = sgx_encl_may_map(vma->vm_private_data, start, end, newflags);
> > + if (ret)
> > + return ret;
> > +
> > + return mprotect_fixup(vma, pprev, start, end, newflags);
> > +}
> > +
> > +const struct vm_operations_struct sgx_vm_ops = {
> > + .fault = sgx_vma_fault,
> > + .mprotect = sgx_vma_mprotect,
> > +};
> > +
> > +/**
> > + * sgx_encl_find - find an enclave
> > + * @mm: mm struct of the current process
> > + * @addr: address in the ELRANGE
> > + * @vma: the resulting VMA
> > + *
> > + * Find an enclave identified by the given address. Give back a VMA that is
> > + * part of the enclave and located in that address. The VMA is given back if it
> > + * is a proper enclave VMA even if an &sgx_encl instance does not exist yet
> > + * (enclave creation has not been performed).
> > + *
> > + * Return:
> > + * 0 on success,
> > + * -EINVAL if an enclave was not found,
> > + * -ENOENT if the enclave has not been created yet
> > + */
> > +int sgx_encl_find(struct mm_struct *mm, unsigned long addr,
> > + struct vm_area_struct **vma)
> > +{
> > + struct vm_area_struct *result;
> > + struct sgx_encl *encl;
> > +
> > + result = find_vma(mm, addr);
> > + if (!result || result->vm_ops != &sgx_vm_ops || addr < result->vm_start)
> > + return -EINVAL;
> > +
> > + encl = result->vm_private_data;
> > + *vma = result;
> > +
> > + return encl ? 0 : -ENOENT;
> > +}
>
> Since v20 there has been 1:1 assocition between enclaves and files.
> In other words, this can never return -ENOENT.
>
> With this reduction the function turns into:
>
> int sgx_encl_find(struct mm_struct *mm, unsigned long addr,
> struct vm_area_struct **vma)
> {
> struct vm_area_struct *result;
>
> result = find_vma(mm, addr);
> if (!result || result->vm_ops != &sgx_vm_ops || addr < result->vm_start)
> return -EINVAL;
>
> *vma = result;
>
> return 0;
> }
>
> There are only two call sites:
>
> 1. sgx_encl_test_and_clear_young()
> 2. sgx_reclaimer_block()
>
> I.e. would not be a big trouble to tune the signature a bit:
>
> struct vm_area_struct *sgx_encl_find_vma(struct mm_struct *mm, unsigned long addr)
> {
> struct vm_area_struct *result;
>
> result = find_vma(mm, addr);
> if (!result || result->vm_ops != &sgx_vm_ops || addr < result->vm_start)
> return NULL;
>
> return result;
> }

Further, I'd declare this as an inline function given how trivial it
turn into.

> There is a function called sgx_encl_find_mm(), which is *unrelated* to
> this function and has only one call sites. Its flow is very linear. In
> order to avoid confusion, I'd open code that into sgx_encl_mm_add().
>
> /Jarkko

/Jarkko

2020-11-05 15:12:53

by Borislav Petkov

[permalink] [raw]
Subject: Re: [PATCH v40 09/24] x86/sgx: Add SGX page allocator functions

On Wed, Nov 04, 2020 at 04:54:15PM +0200, Jarkko Sakkinen wrote:
> The previous patch initialized a simple SGX page allocator. Add functions
> for runtime allocation and free.
>
> This allocator and its algorithms are as simple as it gets. They do a
> linear search across all EPC sections and find the first free page. They
> are not NUMA aware and only hand out individual pages. The SGX hardware
> does not support large pages, so something more complicated like a buddy
> allocator is unwarranted.
>
> The free function (sgx_free_epc_page()) implicitly calls ENCLS[EREMOVE],
> which returns the page to the uninitialized state. This ensures that the
> page is ready for use at the next allocation.
>
> Acked-by: Jethro Beekman <[email protected]>
> Reviewed-by: Darren Kenny <[email protected]>
> Co-developed-by: Sean Christopherson <[email protected]>
> Signed-off-by: Sean Christopherson <[email protected]>
> Signed-off-by: Jarkko Sakkinen <[email protected]>
> ---
> arch/x86/kernel/cpu/sgx/main.c | 62 ++++++++++++++++++++++++++++++++++
> arch/x86/kernel/cpu/sgx/sgx.h | 3 ++
> 2 files changed, 65 insertions(+)
>
> diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
> index 956055a0eff6..b9ac438a13a4 100644
> --- a/arch/x86/kernel/cpu/sgx/main.c
> +++ b/arch/x86/kernel/cpu/sgx/main.c
> @@ -85,6 +85,68 @@ static bool __init sgx_page_reclaimer_init(void)
> return true;
> }
>
> +static struct sgx_epc_page *__sgx_alloc_epc_page_from_section(struct sgx_epc_section *section)
> +{
> + struct sgx_epc_page *page;
> +
> + if (list_empty(&section->page_list))
> + return NULL;
> +
> + page = list_first_entry(&section->page_list, struct sgx_epc_page, list);
> + list_del_init(&page->list);
> +
> + return page;
> +}
> +
> +/**
> + * __sgx_alloc_epc_page() - Allocate an EPC page
> + *
> + * Iterate through EPC sections and borrow a free EPC page to the caller. When a
> + * page is no longer needed it must be released with sgx_free_epc_page().
> + *
> + * Return:
> + * an EPC page,
> + * -errno on error
> + */
> +struct sgx_epc_page *__sgx_alloc_epc_page(void)
> +{
> + struct sgx_epc_section *section;
> + struct sgx_epc_page *page;
> + int i;
> +
> + for (i = 0; i < sgx_nr_epc_sections; i++) {
> + section = &sgx_epc_sections[i];
> + spin_lock(&section->lock);
> + page = __sgx_alloc_epc_page_from_section(section);
> + spin_unlock(&section->lock);

Something for a future cleanup: you can put that logic into
__sgx_alloc_epc_page_from_section() and simplify this one call site.

But not now - you can do that later or if v41 needs to be sent out...

Thx.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

2020-11-05 16:07:09

by Borislav Petkov

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Wed, Nov 04, 2020 at 04:54:16PM +0200, Jarkko Sakkinen wrote:
> From: Sean Christopherson <[email protected]>
>
> Background
> ==========
>
> 1. SGX enclave pages are populated with data by copying from normal memory
> via ioctl() (SGX_IOC_ENCLAVE_ADD_PAGES), which will be added later in
> this series.
> 2. It is desirable to be able to restrict those normal memory data sources.
> For instance, to ensure that the source data is executable before
> copying data to an executable enclave page.
> 3. Enclave page permissions are dynamic (just like normal permissions) and
> can be adjusted at runtime with mprotect().
>
> This creates a problem because the original data source may have long since
> vanished at the time when enclave page permissions are established (mmap()
> or mprotect()).
>
> The solution (elsewhere in this series) is to force enclaves creators to
> declare their paging permission *intent* up front to the ioctl(). This
> intent can me immediately compared to the source data’s mapping and
> rejected if necessary.
>
> The “intent” is also stashed off for later comparison with enclave
> PTEs. This ensures that any future mmap()/mprotect() operations
> performed by the enclave creator or done on behalf of the enclave
> can be compared with the earlier declared permissions.
>
> Problem
> =======
>
> There is an existing mmap() hook which allows SGX to perform this
> permission comparison at mmap() time. However, there is no corresponding
> ->mprotect() hook.
>
> Solution
> ========
>
> Add a vm_ops->mprotect() hook so that mprotect() operations which are
> inconsistent with any page's stashed intent can be rejected by the driver.
>
> Cc: [email protected]
> Cc: Andrew Morton <[email protected]>
> Cc: Matthew Wilcox <[email protected]>
> Acked-by: Jethro Beekman <[email protected]>
> Reviewed-by: Darren Kenny <[email protected]>
> Signed-off-by: Sean Christopherson <[email protected]>
> Co-developed-by: Jarkko Sakkinen <[email protected]>
> Signed-off-by: Jarkko Sakkinen <[email protected]>
> ---
> include/linux/mm.h | 3 +++
> mm/mprotect.c | 5 ++++-
> 2 files changed, 7 insertions(+), 1 deletion(-)

This needs an ACK from an mm person.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

2020-11-05 16:10:54

by Borislav Petkov

[permalink] [raw]
Subject: Re: [PATCH v40 11/24] x86/sgx: Add SGX misc driver interface

On Thu, Nov 05, 2020 at 03:16:15AM +0200, Jarkko Sakkinen wrote:
> Further, I'd declare this as an inline function given how trivial it
> turn into.
>
...

So are you sending a new version of only this patch as a reply to this
subthread?

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

2020-11-05 17:35:18

by Dave Hansen

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On 11/5/20 8:04 AM, Borislav Petkov wrote:
...
>> Add a vm_ops->mprotect() hook so that mprotect() operations which are
>> inconsistent with any page's stashed intent can be rejected by the driver.
>>
>> Cc: [email protected]
>> Cc: Andrew Morton <[email protected]>
>> Cc: Matthew Wilcox <[email protected]>
>> Acked-by: Jethro Beekman <[email protected]>
>> Reviewed-by: Darren Kenny <[email protected]>
>> Signed-off-by: Sean Christopherson <[email protected]>
>> Co-developed-by: Jarkko Sakkinen <[email protected]>
>> Signed-off-by: Jarkko Sakkinen <[email protected]>
>> ---
>> include/linux/mm.h | 3 +++
>> mm/mprotect.c | 5 ++++-
>> 2 files changed, 7 insertions(+), 1 deletion(-)
> This needs an ACK from an mm person.

For what it's worth:

Acked-by: Dave Hansen <[email protected]>

The top 5 git-blamees in terms of mprotect.c at the moment are:

45 Andi Kleen
50 Peter Xu
81 Dave Hansen
90 Mel Gorman
209 Linus Torvalds

2020-11-05 18:01:01

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v40 11/24] x86/sgx: Add SGX misc driver interface

On Thu, Nov 05, 2020 at 05:05:59PM +0100, Borislav Petkov wrote:
> On Thu, Nov 05, 2020 at 03:16:15AM +0200, Jarkko Sakkinen wrote:
> > Further, I'd declare this as an inline function given how trivial it
> > turn into.
> >
> ...
>
> So are you sending a new version of only this patch as a reply to this
> subthread?

Just remarked those, so that I will not forget either, e.g. even in the
case the patch was pulled as it is, I would eventually refine these
parts.

I'll rather send a full patch set if required.

> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette

/Jarkko

2020-11-05 18:15:19

by Borislav Petkov

[permalink] [raw]
Subject: Re: [PATCH v40 11/24] x86/sgx: Add SGX misc driver interface

On Thu, Nov 05, 2020 at 07:57:45PM +0200, Jarkko Sakkinen wrote:
> I'll rather send a full patch set if required.

Why if the changes all belong to this patch and why should I take a
patch which clearly needs improving?

Just send the fixed version of this and I can take it now.

Thx.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

2020-11-06 10:08:23

by Mel Gorman

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Wed, Nov 04, 2020 at 04:54:16PM +0200, Jarkko Sakkinen wrote:
> From: Sean Christopherson <[email protected]>
>
> Background
> ==========
>
> 1. SGX enclave pages are populated with data by copying from normal memory
> via ioctl() (SGX_IOC_ENCLAVE_ADD_PAGES), which will be added later in
> this series.
> 2. It is desirable to be able to restrict those normal memory data sources.
> For instance, to ensure that the source data is executable before
> copying data to an executable enclave page.
> 3. Enclave page permissions are dynamic (just like normal permissions) and
> can be adjusted at runtime with mprotect().
>
> This creates a problem because the original data source may have long since
> vanished at the time when enclave page permissions are established (mmap()
> or mprotect()).
>
> The solution (elsewhere in this series) is to force enclaves creators to
> declare their paging permission *intent* up front to the ioctl(). This
> intent can me immediately compared to the source data???s mapping and
> rejected if necessary.
>
> The ???intent??? is also stashed off for later comparison with enclave
> PTEs. This ensures that any future mmap()/mprotect() operations
> performed by the enclave creator or done on behalf of the enclave
> can be compared with the earlier declared permissions.
>
> Problem
> =======
>
> There is an existing mmap() hook which allows SGX to perform this
> permission comparison at mmap() time. However, there is no corresponding
> ->mprotect() hook.
>
> Solution
> ========
>
> Add a vm_ops->mprotect() hook so that mprotect() operations which are
> inconsistent with any page's stashed intent can be rejected by the driver.
>

I have not read the series so this is superficial only. That said...

> Cc: [email protected]
> Cc: Andrew Morton <[email protected]>
> Cc: Matthew Wilcox <[email protected]>
> Acked-by: Jethro Beekman <[email protected]>
> Reviewed-by: Darren Kenny <[email protected]>
> Signed-off-by: Sean Christopherson <[email protected]>
> Co-developed-by: Jarkko Sakkinen <[email protected]>
> Signed-off-by: Jarkko Sakkinen <[email protected]>
> ---
> include/linux/mm.h | 3 +++
> mm/mprotect.c | 5 ++++-
> 2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index ef360fe70aaf..eb38eabc5039 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -559,6 +559,9 @@ struct vm_operations_struct {
> void (*close)(struct vm_area_struct * area);
> int (*split)(struct vm_area_struct * area, unsigned long addr);
> int (*mremap)(struct vm_area_struct * area);
> + int (*mprotect)(struct vm_area_struct *vma,
> + struct vm_area_struct **pprev, unsigned long start,
> + unsigned long end, unsigned long newflags);

The first user of this uses the following information

ret = sgx_encl_may_map(vma->vm_private_data, start, end, newflags);

It only needs start, end and newflags. The pprev is passed in so the
hook can call mprotect_fixup() which is redundant as the caller knows it
should do that. I don't think an arbitrary driver should be responsible
for poking too much into the mm internals to do the fixup because we do
not know what other users of this hook might require in the future.

Hence, I would suggest that the hook receive the minimum possible
information to do the permissions check for the first in-tree user. If
it returns without failure then mm/mprotect.c would always do the fixup.

> vm_fault_t (*fault)(struct vm_fault *vmf);
> vm_fault_t (*huge_fault)(struct vm_fault *vmf,
> enum page_entry_size pe_size);
> diff --git a/mm/mprotect.c b/mm/mprotect.c
> index 56c02beb6041..1fd4fa71ce16 100644
> --- a/mm/mprotect.c
> +++ b/mm/mprotect.c
> @@ -616,7 +616,10 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
> tmp = vma->vm_end;
> if (tmp > end)
> tmp = end;
> - error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
> + if (vma->vm_ops && vma->vm_ops->mprotect)
> + error = vma->vm_ops->mprotect(vma, &prev, nstart, tmp, newflags);
> + else
> + error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);

That would then become

if (vma->vm_ops && vma->vm_ops->mprotect)
error = vma->vm_ops->mprotect(vma, &prev, nstart, tmp, newflags);
if (!error)
error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);

and mprotect_fixup would be removed from the driver.

While vm_operations_struct has borderline zero documentation, a hook for
one in-kernel user should have a comment explaining what the semantics
of the hook is -- what is it responsible for (permission check), what
can it change (nothing), etc. Maybe something like

/*
* Called by mprotect in the event driver-specific permission
* checks need to be made before the mprotect is finalised.
* No modifications should be done to the VMA, returns 0
* if the mprotect is permitted.
*/
int (*mprotect)(struct vm_area_struct *vma,
unsigned long start, unsigned long end,
unsigned long newflags);

If a future driver *does* need to poke deeper into the VM for mprotect
then at least they'll have to explain why that's a good idea.

--
Mel Gorman
SUSE Labs

2020-11-06 16:11:43

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v40 11/24] x86/sgx: Add SGX misc driver interface

On Thu, Nov 05, 2020 at 07:10:47PM +0100, Borislav Petkov wrote:
> On Thu, Nov 05, 2020 at 07:57:45PM +0200, Jarkko Sakkinen wrote:
> > I'll rather send a full patch set if required.
>
> Why if the changes all belong to this patch and why should I take a
> patch which clearly needs improving?
>
> Just send the fixed version of this and I can take it now.
>
> Thx.

Here's an update patch. I kept the name as sgx_encl_find() so and output
argument instead of return value, so that the change is localized. I
think this is good enough, i.e. the semantically obsolete stuff has been
wiped off.

> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette

/Jarkko


Attachments:
(No filename) (724.00 B)
v41-0001-x86-sgx-Add-SGX-misc-driver-interface.patch (13.35 kB)
Download all attachments

2020-11-06 16:55:18

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Fri, Nov 06, 2020 at 10:04:09AM +0000, Mel Gorman wrote:
> On Wed, Nov 04, 2020 at 04:54:16PM +0200, Jarkko Sakkinen wrote:
> > From: Sean Christopherson <[email protected]>
> >
> > Background
> > ==========
> >
> > 1. SGX enclave pages are populated with data by copying from normal memory
> > via ioctl() (SGX_IOC_ENCLAVE_ADD_PAGES), which will be added later in
> > this series.
> > 2. It is desirable to be able to restrict those normal memory data sources.
> > For instance, to ensure that the source data is executable before
> > copying data to an executable enclave page.
> > 3. Enclave page permissions are dynamic (just like normal permissions) and
> > can be adjusted at runtime with mprotect().
> >
> > This creates a problem because the original data source may have long since
> > vanished at the time when enclave page permissions are established (mmap()
> > or mprotect()).
> >
> > The solution (elsewhere in this series) is to force enclaves creators to
> > declare their paging permission *intent* up front to the ioctl(). This
> > intent can me immediately compared to the source data???s mapping and
> > rejected if necessary.
> >
> > The ???intent??? is also stashed off for later comparison with enclave
> > PTEs. This ensures that any future mmap()/mprotect() operations
> > performed by the enclave creator or done on behalf of the enclave
> > can be compared with the earlier declared permissions.
> >
> > Problem
> > =======
> >
> > There is an existing mmap() hook which allows SGX to perform this
> > permission comparison at mmap() time. However, there is no corresponding
> > ->mprotect() hook.
> >
> > Solution
> > ========
> >
> > Add a vm_ops->mprotect() hook so that mprotect() operations which are
> > inconsistent with any page's stashed intent can be rejected by the driver.
> >
>
> I have not read the series so this is superficial only. That said...
>
> > Cc: [email protected]
> > Cc: Andrew Morton <[email protected]>
> > Cc: Matthew Wilcox <[email protected]>
> > Acked-by: Jethro Beekman <[email protected]>
> > Reviewed-by: Darren Kenny <[email protected]>
> > Signed-off-by: Sean Christopherson <[email protected]>
> > Co-developed-by: Jarkko Sakkinen <[email protected]>
> > Signed-off-by: Jarkko Sakkinen <[email protected]>
> > ---
> > include/linux/mm.h | 3 +++
> > mm/mprotect.c | 5 ++++-
> > 2 files changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/linux/mm.h b/include/linux/mm.h
> > index ef360fe70aaf..eb38eabc5039 100644
> > --- a/include/linux/mm.h
> > +++ b/include/linux/mm.h
> > @@ -559,6 +559,9 @@ struct vm_operations_struct {
> > void (*close)(struct vm_area_struct * area);
> > int (*split)(struct vm_area_struct * area, unsigned long addr);
> > int (*mremap)(struct vm_area_struct * area);
> > + int (*mprotect)(struct vm_area_struct *vma,
> > + struct vm_area_struct **pprev, unsigned long start,
> > + unsigned long end, unsigned long newflags);
>
> The first user of this uses the following information
>
> ret = sgx_encl_may_map(vma->vm_private_data, start, end, newflags);
>
> It only needs start, end and newflags. The pprev is passed in so the
> hook can call mprotect_fixup() which is redundant as the caller knows it
> should do that. I don't think an arbitrary driver should be responsible
> for poking too much into the mm internals to do the fixup because we do
> not know what other users of this hook might require in the future.
>
> Hence, I would suggest that the hook receive the minimum possible
> information to do the permissions check for the first in-tree user. If
> it returns without failure then mm/mprotect.c would always do the fixup.
>
> > vm_fault_t (*fault)(struct vm_fault *vmf);
> > vm_fault_t (*huge_fault)(struct vm_fault *vmf,
> > enum page_entry_size pe_size);
> > diff --git a/mm/mprotect.c b/mm/mprotect.c
> > index 56c02beb6041..1fd4fa71ce16 100644
> > --- a/mm/mprotect.c
> > +++ b/mm/mprotect.c
> > @@ -616,7 +616,10 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
> > tmp = vma->vm_end;
> > if (tmp > end)
> > tmp = end;
> > - error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
> > + if (vma->vm_ops && vma->vm_ops->mprotect)
> > + error = vma->vm_ops->mprotect(vma, &prev, nstart, tmp, newflags);
> > + else
> > + error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
>
> That would then become
>
> if (vma->vm_ops && vma->vm_ops->mprotect)
> error = vma->vm_ops->mprotect(vma, &prev, nstart, tmp, newflags);
> if (!error)
> error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
>
> and mprotect_fixup would be removed from the driver.
>
> While vm_operations_struct has borderline zero documentation, a hook for
> one in-kernel user should have a comment explaining what the semantics
> of the hook is -- what is it responsible for (permission check), what
> can it change (nothing), etc. Maybe something like
>
> /*
> * Called by mprotect in the event driver-specific permission
> * checks need to be made before the mprotect is finalised.
> * No modifications should be done to the VMA, returns 0
> * if the mprotect is permitted.
> */
> int (*mprotect)(struct vm_area_struct *vma,
> unsigned long start, unsigned long end,
> unsigned long newflags);
>
> If a future driver *does* need to poke deeper into the VM for mprotect
> then at least they'll have to explain why that's a good idea.

Both comments make sense to me. I'll refine this patch on Monday and
also "x86/sgx: Add SGX misc driver interface", which uses this callback.

Thanks a lot for valuable feedback!

> --
> Mel Gorman
> SUSE Labs

/Jarkko

2020-11-06 17:12:47

by Borislav Petkov

[permalink] [raw]
Subject: Re: [PATCH v40 11/24] x86/sgx: Add SGX misc driver interface

On Fri, Nov 06, 2020 at 06:07:42PM +0200, Jarkko Sakkinen wrote:
> On Thu, Nov 05, 2020 at 07:10:47PM +0100, Borislav Petkov wrote:
> > On Thu, Nov 05, 2020 at 07:57:45PM +0200, Jarkko Sakkinen wrote:
> > > I'll rather send a full patch set if required.
> >
> > Why if the changes all belong to this patch and why should I take a
> > patch which clearly needs improving?
> >
> > Just send the fixed version of this and I can take it now.
> >
> > Thx.
>
> Here's an update patch. I kept the name as sgx_encl_find() so and output
> argument instead of return value, so that the change is localized. I
> think this is good enough, i.e. the semantically obsolete stuff has been
> wiped off.

Thanks.

> Tested-by: Jethro Beekman <[email protected]>
> Tested-by: Haitao Huang <[email protected]>
> Tested-by: Chunyang Hui <[email protected]>
> Tested-by: Jordan Hand <[email protected]>
> Tested-by: Nathaniel McCallum <[email protected]>
> Tested-by: Seth Moore <[email protected]>
> Tested-by: Darren Kenny <[email protected]>

Btw, you do know that when you change the patch, those tested-by's don't
hold true anymore, right?

The Reviewed-by's too, actually.

I'll zap them.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

2020-11-06 17:46:47

by Dr. Greg

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Wed, Nov 04, 2020 at 04:54:16PM +0200, Jarkko Sakkinen wrote:

Good morning, I hope the week has gone well for everyone.

> From: Sean Christopherson <[email protected]>
>
> Background
> ==========
>
> 1. SGX enclave pages are populated with data by copying from normal memory
> via ioctl() (SGX_IOC_ENCLAVE_ADD_PAGES), which will be added later in
> this series.
> 2. It is desirable to be able to restrict those normal memory data sources.
> For instance, to ensure that the source data is executable before
> copying data to an executable enclave page.
> 3. Enclave page permissions are dynamic (just like normal permissions) and
> can be adjusted at runtime with mprotect().

Only relevant on SGX2 hardware, see discussion below.

> This creates a problem because the original data source may have
> long since vanished at the time when enclave page permissions are
> established (mmap() or mprotect()).
>
> The solution (elsewhere in this series) is to force enclaves

I don't believe that enclaves should be plural in this context.

> creators to declare their paging permission *intent* up front to the
> ioctl(). This intent can me immediately compared to the source

The 'me' should be 'be' in the above line.

> data???s mapping and rejected if necessary.
>
> The ???intent??? is also stashed off for later comparison with
> enclave PTEs. This ensures that any future mmap()/mprotect()
> operations performed by the enclave creator or done on behalf of the
> enclave can be compared with the earlier declared permissions.

Just some further clarifications that should, arguably, be included in
the kernel documentation given their security implications.

The 900 pound primate in the room, that no one is acknowledging, is
that this technology was designed to not allow the operating system to
have any control over what it is doing. In the mindset of kernel
developers, the operating system is the absolute authority on
security, so we find ourselves in a situation where the kernel needs
to try and work around this fact so any solutions will be imperfect at
best.

As I've noted before, this is actually a primary objective of enclave
authors, since one of the desires for 'Confidential Computing' is to
hide things like proprietary algorithms from the platform owners. I
think the driver needs to acknowledge this fact and equip platform
owners with the simplest and most effective security solutions that
are available.

The only reason that mprotect protections are needed in this driver
are to close a security loophole on SGX2 hardware, ie. hardware that
supports the ENCLU[EMODPE] instruction. This instruction allows an
enclave to modify page permissions that are encoded in the Enclave
Page Cache Metadata (EPCM) at initialization time. In all likelihood,
this is going to be the only relevant hardware that this driver runs
on.

On SGX2 hardware, enclave based code can conspire with its untrusted
runtime to allow executable regions to have write permissions. This
would allow the enclave to load and execute whatever code that it
pleases and that the operating system would have no visibility into
whatsoever.

The non-SGX2 platforms don't need mprotect protections since even if
they were to modify at the OS level their page permissions, any
attempts to access a page with modified permissions would be trapped
by the EPCM protections that are unmodifiable after the enclave has
been initialized.

In light of this, given the decision by the driver authors to not
fully equip the driver with EDMM support, the mprotect protection
requirements are straight forward and minimalistic. All that is
needed is a binary valued variable, set on the command-line, that
either allows or denies anonymous code execution by an enclave,
ie. access to page protection changes after initialization.

The enclave page mapping callback is elegant but has little use if the
objective of all this is to allow the driver to enforce SGX1 semantics
on a platform that has SGX2 instruction support. Save the elegant
solution until a reasoned arguement can be made as to what anyone
would actually be able to do with the per page permissions checks,
even on an EDMM capable driver.

I could go into detail on that issue as well but I hesitate to be an
insufferable bore.

I hope all of this is helpful.

Have a good weekend.

Dr. Greg

As always,
Dr. Greg Wettstein, Ph.D, Worker Autonomously self-defensive
Enjellic Systems Development, LLC IOT platforms and edge devices.
4206 N. 19th Ave.
Fargo, ND 58102
PH: 701-281-1686 EMAIL: [email protected]
------------------------------------------------------------------------------
"In the future, company names will be a 32-character hex string."
-- Bruce Schneier

2020-11-06 17:57:53

by Dave Hansen

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On 11/6/20 9:43 AM, Dr. Greg wrote:
> In light of this, given the decision by the driver authors to not
> fully equip the driver with EDMM support, the mprotect protection
> requirements are straight forward and minimalistic. All that is
> needed is a binary valued variable, set on the command-line, that
> either allows or denies anonymous code execution by an enclave,
> ie. access to page protection changes after initialization.

To that, I say NAK. We need more flexibility than a boot-time-fixed,
system-wide switch.

2020-11-06 20:39:33

by Borislav Petkov

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Fri, Nov 06, 2020 at 06:51:07PM +0200, Jarkko Sakkinen wrote:
> Both comments make sense to me. I'll refine this patch on Monday and

And while you're at it, I'd suggest you refine the whole patchset and
send a full v41 instead:

- please audit all your Reviewed-by, Acked-by tags as to for what
versions of the patches they were given. If you've changed those patches
in the meantime, then all those tags are invalid and need to go.

- work in all the change requests

- fix the order of the patches so that each one builds

so that they can be taken cleanly into tip.

Thx.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

2020-11-06 21:15:23

by Matthew Wilcox

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Fri, Nov 06, 2020 at 11:43:59AM -0600, Dr. Greg wrote:
> The 900 pound primate in the room, that no one is acknowledging, is
> that this technology was designed to not allow the operating system to
> have any control over what it is doing. In the mindset of kernel
> developers, the operating system is the absolute authority on
> security, so we find ourselves in a situation where the kernel needs
> to try and work around this fact so any solutions will be imperfect at
> best.
>
> As I've noted before, this is actually a primary objective of enclave
> authors, since one of the desires for 'Confidential Computing' is to
> hide things like proprietary algorithms from the platform owners. I
> think the driver needs to acknowledge this fact and equip platform
> owners with the simplest and most effective security solutions that
> are available.

Or we need to not merge "technology" that subverts the owner of
the hardware. Remember: root kit authors are inventive buggers.

2020-11-06 21:28:23

by Dave Hansen

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On 11/6/20 1:13 PM, Matthew Wilcox wrote:
> On Fri, Nov 06, 2020 at 11:43:59AM -0600, Dr. Greg wrote:
>> The 900 pound primate in the room, that no one is acknowledging, is
>> that this technology was designed to not allow the operating system to
>> have any control over what it is doing. In the mindset of kernel
>> developers, the operating system is the absolute authority on
>> security, so we find ourselves in a situation where the kernel needs
>> to try and work around this fact so any solutions will be imperfect at
>> best.
>>
>> As I've noted before, this is actually a primary objective of enclave
>> authors, since one of the desires for 'Confidential Computing' is to
>> hide things like proprietary algorithms from the platform owners. I
>> think the driver needs to acknowledge this fact and equip platform
>> owners with the simplest and most effective security solutions that
>> are available.
> Or we need to not merge "technology" that subverts the owner of
> the hardware. Remember: root kit authors are inventive buggers.

Machine owners have lots of ways to yield their own control of the
hardware. One is:

wget http://what-could-go-wrong.com -O foo.sh; sudo foo.sh

Another is to enable SGX in the BIOS. You're giving up some level of
control and yielding it to the hardware. If you don't trust the
hardware (aka. Intel), I'd stay far, far away from that BIOS option.

This mprotect() hook is trying to have the kernel enforce some rules
that yield *less* to enclave authors. Once a rootkit is in play, the
kernel isn't going to be providing meaningful protection and I'd expect
that this hook is rather useless.

2020-11-06 22:04:10

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v40 11/24] x86/sgx: Add SGX misc driver interface

On Fri, Nov 06, 2020 at 06:09:20PM +0100, Borislav Petkov wrote:
> On Fri, Nov 06, 2020 at 06:07:42PM +0200, Jarkko Sakkinen wrote:
> > On Thu, Nov 05, 2020 at 07:10:47PM +0100, Borislav Petkov wrote:
> > > On Thu, Nov 05, 2020 at 07:57:45PM +0200, Jarkko Sakkinen wrote:
> > > > I'll rather send a full patch set if required.
> > >
> > > Why if the changes all belong to this patch and why should I take a
> > > patch which clearly needs improving?
> > >
> > > Just send the fixed version of this and I can take it now.
> > >
> > > Thx.
> >
> > Here's an update patch. I kept the name as sgx_encl_find() so and output
> > argument instead of return value, so that the change is localized. I
> > think this is good enough, i.e. the semantically obsolete stuff has been
> > wiped off.
>
> Thanks.
>
> > Tested-by: Jethro Beekman <[email protected]>
> > Tested-by: Haitao Huang <[email protected]>
> > Tested-by: Chunyang Hui <[email protected]>
> > Tested-by: Jordan Hand <[email protected]>
> > Tested-by: Nathaniel McCallum <[email protected]>
> > Tested-by: Seth Moore <[email protected]>
> > Tested-by: Darren Kenny <[email protected]>
>
> Btw, you do know that when you change the patch, those tested-by's don't
> hold true anymore, right?
>
> The Reviewed-by's too, actually.
>
> I'll zap them.

Yes, I know that. That was something that I should have done for this
version. I was too busy turning every rock to make everything as clean
as possible, sorry about that. I'll also update my tree accordingly.

> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette

/Jarkko

2020-11-06 22:08:35

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Fri, Nov 06, 2020 at 09:37:25PM +0100, Borislav Petkov wrote:
> On Fri, Nov 06, 2020 at 06:51:07PM +0200, Jarkko Sakkinen wrote:
> > Both comments make sense to me. I'll refine this patch on Monday and
>
> And while you're at it, I'd suggest you refine the whole patchset and
> send a full v41 instead:
>
> - please audit all your Reviewed-by, Acked-by tags as to for what
> versions of the patches they were given. If you've changed those patches
> in the meantime, then all those tags are invalid and need to go.
>
> - work in all the change requests
>
> - fix the order of the patches so that each one builds
>
> so that they can be taken cleanly into tip.
>
> Thx.

OK, everything else is clear except change requests part I want to
check.

There has been a change request to update callback that made perfect
sense to me. Is there something else that I might have missed? Just
checking.

> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette

/Jarkko

2020-11-06 22:34:01

by Borislav Petkov

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Sat, Nov 07, 2020 at 12:04:02AM +0200, Jarkko Sakkinen wrote:
> There has been a change request to update callback that made perfect
> sense to me. Is there something else that I might have missed? Just
> checking.

With "change requests" I mean the usual going through the replies to a
patchset and working in the changes people requested. Nothing special -
just the usual working in review feedback, that's it.

Thx.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

2020-11-07 15:11:58

by Dr. Greg

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Fri, Nov 06, 2020 at 09:54:19AM -0800, Dave Hansen wrote:

Good morning, I hope the weekend is going well for everyone, beautiful
weather out here in West-Cental Minnesota.

> On 11/6/20 9:43 AM, Dr. Greg wrote:
> > In light of this, given the decision by the driver authors to not
> > fully equip the driver with EDMM support, the mprotect protection
> > requirements are straight forward and minimalistic. All that is
> > needed is a binary valued variable, set on the command-line, that
> > either allows or denies anonymous code execution by an enclave,
> > ie. access to page protection changes after initialization.

> To that, I say NAK. We need more flexibility than a boot-time-fixed,
> system-wide switch.

To be clear, I wasn't referring to a global yes/no option in the code
that implements the mprotect callout method in the
vm_operations_struct. I was referring to the implementation of the
hook in the SGX driver code.

In all of these discussions there hasn't been a refutation of my point
that the only reason this hook is needed is to stop the potential for
anonymous code execution on SGX2 capable hardware. So we will assume,
that while unspoken, this is the rationale for the hook.

If you are NAK'ing a global enable/disable in the driver code, I think
there needs to be a discussion of why the driver, in its current
state, needs anything other then a yes/no decision on mprotect after
enclave initialization is complete.

At this point in time the driver has no intention of supporting EDMM,
so the simple belt-and-suspenders approach is to deny mprotect on
enclave virtual memory after initialization. Absent mprotect, the
hardware is perfectly capable of enforcing page permissions that are
only consistent with the initial mapping of the enclave.

If and when EDMM is implemented there might be a rationale for per
page mprotect interrogation. I won't waste people's time here but I
believe a cogent arguement can be made that there is little utility,
even under EDMM, of making per page permission decisions rather then a
'yes/no' decision by the platform owner as to whether or not they want
to allow anonymous code execution.

Hopefully all of this is a useful clarification.

Have a good weekend.

Dr. Greg

As always,
Dr. Greg Wettstein, Ph.D, Worker Autonomously self-defensive
Enjellic Systems Development, LLC IOT platforms and edge devices.
4206 N. 19th Ave.
Fargo, ND 58102
PH: 701-281-1686 EMAIL: [email protected]
------------------------------------------------------------------------------
"If you ever teach a yodeling class, probably the hardest thing is to
keep the students from just trying to yodel right off. You see, we build
to that."
-- Jack Handey
Deep Thoughts

2020-11-07 15:30:14

by Dr. Greg

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Fri, Nov 06, 2020 at 09:13:11PM +0000, Matthew Wilcox wrote:
> On Fri, Nov 06, 2020 at 11:43:59AM -0600, Dr. Greg wrote:
> > The 900 pound primate in the room, that no one is acknowledging, is
> > that this technology was designed to not allow the operating system to
> > have any control over what it is doing. In the mindset of kernel
> > developers, the operating system is the absolute authority on
> > security, so we find ourselves in a situation where the kernel needs
> > to try and work around this fact so any solutions will be imperfect at
> > best.
> >
> > As I've noted before, this is actually a primary objective of enclave
> > authors, since one of the desires for 'Confidential Computing' is to
> > hide things like proprietary algorithms from the platform owners. I
> > think the driver needs to acknowledge this fact and equip platform
> > owners with the simplest and most effective security solutions that
> > are available.

> Or we need to not merge "technology" that subverts the owner of the
> hardware. Remember: root kit authors are inventive buggers.

That will be an interesting philosophical argument for Linux moving
forward. I've often stated that there is going to be a natural
political tension between the objectives of open-source and advances
in platform security. By definition, advancing the latter will result
in technology that contrains what can be done with a platform.

It may have made more sense for the SGX driver to be mainline when the
technology was going to be ubiquitous. Given the decision by Intel to
monetize the platform, by limiting its implementation to high end
server platforms, the case could be made that it is a driver best
supported by the distributions or cloud providers.

I'm neither for or against inclusion, I'm simply advocating that we
make informed decisions on the driver implementation that benefits the
user community. FWIW, based on knowledge that has come from building
application stacks on top of the technology for a half decade now.

Have a good weekend.

Dr. Greg

As always,
Dr. Greg Wettstein, Ph.D, Worker Autonomously self-defensive
Enjellic Systems Development, LLC IOT platforms and edge devices.
4206 N. 19th Ave.
Fargo, ND 58102
PH: 701-281-1686 EMAIL: [email protected]
------------------------------------------------------------------------------
"Atilla The Hun's Maxim: If you're going to rape, pillage and burn, be sure
to do things in that order."
-- P.J. Plauger
Programming On Purpose

2020-11-07 19:18:46

by Dave Hansen

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On 11/7/20 7:09 AM, Dr. Greg wrote:
> In all of these discussions there hasn't been a refutation of my point
> that the only reason this hook is needed is to stop the potential for
> anonymous code execution on SGX2 capable hardware. So we will assume,
> that while unspoken, this is the rationale for the hook.

Unspoken? See from the cover letter:

> 3. Enclave page permissions are dynamic (just like normal permissions) and
> can be adjusted at runtime with mprotect().

I explicitly chose not to name the instructions, nor the exact version
of the SGX ISA that introduces them. They're supported in the series,
and that's all that matters.

If you want to advocate for something different to be done, patches are
accepted.

2020-11-08 18:28:39

by Jethro Beekman

[permalink] [raw]
Subject: Re: [PATCH v40 19/24] x86/vdso: Implement a vDSO for Intel SGX enclave call

On 2020-11-04 15:54, Jarkko Sakkinen wrote:
> From: Sean Christopherson <[email protected]>
>
> Enclaves encounter exceptions for lots of reasons: everything from enclave
> page faults to NULL pointer dereferences, to system calls that must be
> “proxied” to the kernel from outside the enclave.
>
> In addition to the code contained inside an enclave, there is also
> supporting code outside the enclave called an “SGX runtime”, which is
> virtually always implemented inside a shared library. The runtime helps
> build the enclave and handles things like *re*building the enclave if it
> got destroyed by something like a suspend/resume cycle.
>
> The rebuilding has traditionally been handled in SIGSEGV handlers,
> registered by the library. But, being process-wide, shared state, signal
> handling and shared libraries do not mix well.
>
> Introduce a vDSO function call that wraps the enclave entry functions
> (EENTER/ERESUME functions of the ENCLU instruciton) and returns information
> about any exceptions to the caller in the SGX runtime.
>
> Instead of generating a signal, the kernel places exception information in
> RDI, RSI and RDX. The kernel-provided userspace portion of the vDSO handler
> will place this information in a user-provided buffer or trigger a
> user-provided callback at the time of the exception.
>
> The vDSO function calling convention uses the standard RDI RSI, RDX, RCX,
> R8 and R9 registers. This makes it possible to declare the vDSO as a C
> prototype, but other than that there is no specific support for SystemV
> ABI. Things like storing XSAVE are the responsibility of the enclave and
> the runtime.
>
> Suggested-by: Andy Lutomirski <[email protected]>
> Acked-by: Jethro Beekman <[email protected]>
> Tested-by: Jethro Beekman <[email protected]>
> Signed-off-by: Sean Christopherson <[email protected]>
> Co-developed-by: Cedric Xing <[email protected]>
> Signed-off-by: Cedric Xing <[email protected]>
> Co-developed-by: Jarkko Sakkinen <[email protected]>
> Signed-off-by: Jarkko Sakkinen <[email protected]>
> ---
> Changes from v39:
> * Relayout out the user handler documentation: return values are described
> in sgx_enclave_user_handler_t keneldoc and broad description is given
> in struct sgx_enclave_run kerneldoc.
> * Rename @leaf as @function, given that we want to speak consistently
> about ENCLS and ENCLU functions.
> * Reorder user_handler and user_data as the last fields in
> sgx_enclave_run, as they are an extension to the basic functionality.
>
> arch/x86/entry/vdso/Makefile | 2 +
> arch/x86/entry/vdso/vdso.lds.S | 1 +
> arch/x86/entry/vdso/vsgx.S | 151 ++++++++++++++++++++++++++++++++
> arch/x86/include/asm/enclu.h | 9 ++
> arch/x86/include/uapi/asm/sgx.h | 91 +++++++++++++++++++
> 5 files changed, 254 insertions(+)
> create mode 100644 arch/x86/entry/vdso/vsgx.S
> create mode 100644 arch/x86/include/asm/enclu.h
>
> diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
> index 2ad757fb3c23..9915fbd34264 100644
> --- a/arch/x86/entry/vdso/Makefile
> +++ b/arch/x86/entry/vdso/Makefile
> @@ -27,6 +27,7 @@ VDSO32-$(CONFIG_IA32_EMULATION) := y
> vobjs-y := vdso-note.o vclock_gettime.o vgetcpu.o
> vobjs32-y := vdso32/note.o vdso32/system_call.o vdso32/sigreturn.o
> vobjs32-y += vdso32/vclock_gettime.o
> +vobjs-$(VDSO64-y) += vsgx.o
>
> # files to link into kernel
> obj-y += vma.o extable.o
> @@ -98,6 +99,7 @@ $(vobjs): KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS
> CFLAGS_REMOVE_vclock_gettime.o = -pg
> CFLAGS_REMOVE_vdso32/vclock_gettime.o = -pg
> CFLAGS_REMOVE_vgetcpu.o = -pg
> +CFLAGS_REMOVE_vsgx.o = -pg
>
> #
> # X32 processes use x32 vDSO to access 64bit kernel data.
> diff --git a/arch/x86/entry/vdso/vdso.lds.S b/arch/x86/entry/vdso/vdso.lds.S
> index 36b644e16272..4bf48462fca7 100644
> --- a/arch/x86/entry/vdso/vdso.lds.S
> +++ b/arch/x86/entry/vdso/vdso.lds.S
> @@ -27,6 +27,7 @@ VERSION {
> __vdso_time;
> clock_getres;
> __vdso_clock_getres;
> + __vdso_sgx_enter_enclave;
> local: *;
> };
> }
> diff --git a/arch/x86/entry/vdso/vsgx.S b/arch/x86/entry/vdso/vsgx.S
> new file mode 100644
> index 000000000000..86a0e94f68df
> --- /dev/null
> +++ b/arch/x86/entry/vdso/vsgx.S
> @@ -0,0 +1,151 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +
> +#include <linux/linkage.h>
> +#include <asm/export.h>
> +#include <asm/errno.h>
> +#include <asm/enclu.h>
> +
> +#include "extable.h"
> +
> +/* Relative to %rbp. */
> +#define SGX_ENCLAVE_OFFSET_OF_RUN 16
> +
> +/* The offsets relative to struct sgx_enclave_run. */
> +#define SGX_ENCLAVE_RUN_TCS 0
> +#define SGX_ENCLAVE_RUN_LEAF 8
> +#define SGX_ENCLAVE_RUN_EXCEPTION_VECTOR 12
> +#define SGX_ENCLAVE_RUN_EXCEPTION_ERROR_CODE 14
> +#define SGX_ENCLAVE_RUN_EXCEPTION_ADDR 16
> +#define SGX_ENCLAVE_RUN_USER_HANDLER 24
> +#define SGX_ENCLAVE_RUN_USER_DATA 32 /* not used */
> +#define SGX_ENCLAVE_RUN_RESERVED_START 40
> +#define SGX_ENCLAVE_RUN_RESERVED_END 256
> +
> +.code64
> +.section .text, "ax"
> +
> +SYM_FUNC_START(__vdso_sgx_enter_enclave)
> + /* Prolog */
> + .cfi_startproc
> + push %rbp
> + .cfi_adjust_cfa_offset 8
> + .cfi_rel_offset %rbp, 0
> + mov %rsp, %rbp
> + .cfi_def_cfa_register %rbp
> + push %rbx
> + .cfi_rel_offset %rbx, -8
> +
> + mov %ecx, %eax
> +.Lenter_enclave:
> + /* EENTER <= function <= ERESUME */
> + cmp $EENTER, %eax
> + jb .Linvalid_input
> + cmp $ERESUME, %eax
> + ja .Linvalid_input
> +
> + mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rcx
> +
> + /* Validate that the reserved area contains only zeros. */
> + mov $SGX_ENCLAVE_RUN_RESERVED_START, %rbx
> +1:
> + cmpq $0, (%rcx, %rbx)
> + jne .Linvalid_input
> + add $8, %rbx
> + cmpq $SGX_ENCLAVE_RUN_RESERVED_END, %rbx
> + jne 1b
> +
> + /* Load TCS and AEP */
> + mov SGX_ENCLAVE_RUN_TCS(%rcx), %rbx
> + lea .Lasync_exit_pointer(%rip), %rcx
> +
> + /* Single ENCLU serving as both EENTER and AEP (ERESUME) */
> +.Lasync_exit_pointer:
> +.Lenclu_eenter_eresume:
> + enclu
> +
> + /* EEXIT jumps here unless the enclave is doing something fancy. */
> + mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
> +
> + /* Set exit_reason. */
> + movl $EEXIT, SGX_ENCLAVE_RUN_LEAF(%rbx)
> +
> + /* Invoke userspace's exit handler if one was provided. */
> +.Lhandle_exit:
> + cmpq $0, SGX_ENCLAVE_RUN_USER_HANDLER(%rbx)
> + jne .Linvoke_userspace_handler
> +
> + /* Success, in the sense that ENCLU was attempted. */
> + xor %eax, %eax
> +
> +.Lout:
> + pop %rbx
> + leave
> + .cfi_def_cfa %rsp, 8
> + ret
> +
> + /* The out-of-line code runs with the pre-leave stack frame. */
> + .cfi_def_cfa %rbp, 16
> +
> +.Linvalid_input:
> + mov $(-EINVAL), %eax
> + jmp .Lout
> +
> +.Lhandle_exception:
> + mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
> +
> + /* Set the exception info. */
> + mov %eax, (SGX_ENCLAVE_RUN_LEAF)(%rbx)
> + mov %di, (SGX_ENCLAVE_RUN_EXCEPTION_VECTOR)(%rbx)
> + mov %si, (SGX_ENCLAVE_RUN_EXCEPTION_ERROR_CODE)(%rbx)
> + mov %rdx, (SGX_ENCLAVE_RUN_EXCEPTION_ADDR)(%rbx)
> + jmp .Lhandle_exit
> +
> +.Linvoke_userspace_handler:
> + /* Pass the untrusted RSP (at exit) to the callback via %rcx. */
> + mov %rsp, %rcx
> +
> + /* Save struct sgx_enclave_exception %rbx is about to be clobbered. */
> + mov %rbx, %rax
> +
> + /* Save the untrusted RSP offset in %rbx (non-volatile register). */
> + mov %rsp, %rbx
> + and $0xf, %rbx
> +
> + /*
> + * Align stack per x86_64 ABI. Note, %rsp needs to be 16-byte aligned
> + * _after_ pushing the parameters on the stack, hence the bonus push.
> + */
> + and $-0x10, %rsp
> + push %rax
> +
> + /* Push struct sgx_enclave_exception as a param to the callback. */
> + push %rax
> +
> + /* Clear RFLAGS.DF per x86_64 ABI */
> + cld
> +
> + /*
> + * Load the callback pointer to %rax and lfence for LVI (load value
> + * injection) protection before making the call.
> + */
> + mov SGX_ENCLAVE_RUN_USER_HANDLER(%rax), %rax
> + lfence
> + call *%rax
> +
> + /* Undo the post-exit %rsp adjustment. */
> + lea 0x10(%rsp, %rbx), %rsp
> +
> + /*
> + * If the return from callback is zero or negative, return immediately,
> + * else re-execute ENCLU with the postive return value interpreted as
> + * the requested ENCLU function.
> + */
> + cmp $0, %eax
> + jle .Lout
> + jmp .Lenter_enclave
> +
> + .cfi_endproc
> +
> +_ASM_VDSO_EXTABLE_HANDLE(.Lenclu_eenter_eresume, .Lhandle_exception)
> +
> +SYM_FUNC_END(__vdso_sgx_enter_enclave)
> diff --git a/arch/x86/include/asm/enclu.h b/arch/x86/include/asm/enclu.h
> new file mode 100644
> index 000000000000..b1314e41a744
> --- /dev/null
> +++ b/arch/x86/include/asm/enclu.h
> @@ -0,0 +1,9 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#ifndef _ASM_X86_ENCLU_H
> +#define _ASM_X86_ENCLU_H
> +
> +#define EENTER 0x02
> +#define ERESUME 0x03
> +#define EEXIT 0x04
> +
> +#endif /* _ASM_X86_ENCLU_H */
> diff --git a/arch/x86/include/uapi/asm/sgx.h b/arch/x86/include/uapi/asm/sgx.h
> index c32210235bf5..791e45334a4a 100644
> --- a/arch/x86/include/uapi/asm/sgx.h
> +++ b/arch/x86/include/uapi/asm/sgx.h
> @@ -74,4 +74,95 @@ struct sgx_enclave_provision {
> __u64 fd;
> };
>
> +struct sgx_enclave_run;
> +
> +/**
> + * typedef sgx_enclave_user_handler_t - Exit handler function accepted by
> + * __vdso_sgx_enter_enclave()
> + * @run: The run instance given by the caller
> + *
> + * The register parameters contain the snapshot of their values at enclave
> + * exit. An invalid ENCLU function number will cause -EINVAL to be returned
> + * to the caller.
> + *
> + * Return:
> + * - <= 0: The given value is returned back to the caller.
> + * - > 0: ENCLU function to invoke, either EENTER or ERESUME.
> + */
> +typedef int (*sgx_enclave_user_handler_t)(long rdi, long rsi, long rdx,
> + long rsp, long r8, long r9,
> + struct sgx_enclave_run *run);
> +
> +/**
> + * struct sgx_enclave_run - the execution context of __vdso_sgx_enter_enclave()
> + * @tcs: TCS used to enter the enclave
> + * @function: The last seen ENCLU function (EENTER, ERESUME or EEXIT)
> + * @exception_vector: The interrupt vector of the exception
> + * @exception_error_code: The exception error code pulled out of the stack
> + * @exception_addr: The address that triggered the exception
> + * @user_handler: User provided callback run on exception
> + * @user_data: Data passed to the user handler
> + * @reserved Reserved for future extensions
> + *
> + * If @user_handler is provided, the handler will be invoked on all return paths
> + * of the normal flow. The user handler may transfer control, e.g. via a
> + * longjmp() call or a C++ exception, without returning to
> + * __vdso_sgx_enter_enclave().
> + */
> +struct sgx_enclave_run {
> + __u64 tcs;
> + __u32 function;
> + __u16 exception_vector;
> + __u16 exception_error_code;
> + __u64 exception_addr;
> + __u64 user_handler;
> + __u64 user_data;
> + __u8 reserved[216];
> +};
> +
> +/**
> + * typedef vdso_sgx_enter_enclave_t - Prototype for __vdso_sgx_enter_enclave(),
> + * a vDSO function to enter an SGX enclave.
> + * @rdi: Pass-through value for RDI
> + * @rsi: Pass-through value for RSI
> + * @rdx: Pass-through value for RDX
> + * @function: ENCLU function, must be EENTER or ERESUME
> + * @r8: Pass-through value for R8
> + * @r9: Pass-through value for R9
> + * @run: struct sgx_enclave_run, must be non-NULL
> + *
> + * NOTE: __vdso_sgx_enter_enclave() does not ensure full compliance with the
> + * x86-64 ABI, e.g. doesn't handle XSAVE state. Except for non-volatile
> + * general purpose registers, EFLAGS.DF, and RSP alignment, preserving/setting
> + * state in accordance with the x86-64 ABI is the responsibility of the enclave
> + * and its runtime, i.e. __vdso_sgx_enter_enclave() cannot be called from C
> + * code without careful consideration by both the enclave and its runtime.
> + *
> + * All general purpose registers except RAX, RBX and RCX are passed as-is to the
> + * enclave. RAX, RBX and RCX are consumed by EENTER and ERESUME and are loaded
> + * with @function, asynchronous exit pointer, and @run.tcs respectively.
> + *
> + * RBP and the stack are used to anchor __vdso_sgx_enter_enclave() to the
> + * pre-enclave state, e.g. to retrieve @run.exception and @run.user_handler
> + * after an enclave exit. All other registers are available for use by the
> + * enclave and its runtime, e.g. an enclave can push additional data onto the
> + * stack (and modify RSP) to pass information to the optional user handler (see
> + * below).
> + *
> + * Most exceptions reported on ENCLU, including those that occur within the
> + * enclave, are fixed up and reported synchronously instead of being delivered
> + * via a standard signal. Debug Exceptions (#DB) and Breakpoints (#BP) are
> + * never fixed up and are always delivered via standard signals. On synchrously
> + * reported exceptions, -EFAULT is returned and details about the exception are
> + * recorded in @run.exception, the optional sgx_enclave_exception struct.
> + *
> + * Return:
> + * - 0: ENCLU function was successfully executed.
> + * - -EINVAL: Invalid ENCL number (neither EENTER nor ERESUME).

EINVAL also happens if sgx_enclave_run.reserved is non-zero.

--
Jethro Beekman | Fortanix


Attachments:
smime.p7s (4.38 kB)
S/MIME Cryptographic Signature

2020-11-08 20:13:07

by Jethro Beekman

[permalink] [raw]
Subject: Re: [PATCH v40 19/24] x86/vdso: Implement a vDSO for Intel SGX enclave call

On 2020-11-04 15:54, Jarkko Sakkinen wrote:
> From: Sean Christopherson <[email protected]>
>
> Enclaves encounter exceptions for lots of reasons: everything from enclave
> page faults to NULL pointer dereferences, to system calls that must be
> “proxied” to the kernel from outside the enclave.
>
> In addition to the code contained inside an enclave, there is also
> supporting code outside the enclave called an “SGX runtime”, which is
> virtually always implemented inside a shared library. The runtime helps
> build the enclave and handles things like *re*building the enclave if it
> got destroyed by something like a suspend/resume cycle.
>
> The rebuilding has traditionally been handled in SIGSEGV handlers,
> registered by the library. But, being process-wide, shared state, signal
> handling and shared libraries do not mix well.
>
> Introduce a vDSO function call that wraps the enclave entry functions
> (EENTER/ERESUME functions of the ENCLU instruciton) and returns information
> about any exceptions to the caller in the SGX runtime.
>
> Instead of generating a signal, the kernel places exception information in
> RDI, RSI and RDX. The kernel-provided userspace portion of the vDSO handler
> will place this information in a user-provided buffer or trigger a
> user-provided callback at the time of the exception.
>
> The vDSO function calling convention uses the standard RDI RSI, RDX, RCX,
> R8 and R9 registers. This makes it possible to declare the vDSO as a C
> prototype, but other than that there is no specific support for SystemV
> ABI. Things like storing XSAVE are the responsibility of the enclave and
> the runtime.
>
> Suggested-by: Andy Lutomirski <[email protected]>
> Acked-by: Jethro Beekman <[email protected]>
> Tested-by: Jethro Beekman <[email protected]>
> Signed-off-by: Sean Christopherson <[email protected]>
> Co-developed-by: Cedric Xing <[email protected]>
> Signed-off-by: Cedric Xing <[email protected]>
> Co-developed-by: Jarkko Sakkinen <[email protected]>
> Signed-off-by: Jarkko Sakkinen <[email protected]>
> ---
> Changes from v39:
> * Relayout out the user handler documentation: return values are described
> in sgx_enclave_user_handler_t keneldoc and broad description is given
> in struct sgx_enclave_run kerneldoc.
> * Rename @leaf as @function, given that we want to speak consistently
> about ENCLS and ENCLU functions.
> * Reorder user_handler and user_data as the last fields in
> sgx_enclave_run, as they are an extension to the basic functionality.
>
> arch/x86/entry/vdso/Makefile | 2 +
> arch/x86/entry/vdso/vdso.lds.S | 1 +
> arch/x86/entry/vdso/vsgx.S | 151 ++++++++++++++++++++++++++++++++
> arch/x86/include/asm/enclu.h | 9 ++
> arch/x86/include/uapi/asm/sgx.h | 91 +++++++++++++++++++
> 5 files changed, 254 insertions(+)
> create mode 100644 arch/x86/entry/vdso/vsgx.S
> create mode 100644 arch/x86/include/asm/enclu.h
>
> diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
> index 2ad757fb3c23..9915fbd34264 100644
> --- a/arch/x86/entry/vdso/Makefile
> +++ b/arch/x86/entry/vdso/Makefile
> @@ -27,6 +27,7 @@ VDSO32-$(CONFIG_IA32_EMULATION) := y
> vobjs-y := vdso-note.o vclock_gettime.o vgetcpu.o
> vobjs32-y := vdso32/note.o vdso32/system_call.o vdso32/sigreturn.o
> vobjs32-y += vdso32/vclock_gettime.o
> +vobjs-$(VDSO64-y) += vsgx.o
>
> # files to link into kernel
> obj-y += vma.o extable.o
> @@ -98,6 +99,7 @@ $(vobjs): KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS
> CFLAGS_REMOVE_vclock_gettime.o = -pg
> CFLAGS_REMOVE_vdso32/vclock_gettime.o = -pg
> CFLAGS_REMOVE_vgetcpu.o = -pg
> +CFLAGS_REMOVE_vsgx.o = -pg
>
> #
> # X32 processes use x32 vDSO to access 64bit kernel data.
> diff --git a/arch/x86/entry/vdso/vdso.lds.S b/arch/x86/entry/vdso/vdso.lds.S
> index 36b644e16272..4bf48462fca7 100644
> --- a/arch/x86/entry/vdso/vdso.lds.S
> +++ b/arch/x86/entry/vdso/vdso.lds.S
> @@ -27,6 +27,7 @@ VERSION {
> __vdso_time;
> clock_getres;
> __vdso_clock_getres;
> + __vdso_sgx_enter_enclave;
> local: *;
> };
> }
> diff --git a/arch/x86/entry/vdso/vsgx.S b/arch/x86/entry/vdso/vsgx.S
> new file mode 100644
> index 000000000000..86a0e94f68df
> --- /dev/null
> +++ b/arch/x86/entry/vdso/vsgx.S
> @@ -0,0 +1,151 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +
> +#include <linux/linkage.h>
> +#include <asm/export.h>
> +#include <asm/errno.h>
> +#include <asm/enclu.h>
> +
> +#include "extable.h"
> +
> +/* Relative to %rbp. */
> +#define SGX_ENCLAVE_OFFSET_OF_RUN 16
> +
> +/* The offsets relative to struct sgx_enclave_run. */
> +#define SGX_ENCLAVE_RUN_TCS 0
> +#define SGX_ENCLAVE_RUN_LEAF 8
> +#define SGX_ENCLAVE_RUN_EXCEPTION_VECTOR 12
> +#define SGX_ENCLAVE_RUN_EXCEPTION_ERROR_CODE 14
> +#define SGX_ENCLAVE_RUN_EXCEPTION_ADDR 16
> +#define SGX_ENCLAVE_RUN_USER_HANDLER 24
> +#define SGX_ENCLAVE_RUN_USER_DATA 32 /* not used */
> +#define SGX_ENCLAVE_RUN_RESERVED_START 40
> +#define SGX_ENCLAVE_RUN_RESERVED_END 256
> +
> +.code64
> +.section .text, "ax"
> +
> +SYM_FUNC_START(__vdso_sgx_enter_enclave)
> + /* Prolog */
> + .cfi_startproc
> + push %rbp
> + .cfi_adjust_cfa_offset 8
> + .cfi_rel_offset %rbp, 0
> + mov %rsp, %rbp
> + .cfi_def_cfa_register %rbp
> + push %rbx
> + .cfi_rel_offset %rbx, -8
> +
> + mov %ecx, %eax
> +.Lenter_enclave:
> + /* EENTER <= function <= ERESUME */
> + cmp $EENTER, %eax
> + jb .Linvalid_input
> + cmp $ERESUME, %eax
> + ja .Linvalid_input
> +
> + mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rcx
> +
> + /* Validate that the reserved area contains only zeros. */
> + mov $SGX_ENCLAVE_RUN_RESERVED_START, %rbx
> +1:
> + cmpq $0, (%rcx, %rbx)
> + jne .Linvalid_input
> + add $8, %rbx
> + cmpq $SGX_ENCLAVE_RUN_RESERVED_END, %rbx
> + jne 1b
> +
> + /* Load TCS and AEP */
> + mov SGX_ENCLAVE_RUN_TCS(%rcx), %rbx
> + lea .Lasync_exit_pointer(%rip), %rcx
> +
> + /* Single ENCLU serving as both EENTER and AEP (ERESUME) */
> +.Lasync_exit_pointer:
> +.Lenclu_eenter_eresume:
> + enclu
> +
> + /* EEXIT jumps here unless the enclave is doing something fancy. */
> + mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
> +
> + /* Set exit_reason. */
> + movl $EEXIT, SGX_ENCLAVE_RUN_LEAF(%rbx)
> +
> + /* Invoke userspace's exit handler if one was provided. */
> +.Lhandle_exit:
> + cmpq $0, SGX_ENCLAVE_RUN_USER_HANDLER(%rbx)
> + jne .Linvoke_userspace_handler
> +
> + /* Success, in the sense that ENCLU was attempted. */
> + xor %eax, %eax
> +
> +.Lout:
> + pop %rbx
> + leave
> + .cfi_def_cfa %rsp, 8
> + ret
> +
> + /* The out-of-line code runs with the pre-leave stack frame. */
> + .cfi_def_cfa %rbp, 16
> +
> +.Linvalid_input:
> + mov $(-EINVAL), %eax
> + jmp .Lout
> +
> +.Lhandle_exception:
> + mov SGX_ENCLAVE_OFFSET_OF_RUN(%rbp), %rbx
> +
> + /* Set the exception info. */
> + mov %eax, (SGX_ENCLAVE_RUN_LEAF)(%rbx)
> + mov %di, (SGX_ENCLAVE_RUN_EXCEPTION_VECTOR)(%rbx)
> + mov %si, (SGX_ENCLAVE_RUN_EXCEPTION_ERROR_CODE)(%rbx)
> + mov %rdx, (SGX_ENCLAVE_RUN_EXCEPTION_ADDR)(%rbx)
> + jmp .Lhandle_exit
> +
> +.Linvoke_userspace_handler:
> + /* Pass the untrusted RSP (at exit) to the callback via %rcx. */
> + mov %rsp, %rcx
> +
> + /* Save struct sgx_enclave_exception %rbx is about to be clobbered. */
> + mov %rbx, %rax
> +
> + /* Save the untrusted RSP offset in %rbx (non-volatile register). */
> + mov %rsp, %rbx
> + and $0xf, %rbx
> +
> + /*
> + * Align stack per x86_64 ABI. Note, %rsp needs to be 16-byte aligned
> + * _after_ pushing the parameters on the stack, hence the bonus push.
> + */
> + and $-0x10, %rsp
> + push %rax
> +
> + /* Push struct sgx_enclave_exception as a param to the callback. */
> + push %rax
> +
> + /* Clear RFLAGS.DF per x86_64 ABI */
> + cld
> +
> + /*
> + * Load the callback pointer to %rax and lfence for LVI (load value
> + * injection) protection before making the call.
> + */
> + mov SGX_ENCLAVE_RUN_USER_HANDLER(%rax), %rax
> + lfence
> + call *%rax
> +
> + /* Undo the post-exit %rsp adjustment. */
> + lea 0x10(%rsp, %rbx), %rsp
> +
> + /*
> + * If the return from callback is zero or negative, return immediately,
> + * else re-execute ENCLU with the postive return value interpreted as
> + * the requested ENCLU function.
> + */
> + cmp $0, %eax
> + jle .Lout
> + jmp .Lenter_enclave
> +
> + .cfi_endproc
> +
> +_ASM_VDSO_EXTABLE_HANDLE(.Lenclu_eenter_eresume, .Lhandle_exception)
> +
> +SYM_FUNC_END(__vdso_sgx_enter_enclave)
> diff --git a/arch/x86/include/asm/enclu.h b/arch/x86/include/asm/enclu.h
> new file mode 100644
> index 000000000000..b1314e41a744
> --- /dev/null
> +++ b/arch/x86/include/asm/enclu.h
> @@ -0,0 +1,9 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#ifndef _ASM_X86_ENCLU_H
> +#define _ASM_X86_ENCLU_H
> +
> +#define EENTER 0x02
> +#define ERESUME 0x03
> +#define EEXIT 0x04
> +
> +#endif /* _ASM_X86_ENCLU_H */
> diff --git a/arch/x86/include/uapi/asm/sgx.h b/arch/x86/include/uapi/asm/sgx.h
> index c32210235bf5..791e45334a4a 100644
> --- a/arch/x86/include/uapi/asm/sgx.h
> +++ b/arch/x86/include/uapi/asm/sgx.h
> @@ -74,4 +74,95 @@ struct sgx_enclave_provision {
> __u64 fd;
> };
>
> +struct sgx_enclave_run;
> +
> +/**
> + * typedef sgx_enclave_user_handler_t - Exit handler function accepted by
> + * __vdso_sgx_enter_enclave()
> + * @run: The run instance given by the caller
> + *
> + * The register parameters contain the snapshot of their values at enclave
> + * exit. An invalid ENCLU function number will cause -EINVAL to be returned
> + * to the caller.
> + *
> + * Return:
> + * - <= 0: The given value is returned back to the caller.
> + * - > 0: ENCLU function to invoke, either EENTER or ERESUME.
> + */
> +typedef int (*sgx_enclave_user_handler_t)(long rdi, long rsi, long rdx,
> + long rsp, long r8, long r9,
> + struct sgx_enclave_run *run);
> +
> +/**
> + * struct sgx_enclave_run - the execution context of __vdso_sgx_enter_enclave()
> + * @tcs: TCS used to enter the enclave
> + * @function: The last seen ENCLU function (EENTER, ERESUME or EEXIT)
> + * @exception_vector: The interrupt vector of the exception
> + * @exception_error_code: The exception error code pulled out of the stack
> + * @exception_addr: The address that triggered the exception
> + * @user_handler: User provided callback run on exception
> + * @user_data: Data passed to the user handler
> + * @reserved Reserved for future extensions
> + *
> + * If @user_handler is provided, the handler will be invoked on all return paths
> + * of the normal flow. The user handler may transfer control, e.g. via a
> + * longjmp() call or a C++ exception, without returning to
> + * __vdso_sgx_enter_enclave().
> + */
> +struct sgx_enclave_run {
> + __u64 tcs;
> + __u32 function;
> + __u16 exception_vector;
> + __u16 exception_error_code;
> + __u64 exception_addr;
> + __u64 user_handler;
> + __u64 user_data;
> + __u8 reserved[216];
> +};
> +
> +/**
> + * typedef vdso_sgx_enter_enclave_t - Prototype for __vdso_sgx_enter_enclave(),
> + * a vDSO function to enter an SGX enclave.
> + * @rdi: Pass-through value for RDI
> + * @rsi: Pass-through value for RSI
> + * @rdx: Pass-through value for RDX
> + * @function: ENCLU function, must be EENTER or ERESUME
> + * @r8: Pass-through value for R8
> + * @r9: Pass-through value for R9
> + * @run: struct sgx_enclave_run, must be non-NULL
> + *
> + * NOTE: __vdso_sgx_enter_enclave() does not ensure full compliance with the
> + * x86-64 ABI, e.g. doesn't handle XSAVE state. Except for non-volatile
> + * general purpose registers, EFLAGS.DF, and RSP alignment, preserving/setting
> + * state in accordance with the x86-64 ABI is the responsibility of the enclave
> + * and its runtime, i.e. __vdso_sgx_enter_enclave() cannot be called from C
> + * code without careful consideration by both the enclave and its runtime.
> + *
> + * All general purpose registers except RAX, RBX and RCX are passed as-is to the
> + * enclave. RAX, RBX and RCX are consumed by EENTER and ERESUME and are loaded
> + * with @function, asynchronous exit pointer, and @run.tcs respectively.
> + *
> + * RBP and the stack are used to anchor __vdso_sgx_enter_enclave() to the
> + * pre-enclave state, e.g. to retrieve @run.exception and @run.user_handler
> + * after an enclave exit. All other registers are available for use by the
> + * enclave and its runtime, e.g. an enclave can push additional data onto the
> + * stack (and modify RSP) to pass information to the optional user handler (see
> + * below).
> + *
> + * Most exceptions reported on ENCLU, including those that occur within the
> + * enclave, are fixed up and reported synchronously instead of being delivered
> + * via a standard signal. Debug Exceptions (#DB) and Breakpoints (#BP) are
> + * never fixed up and are always delivered via standard signals. On synchrously
> + * reported exceptions, -EFAULT is returned

This part about EFAULT is also bogus.

--
Jethro Beekman | Fortanix


Attachments:
smime.p7s (4.38 kB)
S/MIME Cryptographic Signature

2020-11-08 20:23:26

by Jethro Beekman

[permalink] [raw]
Subject: Re: [PATCH v40 19/24] x86/vdso: Implement a vDSO for Intel SGX enclave call

On 2020-11-04 15:54, Jarkko Sakkinen wrote:
> From: Sean Christopherson <[email protected]>
>
> Enclaves encounter exceptions for lots of reasons: everything from enclave
> page faults to NULL pointer dereferences, to system calls that must be
> “proxied” to the kernel from outside the enclave.
>
> In addition to the code contained inside an enclave, there is also
> supporting code outside the enclave called an “SGX runtime”, which is
> virtually always implemented inside a shared library. The runtime helps
> build the enclave and handles things like *re*building the enclave if it
> got destroyed by something like a suspend/resume cycle.
>
> The rebuilding has traditionally been handled in SIGSEGV handlers,
> registered by the library. But, being process-wide, shared state, signal
> handling and shared libraries do not mix well.
>
> Introduce a vDSO function call that wraps the enclave entry functions
> (EENTER/ERESUME functions of the ENCLU instruciton) and returns information
> about any exceptions to the caller in the SGX runtime.
>
> Instead of generating a signal, the kernel places exception information in
> RDI, RSI and RDX. The kernel-provided userspace portion of the vDSO handler
> will place this information in a user-provided buffer or trigger a
> user-provided callback at the time of the exception.
>
> The vDSO function calling convention uses the standard RDI RSI, RDX, RCX,
> R8 and R9 registers. This makes it possible to declare the vDSO as a C
> prototype, but other than that there is no specific support for SystemV
> ABI. Things like storing XSAVE are the responsibility of the enclave and
> the runtime.

I suppose this may be covered under "no specific support for SystemV ABI" but with sgx_enclave_run.user_handler=NULL, R12~R15 *will* get clobbered when __vdso_sgx_enter_enclave returns from an SGX AEX. IMO this makes the whole "try to be like System V ABI" rather useless, but I suppose it doesn't matter too much.

--
Jethro Beekman | Fortanix


Attachments:
smime.p7s (4.38 kB)
S/MIME Cryptographic Signature

2020-11-08 20:27:54

by Dave Hansen

[permalink] [raw]
Subject: Re: [PATCH v40 19/24] x86/vdso: Implement a vDSO for Intel SGX enclave call

On 11/8/20 12:08 PM, Jethro Beekman wrote:
>> + * Most exceptions reported on ENCLU, including those that occur within the
>> + * enclave, are fixed up and reported synchronously instead of being delivered
>> + * via a standard signal. Debug Exceptions (#DB) and Breakpoints (#BP) are
>> + * never fixed up and are always delivered via standard signals. On synchrously

Jarrko, do you see the synchronously typo? ^


>> + * reported exceptions, -EFAULT is returned
> This part about EFAULT is also bogus.

Do you have any suggestions to improve it? What should it say instead?

2020-11-08 20:32:08

by Dave Hansen

[permalink] [raw]
Subject: Re: [PATCH v40 19/24] x86/vdso: Implement a vDSO for Intel SGX enclave call

On 11/8/20 12:20 PM, Jethro Beekman wrote:
>> The vDSO function calling convention uses the standard RDI RSI, RDX, RCX,
>> R8 and R9 registers. This makes it possible to declare the vDSO as a C
>> prototype, but other than that there is no specific support for SystemV
>> ABI. Things like storing XSAVE are the responsibility of the enclave and
>> the runtime.
> I suppose this may be covered under "no specific support for SystemV
> ABI" but with sgx_enclave_run.user_handler=NULL, R12~R15 *will* get
> clobbered when __vdso_sgx_enter_enclave returns from an SGX AEX. IMO
> this makes the whole "try to be like System V ABI" rather useless,
> but I suppose it doesn't matter too much.

What?

It *says*: "there is no specific support for SystemV ABI." That's the
point. It's a tiny *PART* of the ABI, used to "make it possible to
declare the vDSO as a C prototype".

That's far from useless.

2020-11-08 20:52:29

by Jethro Beekman

[permalink] [raw]
Subject: Re: [PATCH v40 00/24] Intel SGX foundations

On 2020-11-04 15:54, Jarkko Sakkinen wrote:
*snip*

> Jarkko Sakkinen (14):
> x86/sgx: Add SGX architectural data structures
> x86/sgx: Add wrappers for ENCLS functions
> x86/cpu/intel: Add nosgx kernel parameter
> x86/sgx: Add SGX page allocator functions
> x86/sgx: Add SGX misc driver interface
> x86/sgx: Add SGX_IOC_ENCLAVE_CREATE
> x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES
> x86/sgx: Add SGX_IOC_ENCLAVE_INIT
> x86/sgx: Add SGX_IOC_ENCLAVE_PROVISION
> selftests/x86: Add a selftest for SGX
> x86/sgx: Add a page reclaimer
> x86/sgx: Add ptrace() support for the SGX driver
> docs: x86/sgx: Document SGX kernel architecture
> x86/sgx: Update MAINTAINERS
>
> Sean Christopherson (10):
> x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections
> x86/cpufeatures: x86/msr: Add Intel SGX hardware bits
> x86/cpufeatures: x86/msr: Add Intel SGX Launch Control hardware bits
> x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX
> x86/cpu/intel: Detect SGX support
> mm: Add 'mprotect' hook to struct vm_operations_struct
> x86/vdso: Add support for exception fixup in vDSO functions
> x86/fault: Add helper function to sanitize error code
> x86/traps: Attempt to fixup exceptions in vDSO before signaling
> x86/vdso: Implement a vDSO for Intel SGX enclave call

I tested Jarkko's public git master branch at the time of writing (patch number, commit):

01 3dbc955 Acked-By: Jethro Beekman <[email protected]>
02 0fb18ca Acked-By: Jethro Beekman <[email protected]>
03 8f7ab60 Acked-By: Jethro Beekman <[email protected]>
04 358d170 Acked-By: Jethro Beekman <[email protected]>
05 0c64b4c Acked-By: Jethro Beekman <[email protected]>
06 b0bacb5 Acked-By: Jethro Beekman <[email protected]>
07 e131efe Acked-By: Jethro Beekman <[email protected]>
08 5984a2c Acked-By: Jethro Beekman <[email protected]>
09 93b27a8 Acked-By: Jethro Beekman <[email protected]>
10 8ec6c36 Acked-By: Jethro Beekman <[email protected]>
11 1e67355 Tested-By: Jethro Beekman <[email protected]>
12 9f48d02 Tested-By: Jethro Beekman <[email protected]>
13 53f7984 Tested-By: Jethro Beekman <[email protected]>
14 5ab939b Tested-By: Jethro Beekman <[email protected]>
15 6caa47ae Acked-By: Jethro Beekman <[email protected]>
16 3106551 Acked-By: Jethro Beekman <[email protected]>
17 7193709 Acked-By: Jethro Beekman <[email protected]>
18 9c7d634 Acked-By: Jethro Beekman <[email protected]>
19 cad6a3d Tested-By: Jethro Beekman <[email protected]>
20 0dadc6b Acked-By: Jethro Beekman <[email protected]>
21 e396b6f Acked-By: Jethro Beekman <[email protected]>
22 bfcbc47 Tested-By: Jethro Beekman <[email protected]>
23 7a0da40 Acked-By: Jethro Beekman <[email protected]>
24 a644dc1 Acked-By: Jethro Beekman <[email protected]>

--
Jethro Beekman | Fortanix


Attachments:
smime.p7s (4.38 kB)
S/MIME Cryptographic Signature

2020-11-09 20:04:08

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v40 21/24] x86/sgx: Add a page reclaimer

On Sun, Nov 08, 2020 at 11:56:30AM +0800, Hillf Danton wrote:
> On Wed, 4 Nov 2020 16:54:27 Jarkko Sakkinen wrote:
> [...]
> > +/**
> > + * sgx_alloc_epc_page() - Allocate an EPC page
> > + * @owner: the owner of the EPC page
> > + * @reclaim: reclaim pages if necessary
> > + *
> > + * Iterate through EPC sections and borrow a free EPC page to the caller. When a
> > + * page is no longer needed it must be released with sgx_free_epc_page(). If
> > + * @reclaim is set to true, directly reclaim pages when we are out of pages. No
> > + * mm's can be locked when @reclaim is set to true.
> > + *
> > + * Finally, wake up ksgxswapd when the number of pages goes below the watermark
> > + * before returning back to the caller.
> > + *
> > + * Return:
> > + * an EPC page,
> > + * -errno on error
> > + */
> > +struct sgx_epc_page *sgx_alloc_epc_page(void *owner, bool reclaim)
> > +{
> > + struct sgx_epc_page *entry;
>
> Nit: s/entry/epc_page/
> > +
> > + for ( ; ; ) {
> > + entry = __sgx_alloc_epc_page();
> > + if (!IS_ERR(entry)) {
> > + entry->owner = owner;
> > + break;
> > + }
> > +
> > + if (list_empty(&sgx_active_page_list))
> > + return ERR_PTR(-ENOMEM);
> > +
> > + if (!reclaim) {
> > + entry = ERR_PTR(-EBUSY);
> > + break;
> > + }
> > +
> > + if (signal_pending(current)) {
> > + entry = ERR_PTR(-ERESTARTSYS);
> > + break;
> > + }
> > +
> > + sgx_reclaim_pages();
> i
> This is the direct reclaim mode with ksgxswapd that works in
> the background ignored in the entire for loop. But we can go
> with it in parallel, see below, if it tries as hard as it can
> to maitain the watermark in which allocators may have no
> interest.

I think this policy should be left at is and once the code in mainline
further refined. Consider it as a baseline/initial version for
reclaiming code.

> > + schedule();
>
> To cut allocator's latency use cond_resched();

Thanks, I'll change this.

> > + }
> > +
> > + if (sgx_should_reclaim(SGX_NR_LOW_PAGES))
> > + wake_up(&ksgxswapd_waitq);
>
> Nit: s/ksgxswapd/sgxd/ as it seems to have nothing to do with swap,
> given sgx itself is clear and good enough.

Yeah, it also handling kexec() situation, i.e. has multitude of
functions.

> > +
> > + return entry;
> > +}
>
> struct sgx_epc_page *sgx_alloc_epc_page(void *owner, bool reclaim)
> {
> struct sgx_epc_page *epc_page;
>
> for (;;) {
> epc_page = __sgx_alloc_epc_page();
>
> if (!IS_ERR(epc_page)) {
> epc_page->owner = owner;
> return epc_page;
> }
>
> if (signal_pending(current))
> return ERR_PTR(-ERESTARTSYS);
>
> if (list_empty(&sgx_active_page_list) || !reclaim)
> return ERR_PTR(-ENOMEM);
>
> wake_up(&ksgxswapd_waitq);
> cond_resched();
> }
> return ERR_PTR(-ENOMEM);
> }

/Jarkko

2020-11-12 21:00:54

by Dr. Greg

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Sat, Nov 07, 2020 at 11:16:25AM -0800, Dave Hansen wrote:

Good afternoon, I hope the week is going well for everyone.

> On 11/7/20 7:09 AM, Dr. Greg wrote:
> > In all of these discussions there hasn't been a refutation of my point
> > that the only reason this hook is needed is to stop the potential for
> > anonymous code execution on SGX2 capable hardware. So we will assume,
> > that while unspoken, this is the rationale for the hook.

> Unspoken? See from the cover letter:

The complexity of the issues involved and the almost complete lack of
understanding of the technology in the Linux user community would
suggest that everyone would benefit from a more detailed explanation
of the issues at hand.

> > 3. Enclave page permissions are dynamic (just like normal permissions) and
> > can be adjusted at runtime with mprotect().

> I explicitly chose not to name the instructions, nor the exact
> version of the SGX ISA that introduces them. They're supported in
> the series, and that's all that matters.

When it comes to security issues and risk assessment it always seems
that more information is better, but of course opinions vary, wildly
it would seem in the case of this technology.

I've been told countless times in my career: "What happens if you get
hit by a bus". I've tried to address those issues by generating
copious amounts of documentation on everything I do. Having the
relevant issues with respect to the security considerations and
implications of this technology clearly documented would seem to
address the 'hit by a bus' issue for other developers that may need to
look at and understand the code down the road.

> If you want to advocate for something different to be done, patches
> are accepted.

I'm including a patch below that addresses the mprotect vulnerability
as simplistically as I believe it can be addressed and provides some
background information on the issues at hand. I will let people more
wise then I am decide whether or not the world at large is worse off
for having the information available.

I tested this with our runtime, which is of a significantly different
design then Intel's. After testing multiple adversarial approaches to
changing page permissions, I'm left struggling to understand what the
page walking code accomplishes, even in the case of mmap.

The ultimate decision with respect to allowed page permissions is
cryptographically encoded in the enclave measurement. The enclave
won't initialize if changes are made to the desired EPCM permissions.
If an attempt is made to use mmap to alter those permissions at the OS
level they will be inhibited by the EPCM permission verifications.

If one reads the EDMM papers by the Intel engineering team that
designed the technology, they were very concerned about an enclave
having to agree to any virtual memory changes, hence the need for
ENCLU[EACCEPT] and ENCLU[EACCEPTCOPY]. In that respect the behavior
of ENCLU[EMODPE] is somewhat interesting in that it gives untrusted
userspace the ability to thwart the intentions of enclave code.

They may not, however, have had any other choice given that SGX was
designed as a virtual memory play in order to make it an 'easy'
add-on.

Given all of this, it seems to be the case that the only thing needed
to block anonymous code execution is to block mprotect on an
initialized enclave, which the attached patch does. If and when the
driver supports EDMM there is, I believe, a very open question as to
what type of introspection capability the kernel should have.

More on that in a subsequent post/patch.

Have a good evening.

Dr. Greg

Cut here. -----------------------------------------------------------------
From 68cba86b0cb3c5917e8c42d83edd5220e2890bb1 Mon Sep 17 00:00:00 2001
From: "Dr. Greg" <[email protected]>
Date: Thu, 12 Nov 2020 04:48:57 -0600
Subject: [PATCH] Unconditionally block mprotect of enclave memory.

In SGX there are two levels of memory protection, the classic
page table mechanism and SGX hardware based page protections
that are codified in the Enclave Page Cache Metadata. A
successful memory access requires that both mechanisms agree
that the access is permitted.

In the initial implementation of SGX (SGX1), the page permissions
are immutable after the enclave is initialized. Even if classic
page protections are modified via mprotect, any attempt to access
enclave memory with alternative permissions will be blocked.

One of the architectural changes implemented in the second
generation of SGX (SGX2) is the ability for page access
permissions to be dynamically manipulated after the enclave is
initialized. This requires coordination between trusted code
running in the enclave and untrusted code using mprotect and
special ring-0 instructions.

One of the security threats associated with SGX2 hardware is that
enclave based code can conspire with its untrusted runtime to make
executable enclave memory writable. This provides the opportunity for
completely anonymous code execution that the operating system has no
visibility into.

All that is needed to, simply, close this vulnerability is to
eliminate the ability to call mprotect against the virtual memory
range of an enclave after it is initialized. Any mprotect changes
made prior to initialization that are inconsistent with the
permissions codified in the enclave will cause initialization and/or
access to fail.

Tested-by: Dr. Greg <[email protected]>
Signed-off-by: Dr. Greg <[email protected]>
---
arch/x86/kernel/cpu/sgx/encl.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
index 139f8c398685..c613482ebb56 100644
--- a/arch/x86/kernel/cpu/sgx/encl.c
+++ b/arch/x86/kernel/cpu/sgx/encl.c
@@ -270,11 +270,10 @@ static int sgx_vma_mprotect(struct vm_area_struct *vma,
struct vm_area_struct **pprev, unsigned long start,
unsigned long end, unsigned long newflags)
{
- int ret;
+ struct sgx_encl *encl = vma->vm_private_data;

- ret = sgx_encl_may_map(vma->vm_private_data, start, end, newflags);
- if (ret)
- return ret;
+ if ( test_bit(SGX_ENCL_INITIALIZED, &encl->flags) )
+ return -EACCES;

return mprotect_fixup(vma, pprev, start, end, newflags);
}
--
2.19.2


And here (demonstrating my age). ------------------------------------------

As always,
Dr. Greg Wettstein, Ph.D, Worker Autonomously self-defensive
Enjellic Systems Development, LLC IOT platforms and edge devices.
4206 N. 19th Ave.
Fargo, ND 58102
PH: 701-281-1686 EMAIL: [email protected]
------------------------------------------------------------------------------
"Umm.. the developers behind Flame were able to hijack Windows update,
gain access to a Microsoft code signing and website signing key while
staying undetected in the wild for at least 2+ years.

But System Restore 2.0 is going to stop them? Your average piece of
malware can survive a system restore..."
-- Slashdot

2020-11-12 21:33:15

by Dave Hansen

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On 11/12/20 12:58 PM, Dr. Greg wrote:
> @@ -270,11 +270,10 @@ static int sgx_vma_mprotect(struct vm_area_struct *vma,
> struct vm_area_struct **pprev, unsigned long start,
> unsigned long end, unsigned long newflags)
> {
> - int ret;
> + struct sgx_encl *encl = vma->vm_private_data;
>
> - ret = sgx_encl_may_map(vma->vm_private_data, start, end, newflags);
> - if (ret)
> - return ret;
> + if ( test_bit(SGX_ENCL_INITIALIZED, &encl->flags) )
> + return -EACCES;
>
> return mprotect_fixup(vma, pprev, start, end, newflags);
> }

This rules out mprotect() on running enclaves. Does that break any
expectations from enclave authors, or take away capabilities that folks
need?

2020-11-12 22:43:04

by Andy Lutomirski

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Thu, Nov 12, 2020 at 1:31 PM Dave Hansen <[email protected]> wrote:
>
> On 11/12/20 12:58 PM, Dr. Greg wrote:
> > @@ -270,11 +270,10 @@ static int sgx_vma_mprotect(struct vm_area_struct *vma,
> > struct vm_area_struct **pprev, unsigned long start,
> > unsigned long end, unsigned long newflags)
> > {
> > - int ret;
> > + struct sgx_encl *encl = vma->vm_private_data;
> >
> > - ret = sgx_encl_may_map(vma->vm_private_data, start, end, newflags);
> > - if (ret)
> > - return ret;
> > + if ( test_bit(SGX_ENCL_INITIALIZED, &encl->flags) )
> > + return -EACCES;
> >
> > return mprotect_fixup(vma, pprev, start, end, newflags);
> > }
>
> This rules out mprotect() on running enclaves. Does that break any
> expectations from enclave authors, or take away capabilities that folks
> need?

It certainly prevents any scheme in which an enclave coordinates with
the outside world to do W-and-then-X JIT inside. I'm also not
convinced it has any real effect at all unless there's some magic I
missed to prevent someone from using mmap(2) to effectively change
permissions.

Everyone, IMO this SGX1 - vs - SGX2 - vs - EDMM discussion is entirely
missing the point and is a waste of everyone's time. Let's pretend
we're building a system that has nothing to do with SGX and requires
no special hardware support at all. It works like this:

A user program opens /dev/xyz and gets back an fd that represents 16
MB of memory. The user program copies some data from disk (or network
or whatever) into fd (using write(2) or ioctl(2) or mmap(2) and
memcpy) and then mmaps some of the fd as R and some as RW and some as
RX, and then the user program jumps into the RX mapping.

If we replace /dev/xyz with /dev/zero, then this simply does not work
under a reasonably strict W^X policy -- a lot of people think it's
quite reasonable for an OS to prevent a user program from obtaining an
X mapping containing anything other than a mapping from a file on
disk. To solve this, we can do one of at least three things:

a) You can't use /dev/xyz unless you have permission to create WX
memory or to at least create W memory and then change it to X.

b) You can do whatever you want with /dev/xyz, and LSM policies are
blatantly violated as a result.

c) The /dev/xyz API is clever and tracks, page-by-page, whether the
user intends to ever write and/or execute that page, and behaves
accordingly.

This patchset takes the approach (c). The actual clever policy isn't
here yet, and we don't really know whether it will ever appear, but
the API is set up to enable such a policy to be written. This appears
to be a win for everyone, since the code is pretty clean and the API
is straightforward.


Now, back to SGX. There are only two things that are remotely
SGX-specific here. First, SGX requires this unusual memory model in
which there is an executable mapping of (part of) a device node. [0]
Second, early SGX hardware had this oddity that the kernel could set a
per-backing-page (as opposed to per-PTE) bit to permanently disable X
on a given /dev/sgx page. Building a security model around that would
have been a hack, and it DOES NOT WORK on new hardware. So can we
please stop discussing it? None of the actual interesting parts of
this have much to do with SGX per se and have nothing whatsoever to do
with EDMM or any other Intel buzzword.

Heck, if anyone actually cared to do so, something with essentially
the same semantics could probably be built using SEV hardware instead
of SGX, and it would have exactly the same issue if we wanted it to
work for tasks that didn't have access to /dev/kvm.


[0] SGX doesn't *really* require this. We could set things up so that
you do mmap(..., MAP_ANONYMOUS, fd, ...) and then somehow introduce
that mapping to SGX. I think the result would be too disgusting to
seriously consider.

2020-11-15 19:05:43

by Dr. Greg

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Thu, Nov 12, 2020 at 01:31:19PM -0800, Dave Hansen wrote:

Good afternoon to everyone.

> On 11/12/20 12:58 PM, Dr. Greg wrote:
> > @@ -270,11 +270,10 @@ static int sgx_vma_mprotect(struct vm_area_struct *vma,
> > struct vm_area_struct **pprev, unsigned long start,
> > unsigned long end, unsigned long newflags)
> > {
> > - int ret;
> > + struct sgx_encl *encl = vma->vm_private_data;
> >
> > - ret = sgx_encl_may_map(vma->vm_private_data, start, end, newflags);
> > - if (ret)
> > - return ret;
> > + if ( test_bit(SGX_ENCL_INITIALIZED, &encl->flags) )
> > + return -EACCES;
> >
> > return mprotect_fixup(vma, pprev, start, end, newflags);
> > }

> This rules out mprotect() on running enclaves. Does that break any
> expectations from enclave authors, or take away capabilities that
> folks need?

As I mentioned an hour or so ago when I posted our updated patch, Sean
and Jarkko have specifically indicated that there is no intention to
support Enclave Dynamic Memory Management (EDMM) at this stage of the
driver. I believe the intent is to open that can of worms after the
driver is mainlined.

Since the stated intent of the driver is to only implement SGX1
semantics there is no need to allow page permission changes of any
type after the enclave is initialized. If mmap/mprotect are taken off
the table for an initialized enclave, there is no need to walk the
enclave page permissions since the hardware itself will enforce those
intents.

Runtime support is critical to implementing EDMM. It seems premature
to place code into the kernel until there is agreement from the
runtime developers as to how page permission intent should be
communicated into the kernel. Current EDMM implementations simply
allocate a sparse aperture which can be further extended, for example,
to increase heap space or the number of Task Control Structures.

As I've stated previously, there is an open question at this point as
to how useful a mainline driver will be without EDMM support, unless
the distributions or cloud providers are going to patch it in on top
of the mainline driver. Those players have been copied on all of
these e-mails so I would assume they could/would pipe up with comments
on what type of security architecture should be implemented.

As I've stated before, I believe in the final analysis that the only
relevant question is yes or no with respect to dynamic enclaves.

Have a good remainder of the weekend.

Dr. Greg

As always,
Greg Wettstein, Ph.D, Worker Autonomously self-defensive
Enjellic Systems Development, LLC IOT platforms and edge devices.
4206 N. 19th Ave.
Fargo, ND 58102
PH: 701-281-1686 EMAIL: [email protected]
------------------------------------------------------------------------------
"If you think nobody cares if you're alive, try missing a couple of car
payments."
-- Earl Wilson

2020-11-16 18:04:23

by Dr. Greg

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Thu, Nov 12, 2020 at 02:41:00PM -0800, Andy Lutomirski wrote:

Good morning, I hope the week is starting well for everyone.

> On Thu, Nov 12, 2020 at 1:31 PM Dave Hansen <[email protected]> wrote:
> >
> > On 11/12/20 12:58 PM, Dr. Greg wrote:
> > > @@ -270,11 +270,10 @@ static int sgx_vma_mprotect(struct vm_area_struct *vma,
> > > struct vm_area_struct **pprev, unsigned long start,
> > > unsigned long end, unsigned long newflags)
> > > {
> > > - int ret;
> > > + struct sgx_encl *encl = vma->vm_private_data;
> > >
> > > - ret = sgx_encl_may_map(vma->vm_private_data, start, end, newflags);
> > > - if (ret)
> > > - return ret;
> > > + if ( test_bit(SGX_ENCL_INITIALIZED, &encl->flags) )
> > > + return -EACCES;
> > >
> > > return mprotect_fixup(vma, pprev, start, end, newflags);
> > > }
> >
> > This rules out mprotect() on running enclaves. Does that break any
> > expectations from enclave authors, or take away capabilities that folks
> > need?

> It certainly prevents any scheme in which an enclave coordinates
> with the outside world to do W-and-then-X JIT inside. I'm also not
> convinced it has any real effect at all unless there's some magic I
> missed to prevent someone from using mmap(2) to effectively change
> permissions.

The patch that I posted yesterday addresses the security issue for
both mmap and mprotect by trapping the permission change request at
the level of the sgx_encl_may_map() function.

With respect to the W-and-then-X JIT issue, the stated purpose of the
driver is to implement basic SGX functionality, which is SGX1
semantics, it has been stated formally for a year by the developers
themselves that they are not entertaining a driver that addresses any
of the issues associated with non-static memory permissions.

As I've noted previously, the hardware itself is capable of enforcing
that after initialization, if mmap/mprotect is blocked on hardware
that supports SGX2 instructions.

> Everyone, IMO this SGX1 - vs - SGX2 - vs - EDMM discussion is
> entirely missing the point and is a waste of everyone's time. Let's
> pretend we're building a system that has nothing to do with SGX and
> requires no special hardware support at all. It works like this:

I don't doubt there is a potential bigger vision here, quite frankly
it is probably an open question whether or not SGX is going to be a
part of this future, for a variety of reasons. I also do not doubt
that you have the skills to define that vision.

Right now, however, the issue is not about pretending but rather one
of getting a driver into the kernel that provides a framework for
building whatever future SGX may have. Given GKH's comments on LWN
last week in response to the RAPL vulnerability, I'm not sure if it is
a politically done deal that the driver will go in.

SGX has specific hardware characteristics that impact the driver, I
don't see how fitting it into a generic trusted execution model
advances the agenda immediately at hand. Particularly given the fact
that I'm not even sure people understand the questions that need to be
answered about such a generic model.

> A user program opens /dev/xyz and gets back an fd that represents 16
> MB of memory. The user program copies some data from disk (or
> network or whatever) into fd (using write(2) or ioctl(2) or mmap(2)
> and memcpy) and then mmaps some of the fd as R and some as RW and
> some as RX, and then the user program jumps into the RX mapping.

This is basically the SGX model in the new driver. The important
defining characteristic of the driver, that we can't wave away, is
that the hardware requires a specific set of initial page permissions
to be implemented in order for initialization of the memory range
(enclave) to succeed.

This is inherent to the way SGX hardware was designed to work. The
only difference between SGX1 and SGX2 is that the latter offers a
small number of additional instructions that allow the page
permissions to be dynamically manipulated after initialization is
complete.

From a security perspective, the issue at hand is that the executable
material is not going to come in through the fd, it is going to be
loaded by the enclave over the network. This isn't fear mongering, it
is the stated intent of what people want to do with the technology as
a integral part of confidential computing.

I've had the opportunity to brief DOD and other entities concerned
with intelligence issues, about these type of potential capabilities.
It isn't hard to envision scenarios of where having potentially
sensitive code and data only ever handled and executed by a trusted
entity, in an environment that is inherently ephemeral with respect to
its persistence, is an important design characteristic. Thermite has
also been known to play a role in some of these designs prior to the
greater elegance of trusted execution environments.

Ultimately, if you believe the Confidential Computing Consortium, it
is also what people want for their sensitive cloud workloads. Absent
the thermite of course.

> If we replace /dev/xyz with /dev/zero, then this simply does not work
> under a reasonably strict W^X policy -- a lot of people think it's
> quite reasonable for an OS to prevent a user program from obtaining an
> X mapping containing anything other than a mapping from a file on
> disk. To solve this, we can do one of at least three things:
>
> a) You can't use /dev/xyz unless you have permission to create WX
> memory or to at least create W memory and then change it to X.
>
> b) You can do whatever you want with /dev/xyz, and LSM policies are
> blatantly violated as a result.

I think the important issue at hand is that classic LSM policies
simply are not relevant with respect to how this technology was
designed to operate, and perhaps more importantly, how people want to
use it.

That is why I have consistently stated that I think the only relevant
knob is a binary decision as to whether or not a platform owner wants
to entertain completely anonymous code execution.

> c) The /dev/xyz API is clever and tracks, page-by-page, whether the
> user intends to ever write and/or execute that page, and behaves
> accordingly.
>
> This patchset takes the approach (c). The actual clever policy
> isn't here yet, and we don't really know whether it will ever
> appear, but the API is set up to enable such a policy to be written.
> This appears to be a win for everyone, since the code is pretty
> clean and the API is straightforward.

I believe I have been clear in stating that I have never doubted the
cleverness of the approach or its potential utility for the future.

The issue at hand is that it simply isn't relevant at this stage of
the driver. Getting this new vision right is something that would
benefit from a lot of conversations between runtime and kernel
developers. Arguably, the case can be made that it should have a
second type of implementation to ensure that the approach is generic,
extensible and most importantly secure.

The 'cleverness' of the policy needs to be evaluated in the context of
what does it mean with respect to the risk arbitration decisions that
we are trying to support. The open question comes down to, in
essence, asking ourselves whether or not we believe that it makes
sense to say that 15 pages of RWX memory is a security threat but 5
are not.

> Now, back to SGX. There are only two things that are remotely
> SGX-specific here. First, SGX requires this unusual memory model in
> which there is an executable mapping of (part of) a device node. [0]
> Second, early SGX hardware had this oddity that the kernel could set
> a per-backing-page (as opposed to per-PTE) bit to permanently
> disable X on a given /dev/sgx page. Building a security model
> around that would have been a hack, and it DOES NOT WORK on new
> hardware. So can we please stop discussing it? None of the actual
> interesting parts of this have much to do with SGX per se and have
> nothing whatsoever to do with EDMM or any other Intel buzzword.

Just a clarification for everyone sitting in their recliners eating
popcorn and following along at home.

As I've stated before, I don't argue the potential utility of some new
model, SGX however, has hardware characteristics that cannot be waved
away in this discussion. The technology was designed to have a
cryptographic measurement that controls whether or not the memory
image is suitable for execution. The description of that image is
defined by the enclave author when the enclave is signed.

This is why the current EDMM implementation requires that a maximum
aperture range be defined for dynamic memory regions. Since the
linear address of each page address in the enclave is encoded into the
measurement, enclave initialization will fail unless the loaded memory
image is consistent with the wishes of the enclave signer. Having 40
pages of potential heap memory when the author called for 39 would be
considered an initialization defect that would be enforced by the
hardware.

The desired page permissions are also encoded into the enclave
measurement. Since the current implementation takes the maximum
scoped permissions from the security information encoded in the
enclave, it would require that the enclave encode for RWX permissions
if the intent was to dynmically load executable or JIT code after the
enclave was initialized. If I understand your above analysis
correctly, this would be problematic for current security
models/practices.

Obviously an API could be proposed that allowed this permissable
memory map to be defined independently from the enclave. This notion,
based on my read of the security risk considerations that went into
the design of SGX, would be problematic, since it would allow an
untrusted party to modify the characteristics that were desired by the
enclave author for the executable image.

> Heck, if anyone actually cared to do so, something with essentially
> the same semantics could probably be built using SEV hardware
> instead of SGX, and it would have exactly the same issue if we
> wanted it to work for tasks that didn't have access to /dev/kvm.

As I noted above, perhaps whatever this driver may become in the
future would benefit from the community creating something like this
as a second reference to build an API on top of.

> [0] SGX doesn't *really* require this. We could set things up so that
> you do mmap(..., MAP_ANONYMOUS, fd, ...) and then somehow introduce
> that mapping to SGX. I think the result would be too disgusting to
> seriously consider.

Let me be clear, I certainly would not advocate doing anything too
disgusting to consider.

Hopefully our proposal for simplifying the security model for the
driver, while still allowing the framework for a still unspecified
future pathway, doesn't fit this description.

Best wishes for a productive week to everyone.

Dr. Greg

As always,
Dr. Greg Wettstein, Ph.D, Worker Autonomously self-defensive
Enjellic Systems Development, LLC IOT platforms and edge devices.
4206 N. 19th Ave.
Fargo, ND 58102
PH: 701-281-1686 EMAIL: [email protected]
------------------------------------------------------------------------------
"Boy, it must not take much to make a phone work. Looking at
everthing else here it must be the same way with the INTERNET."
-- Francis 'Fritz' Wettstein

2020-11-19 01:43:58

by Haitao Huang

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Mon, 16 Nov 2020 12:00:23 -0600, Dr. Greg <[email protected]> wrote:

> On Thu, Nov 12, 2020 at 02:41:00PM -0800, Andy Lutomirski wrote:
>
> Good morning, I hope the week is starting well for everyone.
>
>> On Thu, Nov 12, 2020 at 1:31 PM Dave Hansen <[email protected]>
>> wrote:
>> >
>> > On 11/12/20 12:58 PM, Dr. Greg wrote:
>> > > @@ -270,11 +270,10 @@ static int sgx_vma_mprotect(struct
>> vm_area_struct *vma,
>> > > struct vm_area_struct **pprev, unsigned
>> long start,
>> > > unsigned long end, unsigned long newflags)
>> > > {
>> > > - int ret;
>> > > + struct sgx_encl *encl = vma->vm_private_data;
>> > >
>> > > - ret = sgx_encl_may_map(vma->vm_private_data, start, end,
>> newflags);
>> > > - if (ret)
>> > > - return ret;
>> > > + if ( test_bit(SGX_ENCL_INITIALIZED, &encl->flags) )
>> > > + return -EACCES;
>> > >
>> > > return mprotect_fixup(vma, pprev, start, end, newflags);
>> > > }
>> >
>> > This rules out mprotect() on running enclaves. Does that break any
>> > expectations from enclave authors, or take away capabilities that
>> folks
>> > need?
>
>> It certainly prevents any scheme in which an enclave coordinates
>> with the outside world to do W-and-then-X JIT inside. I'm also not
>> convinced it has any real effect at all unless there's some magic I
>> missed to prevent someone from using mmap(2) to effectively change
>> permissions.
>
> The patch that I posted yesterday addresses the security issue for
> both mmap and mprotect by trapping the permission change request at
> the level of the sgx_encl_may_map() function.
>
> With respect to the W-and-then-X JIT issue, the stated purpose of the
> driver is to implement basic SGX functionality, which is SGX1
> semantics, it has been stated formally for a year by the developers
> themselves that they are not entertaining a driver that addresses any
> of the issues associated with non-static memory permissions.
>

The JIT issue is applicable even to SGX1 platforms. We can do EADD with
EPCM.RWX in sec_info and with PTE.RW, EINIT, then mprotect to set PTE.RX
when JIT is done.

Haitao

2020-11-20 17:35:41

by Dr. Greg

[permalink] [raw]
Subject: Re: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct

On Wed, Nov 18, 2020 at 07:39:50PM -0600, Haitao Huang wrote:

Good morning, I hope the week is ending well for everyone.

> On Mon, 16 Nov 2020 12:00:23 -0600, Dr. Greg <[email protected]> wrote:
>
> >On Thu, Nov 12, 2020 at 02:41:00PM -0800, Andy Lutomirski wrote:
> >>It certainly prevents any scheme in which an enclave coordinates
> >>with the outside world to do W-and-then-X JIT inside. I'm also not
> >>convinced it has any real effect at all unless there's some magic I
> >>missed to prevent someone from using mmap(2) to effectively change
> >>permissions.
> >
> >The patch that I posted yesterday addresses the security issue for
> >both mmap and mprotect by trapping the permission change request at
> >the level of the sgx_encl_may_map() function.
> >
> >With respect to the W-and-then-X JIT issue, the stated purpose of the
> >driver is to implement basic SGX functionality, which is SGX1
> >semantics, it has been stated formally for a year by the developers
> >themselves that they are not entertaining a driver that addresses any
> >of the issues associated with non-static memory permissions.

> The JIT issue is applicable even to SGX1 platforms. We can do EADD
> with EPCM.RWX in sec_info and with PTE.RW, EINIT, then mprotect to
> set PTE.RX when JIT is done.

Correct, which further underscores the point that I am trying make, it
is unclear what the current mmap/mprotect protection architecture is
accomplishing, since it only enforces EPCM permissions. The hardware
is perfectly capable of doing so without assistance from the operating
system, in fact, the very reason it was designed was to provide
protections in the face of an adversarial operating system.

For precisely one year, as of next week, we have engaged in a
re-design of this driver, driven by the concern that the previous
driver allowed execution of code that bypassed the LSM. So I'm
assuming the community has concerns about the possibility of anonymous
code execution. If this is the case, the mmap/mprotect protection
code in the driver should be implementing some type of control over
the execution of anonymous memory, which our patch implements, very
simply and very understandably.

The other straight forward alternative is a knob that tells the driver
to disallow the addition of any page that attempts to set EPCM.XW
permissions.

As always, corrections gladly accepted if our analysis of the driver
or how the hardware itself works is incorrect.

> Haitao

Have a good weekend.

Dr. Greg

As always,
Dr. Greg Wettstein, Ph.D, Worker Autonomously self-defensive
Enjellic Systems Development, LLC IOT platforms and edge devices.
4206 N. 19th Ave.
Fargo, ND 58102
PH: 701-281-1686 EMAIL: [email protected]
------------------------------------------------------------------------------
"My second remark is that our intellectual powers are rather geared to
master static relations and that our powers to visualize processes
evolving in time are relatively poorly developed."
-- Edsger W. Dijkstra

2020-11-21 15:17:48

by Dr. Greg

[permalink] [raw]
Subject: Re: [PATCH v40 00/24] Intel SGX foundations

On Wed, Nov 04, 2020 at 04:54:06PM +0200, Jarkko Sakkinen wrote:

Good morning, I hope the weekend is going well for everyone.

> Important Kernel Touch Points
> =============================
>
> This implementation is picky and will decline to work on hardware which
> is locked to Intel's root of trust.

Given that this driver is no longer locked to the Intel trust root, by
virtue of being restricted to run only on platforms which support
Flexible Launch Control, there is no longer any legitimate technical
reason to not expose all of the functionality of the hardware.

The patch that I am including below implements signature based policy
controls for enclave initialization. It does so in a manner that is
completely transparent to the default behavior of the driver, which is
to initialize any enclave passed to it with the exception of enclaves
that set the PROVISION_KEY attribute bit.

Secondary to the discussions that have been ongoing regarding the
restriction of mmap/mprotect, this patch has been extended to
implement signature based controls on dynamic enclaves. The default
behavior of the driver under this patch is to reject mmap/mprotect on
initialized enclaves, unless the platform owner has elected to allow
the enclave signer the option to implement 'dynamic' enclaves,
ie. enclaves that are allowed to modify their page permissions after
initialization.

There have been a number of 'GOOGLE-ites' copied on all of these
discussions. The notion of signature based policy controls should be
uncontroversial since it allows platform owners to implement a
'Zero-Trust' security model, a notion that has been widely advocated
by GOOGLE and others in the industry.

The strongest platform security guarantees for trusted execution
environments, that offer strong confidentiality guarantees on both
code and data, are ultimately only reputational. This patch enables
SGX platform owners to avail themselves of that option while not
restricting, in any way, what platform owners can do with their
hardware.

This patch is also available from the following location, given the
vagaries of e-mail based patch transmission:

ftp://ftp.enjellic.com/pub/sgx/kernel/SFLC-v41.patch

Have a good remainder of the weekend.

Dr. Greg

---------------------------------------------------------------------------
Implement signature based policy controls.

This patch implements the ability for the platform owner to
implement signature based enclave control policies. It does so
in a manner that is completely transparent to the normal behavior
of the driver, which is to initialize any enclave that is
presented to it with the exception of enclaves that have the
PROVISION_KEY attribute set.

If a launch enclave control policy is not implemented, any attempt
to pass a launch token into the driver will cause enclave
initialization to fail.

Signature based policy control is based on the identity modulus
signature of the enclave signer which is the SHA256 hash of the
modulus of the enclave signing key.

The following policy functionality is implemented.

1.) Control over which keys are allowed to sign enclaves.

2.) Control over which keys are allowed to implement launch
enclaves.

3.) Control over which keys are allowed to sign enclaves that
have access to the PROVISION_KEY attribute.

4.) Control over which enclaves are allowed to have their page
permissions modified after enclave initialization.

For each policy type a plurality of key signatures are
allowed.

Cryptographic initialization policy is accessed through the
following four pseudo-files that are implemented by this patch:

/sys/kernel/security/sgx/signing_keys

/sys/kernel/security/sgx/launch_keys

/sys/kernel/security/sgx/provisioning_keys

/sys/kernel/security/sgx/dynamic_keys

Policy keys are registered with the driver by writing the identity
modulus signature to these files in simple hexadecimal format, ie:

0000000000000000000000000000000000000000000000000000000000000000

The current list of policy keys can be displayed by reading the
contents of the pseudo-files.

In addition to a key signature, the following keywords are
accepted as valid entries for a policy file:

clear

lock

The 'clear' keyword causes all existing entries in a policy list
to be deleted.

The 'lock' keyword causes any further modifications or access to
a policy list to be denied.

All of the policy code is implemented in a single file, policy.c,
with minimal impact to the driver at large. Since the calculation
of the identity modulus signature needed to program a launch control
register is effectively a policy decision, the code to compute the
signature was moved from the ioctl.c file to the policy.c file.

Tested-by: Dr. Greg <[email protected]>
Signed-off-by: Dr. Greg <[email protected]>
---
arch/x86/Kconfig | 1 +
arch/x86/include/uapi/asm/sgx.h | 1 +
arch/x86/kernel/cpu/sgx/Makefile | 3 +-
arch/x86/kernel/cpu/sgx/driver.c | 8 +
arch/x86/kernel/cpu/sgx/driver.h | 2 +
arch/x86/kernel/cpu/sgx/encl.c | 47 +--
arch/x86/kernel/cpu/sgx/encl.h | 3 +
arch/x86/kernel/cpu/sgx/ioctl.c | 129 +++----
arch/x86/kernel/cpu/sgx/policy.c | 569 +++++++++++++++++++++++++++++++
9 files changed, 664 insertions(+), 99 deletions(-)
create mode 100644 arch/x86/kernel/cpu/sgx/policy.c

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 618d1aabccb8..575936aa4d91 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1937,6 +1937,7 @@ config X86_SGX
depends on CRYPTO_SHA256=y
select SRCU
select MMU_NOTIFIER
+ select SECURITYFS
help
Intel(R) Software Guard eXtensions (SGX) is a set of CPU instructions
that can be used by applications to set aside private regions of code
diff --git a/arch/x86/include/uapi/asm/sgx.h b/arch/x86/include/uapi/asm/sgx.h
index 791e45334a4a..48316ffe00b3 100644
--- a/arch/x86/include/uapi/asm/sgx.h
+++ b/arch/x86/include/uapi/asm/sgx.h
@@ -63,6 +63,7 @@ struct sgx_enclave_add_pages {
*/
struct sgx_enclave_init {
__u64 sigstruct;
+ __u64 token;
};

/**
diff --git a/arch/x86/kernel/cpu/sgx/Makefile b/arch/x86/kernel/cpu/sgx/Makefile
index 91d3dc784a29..4576a491eb3f 100644
--- a/arch/x86/kernel/cpu/sgx/Makefile
+++ b/arch/x86/kernel/cpu/sgx/Makefile
@@ -2,4 +2,5 @@ obj-y += \
driver.o \
encl.o \
ioctl.o \
- main.o
+ main.o \
+ policy.o
diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c
index f2eac41bb4ff..35ff0ca362dd 100644
--- a/arch/x86/kernel/cpu/sgx/driver.c
+++ b/arch/x86/kernel/cpu/sgx/driver.c
@@ -190,5 +190,13 @@ int __init sgx_drv_init(void)
return ret;
}

+ ret = sgx_policy_fs_init();
+ if (ret) {
+ pr_err("SGX policy fs creation failed with %d.\n", ret);
+ misc_deregister(&sgx_dev_provision);
+ misc_deregister(&sgx_dev_enclave);
+ return ret;
+ }
+
return 0;
}
diff --git a/arch/x86/kernel/cpu/sgx/driver.h b/arch/x86/kernel/cpu/sgx/driver.h
index 4eddb4d571ef..6c0fac29e6ff 100644
--- a/arch/x86/kernel/cpu/sgx/driver.h
+++ b/arch/x86/kernel/cpu/sgx/driver.h
@@ -26,4 +26,6 @@ long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg);

int sgx_drv_init(void);

+int sgx_policy_fs_init(void);
+u64 *sgx_policy_get_signer(u64 *signature);
#endif /* __ARCH_X86_SGX_DRIVER_H__ */
diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
index 5551c7d36483..2731edc296b8 100644
--- a/arch/x86/kernel/cpu/sgx/encl.c
+++ b/arch/x86/kernel/cpu/sgx/encl.c
@@ -212,27 +212,22 @@ static void sgx_vma_open(struct vm_area_struct *vma)
* @end: upper bound of the address range, exclusive
* @vm_flags: VMA flags
*
- * Iterate through the enclave pages contained within [@start, @end) to verify
- * that the permissions requested by a subset of {VM_READ, VM_WRITE, VM_EXEC}
- * does not contain any permissions that are not contained in the build time
- * permissions of any of the enclave pages within the given address range.
+ * This function provides a method for determining whether or not mmap
+ * or mprotect can be invoked on the virtual memory address range of
+ * an enclave. Page permission manipulations are only allowed on
+ * enclaves that have their dynamic flag set.
*
- * An enclave creator must declare the strongest permissions that will be
- * needed for each enclave page This ensures that mappings have the identical
- * or weaker permissions that the earlier declared permissions.
+ * The function signature is left intact since future versions of the
+ * driver may implement verifications that the requested permission
+ * changes are consistent with the desire of the enclave author.
*
* Return: 0 on success, -EACCES otherwise
*/
int sgx_encl_may_map(struct sgx_encl *encl, unsigned long start,
unsigned long end, unsigned long vm_flags)
{
- unsigned long vm_prot_bits = vm_flags & (VM_READ | VM_WRITE | VM_EXEC);
- struct sgx_encl_page *page;
- unsigned long count = 0;
int ret = 0;

- XA_STATE(xas, &encl->page_array, PFN_DOWN(start));
-
/*
* Disallow READ_IMPLIES_EXEC tasks as their VMA permissions might
* conflict with the enclave page permissions.
@@ -240,31 +235,9 @@ int sgx_encl_may_map(struct sgx_encl *encl, unsigned long start,
if (current->personality & READ_IMPLIES_EXEC)
return -EACCES;

- mutex_lock(&encl->lock);
- xas_lock(&xas);
- xas_for_each(&xas, page, PFN_DOWN(end - 1)) {
- if (!page)
- break;
-
- if (~page->vm_max_prot_bits & vm_prot_bits) {
- ret = -EACCES;
- break;
- }
-
- /* Reschedule on every XA_CHECK_SCHED iteration. */
- if (!(++count % XA_CHECK_SCHED)) {
- xas_pause(&xas);
- xas_unlock(&xas);
- mutex_unlock(&encl->lock);
-
- cond_resched();
-
- mutex_lock(&encl->lock);
- xas_lock(&xas);
- }
- }
- xas_unlock(&xas);
- mutex_unlock(&encl->lock);
+ /* Disallow mapping on initialized enclave. */
+ if (test_bit(SGX_ENCL_INITIALIZED, &encl->flags) && !encl->dynamic)
+ ret = -EACCES;

return ret;
}
diff --git a/arch/x86/kernel/cpu/sgx/encl.h b/arch/x86/kernel/cpu/sgx/encl.h
index 244e1d93fce2..cc4392929652 100644
--- a/arch/x86/kernel/cpu/sgx/encl.h
+++ b/arch/x86/kernel/cpu/sgx/encl.h
@@ -51,6 +51,7 @@ struct sgx_encl {
unsigned long base;
unsigned long size;
unsigned long flags;
+ unsigned int dynamic;
unsigned int page_cnt;
unsigned int secs_child_cnt;
struct mutex lock;
@@ -104,4 +105,6 @@ unsigned int sgx_alloc_va_slot(struct sgx_va_page *va_page);
void sgx_free_va_slot(struct sgx_va_page *va_page, unsigned int offset);
bool sgx_va_page_full(struct sgx_va_page *va_page);

+int sgx_policy_get_params(struct sgx_encl *encl, void *modulus, u64 *signer,
+ int *signcnt);
#endif /* _X86_ENCL_H */
diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
index 6d37117ac8a0..4c92f4e1d507 100644
--- a/arch/x86/kernel/cpu/sgx/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -466,70 +466,14 @@ static long sgx_ioc_enclave_add_pages(struct sgx_encl *encl, void __user *arg)
return ret;
}

-static int __sgx_get_key_hash(struct crypto_shash *tfm, const void *modulus,
- void *hash)
+static int sgx_encl_try_init(struct sgx_encl *encl,
+ struct sgx_sigstruct *sigstruct, void *token,
+ u64 *signer)
{
- SHASH_DESC_ON_STACK(shash, tfm);
-
- shash->tfm = tfm;
-
- return crypto_shash_digest(shash, modulus, SGX_MODULUS_SIZE, hash);
-}
-
-static int sgx_get_key_hash(const void *modulus, void *hash)
-{
- struct crypto_shash *tfm;
- int ret;
-
- tfm = crypto_alloc_shash("sha256", 0, CRYPTO_ALG_ASYNC);
- if (IS_ERR(tfm))
- return PTR_ERR(tfm);
-
- ret = __sgx_get_key_hash(tfm, modulus, hash);
-
- crypto_free_shash(tfm);
- return ret;
-}
-
-static int sgx_encl_init(struct sgx_encl *encl, struct sgx_sigstruct *sigstruct,
- void *token)
-{
- u64 mrsigner[4];
int i, j, k;
void *addr;
int ret;

- /*
- * Deny initializing enclaves with attributes (namely provisioning)
- * that have not been explicitly allowed.
- */
- if (encl->attributes & ~encl->attributes_mask)
- return -EACCES;
-
- /*
- * Attributes should not be enforced *only* against what's available on
- * platform (done in sgx_encl_create) but checked and enforced against
- * the mask for enforcement in sigstruct. For example an enclave could
- * opt to sign with AVX bit in xfrm, but still be loadable on a platform
- * without it if the sigstruct->body.attributes_mask does not turn that
- * bit on.
- */
- if (sigstruct->body.attributes & sigstruct->body.attributes_mask &
- sgx_attributes_reserved_mask)
- return -EINVAL;
-
- if (sigstruct->body.miscselect & sigstruct->body.misc_mask &
- sgx_misc_reserved_mask)
- return -EINVAL;
-
- if (sigstruct->body.xfrm & sigstruct->body.xfrm_mask &
- sgx_xfrm_reserved_mask)
- return -EINVAL;
-
- ret = sgx_get_key_hash(sigstruct->modulus, mrsigner);
- if (ret)
- return ret;
-
mutex_lock(&encl->lock);

/*
@@ -545,7 +489,7 @@ static int sgx_encl_init(struct sgx_encl *encl, struct sgx_sigstruct *sigstruct,
preempt_disable();

for (k = 0; k < 4; k++)
- wrmsrl(MSR_IA32_SGXLEPUBKEYHASH0 + k, mrsigner[k]);
+ wrmsrl(MSR_IA32_SGXLEPUBKEYHASH0 + k, signer[k]);

ret = __einit(sigstruct, token, addr);

@@ -585,6 +529,60 @@ static int sgx_encl_init(struct sgx_encl *encl, struct sgx_sigstruct *sigstruct,
return ret;
}

+static int sgx_encl_init(struct sgx_encl *encl, struct sgx_sigstruct *sigstruct,
+ void *token)
+{
+ u64 mrsigner[4];
+ u64 *signer;
+ int ret;
+ int signcnt = 1;
+
+ /* Configure the launch policy. */
+ ret = sgx_policy_get_params(encl, sigstruct->modulus, mrsigner,
+ &signcnt);
+ if (ret)
+ return ret;
+
+ /*
+ * Deny initializing enclaves with attributes (namely provisioning)
+ * that have not been explicitly allowed.
+ */
+ if (encl->attributes & ~encl->attributes_mask)
+ return -EACCES;
+
+ /*
+ * Attributes should not be enforced *only* against what's available on
+ * platform (done in sgx_encl_create) but checked and enforced against
+ * the mask for enforcement in sigstruct. For example an enclave could
+ * opt to sign with AVX bit in xfrm, but still be loadable on a platform
+ * without it if the sigstruct->body.attributes_mask does not turn that
+ * bit on.
+ */
+ if (sigstruct->body.attributes & sigstruct->body.attributes_mask &
+ sgx_attributes_reserved_mask)
+ return -EINVAL;
+
+ if (sigstruct->body.miscselect & sigstruct->body.misc_mask &
+ sgx_misc_reserved_mask)
+ return -EINVAL;
+
+ if (sigstruct->body.xfrm & sigstruct->body.xfrm_mask &
+ sgx_xfrm_reserved_mask)
+ return -EINVAL;
+
+ /* Try the available policies. */
+ signer = mrsigner;
+ while (signcnt--) {
+ ret = sgx_encl_try_init(encl, sigstruct, token, signer);
+ if (!ret)
+ return ret;
+ if (signcnt)
+ signer = sgx_policy_get_signer(signer);
+ }
+
+ return ret;
+}
+
/**
* sgx_ioc_enclave_init() - handler for %SGX_IOC_ENCLAVE_INIT
* @encl: an enclave pointer
@@ -621,7 +619,16 @@ static long sgx_ioc_enclave_init(struct sgx_encl *encl, void __user *arg)

sigstruct = kmap(initp_page);
token = (void *)((unsigned long)sigstruct + PAGE_SIZE / 2);
- memset(token, 0, SGX_LAUNCH_TOKEN_SIZE);
+ if (!init_arg.token)
+ memset(token, 0, SGX_LAUNCH_TOKEN_SIZE);
+ else {
+ if (copy_from_user((uint8_t *) token,
+ (void __user *) init_arg.token,
+ SGX_LAUNCH_TOKEN_SIZE)) {
+ ret = -EFAULT;
+ goto out;
+ }
+ }

if (copy_from_user(sigstruct, (void __user *)init_arg.sigstruct,
sizeof(*sigstruct))) {
diff --git a/arch/x86/kernel/cpu/sgx/policy.c b/arch/x86/kernel/cpu/sgx/policy.c
new file mode 100644
index 000000000000..e51440759192
--- /dev/null
+++ b/arch/x86/kernel/cpu/sgx/policy.c
@@ -0,0 +1,569 @@
+// SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
+// Copyright(c) Enjellic Systems Development, LLC
+
+#define KEY_SIZE 32
+
+#include <linux/types.h>
+#include <linux/seq_file.h>
+#include <linux/atomic.h>
+#include <linux/security.h>
+#include "driver.h"
+#include "encl.h"
+
+static struct dentry *sgx_fs;
+
+struct list_key {
+ struct list_head list;
+ u64 key[KEY_SIZE / 8];
+};
+
+struct list_key_iterator {
+ char *type;
+ atomic_t *opencount;
+ unsigned int *count;
+ struct mutex *lock;
+ struct list_head *list;
+ bool *lockfile;
+};
+
+static struct dentry *launch_keys;
+static atomic_t launch_keys_opencount = ATOMIC_INIT(1);
+static unsigned int launch_keys_count;
+static bool launch_keys_locked;
+static DEFINE_MUTEX(launch_key_list_mutex);
+static LIST_HEAD(launch_key_list);
+
+static struct dentry *provision_keys;
+static atomic_t provision_keys_opencount = ATOMIC_INIT(1);
+static unsigned int provision_keys_count;
+static bool provision_keys_locked;
+static DEFINE_MUTEX(provision_key_list_mutex);
+static LIST_HEAD(provision_key_list);
+
+static struct dentry *signing_keys;
+static atomic_t signing_keys_opencount = ATOMIC_INIT(1);
+static unsigned int signing_keys_count;
+static bool signing_keys_locked;
+static DEFINE_MUTEX(signing_key_list_mutex);
+static LIST_HEAD(signing_key_list);
+
+static struct dentry *dynamic_keys;
+static atomic_t dynamic_keys_opencount = ATOMIC_INIT(1);
+static unsigned int dynamic_keys_count;
+static bool dynamic_keys_locked;
+static DEFINE_MUTEX(dynamic_key_list_mutex);
+static LIST_HEAD(dynamic_key_list);
+
+/**
+ * have_signer - Verify the presence of a key signer.
+ *
+ * @signature: Pointer to signature of signer.
+ *
+ * Return:
+ * 0 Signer signature was not found.
+ * 1 Signer signature was found.
+ */
+static bool have_signer(struct list_head *keylist, struct mutex *lock,
+ uint8_t *signature)
+{
+ bool retn = false;
+ struct list_key *kp;
+
+ mutex_lock(lock);
+ list_for_each_entry(kp, keylist, list) {
+ pr_debug("%s: Checking signer=%*phN, ks=%*phN\n", __func__,
+ KEY_SIZE, signature, KEY_SIZE, kp->key);
+ if (memcmp(kp->key, signature, KEY_SIZE) == 0) {
+ retn = true;
+ goto done;
+ }
+ }
+
+ done:
+ mutex_unlock(lock);
+ return retn;
+}
+
+static int process_write_key(const char __user *buf, size_t datalen,
+ unsigned int *keycnt, struct mutex *lock,
+ struct list_head *keylist)
+{
+ ssize_t retn;
+
+ char *p, keybufr[KEY_SIZE*2 + 1], key[KEY_SIZE];
+
+ struct list_key *kp;
+
+ if (datalen != sizeof(keybufr)) {
+ retn = -EINVAL;
+ goto done;
+ }
+
+ memset(keybufr, '\0', sizeof(keybufr));
+ if (copy_from_user(keybufr, buf, datalen)) {
+ retn = -EFAULT;
+ goto done;
+ }
+
+ p = strchr(keybufr, '\n');
+ if (!p) {
+ retn = -EINVAL;
+ goto done;
+ }
+ *p = '\0';
+ if (hex2bin(key, keybufr, sizeof(key))) {
+ retn = -EINVAL;
+ goto done;
+ }
+
+ kp = kzalloc(sizeof(*kp), GFP_KERNEL);
+ if (!kp) {
+ retn = -ENOMEM;
+ goto done;
+ }
+ memcpy(kp->key, key, sizeof(kp->key));
+
+ mutex_lock(lock);
+ list_add_tail(&kp->list, keylist);
+ ++*keycnt;
+ mutex_unlock(lock);
+
+ retn = datalen;
+ pr_debug("%s: Added key: %*phN\n", __func__, KEY_SIZE, key);
+
+ done:
+ return retn;
+}
+
+static int process_lock(const char __user *buf, size_t datalen, bool *lockfile)
+{
+ char bufr[5];
+
+ if (datalen != strlen("lock") + 1)
+ return 0;
+
+ memset(bufr, '\0', sizeof(bufr));
+ if (copy_from_user(bufr, buf, datalen-1))
+ return -EFAULT;
+ if (strcmp(bufr, "lock") != 0)
+ return 0;
+
+ *lockfile = true;
+ return datalen;
+}
+
+static int process_clear(const char __user *buf, size_t datalen, char *type,
+ unsigned int *keycnt, struct mutex *lock,
+ struct list_head *keylist)
+{
+ char bufr[6];
+ struct list_key *kp, *kp_tmp;
+
+ if (datalen != strlen("clear") + 1)
+ return 0;
+
+ memset(bufr, '\0', sizeof(bufr));
+ if (copy_from_user(bufr, buf, datalen-1))
+ return -EFAULT;
+ if (strcmp(bufr, "clear") != 0)
+ return 0;
+
+ mutex_lock(lock);
+ list_for_each_entry_safe(kp, kp_tmp, keylist, list) {
+ pr_debug("[%s]: Freeing signature: %*phN\n", __FILE__,
+ KEY_SIZE, kp->key);
+ list_del(&kp->list);
+ kfree(kp);
+ }
+ *keycnt = 0;
+ mutex_unlock(lock);
+
+ pr_info("Cleared %s signatures.\n", type);
+ return datalen;
+}
+
+static void *key_start(struct seq_file *c, loff_t *pos)
+{
+ struct list_key_iterator *ki = (struct list_key_iterator *) c->private;
+
+ if (*pos >= *ki->count)
+ return NULL;
+
+ mutex_lock(ki->lock);
+ return seq_list_start(ki->list, *pos);
+}
+
+static void *key_next(struct seq_file *c, void *p, loff_t *pos)
+{
+ struct list_key_iterator *ki = (struct list_key_iterator *) c->private;
+
+ return seq_list_next(p, ki->list, pos);
+}
+
+static void key_stop(struct seq_file *c, void *p)
+{
+ struct list_key_iterator *ki = (struct list_key_iterator *) c->private;
+
+ mutex_unlock(ki->lock);
+}
+
+static int key_show(struct seq_file *c, void *key)
+{
+ struct list_key *kp;
+
+ kp = list_entry(key, struct list_key, list);
+ seq_printf(c, "%*phN\n", KEY_SIZE, kp->key);
+ return 0;
+}
+
+static const struct seq_operations keys_seqops = {
+ .start = key_start,
+ .next = key_next,
+ .stop = key_stop,
+ .show = key_show
+};
+
+static ssize_t write_keys(struct file *file, const char __user *buf,
+ size_t datalen, loff_t *ppos)
+{
+ struct seq_file *s = file->private_data;
+ struct list_key_iterator *ki = (struct list_key_iterator *) s->private;
+ ssize_t retn;
+
+ if (*ppos != 0)
+ return -EINVAL;
+
+ retn = process_lock(buf, datalen, ki->lockfile);
+ if (retn != 0)
+ return retn;
+
+ retn = process_clear(buf, datalen, ki->type, ki->count, ki->lock,
+ ki->list);
+ if (retn != 0)
+ return retn;
+
+ retn = process_write_key(buf, datalen, ki->count, ki->lock, ki->list);
+ return retn;
+}
+
+static int release_keys(struct inode *inode, struct file *file)
+{
+ struct seq_file *s = file->private_data;
+ struct list_key_iterator *ki = (struct list_key_iterator *) s->private;
+
+ atomic_set(ki->opencount, 1);
+ seq_release_private(inode, file);
+ return 0;
+}
+
+static int open_launch_keys(struct inode *inode, struct file *filp)
+{
+ struct list_key_iterator *ki;
+
+ if (launch_keys_locked)
+ return -EACCES;
+
+ if (!atomic_dec_and_test(&launch_keys_opencount))
+ return -EBUSY;
+
+ ki = __seq_open_private(filp, &keys_seqops, sizeof(*ki));
+ if (!ki)
+ return -ENOMEM;
+
+ ki->type = "launch control";
+ ki->opencount = &launch_keys_opencount;
+ ki->count = &launch_keys_count;
+ ki->lock = &launch_key_list_mutex;
+ ki->list = &launch_key_list;
+ ki->lockfile = &launch_keys_locked;
+
+ return 0;
+}
+
+static const struct file_operations launch_keys_ops = {
+ .open = open_launch_keys,
+ .write = write_keys,
+ .release = release_keys,
+ .read = seq_read,
+ .llseek = seq_lseek,
+};
+
+/* Provisioning control. */
+
+static int open_provision_keys(struct inode *inode, struct file *filp)
+{
+ struct list_key_iterator *ki;
+
+ if (provision_keys_locked)
+ return -EACCES;
+
+ if (!atomic_dec_and_test(&provision_keys_opencount))
+ return -EBUSY;
+
+ ki = __seq_open_private(filp, &keys_seqops, sizeof(*ki));
+ if (!ki)
+ return -ENOMEM;
+
+ ki->type = "provisioning control";
+ ki->opencount = &provision_keys_opencount;
+ ki->count = &provision_keys_count;
+ ki->lock = &provision_key_list_mutex;
+ ki->list = &provision_key_list;
+
+ return 0;
+}
+
+static const struct file_operations provision_keys_ops = {
+ .open = open_provision_keys,
+ .write = write_keys,
+ .release = release_keys,
+ .read = seq_read,
+ .llseek = seq_lseek,
+};
+
+/* Signing control. */
+
+static int open_signing_keys(struct inode *inode, struct file *filp)
+{
+ struct list_key_iterator *ki;
+
+ if (signing_keys_locked)
+ return -EACCES;
+
+ if (!atomic_dec_and_test(&signing_keys_opencount))
+ return -EBUSY;
+
+ ki = __seq_open_private(filp, &keys_seqops, sizeof(*ki));
+ if (!ki)
+ return -ENOMEM;
+
+ ki->type = "signing control";
+ ki->opencount = &signing_keys_opencount;
+ ki->count = &signing_keys_count;
+ ki->lock = &signing_key_list_mutex;
+ ki->list = &signing_key_list;
+
+ return 0;
+}
+
+static const struct file_operations signing_keys_ops = {
+ .open = open_signing_keys,
+ .write = write_keys,
+ .release = release_keys,
+ .read = seq_read,
+ .llseek = seq_lseek,
+};
+
+/* Dynamic memory control. */
+
+static int open_dynamic_keys(struct inode *inode, struct file *filp)
+{
+ struct list_key_iterator *ki;
+
+ if (dynamic_keys_locked)
+ return -EACCES;
+
+ if (!atomic_dec_and_test(&dynamic_keys_opencount))
+ return -EBUSY;
+
+ ki = __seq_open_private(filp, &keys_seqops, sizeof(*ki));
+ if (!ki)
+ return -ENOMEM;
+
+ ki->type = "dynamic control";
+ ki->opencount = &dynamic_keys_opencount;
+ ki->count = &dynamic_keys_count;
+ ki->lock = &dynamic_key_list_mutex;
+ ki->list = &dynamic_key_list;
+ ki->lockfile = &dynamic_keys_locked;
+
+ return 0;
+}
+
+static const struct file_operations dynamic_keys_ops = {
+ .open = open_dynamic_keys,
+ .write = write_keys,
+ .release = release_keys,
+ .read = seq_read,
+ .llseek = seq_lseek,
+};
+
+static int __sgx_get_key_hash(struct crypto_shash *tfm, const void *modulus,
+ void *hash)
+{
+ SHASH_DESC_ON_STACK(shash, tfm);
+
+ shash->tfm = tfm;
+
+ return crypto_shash_digest(shash, modulus, SGX_MODULUS_SIZE, hash);
+}
+
+static int sgx_get_key_hash(const void *modulus, void *hash)
+{
+ struct crypto_shash *tfm;
+ int ret;
+
+ tfm = crypto_alloc_shash("sha256", 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(tfm))
+ return PTR_ERR(tfm);
+
+ ret = __sgx_get_key_hash(tfm, modulus, hash);
+
+ crypto_free_shash(tfm);
+ return ret;
+}
+
+/**
+ * sgx_policy_get_params
+ *
+ * This function sets the cryptographically configured initialization
+ * policy parameters. These include the identity modulus signature to
+ * be used as well as the configuration of the allowed enclave
+ * attributes.
+ *
+ * Return:
+ * 0 on success.
+ * -errno otherwise
+ */
+
+int sgx_policy_get_params(struct sgx_encl *encl, void *modulus, u64 *signer,
+ int *signcnt)
+{
+ int retn = -EINVAL;
+ uint8_t mrsigner[KEY_SIZE];
+ struct list_key *kp;
+
+ retn = sgx_get_key_hash(modulus, mrsigner);
+ if (retn)
+ goto no_signer;
+
+ if (provision_keys_count > 0 &&
+ have_signer(&provision_key_list, &provision_key_list_mutex,
+ mrsigner))
+ encl->attributes_mask |= SGX_ATTR_PROVISIONKEY;
+
+ if (dynamic_keys_count > 0 &&
+ have_signer(&dynamic_key_list, &dynamic_key_list_mutex, mrsigner))
+ encl->dynamic = 1;
+
+ if (signing_keys_count == 0 && launch_keys_count == 0)
+ goto have_signer;
+
+ if (signing_keys_count > 0 &&
+ have_signer(&signing_key_list, &signing_key_list_mutex,
+ mrsigner))
+ goto have_signer;
+
+ if (launch_keys_count == 0)
+ goto no_signer;
+
+ if (encl->attributes & SGX_ATTR_EINITTOKENKEY) {
+ if (have_signer(&launch_key_list, &launch_key_list_mutex,
+ mrsigner)) {
+ encl->attributes_mask |= SGX_ATTR_EINITTOKENKEY;
+ goto have_signer;
+ } else
+ goto no_signer;
+ }
+
+ *signcnt = launch_keys_count;
+ kp = list_first_entry(&launch_key_list, struct list_key, list);
+ memcpy(mrsigner, kp->key, KEY_SIZE);
+
+ have_signer:
+ memcpy(signer, mrsigner, KEY_SIZE);
+ pr_debug("%s: Using signer: %*phN\n", __func__, KEY_SIZE, signer);
+ return 0;
+ no_signer:
+ memset(signer, '\0', KEY_SIZE);
+ return retn;
+}
+
+/**
+ * sgx_policy_get_launch_signer - Iterate through list of enclave signers.
+ *
+ * @signer: The last returned enclave signer.
+ *
+ * This function iterates through the list of enclave signers from the
+ * last signature. Calling the function with a NULL value
+ * resets the iteration to the beginning of the list.
+ *
+ * Return:
+ * NULL indicates end of list
+ * non-NULL the next enclave signature on the list.
+ */
+
+u64 *sgx_policy_get_signer(u64 *signer)
+{
+ bool seeking = false;
+ u64 *retn = NULL;
+ struct list_key *kp;
+
+ if (!signer) {
+ kp = list_first_entry(&launch_key_list, struct list_key, list);
+ return kp->key;
+ }
+ kp = list_last_entry(&launch_key_list, struct list_key, list);
+ if (memcmp(kp->key, signer, sizeof(kp->key)) == 0)
+ return NULL;
+
+ mutex_lock(&launch_key_list_mutex);
+ list_for_each_entry(kp, &launch_key_list, list) {
+ if (seeking) {
+ retn = kp->key;
+ goto done;
+ }
+ pr_debug("%s: Skipping: %*phN\n", __func__, KEY_SIZE, kp->key);
+ if (memcmp(kp->key, signer, KEY_SIZE) == 0)
+ seeking = true;
+ }
+
+ done:
+ mutex_unlock(&launch_key_list_mutex);
+ return retn;
+}
+
+int __init sgx_policy_fs_init(void)
+{
+ int retn = -1;
+
+ sgx_fs = securityfs_create_dir("sgx", NULL);
+ if (IS_ERR(sgx_fs)) {
+ retn = PTR_ERR(sgx_fs);
+ goto err;
+ }
+
+ launch_keys = securityfs_create_file("launch_keys", 0600, sgx_fs,
+ NULL, &launch_keys_ops);
+ if (IS_ERR(launch_keys)) {
+ retn = PTR_ERR(launch_keys);
+ goto err;
+ }
+
+ provision_keys = securityfs_create_file("provisioning_keys", 0600,
+ sgx_fs, NULL,
+ &provision_keys_ops);
+ if (IS_ERR(provision_keys)) {
+ retn = PTR_ERR(provision_keys);
+ goto err;
+ }
+
+ signing_keys = securityfs_create_file("signing_keys", 0600, sgx_fs,
+ NULL, &signing_keys_ops);
+ if (IS_ERR(signing_keys)) {
+ retn = PTR_ERR(signing_keys);
+ goto err;
+ }
+
+ dynamic_keys = securityfs_create_file("dynamic_keys", 0600, sgx_fs,
+ NULL, &dynamic_keys_ops);
+ if (IS_ERR(dynamic_keys)) {
+ retn = PTR_ERR(dynamic_keys);
+ goto err;
+ }
+
+ return 0;
+
+ err:
+ return retn;
+}
--
2.19.2

---------------------------------------------------------------------------

As always,
Dr. Greg Wettstein, Ph.D, Worker Autonomously self-defensive
Enjellic Systems Development, LLC IOT platforms and edge devices.
4206 N. 19th Ave.
Fargo, ND 58102
PH: 701-281-1686 EMAIL: [email protected]
------------------------------------------------------------------------------
"If we thought this was a trap, we wouldn't be doing it, and as you know,
we have a lot of lawyers."
-- Irving Wladawsky-Berger

2020-11-21 16:27:48

by Dave Hansen

[permalink] [raw]
Subject: Re: [PATCH v40 00/24] Intel SGX foundations

On 11/21/20 7:12 AM, Dr. Greg wrote:
>> Important Kernel Touch Points
>> =============================
>>
>> This implementation is picky and will decline to work on hardware which
>> is locked to Intel's root of trust.
> Given that this driver is no longer locked to the Intel trust root, by
> virtue of being restricted to run only on platforms which support
> Flexible Launch Control, there is no longer any legitimate technical
> reason to not expose all of the functionality of the hardware.

I honestly can't understand what the point of this is, and I mean that
on multiple levels.

First of all, there's not a coherent description of the problem you're
solving with ~700 lines of code and the treatise you wrote here instead
of a changelog.

Second, is the point here to distract folks from testing the branch in
the tip tree? Or, is it to show appreciation to maintainers by giving
them more of the thing they love: code to review?

2020-11-21 18:39:32

by Andy Lutomirski

[permalink] [raw]
Subject: Re: [PATCH v40 00/24] Intel SGX foundations

Dr. Greg, I know you like sending these emails, but they're not really
helpful for Linux kernel development. Please see below.

On Sat, Nov 21, 2020 at 7:13 AM Dr. Greg <[email protected]> wrote:
>
> On Wed, Nov 04, 2020 at 04:54:06PM +0200, Jarkko Sakkinen wrote:
>
> Good morning, I hope the weekend is going well for everyone.
>
> > Important Kernel Touch Points
> > =============================
> >
> > This implementation is picky and will decline to work on hardware which
> > is locked to Intel's root of trust.
>
> Given that this driver is no longer locked to the Intel trust root, by
> virtue of being restricted to run only on platforms which support
> Flexible Launch Control, there is no longer any legitimate technical
> reason to not expose all of the functionality of the hardware.

I read this three times, and I can't tell what functionality you're
referring to.

>
> The patch that I am including below implements signature based policy
> controls for enclave initialization. It does so in a manner that is
> completely transparent to the default behavior of the driver, which is
> to initialize any enclave passed to it with the exception of enclaves
> that set the PROVISION_KEY attribute bit.

It's completely unreviewable. It's an ABI patch, and it does not
document what it does, nor does it document why it does it. It's just
a bunch of code. NAK.

To be crystal clear, I will not review, and I will NAK outright, any
patches of this sort, until ALL of the following conditions are met:

a) Either a functioning SGX driver lands in a -rc kernel or there is
an excellent justification for why a change of this sort is needed
prior to a release. Dr. Greg, you seem to be interested in SGX
actually landing upstream, but these patches are just causing delays.
Please stop.

b) The patch needs to explain what problem it solves and why it is a
good solution to that problem.

c) The patch needs to explain, either in a changelog or in a text file
in the patch, *exactly* what it does. Imagine MSDN-like documentation
in the good old days. The documentation needs to be sufficiently
clear that a userspace programmer could use your mechanism without
reference to your implementation and that a kernel programmer could,
in principle, re-implement your code from the description.

Unless all three of these are met, your patch is going nowhere, and I
think no one should waste their time trying to read it.

>
> Secondary to the discussions that have been ongoing regarding the
> restriction of mmap/mprotect, this patch has been extended to
> implement signature based controls on dynamic enclaves. The default
> behavior of the driver under this patch is to reject mmap/mprotect on
> initialized enclaves, unless the platform owner has elected to allow
> the enclave signer the option to implement 'dynamic' enclaves,
> ie. enclaves that are allowed to modify their page permissions after
> initialization.

You have sent this change repeatedly, and now for some reason you're
sending it mixed in with unrelated changes. Please stop. At no point
have you explained why this approach is better than anything else. It
has the obnoxious side effect that you can't usefully SCM_RIGHTS an
enclave to a different process with your patch applied, which is at
least a minor disadvantage. You have not explained any advantage to
your patch at all.

Dr Greg, before you hit send on further emails about SGX, could you
kindly try to imagine you're a kernel maintainer, read your own email,
and consider whether how to make it add something useful to the
discussion?

Thanks,
Andy

2020-11-24 17:54:02

by Andy Lutomirski

[permalink] [raw]
Subject: Re: [PATCH v40 00/24] Intel SGX foundations

On Tue, Nov 24, 2020 at 2:56 AM Dr. Greg <[email protected]> wrote:
>
> On Sat, Nov 21, 2020 at 08:25:23AM -0800, Dave Hansen wrote:
>

> You will get a fully 'git am' compliant patch, including a changelog.
>
> The changelog was written in a parlance consistent with someone who
> would have a basic understanding of the technology under review. If
> this entire review and vetting process is being done absent that kind
> of understanding, then the case can be made that the kernel
> development process has larger issues on its hands.

No, it wasn't.

I have a fairly good understanding of SGX, and I told you quite
explicitly what was wrong with your changelog. Understanding the
sentences you wrote and having the background is not at all the same
thing as extracting meaning from your writing. Your patch conveyed no
information. This email you just sent also conveys no information.



>
> Lets be honest though, that is not the case here, we have been talking
> about this issue for over a year, everyone involved with this
> technology knows what the problem is.
>
> Since LKML is copied, the basic issue is as follows:
>
> 1.) SGX as a technology is designed to execute code and operate on
> data in a manner that is confidential to inspection and impervious to
> modification and control by the kernel.
>
> 2.) The mindset of the driver developers is that the kernel should be
> the ultimate authority on what SGX is allowed to do.
>
> The two world views are inherently and technically incompatible and
> lead to a potential security dilemma for the kernel. We simply
> advocate for an additional level of cryptographic security that
> supplements, not replaces, kernel controls to address this issue.

No, they are not.

The kernel can and will enforce policy on what SGX may do. Your own
NAKked patch, in fact, does exactly this. At the same time, SGX
provides security to the contents of enclaves. These are not mutually
exclusive.


> Our patch has two external functions of around 30 lines (~1 screen)
> each that impact the driver. The bulk of the 700 lines, all in one
> file, is boilerplate code, largely replicated for each instance,
> needed to read/write sysfs files and maintain four, nearly identical,
> linked lists. If this is an insurmountable review burden then the
> kernel development process has larger problems on its hands.

Frankly, the largest problem in the kernel development process with
regards to SGX is the distraction created by your emails. Please just
stop.

If you have something useful to say, distill it down to the smallest
amount of text that actually says what you're trying to say. And
don't forget the part about "something useful to say". If you do not
have something useful to say, please don't say it.

2020-11-24 18:43:36

by Dr. Greg

[permalink] [raw]
Subject: Re: [PATCH v40 00/24] Intel SGX foundations

On Sat, Nov 21, 2020 at 10:36:58AM -0800, Andy Lutomirski wrote:

Good morning to everyone.

> Dr. Greg, I know you like sending these emails, but they're not
> really helpful for Linux kernel development. Please see below.

I don't necessarily enjoy sending these e-mails and they take time
away from a major initiative that I'm taking on, which is why I wanted
to close all of this out.

Since we are establishing the last correspondence on these issues, I
just wanted to establish some final clarifications for everyone
reading along at home.

Andy, I've always publically recognized you as a gifted kernel
developer, but for the record, have you a-priori architected or
written either an SGX application stack or a trusted/untrusted runtime
stack that exceeded 65 KLOC in size?

I've done both, in the case of native SGX application stacks, multiple
times. Including the first enclave<->enclave remote attestation and
communications framework that bypassed the need for an Attestation
Service Provider.

Intel SGX developer licensing requires that you provide application
recipients with a full and complete runtime along with the signed
application. Our developer license allowed us to substitute our
runtime for Intel's.

I also spent 4+ years of back and forth with Washington, DC working to
establish the importance of this technology for the DOD, DHS and
various other groups that were interested in our national
cybersecurity posture. Including demonstrations of the technology in
Faraday shielded rooms.

That doesn't make me an expert in kernel programming but it did make
me feel obligated to ask what I believe are legitimate technical
questions regarding the design and evolution of this driver.

> On Sat, Nov 21, 2020 at 7:13 AM Dr. Greg <[email protected]> wrote:
> >
> > On Wed, Nov 04, 2020 at 04:54:06PM +0200, Jarkko Sakkinen wrote:
> >
> > Good morning, I hope the weekend is going well for everyone.
> >
> > > Important Kernel Touch Points
> > > =============================
> > >
> > > This implementation is picky and will decline to work on hardware which
> > > is locked to Intel's root of trust.
> >
> > Given that this driver is no longer locked to the Intel trust root, by
> > virtue of being restricted to run only on platforms which support
> > Flexible Launch Control, there is no longer any legitimate technical
> > reason to not expose all of the functionality of the hardware.

> I read this three times, and I can't tell what functionality you're
> referring to.

Yes you do, as I mentioned to Dave in my last e-mail, we have been
disagreeing about this for a year.

You were at some kind of seminar where SGX was discussed. Based on
that you developed a 'manifesto' regarding how Linux should implement
the technology. That manifesto indicated there would be no place for
cryptographic policy control on enclaves.

A well taken and considered point on a locked launch control platform
but completely irrelevant for this driver, that only operates on
Flexible Launch Control platforms. By demanding compliance with only
that vision you deny platform owners a final measure of defense
against anonymous code execution.

> > The patch that I am including below implements signature based policy
> > controls for enclave initialization. It does so in a manner that is
> > completely transparent to the default behavior of the driver, which is
> > to initialize any enclave passed to it with the exception of enclaves
> > that set the PROVISION_KEY attribute bit.

> It's completely unreviewable. It's an ABI patch, and it does not
> document what it does, nor does it document why it does it. It's
> just a bunch of code. NAK.

You can certainly NAK-away Andy[0]. I've had sufficent private
feedback from reasoned and informed individuals that I've made my
point that this isn't about technical considerations.

Here is the link, again, to the patch in 'git am' compliant format.

ftp://ftp.enjellic.com/pub/sgx/kernel/SFLC-v41.patch

I've been watching Linux patches go by for close to 30 years. If this
is completely unreviewable garbage, legitimate concerns can be raised
about what is getting pushed into the kernel.

> To be crystal clear, I will not review, and I will NAK outright, any
> patches of this sort, until ALL of the following conditions are met:
>
> a) Either a functioning SGX driver lands in a -rc kernel or there is
> an excellent justification for why a change of this sort is needed
> prior to a release. Dr. Greg, you seem to be interested in SGX
> actually landing upstream, but these patches are just causing delays.
> Please stop.

For the record I am stopping, I've said everything that I can say and
the debate is not intellectually honest from a technical perspective,
continuing forward would be a waste of my time and that of others.

Everything is now publically documented for the decision makers.

As to delaying the driver. I was told a year ago that any
consideration of these security issues would hopelessly delay the
driver. I was told six months ago, when I refreshed the patch against
the new driver design, that the release of the driver was imminent and
thus the issue couldn't be addressed. Three months ago I was
admonished for my apparent attempt to delay the driver.

It is now a year later and we are patching grammar and noun
possessiveness issues in the driver, so I don't think it is
intellectually honest to suggest I've delayed the driver, more on that
below.

> b) The patch needs to explain what problem it solves and why it is a
> good solution to that problem.

For the official record let me see if I can frame why I think we have
not been intellectually honest with respect to this driver nor my
suggested delay of it.

1.) SGX/TEE's are designed to be secure to an adversarial operating
system or application space, ie. an IAGO threat model. Major players
financing Linux development believe there is a commercial opportunity
available in this capability.

2.) One year ago you indicated that the then current driver
implementation was deficient, since it allowed executable code from
anonymous memory, ie. executable code that was not surveilled by the
LSM.

3.) At that time I pointed out that this makes little difference since
the technology was perfectly capable of dynamically loading any
executable code or data that it wanted to, using integrity and
confidentiality protections that would prevent any inspection or
control by the operating system, see point 1.

4.) This only leaves reputational or identity based security as a
final and ultimate check as to who can execute code on a platform.
Our patch provides that without requiring it.

You and Dave have both indicated, in response to my concerns, that
there is minimal threat to enclave based code. If that is the case we
have needlessly delayed the driver for a year engineering a solution
to what is a non-existent threat.

> c) The patch needs to explain, either in a changelog or in a text
> file in the patch, *exactly* what it does. Imagine MSDN-like
> documentation in the good old days. The documentation needs to be
> sufficiently clear that a userspace programmer could use your
> mechanism without reference to your implementation and that a kernel
> programmer could, in principle, re-implement your code from the
> description.

I will let the patch speak for itself, if I honestly believed that
writing a monograph on the design would make any difference I would,
but I think we can all agree that is not the case.

For the record, this is infrastructure for a system administrator, a
userspace programmer would have no involvement in it whatsoever.

As I indicated in my mail to Dave, the changelog was designed for
someone who has a working knowledge of SGX and basic kernel
fundamentals such as linked lists and readable/writable /sysfs files.

> Unless all three of these are met, your patch is going nowhere, and
> I think no one should waste their time trying to read it.

It is fine if it doesn't go anywhere, I've made my point, my intention
in all of this was to provide what I believed to be an informed
viewpoint on relevant technical issues.

> > Secondary to the discussions that have been ongoing regarding the
> > restriction of mmap/mprotect, this patch has been extended to
> > implement signature based controls on dynamic enclaves. The default
> > behavior of the driver under this patch is to reject mmap/mprotect on
> > initialized enclaves, unless the platform owner has elected to allow
> > the enclave signer the option to implement 'dynamic' enclaves,
> > ie. enclaves that are allowed to modify their page permissions after
> > initialization.

> You have sent this change repeatedly, and now for some reason you're
> sending it mixed in with unrelated changes. Please stop. At no
> point have you explained why this approach is better than anything
> else.

In the discussion surrounding the mmap/mprotect based introspection of
page permissions implemented by the SGX driver, you indicated that we
should 'pretend' that some potential security model could be built on
top of the EPCM page permission walking infrastructure. I believe we
do significantly better than that.

There are currently no controls over dynamic enclave behavior. Given
that our patch implements a generic policy control framework we could
implement this naturally and with little cost or complexity.

For the LKML record, absent our patch the driver has an open security
issue with respect to anonymous code execution that should be
addressed, if that issue is indeed of any concern.

In the vm_ops->mprotect thread, Haitao Huang elegantly described how
this can be achieved, even without EDMM instructions, in a manner that
would never allow the LSM to see WX permissions on a page. In fact
the current page permission introspection infrastructure enables that
behavior.

> It has the obnoxious side effect that you can't usefully
> SCM_RIGHTS an enclave to a different process with your patch
> applied, which is at least a minor disadvantage. You have not
> explained any advantage to your patch at all.

I guess I don't understand the SCM_RIGHTS issue. The policy controls
are implemented after the ioctl resolves the enclave control structure
from the file descriptor and just prior to enclave initialization. It
isn't clear how this would affect or inhibit a process that has
possession of the file descriptor.

The only thing that I can think of is that you disagree with the
optional capability of blocking the enclave from implementing
anonymously executable memory. Absent that ability there is the
security issue that has now been extensively discussed.

The current EPCM page permission walking code only enforces the wishes
of the enclave signer not the platform owner. As I've noted multiple
times, the SGX hardware itself is perfectly capable of enforcing those
wishes. The security threat comes from the enclave conspiring with
the untrusted component of the application, the current code only
endorses what the enclave wants to do, not necessarily the wishes of
the platform owner.

Beyond that it is unclear where the issue of SCM_RIGHTS comes from. I
know for certain our runtime doesn't use the concept nor does
Intel's. The only reference that GOOGLE has is of you saying it would
be nice to have if the system administrator wanted to enforce
restrictions on what can be executed inside of an enclave and then
give the enclave to another process.

As has been discussed, this is largely irrelevant as the new process
owner of the enclave handle (fd) can choose to load whatever code they
are interested in without any inspection or controls.

In fact, this is an often stated desire of the SGX user community in
order to protect their algorithms in a cloud environment.

> Dr Greg, before you hit send on further emails about SGX, could you
> kindly try to imagine you're a kernel maintainer, read your own
> email, and consider whether how to make it add something useful to
> the discussion?

You can breath a sign of relief as I won't be hitting send anymore.

> Thanks,
> Andy

Have a good day.

Dr. Greg

[0]: If you have the facts on your side pound on the facts, if you have
the law on your side pound on the law, if you have neither pound
on the table.

As always,
Dr. Greg Wettstein, Ph.D, Worker Autonomously self-defensive
Enjellic Systems Development, LLC IOT platforms and edge devices.
4206 N. 19th Ave.
Fargo, ND 58102
PH: 701-281-1686 EMAIL: [email protected]
------------------------------------------------------------------------------
"There is no safe haven from irresponsible leadership."
-- Lou Dobbs

2020-11-25 00:02:04

by Andy Lutomirski

[permalink] [raw]
Subject: Re: [PATCH v40 00/24] Intel SGX foundations

On Tue, Nov 24, 2020 at 10:40 AM Dr. Greg <[email protected]> wrote:
>
> On Sat, Nov 21, 2020 at 10:36:58AM -0800, Andy Lutomirski wrote:
>

> Intel SGX developer licensing requires that you provide application
> recipients with a full and complete runtime along with the signed
> application. Our developer license allowed us to substitute our
> runtime for Intel's.

Upstream Linux wants nothing to do with Intel's developer licensing.

> > > Given that this driver is no longer locked to the Intel trust root, by
> > > virtue of being restricted to run only on platforms which support
> > > Flexible Launch Control, there is no longer any legitimate technical
> > > reason to not expose all of the functionality of the hardware.
>
> > I read this three times, and I can't tell what functionality you're
> > referring to.
>
> Yes you do, as I mentioned to Dave in my last e-mail, we have been
> disagreeing about this for a year.

No, I don't. It's entirely possible that I'm aware of the
functionality you're referring to, but that doesn't mean that your
description quoted above is sufficient for me to have the slightest
idea which functionality you mean right here.

>
> You were at some kind of seminar where SGX was discussed. Based on
> that you developed a 'manifesto' regarding how Linux should implement
> the technology. That manifesto indicated there would be no place for
> cryptographic policy control on enclaves.

That's not what I said. Paraphrasing myself, I said that there is no
place for a driver in upstream Linux that allows only Intel-approved
code to run. That is not at all the same thing as saying we won't
support cryptographic policy in a way that allows the platform owner
an appropriate degree of control.

Actually supporting launch control (the EINIT-enforced kind) in
upstream Linux will be tricky but is surely possible. It would
probably help if Intel or firmware vendors had some clear
specification of exactly how they intend for platform owners to select
an SGXLEPUBKEYHASH value. (A nice spec in which an authenticated UEFI
variable contained the desired SGXLEPUBKEYHASH and lock state might be
an excellent start.) Supporting this in upstream Linux will also
require decoupling the user code that creates an enclave from the user
code that invokes the LE. Jarkko already wrote some code for this,
and it could be revived. If this ends up being inconsistent with
Intel's licensing requirements, then Intel can change their licensing
requirements or people can just ignore Intel and use a different
signing key.

Frankly, using Intel's signing key in SGXLEPUBKEYHASH offers a dubious
degree of protection in the first place -- it assumes that Intel will
never approve a malware enclave, and it also assumes that the lack of
functioning EINITTOKEN revocation won't break the whole scheme.

>
> A well taken and considered point on a locked launch control platform
> but completely irrelevant for this driver, that only operates on
> Flexible Launch Control platforms. By demanding compliance with only
> that vision you deny platform owners a final measure of defense
> against anonymous code execution.

I am denying Intel the chance to impose their licensing requirements.
The fact that Intel chose to poison the well with their licensing
system and that, as a result, Linux won't support the Intel model of
launch control to protect platform owners is an unfortunate side
effect.

>
> > > The patch that I am including below implements signature based policy
> > > controls for enclave initialization. It does so in a manner that is
> > > completely transparent to the default behavior of the driver, which is
> > > to initialize any enclave passed to it with the exception of enclaves
> > > that set the PROVISION_KEY attribute bit.
>
> > It's completely unreviewable. It's an ABI patch, and it does not
> > document what it does, nor does it document why it does it. It's
> > just a bunch of code. NAK.
>
> You can certainly NAK-away Andy[0]. I've had sufficent private
> feedback from reasoned and informed individuals that I've made my
> point that this isn't about technical considerations.

Depends on what you mean by "technical". In the submitting-patches
guide (https://www.kernel.org/doc/html/v5.9/process/submitting-patches.html),
you will find instructions to "describe your changes" and "separate
your changes". If you can produce a reasonably, reviewable submission
of your code, I will review it. But I am not going to dig through
your diff to try to find the hidden technical merit.

>
> Here is the link, again, to the patch in 'git am' compliant format.
>
> ftp://ftp.enjellic.com/pub/sgx/kernel/SFLC-v41.patch
>
> I've been watching Linux patches go by for close to 30 years. If this
> is completely unreviewable garbage, legitimate concerns can be raised
> about what is getting pushed into the kernel.

The kernel review process is by no means perfect. That does not mean
that you get to apply your unreviewable garbage just because other
people have pulled it off in the past.

> For the LKML record, absent our patch the driver has an open security
> issue with respect to anonymous code execution that should be
> addressed, if that issue is indeed of any concern.

What do you mean?


> The only thing that I can think of is that you disagree with the
> optional capability of blocking the enclave from implementing
> anonymously executable memory. Absent that ability there is the
> security issue that has now been extensively discussed.

You keep sending a patch that blocks mmap and mprotect on an
initialized enclave. As far as I can tell, you haven't explained how
it's any better than the code it replaces. The code it replaces
enforces per-page maximum permissions, and all the infrastructure is
in place for the platform owner to be able to enforce their rules
without breaking ABI.

Your proposal appears to accomplish something a little bit like what
the code in -tip does, except without as much room for future
improvements. Since you haven't tried to explain why you think it's
better, I can't really evaluate it.

2020-11-25 02:03:22

by Dr. Greg

[permalink] [raw]
Subject: Re: [PATCH v40 00/24] Intel SGX foundations

On Sat, Nov 21, 2020 at 08:25:23AM -0800, Dave Hansen wrote:

Good morning, I hope the week has started well for everyone.

> On 11/21/20 7:12 AM, Dr. Greg wrote:
> >> Important Kernel Touch Points
> >> =============================
> >>
> >> This implementation is picky and will decline to work on hardware which
> >> is locked to Intel's root of trust.

> > Given that this driver is no longer locked to the Intel trust root, by
> > virtue of being restricted to run only on platforms which support
> > Flexible Launch Control, there is no longer any legitimate technical
> > reason to not expose all of the functionality of the hardware.

> I honestly can't understand what the point of this is, and I mean
> that on multiple levels.

I'm sorry the issue is elusive to you but that doesn't mean it isn't
technically relevant or grounded.

It also doesn't mean this issue isn't relevant to the kernel community
at large. I have been active in Linux since late 1991 and my
perception was that technical honesty was always the imperative, hence
my last e-mail on this subject.

> First of all, there's not a coherent description of the problem
> you're solving with ~700 lines of code and the treatise you wrote
> here instead of a changelog.

A number of points.

While I'm flattered, I cannot ethically accept the fact that the
e-mail I wrote amounted to a treatise. To do so would do injustice to
the likes of Euclid[0], Descartes[1] and Newton[2] among notable
others. From a literary metric perspective it wouldn't rise to the
level of a monograph let alone an essay on the subject.

With that behind us.

There was a full changelog with the patch, the e-mail essentially
wrapped the changelog and patch with a cover letter that was directed
at being responsive to the issue of including the SGX driver in the
kernel.

If you would have clicked on the link that I provided, which I will
replicate below:

ftp://ftp.enjellic.com/pub/sgx/kernel/SFLC-v41.patch

You will get a fully 'git am' compliant patch, including a changelog.

The changelog was written in a parlance consistent with someone who
would have a basic understanding of the technology under review. If
this entire review and vetting process is being done absent that kind
of understanding, then the case can be made that the kernel
development process has larger issues on its hands.

Lets be honest though, that is not the case here, we have been talking
about this issue for over a year, everyone involved with this
technology knows what the problem is.

Since LKML is copied, the basic issue is as follows:

1.) SGX as a technology is designed to execute code and operate on
data in a manner that is confidential to inspection and impervious to
modification and control by the kernel.

2.) The mindset of the driver developers is that the kernel should be
the ultimate authority on what SGX is allowed to do.

The two world views are inherently and technically incompatible and
lead to a potential security dilemma for the kernel. We simply
advocate for an additional level of cryptographic security that
supplements, not replaces, kernel controls to address this issue.

Issue #1 isn't theoretical. The Linux Foundation feels there is
commercial value to this concept, as do the primary signatories
(Intel, GOOGLE, Microsoft, IBM/RedHat, Alibaba, ARM, Huawei) to the
Confidential Computing Consortium, all of which have a desire to
economically exploit the notion of a generic Trusted Execution
Environment such as SGX.

So this is either a legitimate technical issue that needs to be
addressed or these companies and their customers are on a fools
errand.

> Second, is the point here to distract folks from testing the branch
> in the tip tree? Or, is it to show appreciation to maintainers by
> giving them more of the thing they love: code to review?

Overall, given the extremely small number of people that understand
this technology end to end, let alone who can effectively test it, our
involvement was driven by:

Quis custodiet ipsos custodes?

With respect to the maintainers, I'm sure it is a thankless job.

However, if you are getting paid to review and maintain kernel code
then one needs to review kernel code or find a different job if it is
too thankless. I have plenty of thankless things to do in my job but
I do them since it is my job.

Our patch has two external functions of around 30 lines (~1 screen)
each that impact the driver. The bulk of the 700 lines, all in one
file, is boilerplate code, largely replicated for each instance,
needed to read/write sysfs files and maintain four, nearly identical,
linked lists. If this is an insurmountable review burden then the
kernel development process has larger problems on its hands.

Have a good day.

Dr. Greg

[0]: The Elements
[1]: Discourse on the Method
[2]: Opticks

As always,
Greg Wettstein, Ph.D, Worker Autonomously self-defensive
Enjellic Systems Development, LLC IOT platforms and edge devices.
4206 N. 19th Ave.
Fargo, ND 58102
PH: 701-281-1686 EMAIL: [email protected]
------------------------------------------------------------------------------
"I can only provide the information, I can't make you hear it."
-- Shelley Bainter