Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp750175imu; Tue, 11 Dec 2018 07:03:21 -0800 (PST) X-Google-Smtp-Source: AFSGD/WW+QoYCO+kOPvuW4E3MxcXr5SvdzNZ9FiSujsbbCGiB29qzm7XtGar4lceQkqzeiRuYQpk X-Received: by 2002:a63:b218:: with SMTP id x24mr14463374pge.223.1544540601633; Tue, 11 Dec 2018 07:03:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544540601; cv=none; d=google.com; s=arc-20160816; b=Y+2qfCcp7Bj32E+hZ3FkqmX1uyVQEJA9WcSY4JEFSnzg4hoquUWH9ik+9Kb5mc6Jv5 AjT+iPK+lCm3w/xn2GEt3AaIEF88PImIlJZF8LTJ/YOYfEHDCtIoZ1j55CEX/QOygUGh XTUlSkaHTz9ehcLN3c3AL6pXz11Klfqx9QfqbCpJSsENGYeI3l/LMJPSj4mEfJWRxqT8 ymCAhB8aaRYwISwET7J/68R5fxMYSAEcKo3uKi+Zp8RHaP7eVQWXxnHagb3VpsS9Qyha UTaq0Sw0eMc3fYzR4qXHko5AVtXt+/FwYd7C9EDTWuzbH3mYOQ7khW13TnhAvFNy+YoN 5Ipg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:reply-to:message-id :subject:cc:to:from:date; bh=SjwE1kPJM+Nwy4vzk/GzoId0z+yedn8majEMXYdhi0E=; b=xgMSBqZV6uJjWEdiOan26GDthywDlG+zeyThtiF6OmM3eNkbxBl9nbeS2U57LQAUY9 ns0yxuzTowIDlr8ji+XmNS8yvPOsoXNoBZh9tY9YW6LSfivimWdF5KGjesbZ5fVyevc2 uJ3kcfU5sgg7FktRHxGN9ql52M7rjzHqltHGkDPo0f9ToJrJkzjDTiJG5YybVjuJDiMT byWbIO7smYjZsGoDBnyV5B2+9VENoqZ5QnkXNX2e3x4o9p/v6WE2mZLTfzJ4dGB/NhDQ WCP8/+2RTMWczLWGm5Y/z6jxjy+BhUjflz4zpRVc0zSlWwi6UcSPbtWmeqBrV5RJBKgq /Jsw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r6si13143222pli.248.2018.12.11.07.03.05; Tue, 11 Dec 2018 07:03:21 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726578AbeLKO4h (ORCPT + 99 others); Tue, 11 Dec 2018 09:56:37 -0500 Received: from wind.enjellic.com ([76.10.64.91]:56764 "EHLO wind.enjellic.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726231AbeLKO4h (ORCPT ); Tue, 11 Dec 2018 09:56:37 -0500 Received: from wind.enjellic.com (localhost [127.0.0.1]) by wind.enjellic.com (8.15.2/8.15.2) with ESMTP id wBBEre8E008223; Tue, 11 Dec 2018 08:53:40 -0600 Received: (from greg@localhost) by wind.enjellic.com (8.15.2/8.15.2/Submit) id wBBErdTu008222; Tue, 11 Dec 2018 08:53:39 -0600 Date: Tue, 11 Dec 2018 08:53:39 -0600 From: "Dr. Greg" To: Josh Triplett Cc: Sean Christopherson , Thomas Gleixner , Ingo Molnar , Borislav Petkov , x86@kernel.org, Jarkko Sakkinen , Dave Hansen , Andy Lutomirski , Peter Zijlstra , "H. Peter Anvin" , linux-kernel@vger.kernel.org, linux-sgx@vger.kernel.org, Andy Lutomirski , Haitao Huang , Jethro Beekman Subject: Re: [RFC PATCH v3 0/4] x86: Add exception fixup for SGX ENCLU Message-ID: <20181211145339.GA7528@wind.enjellic.com> Reply-To: "Dr. Greg" References: <20181210232141.5425-1-sean.j.christopherson@intel.com> <20181210232449.GA11843@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181210232449.GA11843@localhost> User-Agent: Mutt/1.4i X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.3 (wind.enjellic.com [127.0.0.1]); Tue, 11 Dec 2018 08:53:40 -0600 (CST) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Dec 10, 2018 at 03:24:50PM -0800, Josh Triplett wrote: Good morning to everyone, I hope the week is progressing well. > On Mon, Dec 10, 2018 at 03:21:37PM -0800, Sean Christopherson wrote: > > At that point I realized it's a hell of a lot easier to simply provide > > an IOCTL via /dev/sgx that allows userspace to register a per-process > > ENCLU exception handler. At a high level, the basic idea is the same > > as the vDSO approach: provide a hardcoded fixup handler for ENCLU and > > attempt to fixup select unhandled exceptions that occurred in user code. > So, on the one hand, this is *absolutely* much cleaner than the VDSO > approach. On the other hand, this is global process state and has > some of the same problems as a signal handler as a result. Sean's architecture is very simple and straight forward and thus has a lot going for it. As Sean's approach indicates, by linking the exception handler to current->mm, SGX is very much a per memory map concept. The issue is that there can be multiple enclaves loaded and excecuting in a processes memory map, the problem is, execution and thus exception handling, is very much at the per thread level. Based on the responses to my previous e-mail in this thread, the primary driver for addressing the exception handler issue is for shared libraries to implement independent execution of enclaves. So the question for Sean becomes where the 'pull' to address this issue is coming from, is it the Intel SDK/PSW folks? If so it might be helpful for them to weigh in on requirements and needs. To be very frank, there are only 3-4 groups actually working at this level; the Intel SDK/PSW team, Fortanix, us and probably Baidu. Given the complexity of the issues involved with a runtime, the Linux SGX development community, whether it be application or library developers are going to be building on top of runtimes maintained by groups such as these. If we boil issues down to the very basics, the setup of an exception handler is going to have to be wrapped into whatever code is being executed by a thread doing enclave entry for the runtime being used. It thus may be useful to think about this as being the responsibility of whatever loaded and initialized the enclave against which ENCLU[EENTER] is being issued against. To add an additional wrinkle to this, our runtime is already doing what amounts to recursive enclave invocation. We handle remote attestation quote generation and verification almost completely inside of enclaves. This requires that we issue an OCALL in order to exit the enclave being attested in order to load and execute the platform certification and quoting enclaves. So if Linux is going to deal with this correctly, without invoking any global state, the issue will come down conceptually to registering a per-thread/per-EENTER exception handler by whatever mechanism the kernel chooses to provide. Which means we need to be thinking about the ramifications of OCALL's. So whatever we do has to be simple, straight forward and flexible. If not the bike shedding will last until something other then SGX gets invented... :-) I hope the above reflections are useful. Best wishes for a productive day. Dr. Greg As always, Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC. 4206 N. 19th Ave. Specializing in information infra-structure Fargo, ND 58102 development. PH: 701-281-1686 FAX: 701-281-3949 EMAIL: greg@enjellic.com ------------------------------------------------------------------------------ "If your doing something the same way you have been doing it for ten years, the chances are you are doing it wrong." -- Charles Kettering