Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2484245imu; Tue, 6 Nov 2018 15:45:11 -0800 (PST) X-Google-Smtp-Source: AJdET5d1ZRulvuk9vmCKo/KuEYZOtmGQO/dygBFda3PnDiDfcs03kLVO1M4uL+gVGXXQBdhM89LH X-Received: by 2002:a63:be4d:: with SMTP id g13mr25789663pgo.378.1541547911114; Tue, 06 Nov 2018 15:45:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541547911; cv=none; d=google.com; s=arc-20160816; b=AgezB0it06O5bB5IO8iSwSg3aFaQjs5jrviHBDNIaAgyE9K7z5uFG1H/h7hSSbt05Q b4Vm4gjmAOS5T3gYA3J6TcLBS0H4WWnHAnpny6dqpjZ5lkHqGK7BHNnOaW2HeHimYuV4 dvhU9Cwk7/pRzHdgOUz51dhsGgMcuRVSg47xgxH65cjgkweNWOs8gS7lRYVAtwvMD8Lo bZqqhgh1cP4xBc2QeYQuBcVrZNvpxsHkDt32UXtbInrUkI6bnrvDSvqeim+Qbnq/pq3e TvXvQuT37chkcPUu2UifztLIan6UJQc1C6xt6fmVoDUZRzMeZLILFvVrGgt4z8qCLDeF ztOQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=36OfC1Lnii+AYoN8xnkE5SIIIqx/FIjyYpVr2bXLOso=; b=rOWqSkbKZEzztGjkgKeMzELdqwzk4kR1WNa0LAR6TSACINXXsEnmSzuf1CagBks2yN 2g7ImXGKXtIhqWo2YjUHmgIgsSVYFRZmlEcSie/mdEob0V07lPz2JriqlibZOuRxewRZ cSD8mw/ysn38G9Zh7Fx3whX2xwje3YbGSk7OOqpYO5d6p218jy7Zw54A4xHgDLp5zgUi wMw0JZIJHEozG4bGs3yAkDVb/6EXXPPY+3iNwr3++vrQ74BBcI0tT920JdheGy656Sjf xHH+Atyy2yIBGLVhHWV1p9maZyvKsMB8vV3xGIbZXp3HCG5/Z13L9lSb0nz/Rzt+UDJG 3xZw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y10-v6si13463524plt.145.2018.11.06.15.44.56; Tue, 06 Nov 2018 15:45:11 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388104AbeKGIx5 (ORCPT + 99 others); Wed, 7 Nov 2018 03:53:57 -0500 Received: from mga02.intel.com ([134.134.136.20]:36687 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726446AbeKGIx5 (ORCPT ); Wed, 7 Nov 2018 03:53:57 -0500 X-Amp-Result: UNSCANNABLE X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Nov 2018 15:26:17 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,473,1534834800"; d="scan'208";a="277680927" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.154]) by fmsmga005.fm.intel.com with ESMTP; 06 Nov 2018 15:26:16 -0800 Date: Tue, 6 Nov 2018 15:26:16 -0800 From: Sean Christopherson To: Rich Felker Cc: Andy Lutomirski , Dave Hansen , Jann Horn , Linus Torvalds , Dave Hansen , Jethro Beekman , Jarkko Sakkinen , Florian Weimer , Linux API , X86 ML , linux-arch , LKML , Peter Zijlstra , nhorman@redhat.com, npmccallum@redhat.com, "Ayoun, Serge" , shay.katz-zamir@intel.com, linux-sgx@vger.kernel.org, Andy Shevchenko , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Carlos O'Donell , adhemerval.zanella@linaro.org Subject: Re: RFC: userspace exception fixups Message-ID: <20181106232616.GA11101@linux.intel.com> References: <20181102220437.GI7393@linux.intel.com> <1541518670.7839.31.camel@intel.com> <1541524750.7839.51.camel@intel.com> <22596E35-F5D1-4935-86AB-B510DCA0FABE@amacapital.net> <20181106231730.GR5150@brightrain.aerifal.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181106231730.GR5150@brightrain.aerifal.cx> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 06, 2018 at 06:17:30PM -0500, Rich Felker wrote: > On Tue, Nov 06, 2018 at 11:02:11AM -0800, Andy Lutomirski wrote: > > On Tue, Nov 6, 2018 at 10:41 AM Dave Hansen wrote: > > > > > > On 11/6/18 10:20 AM, Andy Lutomirski wrote: > > > > I almost feel like the right solution is to call into SGX on its own > > > > private stack or maybe even its own private address space. > > > > > > Yeah, I had the same gut feeling. Couldn't the debugger even treat the > > > enclave like its own "thread" with its own stack and its own set of > > > registers and context? That seems like a much more workable model than > > > trying to weave it together with the EENTER context. > > > > So maybe the API should be, roughly > > > > sgx_exit_reason_t sgx_enter_enclave(pointer_to_enclave, struct > > host_state *state); > > sgx_exit_reason_t sgx_resume_enclave(same args); > > > > where host_state is something like: > > > > struct host_state { > > unsigned long bp, sp, ax, bx, cx, dx, si, di; > > }; > > > > and the values in host_state explicitly have nothing to do with the > > actual host registers. So, if you want to use the outcall mechanism, > > you'd allocate some memory, point sp to that memory, call > > sgx_enter_enclave(), and then read that memory to do the outcall. > > > > Actually implementing this would be distinctly nontrivial, and would > > almost certainly need some degree of kernel help to avoid an explosion > > when a signal gets delivered while we have host_state.sp loaded into > > the actual SP register. Maybe rseq could help with this? > > > > The ISA here is IMO not well thought through. > > Maybe I'm mistaken about some fundamentals here, but my understanding > of SGX is that the whole point is that the host application and the > code running in the enclave are mutually adversarial towards one > another. Do any or all of the proposed protocols here account for this > and fully protect the host application from malicious code in the > enclave? It seems that having control over the register file on exit > from the enclave is fundamentally problematic but I assume there must > be some way I'm missing that this is fixed up. SGX provides protections for the enclave but not the other way around. The kernel has all of its normal non-SGX protections in place, but the enclave can certainly wreak havoc on its userspace process. The basic design idea is that the enclave is a specialized .so that gets extra security protections but is still effectively part of the overall application, e.g. it has full access to its host userspace process' virtual memory.