Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1375054imu; Tue, 11 Dec 2018 18:48:26 -0800 (PST) X-Google-Smtp-Source: AFSGD/UvcbzTAmxFKCXxNojZ7L2z18btYm9zELo+UNslPxPHVo1/WQDe0y3pb43nGEmcordFaXGh X-Received: by 2002:a17:902:b7c7:: with SMTP id v7mr18403254plz.75.1544582906933; Tue, 11 Dec 2018 18:48:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544582906; cv=none; d=google.com; s=arc-20160816; b=0LvC0leDY/VZ41JApXNcE+P+tVMc/xkIe+hypHW+jg9nS6Rmi40cSl+WwjGzE1udH/ Fddy2KH0OulGVNlM4bLi/T2lB2SY5dtRWhtQbzX51+NJTIMelUh1F10LRB0XhCfbBcqd bKRHrn5/LEvs184bFoSBjEqZM+H3mOQRRdw/9VZw7y6H4KG7G6uQrlXgNVwWa0JtoNx2 cHaaBSazXAPbWit2pywWOO34Aqj2gVow00Gh5Axn0xpATi8nLBlcRQ3UNUpBhh9isl8z WzhsWNmuaMlOn4HR5q2/WaqJcnpX/xpQixalsgqmu0Ci3ES/HVujpJSeiWwlGLw50Kmp MNhw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:reply-to:message-id :subject:cc:to:from:date; bh=Pkfh1/xqjDfZ11/VkwZsDUWE9udawyhDP8VR+gv5wSU=; b=Yc8hV+TrdLcmSB1MfQ3Te3S/xml2You+SQHAVuKd6OyzqCR/BChxzMFlOQIpwQlfMw toVyrA6sIdXYkzsnIfhSSR0H+N0xxpW5bw/UWtk4GQ8PPKV/4u461bch5atRRa2d5WQK 9TWnbQeW1gfqBDM/+A7gIb92n5XQhgliuTWnc1rwifSE3Jjzm0tRj9FFbArvF+nT0k2P Lu4Fr1A7sbyjgiwCZMuEBOxAHmeOCusTaBcNY4Z7rH6PKvO8+fsRTcixHXEYGTyet6m8 pIy6/0ZXUxI6aIB34I7H0k5aY1nAdrBY/s+eZl9J0n5ckE0xotv2Uqdypyt2+0CwqUXf ooxg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m7si17231989pfc.118.2018.12.11.18.48.12; Tue, 11 Dec 2018 18:48:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726364AbeLLCpt (ORCPT + 99 others); Tue, 11 Dec 2018 21:45:49 -0500 Received: from wind.enjellic.com ([76.10.64.91]:56906 "EHLO wind.enjellic.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726211AbeLLCps (ORCPT ); Tue, 11 Dec 2018 21:45:48 -0500 Received: from wind.enjellic.com (localhost [127.0.0.1]) by wind.enjellic.com (8.15.2/8.15.2) with ESMTP id wBC2gkBM028859; Tue, 11 Dec 2018 20:42:46 -0600 Received: (from greg@localhost) by wind.enjellic.com (8.15.2/8.15.2/Submit) id wBC2gk8w028858; Tue, 11 Dec 2018 20:42:46 -0600 Date: Tue, 11 Dec 2018 20:42:46 -0600 From: "Dr. Greg" To: Andy Lutomirski Cc: "Christopherson, Sean J" , Josh Triplett , Thomas Gleixner , Ingo Molnar , Borislav Petkov , X86 ML , Jarkko Sakkinen , Dave Hansen , Peter Zijlstra , "H. Peter Anvin" , LKML , linux-sgx@vger.kernel.org, Haitao Huang , Jethro Beekman Subject: Re: [RFC PATCH v3 0/4] x86: Add exception fixup for SGX ENCLU Message-ID: <20181212024246.GA28530@wind.enjellic.com> Reply-To: "Dr. Greg" References: <20181210232141.5425-1-sean.j.christopherson@intel.com> <20181210232449.GA11843@localhost> <20181211165253.GB14731@linux.intel.com> <20181211222312.GI14731@linux.intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.3 (wind.enjellic.com [127.0.0.1]); Tue, 11 Dec 2018 20:42:46 -0600 (CST) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Dec 11, 2018 at 03:10:52PM -0800, Andy Lutomirski wrote: Good evening, I hope the day has gone well for everyone. > > > > On Dec 11, 2018, at 8:52 AM, Sean Christopherson wrote: > > > > > > > > This isn't fundamentally different than forcing all EENTER > > > > calls through the vDSO, which is also per-process. > > > > Technically this is more flexible in that regard since > > > > userspace gets to choose where their one ENCLU gets to reside. > > > > Userspace can have per-enclave entry flows so long as the > > > > actual ENLU[EENTER] is common, same as vDSO. > > > Right. The problem is that user libraries have a remarkably hard > > > time agreeing on where their one copy of anything lives. > > Are you concerned about userspace shooting themselves in the foot, > > e.g. unknowingly overwriting their handler? Requiring > > unregister->register to change the handler would mitigate that > > issue for the most part. Or we could even say it's a write-once > > property. > > > > That obviously doesn't solve the issue of a userspace application > > deliberately using two different libraries to run enclaves in a > > single process, but I have a hard time envisioning a scenario > > where someone would want to use two different *SGX* libraries in a > > single process. Don't most of the signal issue arise due to > > loading multiple libraries that provide *different* services > > needing to handle signals? > I can easily imagine two SGX libraries that know nothing about each > other running in the same process. One or both could be PKCS#11 > modules, for example. Very good, I see that Sean agreed with this down thread. I was concerned that our discussion was lacking precision and we were talking past one another. > I suspect that Linux will eventually want the ability for libraries > to register exception handlers, but that's not going to get designed > and implemented quickly enough for SGX's initial Linux rollout. A > vDSO helper like in your earlier series should solve most of the > problem without any contention issues. Let me see if I can impart some framework for additional clarity as discussions proceed forward. I believe it would be helpful if we could agree to refer to a body of code, possibly in library form, that loads, initializes and executes an enclave as an 'SGX runtime'. In this framework, the term 'library' refers to code that an application links to for domain specific functionality, ie. libpkcs11, libkrb5, libsasl. These 'libraries' may implement enclaves, using 'SGX runtimes' of their choice, to improve their security guarantees. In this model it is the 'SGX runtime' that is responsible for registering SGX exception handlers under their management. In order for mainline Linux SGX support to be relevant, it must admit mutually distrusting 'SGX runtimes' in the same process context. The SGX exception handler architecture must also support the notion of 'nested enclave' invocation where an enclave may execute an OCALL and then go on to execute an enclave, possibly based on a different 'SGX runtime', before returning into its previous enclave. Hopefully the above will help assist further discussions. Have a good evening. Dr. Greg As always, Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC. 4206 N. 19th Ave. Specializing in information infra-structure Fargo, ND 58102 development. PH: 701-281-1686 FAX: 701-281-3949 EMAIL: greg@enjellic.com ------------------------------------------------------------------------------ "If you think nobody cares if you're alive, try missing a couple of car payments." -- Earl Wilson