Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp634191ybx; Wed, 30 Oct 2019 02:31:58 -0700 (PDT) X-Google-Smtp-Source: APXvYqy10UKh06/GrRhq/62eX7mw/S3ZnvXYTQ32TNyf7sj1K40sBWUwxL37nTaC+/98G8gjIny+ X-Received: by 2002:aa7:d554:: with SMTP id u20mr22377997edr.6.1572427918895; Wed, 30 Oct 2019 02:31:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572427918; cv=none; d=google.com; s=arc-20160816; b=VkAmDtD9fjXzD24sra14iNCZpTepL4xm0L29cYA/PniMyb31pVnZxGZOwl1PEjwRLy VnW6UszbDincGEbdkw+KrY4mqAby4n1nMwe4gdGbx4uPHtcrX+lfLxcvw7ieSbBT1SC0 LGjB9ICmNcNS905aeKO1NMc8hamzIfY3vuIYqidX10BANK20xlQ4LbQHRqHY679iRXAE 3Wqy5J4cJEoWaGiQv2lWvh/OLG7eZMAjVKfrJ9H8nBZ/qCNuaXzJEjn57WtDFCP760IH xEcheitlr7ftnIUP6D3XKTlIzGUDU+c2IiXfUof2kKGDUDfFWXd8BNnq6XmVnUdF6Sds pikg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=VGa+QS0no9Vp4oryL0FTBcEMYJrzpn8BEa8tlmE4t3w=; b=szWUZeJ7hbSuaejphGREhX3nNnRhi8ZOEGBL203r/0TZzSqmwCmwZBnM6T+9Tnhule MtaKmyExHrxLKKt6G4agFkMfGe+WVk01M1OyZN4OWBWvPfcYre/GGdw0yBWiKgJRYton TVnnuwS6xkp17IY+GE2LnVFfDB7XKv6W2qkX1tShUAuwM40QzcGUzn1ZsPHIY9e2YA2s IuyOU1nbjEhYFbT3VTMgzWOZumaQvztohlsS4kEYGFQJx4z0hZlZzZdosLxxHRDl6QfU 1Y11tzwxo8UH8AuOMvXXG+dRhMzBr/uZY1UutC7928Pp++GTP72C0Obz9NEOQUStsG1k MdOQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o3si1152763edi.374.2019.10.30.02.31.34; Wed, 30 Oct 2019 02:31:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726134AbfJ3Jar (ORCPT + 99 others); Wed, 30 Oct 2019 05:30:47 -0400 Received: from mga01.intel.com ([192.55.52.88]:4690 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726028AbfJ3Jar (ORCPT ); Wed, 30 Oct 2019 05:30:47 -0400 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Oct 2019 02:30:46 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.68,247,1569308400"; d="scan'208";a="198625928" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.41]) by fmsmga008.fm.intel.com with ESMTP; 30 Oct 2019 02:30:45 -0700 Date: Wed, 30 Oct 2019 02:30:45 -0700 From: Sean Christopherson To: Jarkko Sakkinen Cc: linux-kernel@vger.kernel.org, x86@kernel.org, linux-sgx@vger.kernel.org, akpm@linux-foundation.org, dave.hansen@intel.com, nhorman@redhat.com, npmccallum@redhat.com, serge.ayoun@intel.com, shay.katz-zamir@intel.com, haitao.huang@intel.com, andriy.shevchenko@linux.intel.com, tglx@linutronix.de, kai.svahn@intel.com, bp@alien8.de, josh@joshtriplett.org, luto@kernel.org, kai.huang@intel.com, rientjes@google.com, cedric.xing@intel.com, puiterwijk@redhat.com, linux-security-module@vger.kernel.org, Suresh Siddha Subject: Re: [PATCH v23 12/24] x86/sgx: Linux Enclave Driver Message-ID: <20191030093045.GB12481@linux.intel.com> References: <20191028210324.12475-1-jarkko.sakkinen@linux.intel.com> <20191028210324.12475-13-jarkko.sakkinen@linux.intel.com> <20191029092920.GA14494@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20191029092920.GA14494@linux.intel.com> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 29, 2019 at 11:29:20AM +0200, Jarkko Sakkinen wrote: > On Mon, Oct 28, 2019 at 11:03:12PM +0200, Jarkko Sakkinen wrote: > > +/** > > + * sgx_ioc_enclave_add_pages() - The handler for %SGX_IOC_ENCLAVE_ADD_PAGES > > + * @encl: pointer to an enclave instance (via ioctl() file pointer) > > + * @arg: a user pointer to a struct sgx_enclave_add_pages instance > > + * > > + * Add (EADD) one or more pages to an uninitialized enclave, and optionally > > + * extend (EEXTEND) the measurement with the contents of the page. The range of > > + * pages must be virtually contiguous. The SECINFO and measurement mask are > > + * applied to all pages, i.e. pages with different properties must be added in > > + * separate calls. > > + * > > + * A SECINFO for a TCS is required to always contain zero permissions because > > + * CPU silently zeros them. Allowing anything else would cause a mismatch in > > + * the measurement. > > + * > > + * mmap()'s protection bits are capped by the page permissions. For each page > > + * address, the maximum protection bits are computed with the following > > + * heuristics: > > + * > > + * 1. A regular page: PROT_R, PROT_W and PROT_X match the SECINFO permissions. > > + * 2. A TCS page: PROT_R | PROT_W. > > + * 3. No page: PROT_NONE. > > + * > > + * mmap() is not allowed to surpass the minimum of the maximum protection bits > > + * within the given address range. > > + * > > + * As stated above, a non-existent page is interpreted as a page with no > > + * permissions. In effect, this allows mmap() with PROT_NONE to be used to seek > > + * an address range for the enclave that can be then populated into SECS. > > + * > > + * @arg->addr, @arg->src and @arg->length are adjusted to reflect the > > + * remaining pages that need to be added to the enclave, e.g. userspace can > > + * re-invoke SGX_IOC_ENCLAVE_ADD_PAGES using the same struct in response to an > > + * ERESTARTSYS error. > > + * > > + * Return: > > + * 0 on success, > > + * -EINVAL if any input param or the SECINFO contains invalid data, > > + * -EACCES if an executable source page is located in a noexec partition, > > + * -ENOMEM if any memory allocation, including EPC, fails, > > + * -ERESTARTSYS if a pending signal is recognized > > + */ > > +static long sgx_ioc_enclave_add_pages(struct sgx_encl *encl, void __user *arg) > > This should return the number of pages processed instead of zero on > success. Kernel needs to be able to cap the amount it will process. Why? The number of pages processed is effectively returned via the params on any error, e.g. wouldn't it be more appropriate to return -ERESTARTSYS? And I don't see any reason to add an arbitrary cap on the number of pages, e.g. SGX plays nice with the scheduler and signals, and restricting the number of EPC pages available to a process via cgroups (returning -ENOMEM) is a better solution for managing EPC.