Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1059247imu; Fri, 7 Dec 2018 13:27:40 -0800 (PST) X-Google-Smtp-Source: AFSGD/WYoM5wafYVctJpUM2zYFUSswcIxO6UiPDJwrAm8Lm4DSaVGA6bHEJk1WwR1HSpmbglaDyJ X-Received: by 2002:a62:32c4:: with SMTP id y187mr3950014pfy.195.1544218060727; Fri, 07 Dec 2018 13:27:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544218060; cv=none; d=google.com; s=arc-20160816; b=fIQlbi+tmXiZj6voxQ+xJDwQhpKA8Phtxg0IhG3sW1GVzAz4WStmq1bwE1UDWcU63d bPPQoslrSNTrz0OVyzFhXuXM2+WzK/H0bi63q9+VMy0/0siAdwUWAQ8RGRiiJLGt1OOZ A/855RLVnDCubPiXoxg4ho2X2eDQW6rH/YM7QA5tTE3q827uxcBldkFZwZxEV8wnYGFh w6ogOOkYAjR7KWSYIiPcCrYoLS//6WDPSuykr/yXY39mHB7qnJTKeSAxyi516v7lhtlD 9YEOZwHWoFDtlZ020RIST4m4TTJC+Mt8sA8bOkdqfClwCodlcuW8UezQThjaVFjW6F97 DfdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=5IjLCkZSQx84gPbIqnRjOWQ2891bk3L0pIFNqudLejg=; b=TKrdQ1ORbXwwLHXiD8BqBwPxpSijScvM5lrGvH44TCkoVe0wmumVnBP94hNaAmP7ng nHz87RBgMFcreAHYtBXinb15mGgROp4rPtz1jIAX19PyzYhaaQTcBdKBtLGf+7Q5SOf3 Ac1JXrLkvIRU8tKY9qdC0ju+86JUkzGVhHaIXkYweXPx17IFD7dkByPoqy2Tl4ER1XMP cf2kAwvEan3to25e4UtykJawMnWnCrJSezyy5YeuDShaLGzf47AyOZRgsp37VNQPwM5E AKbkLlcoY5LRRi+06ufPp619GBlC+7/JHLlcQ8608VAETW8ODhzdTCms5QF2oFlcokQk bO8g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b1si3888520plc.332.2018.12.07.13.27.25; Fri, 07 Dec 2018 13:27:40 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726111AbeLGV0v (ORCPT + 99 others); Fri, 7 Dec 2018 16:26:51 -0500 Received: from mga06.intel.com ([134.134.136.31]:56181 "EHLO mga06.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726008AbeLGV0u (ORCPT ); Fri, 7 Dec 2018 16:26:50 -0500 X-Amp-Result: UNSCANNABLE X-Amp-File-Uploaded: False Received: from orsmga004.jf.intel.com ([10.7.209.38]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Dec 2018 13:26:49 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,327,1539673200"; d="scan'208";a="257733408" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.154]) by orsmga004.jf.intel.com with ESMTP; 07 Dec 2018 13:26:49 -0800 Date: Fri, 7 Dec 2018 13:26:49 -0800 From: Sean Christopherson To: Andy Lutomirski Cc: Andy Lutomirski , Thomas Gleixner , Ingo Molnar , Borislav Petkov , X86 ML , Dave Hansen , Peter Zijlstra , "H. Peter Anvin" , LKML , Jarkko Sakkinen , Josh Triplett , linux-sgx@vger.kernel.org, haitao.huang@linux.intel.com, Jethro Beekman , "Dr. Greg Wettstein" Subject: Re: [RFC PATCH v2 4/4] x86/vdso: Add __vdso_sgx_enter_enclave() to wrap SGX enclave transitions Message-ID: <20181207212649.GG10404@linux.intel.com> References: <20181206221922.31012-1-sean.j.christopherson@intel.com> <20181206221922.31012-5-sean.j.christopherson@intel.com> <20181207165145.GB10404@linux.intel.com> <20181207190257.GC10404@linux.intel.com> <20181207200935.GE10404@linux.intel.com> <4CEB5945-9562-40FA-8CCA-A1675D55B001@amacapital.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <4CEB5945-9562-40FA-8CCA-A1675D55B001@amacapital.net> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Dec 07, 2018 at 12:16:59PM -0800, Andy Lutomirski wrote: > > > > On Dec 7, 2018, at 12:09 PM, Sean Christopherson wrote: > > > >> On Fri, Dec 07, 2018 at 11:23:10AM -0800, Andy Lutomirski wrote: > >> > >> Ah, I see. You’re saying that, if the non-enclave stare is corrupted such > >> that RIP is okay and RSP still points somewhere reasonable but the return > >> address is garbage, then we can at least get to the fault handler and print > >> something? > > > > Yep. Even for something more subtle like GPR corruption it could dump the > > entire call stack before attempting to return back up. > > > >> This only works if the fault handler pointer itself is okay, though, which > >> somewhat limits the usefulness, given that its pointer is quite likely to > >> be on the stack very close to the return address. > > > > Yeah, it's not a silver bullet by any means, but it does seem useful for at > > least some scenarios. Even exploding when invoking the handler instead of > > at a random point might prove useful, e.g. "calling my exit handler exploded, > > maybe my enclave corrupted the stack!". > > Here’s another idea: calculate some little hash or other checksum of > RSP, RBP, and perhaps a couple words on the stack, and do: Corrupting RSP and RBP as opposed to the stack memory seems much less likely since the enclave would have to poke into the save state area. And as much as I dislike the practice of intentionally manipulating SSA.RSP, preventing the user from doing something because we're "helping" doesn't seem right. > call __vdso_enclave_corrupted_state > > If you get a mismatch after return. That function could be: > > call __vdso_enclave_corrupted_state: > ud2 > > And now the debug trace makes it very clear what happened. > > This may or may not be worth the effort. Running a checksum on the stack for every exit doesn't seem like it'd be worth the effort, especially since this type of bug should be quite rare, at least in production environments. If we want to pursue the checksum idea I think the easiest approach would be to combine it with an exit_handler and do a simple check on the handler. It'd be minimal overhead in the fast path and would flag cases where invoking exit_handle() would explode, while deferring all other checks to the user. E.g. something like this: diff --git a/arch/x86/entry/vdso/vsgx_enter_enclave.c b/arch/x86/entry/vdso/vsgx_enter_enclave.c index d5145e5c5a54..c89dd3cd8da9 100644 --- a/arch/x86/entry/vdso/vsgx_enter_enclave.c +++ b/arch/x86/entry/vdso/vsgx_enter_enclave.c @@ -42,10 +42,13 @@ enum sgx_enclu_leaf { SGX_EEXIT = 4, }; +#define VDSO_MAGIC 0xa5a5a5a5a5a5a5a5UL + notrace long __vdso_sgx_enter_enclave(u32 op, void *tcs, void *priv, struct sgx_enclave_exit_info *exit_info, sgx_enclave_exit_handler *exit_handler) { + volatile unsigned long hash; u64 rdi, rsi, rdx; u32 leaf; long ret; @@ -53,6 +56,9 @@ notrace long __vdso_sgx_enter_enclave(u32 op, void *tcs, void *priv, if (!tcs || !exit_info) return -EINVAL; + /* Always hash the handler. XOR is much cheaper than Jcc. */ + hash = (unsigned long)exit_handler ^ VDSO_MAGIC; + enter_enclave: if (op != SGX_EENTER && op != SGX_ERESUME) return -EINVAL; @@ -107,6 +113,8 @@ notrace long __vdso_sgx_enter_enclave(u32 op, void *tcs, void *priv, * or to return (EEXIT). */ if (exit_handler) { + if (hash != ((unsigned long)exit_handler ^ VDSO_MAGIC)) + asm volatile("ud2\n"); if (exit_handler(exit_info, tcs, priv)) { op = exit_info->leaf; goto enter_enclave; > But ISTM the enclave is almost as likely to corrupt the host state and > the. EEXIT as it is to corrupt the host state and then fault. Agreed, I would say even more likely. But the idea is that the exit_handler is called on any exit, not just exceptions.