Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2423246imu; Thu, 10 Jan 2019 14:05:05 -0800 (PST) X-Google-Smtp-Source: ALg8bN4WQoSqJVq+txgXauRDZ1SXlfYqzGn+MCtmI+wVDbYAwecai6AVERwn57tQ1Z+shVSImiTh X-Received: by 2002:a65:6215:: with SMTP id d21mr11020138pgv.289.1547157905383; Thu, 10 Jan 2019 14:05:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547157905; cv=none; d=google.com; s=arc-20160816; b=ctHYnenpE5ECUjCGZeYPIuUuWqNPrc3CFcAeLDtzWFPOHPPBDCHmZFBT5TKXTrH+Ft A1QZs6AHy82E6/qet5ezJt4QIdqStAG9/6eM3F9YmzXVNqJYaERwM7PW71O6dAsTloQK nXBD/uaXDQ0iwlh6K04hxDwrw5h3OXPGb8ohAfRhheesoWZvPlbDn0kIpc6FC+1IqC2s UrOv2ywWcDENvpJjftIG2rOKPpvVgZghLHY3Jz1BwbhXxtZUViZRqYzHQyBCBJGF7Ae1 Ndq1knMwxWvSUhxnnsclajHYffygmlHSN/quWy52u6PdKuNmulwkPdXCpDgSDVQ5rfNA ty+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=20VHCuRg8dMmbVfeGwxABwCF7JAISul7RCSiAoozTLk=; b=yo5NwO69zOIAq3JXo0J3k/8caoLb+0G7NSaQgr6O5c5hlzeqKfTLnP7JSmcPv94rce mVYxTfJAetI9ef68WTAAjTMqGVt9RrJJ53WE+qNH7kt0KFVukpoR6ybNZj/Wt9mtypYr +mJxySJHZdMxwBWkUp4W8opTUG7fm6/p9OxkGF3idh7nKVwbvJ/LA6pnsPnpfy/uVoxB Xl7zvzVsLNo/KQtOnjQfL6bzsp6QgzZyUnFSKRPz+8WVYBsFuf+4vlUNZbh7W9IS3seF cBo/xkRWU58hYwBEGWZKe4+s+LvTNSUOmWklxouR7hj/xvqjyaAsX4LdvIx6Q3vVg8d0 7kgw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=j2fD8EgL; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k22si66485188pgl.29.2019.01.10.14.04.49; Thu, 10 Jan 2019 14:05:05 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=j2fD8EgL; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729136AbfAJVfA (ORCPT + 99 others); Thu, 10 Jan 2019 16:35:00 -0500 Received: from mail.kernel.org ([198.145.29.99]:43742 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729029AbfAJVfA (ORCPT ); Thu, 10 Jan 2019 16:35:00 -0500 Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5B663217F9 for ; Thu, 10 Jan 2019 21:34:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1547156098; bh=V3reuBOkp9sf/Vb+CQYQ1QVoEay/cabzsBnJpstF/fA=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=j2fD8EgL6Q5JkF/dovjykaxsuNoTxOqLbFndHaMe2IPuFRIwXL1mhyFq5iHmEPPEe u5YYvL58Pxp6lacbPxKtLNm75A45D2Bgm8J85+2Sdr90IPSyCE3s4PwMt5eFsoTZXz pjeyOnaUH7wlXN/rdzkmguQPGoYtvo3aQMIAXP0c= Received: by mail-wm1-f47.google.com with SMTP id y8so456294wmi.4 for ; Thu, 10 Jan 2019 13:34:58 -0800 (PST) X-Gm-Message-State: AJcUukfjegTXjj1hfx7rOwc2IX7bS5TFRxN0k2eNK73J1NiOLwvM5w0d tUvI4lwxZ8SZNa4m+GHqhbkIxYZNa54eEuu0XL23Sg== X-Received: by 2002:a1c:aa0f:: with SMTP id t15mr401172wme.108.1547156096726; Thu, 10 Jan 2019 13:34:56 -0800 (PST) MIME-Version: 1.0 References: <7706b2aa71312e1f0009958bcab24e1e9d8d1237.camel@linux.intel.com> <598cd050-f0b5-d18c-96a0-915f02525e3e@fortanix.com> <20181219091148.GA5121@linux.intel.com> <613c6814-4e71-38e5-444a-545f0e286df8@fortanix.com> <20181219144515.GA30909@linux.intel.com> <20181221162825.GB26865@linux.intel.com> <105F7BF4D0229846AF094488D65A0989355A45B6@PGSMSX112.gar.corp.intel.com> <20190108220946.GA30462@linux.intel.com> <20190109163135.GA1821@linux.intel.com> In-Reply-To: <20190109163135.GA1821@linux.intel.com> From: Andy Lutomirski Date: Thu, 10 Jan 2019 13:34:44 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: x86/sgx: uapi change proposal To: Sean Christopherson Cc: Andy Lutomirski , "Huang, Kai" , Jethro Beekman , Jarkko Sakkinen , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "x86@kernel.org" , Dave Hansen , Peter Zijlstra , "H. Peter Anvin" , "linux-kernel@vger.kernel.org" , "linux-sgx@vger.kernel.org" , Josh Triplett , Haitao Huang , "Dr . Greg Wettstein" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org >> On Jan 9, 2019, at 8:31 AM, Sean Christopherson wrote: >> >> On Tue, Jan 08, 2019 at 02:54:11PM -0800, Andy Lutomirski wrote: >> On Tue, Jan 8, 2019 at 2:09 PM Sean Christopherson >> wrote: >>> >>> Cleaner in the sense that it's faster to get basic support up and runni= ng >>> since there are fewer touchpoints, but there are long term ramification= s >>> to cramming EPC management in KVM. >>> >>> And at this point I'm not stating any absolutes, e.g. how EPC will be >>> handled by KVM. What I'm pushing for is to not eliminate the possibili= ty >>> of having the SGX subsystem own all EPC management, e.g. don't tie >>> /dev/sgx to a single enclave. >> >> I haven't gone and re-read all the relevant SDM bits, so I'll just >> ask: what, if anything, are the actual semantics of mapping "raw EPC" >> like this? You can't actually do anything with the mapping from user >> mode unless you actually get an enclave created and initialized in it >> and have it mapped at the correct linear address, right? I still >> think you have the right idea, but it is a bit unusual. > > Correct, the EPC is inaccessible until a range is "mapped" with ECREATE. > But I'd argue that it's not unusual, just different. And really it's not > all that different than userspace mmap'ing /dev/sgx/enclave prior to > ioctl(ENCLAVE_CREATE). In that case, userspace can still (attempt to) > access the "raw" EPC, i.e. generate a #PF, the kernel/driver just happens > to consider any faulting EPC address without an associated enclave as > illegal, e.g. signals SIGBUS. > > The /dev/sgx/epc case simply has different semantics for moving pages in > and out of the EPC, i.e. different fault and eviction semantics. Yes, > this allows the guest kernel to directly access the "raw" EPC, but that's > conceptually in line with hardware where priveleged software can directly > "access" the EPC (or rather, the abort page for all intents and purposes)= . > I.e. it's an argument for requiring certain privileges to open /dev/sgx/e= pc, > but IMO it's not unusual. > > Maybe /dev/sgx/epc is a poor name and is causing confusion, e.g. > /dev/sgx/virtualmachine might be more appropriate. > >> I do think it makes sense to have QEMU delegate the various ENCLS >> operations (especially EINIT) to the regular SGX interface, which will >> mean that VM guests will have exactly the same access controls applied >> as regular user programs, which is probably what we want. > > To what end? Except for EINIT, none of the ENCLS leafs are interesting > from a permissions perspective. Trapping and re-executing ENCLS leafs > is painful, e.g. most leafs have multiple virtual addresses that need to > be translated. And routing everything through the regular interface > would make SGX even slower than it already is, e.g. every ENCLS would > take an additional ~900 cycles just to handle the VM-Exit, and that's > not accounting for any additional overhead in the SGX code, e.g. using > the regular interface would mean superfluous locks, etc... Trapping EINIT is what I have in mind. > > Couldn't we require the same privilege/capability for VMs and and EINIT > tokens? I.e. /dev/sgx/virtualmachine can only be opened by a user that > can also generate tokens. Hmm, maybe. Or we can use Jarkko=E2=80=99s securityfs attribute thingy. Concretely, I think there are two things we care about: First, if the host enforces some policy as to which enclaves can launch, then it should apply the same policy to guests =E2=80=94 otherwise = KVM lets programs do an end run around the policy. So, in the initial incarnation of this, QEMU should probably have to open the provision attribute fd if it wants its guest to be able to EINIT a provisioning enclave. When someone inevitably adds an EINIT LSM hook, the KVM interface should also call it. Second, the normal enclave interface won't allow user code to supply an EINITTOKEN, so the KVM interface will presumably need to be different, unless we're going to emulate EINIT by ignoring the token. That seems like a very strange thing to do.