Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp1732975img; Sat, 23 Mar 2019 10:40:54 -0700 (PDT) X-Google-Smtp-Source: APXvYqxsPnJsyUB12oLRvu5gPWkwZH3T2Fw4+P/POtvB8llJtOLSyshfSA7Egf6/9d+6AYphDVPG X-Received: by 2002:a63:5349:: with SMTP id t9mr15110267pgl.262.1553362853967; Sat, 23 Mar 2019 10:40:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553362853; cv=none; d=google.com; s=arc-20160816; b=GD2T5r7XA9q1a1esVfj6eW4h03Ogi6lr9tCeS1juw9tBpGVfO7AvlHsIjoZEsv3eRW 6ILVwZMCEo6EppQRkM0tqiCxbiTpUUSxlj7YCWL++ieCAT6t9Pu9wjrt3rk1YtUeCgKZ kOcB+ah8xqIu5iauKbcoQUvVVVgklBNnEfjnoct/HhKf/a4CuTvNR5vfB0ojLBxRzfjz ERc5W4OgW4PjB6KTcxSkDzwJDGNj8QH/BfQb7OX8MohBHbkSQmHBGbyyV7fceKbYfWg3 P60fCx+jJC3J6QrYKBsjvYtl1f+Hh6bNQczfL1HkVipsXhlA6owPEtSO1mM32WTIMTKo 3rzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :dlp-reaction:dlp-version:dlp-product:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from; bh=tF0OJ4mg7JH3XzCxnik5xBzflcPXEY9k6M0hlda87BM=; b=OKDXVM6T+mX1Cnw0O20fjLulI2Hr/fRpTt3eFLtJm5pk4+ogamn1nPN4eCtw49o2pi p5Tpt+x0MPXeTHG8VXqIpftViie5LLCpLKnPaUDjpe7hvp8AUP7YkF0llO1zuV7Q8ovx kULW/23wE9C0mvt7h6ZJ9yHWshwtJVZgnk+13DdNCT9Jf96YZRD7snXyY3zAHF7oifS8 Ao4nYqe6zrdqk4xoA2zBTCrFmNU67EcG8kTAv+6AAJOveTcud3Xy7Tx6Q84IdQrI+9TH s94Xipq9DekK4Fdzc/b/o+vTcKt+9nxs9qYq9Ptt5QG/ll+jUVlYKxMzKM6c+n4Es67g FvYQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l63si9240018pfj.53.2019.03.23.10.40.38; Sat, 23 Mar 2019 10:40:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727980AbfCWRgg convert rfc822-to-8bit (ORCPT + 99 others); Sat, 23 Mar 2019 13:36:36 -0400 Received: from mga09.intel.com ([134.134.136.24]:7532 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727440AbfCWRgf (ORCPT ); Sat, 23 Mar 2019 13:36:35 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Mar 2019 10:36:34 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,256,1549958400"; d="scan'208";a="143234049" Received: from orsmsx102.amr.corp.intel.com ([10.22.225.129]) by FMSMGA003.fm.intel.com with ESMTP; 23 Mar 2019 10:36:34 -0700 Received: from orsmsx125.amr.corp.intel.com (10.22.240.125) by ORSMSX102.amr.corp.intel.com (10.22.225.129) with Microsoft SMTP Server (TLS) id 14.3.408.0; Sat, 23 Mar 2019 10:36:34 -0700 Received: from orsmsx116.amr.corp.intel.com ([169.254.7.78]) by ORSMSX125.amr.corp.intel.com ([169.254.3.65]) with mapi id 14.03.0415.000; Sat, 23 Mar 2019 10:36:33 -0700 From: "Xing, Cedric" To: "Christopherson, Sean J" CC: Jarkko Sakkinen , "linux-kernel@vger.kernel.org" , "x86@kernel.org" , "linux-sgx@vger.kernel.org" , "akpm@linux-foundation.org" , "Hansen, Dave" , "nhorman@redhat.com" , "npmccallum@redhat.com" , "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , "andriy.shevchenko@linux.intel.com" , "tglx@linutronix.de" , "Svahn, Kai" , "bp@alien8.de" , "josh@joshtriplett.org" , "luto@kernel.org" , "Huang, Kai" , "rientjes@google.com" , Andy Lutomirski , Dave Hansen , "Haitao Huang" , Jethro Beekman , "Dr . Greg Wettstein" Subject: RE: [PATCH v19,RESEND 24/27] x86/vdso: Add __vdso_sgx_enter_enclave() to wrap SGX enclave transitions Thread-Topic: [PATCH v19,RESEND 24/27] x86/vdso: Add __vdso_sgx_enter_enclave() to wrap SGX enclave transitions Thread-Index: AQHU3zmquZHDGSY4XUWmggeyxtSmi6YU12fwgACBcQD//5sEUIADt/WAgADIIJA= Date: Sat, 23 Mar 2019 17:36:33 +0000 Message-ID: <960B34DE67B9E140824F1DCDEC400C0F4E85E481@ORSMSX116.amr.corp.intel.com> References: <20190320162119.4469-1-jarkko.sakkinen@linux.intel.com> <20190320162119.4469-25-jarkko.sakkinen@linux.intel.com> <960B34DE67B9E140824F1DCDEC400C0F4E85C484@ORSMSX116.amr.corp.intel.com> <20190320191318.GF30469@linux.intel.com> <960B34DE67B9E140824F1DCDEC400C0F4E85C5AB@ORSMSX116.amr.corp.intel.com> <20190322215903.GE12666@linux.intel.com> In-Reply-To: <20190322215903.GE12666@linux.intel.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNDIzMWQ1ODItNjU4MS00ZDk2LTlhMmYtYTY5ZmMyOGI0OTE3IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiY0xcLzRkdEhvbENjTGVvY2pmN1dNUzBYUWRtV0d2bUFQMVRNVVJrXC9RZGErQ0JkZ2RoZ2tYcGJlaWU1M2NnRzJFIn0= x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.400.15 dlp-reaction: no-action x-originating-ip: [10.22.254.138] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Sean, > Although its just 9 LOC, consider its impact on someone who is looking > at > the kernel's SGX support for the first time. Questions they may have > when > looking at the vDSO code/documentation: > > - What's an exit handler? > - Why is an exit handler optional? Don't I always want to handle > exits? > - What value should my exit handler return? > - What should my exit handler do if it detects an error? > - Why would I want to preserve %rbp and not %rsp? > - Isn't it insecure to use the untrusted stack in my enclave? > > AFAIK, the only reason to preserve %rbp instead of %rsp, i.e. support an > "exit handler" callback, is to be able to implement an o-call scheme > using > the untrusted stack to pass data. Every idea I came up with for using > the > callback, e.g. logging, handling stack corruptiong, testing hooks, > etc... > was at worst no more difficult to implement when using a barebones vDSO. > > So, given the choice between a) documenting and maintaining all the > baggage > that comes with the exit handler and b) saying "go use signals", I chose > option b. Disagreed! This API is NOT even x86_64 compatible and NOT intended to be used by average developers. Instead, this API will be used by SGX SDK vendors who have all the needed background/expertise. And flexibility is way more important to them than reduced documentation. Just imagine how much one needs to read to understand how SGX works, do you really think a function comprised of 20 or so LOC will be a big deal? Anyway, the documentation needed IMO will not exceed even 1 page, which will be way shorter than most of docs in kernel source tree. I'll be more than happy to help you out if that's out of your competence! Regarding maintenance, I see an API may require maintenance for 2 possible categories of reasons: 1) its interface cannot satisfy emerging applications; or 2) the infrastructure it relies on has changed. Generally speaking, a more generic API with less assumption/dependence on other components will impose lower maintenance cost in the long run. Comparing our proposals, they share the same dependences (i.e. SGX ISA and vDSO extable) but mine is more generic (as yours could be implemented using mine as a subroutine). Thus, I bet your proposal will impose higher maintenance cost in the long run. -Cedric