Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp8706930ybc; Fri, 29 Nov 2019 15:20:54 -0800 (PST) X-Google-Smtp-Source: APXvYqwFh4m0y1WJs87ViySKRQ11bg6rkU97l9cJ8Xe1XJ4Jr3RhQjhDMMwYxSkXcFA208NjZlg4 X-Received: by 2002:a17:906:49c5:: with SMTP id w5mr48749418ejv.21.1575069654339; Fri, 29 Nov 2019 15:20:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1575069654; cv=none; d=google.com; s=arc-20160816; b=InGPvgrvtfiPQ6EYWWWb5Kdw5gqxIZNYcMzqCNXxPG30K6rm/snmUMSQ9VxEbLGpTT g0CX5h9K7u81JQ5KUsXTMVkmClcybeSGGv2V6rq3VdGNGyb8dMNvmrXVvcV38CSPjC7i ZX0xZbW1PwzBok0uKHmHOCKC878BPf9r+OsyUwMIb3ACb8KgMsoyR83njr3onaoIVsXQ /AviIglvD1DIoouZLnnchJNe5dEFw4Gz/eal1Kg+DsQk0SlJnHhx1UiSQxQqeLkS4vHb SpjJY9hmUy6Ka6Dqj9ouCJCqSLDlfZ314AVO/lzHPQEGGy6+7td9+17KrEvZZYjxJAQg /KbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=/0T2vLwcdh8LqHP9KC2NquImPIeFNWr5S0c7BJKoePA=; b=BwkVVXefb3gt6niykZvGo506uO2FQE4aMWVbkZcz9DmPAyStT/clFOewR5Qv3k8XzJ JC9GlgD5wjTrNDiEJiV6p86fJ4RdKStmn/gRXi48+YIsXsvyTiIFH67yDUB8TPd9PyPD oELEdqg7IxKIR/btslAwv0LZJBW6VKbRgTs7btnbWjmBiGaFqFFIBDSdMYFocj9K6KIv prfHIkkLGZO2C3JUvM6rQSdXKnQxfAq7m5p4BiXr4cpG+84V0tylRR/ZH8SUl2TFAXkK 8PAK1GYv9YFR67MX2reLn2SwzdLgD9NHqH/qdlmE0QRsamCSWkZNU1A98Zp+gOcsv+Xi nO6Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s17si5785727ejj.5.2019.11.29.15.20.31; Fri, 29 Nov 2019 15:20:54 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727430AbfK2XSc (ORCPT + 99 others); Fri, 29 Nov 2019 18:18:32 -0500 Received: from mga09.intel.com ([134.134.136.24]:60934 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727073AbfK2XSb (ORCPT ); Fri, 29 Nov 2019 18:18:31 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Nov 2019 15:18:31 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,259,1571727600"; d="scan'208";a="384194621" Received: from gamanzi-mobl4.ger.corp.intel.com (HELO localhost) ([10.252.3.126]) by orsmga005.jf.intel.com with ESMTP; 29 Nov 2019 15:18:24 -0800 From: Jarkko Sakkinen To: linux-kernel@vger.kernel.org, x86@kernel.org, linux-sgx@vger.kernel.org Cc: akpm@linux-foundation.org, dave.hansen@intel.com, sean.j.christopherson@intel.com, nhorman@redhat.com, npmccallum@redhat.com, serge.ayoun@intel.com, shay.katz-zamir@intel.com, haitao.huang@intel.com, andriy.shevchenko@linux.intel.com, tglx@linutronix.de, kai.svahn@intel.com, bp@alien8.de, josh@joshtriplett.org, luto@kernel.org, kai.huang@intel.com, rientjes@google.com, cedric.xing@intel.com, puiterwijk@redhat.com, linux-doc@vger.kernel.org, Jarkko Sakkinen Subject: [PATCH v24 24/24] docs: x86/sgx: Document kernel internals Date: Sat, 30 Nov 2019 01:13:26 +0200 Message-Id: <20191129231326.18076-25-jarkko.sakkinen@linux.intel.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191129231326.18076-1-jarkko.sakkinen@linux.intel.com> References: <20191129231326.18076-1-jarkko.sakkinen@linux.intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sean Christopherson Document some of the more tricky parts of the kernel implementation internals. Cc: linux-doc@vger.kernel.org Signed-off-by: Sean Christopherson Co-developed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- Documentation/x86/sgx/2.Kernel-internals.rst | 78 ++++++++++++++++++++ Documentation/x86/sgx/index.rst | 1 + 2 files changed, 79 insertions(+) create mode 100644 Documentation/x86/sgx/2.Kernel-internals.rst diff --git a/Documentation/x86/sgx/2.Kernel-internals.rst b/Documentation/x86/sgx/2.Kernel-internals.rst new file mode 100644 index 000000000000..7bfd5cb19b8e --- /dev/null +++ b/Documentation/x86/sgx/2.Kernel-internals.rst @@ -0,0 +1,78 @@ +.. SPDX-License-Identifier: GPL-2.0 + +================ +Kernel Internals +================ + +CPU configuration +================= + +Because SGX has an ever evolving and expanding feature set, it's possible for +a BIOS or VMM to configure a system in such a way that not all CPUs are equal, +e.g. where Launch Control is only enabled on a subset of CPUs. Linux does +*not* support such a heterogeneous system configuration, nor does it even +attempt to play nice in the face of a misconfigured system. With the exception +of Launch Control's hash MSRs, which can vary per CPU, Linux assumes that all +CPUs have a configuration that is identical to the boot CPU. + +EPC management +============== + +Because the kernel can't arbitrarily read EPC memory or share RO backing pages +between enclaves, traditional memory models such as CoW and fork() do not work +with enclaves. In other words, the architectural rules of EPC force it to be +treated as MAP_SHARED at all times. + +The inability to employ traditional memory models also means that EPC memory +must be isolated from normal memory pools, e.g. attempting to use EPC memory +for normal mappings would result in faults and/or perceived data corruption. +Furthermore, EPC is not enumerated as normal memory, e.g. BIOS enumerates +EPC as reserved memory in the e820 tables, or not at all. As a result, EPC +memory is directly managed by the SGX subsystem, e.g. SGX employs VM_PFNMAP to +manually insert/zap/swap page table entries, and exposes EPC to userspace via +a well known device, /dev/sgx/enclave. + +The net effect is that all enclave VMAs must be MAP_SHARED and are backed by +a single file, /dev/sgx/enclave. + +EPC oversubscription +==================== + +SGX allows to have larger enclaves the than amount of available EPC by providing +a subset of leaf instructions for swapping EPC pages to the system memory. The +details of these instructions are discussed in the architecture document. Due to +the unique requirements for swapping EPC pages, and because EPC pages do not +have associated page structures, management of the EPC is not handled by the +standard memory subsystem. + +SGX directly handles swapping of EPC pages, including a thread to initiate the +reclaiming process and a rudimentary LRU mechanism. When the amount of free EPC +pages goes below a low watermark the swapping thread starts reclaiming pages. +The pages that have not been recently accessed (i.e. do not have the A bit set) +are selected as victim pages. Each enclave holds an shmem file as a backing +storage for reclaimed pages. + +Launch Control +============== + +The current kernel implementation supports only writable MSRs. The launch is +performed by setting the MSRs to the hash of the public key modulus of the +enclave signer and a token with the valid bit set to zero. + +If the MSRs were read-only, the platform would need to provide a launch enclave +(LE), which would be signed with the key matching the MSRs. The LE creates +cryptographic tokens for other enclaves that they can pass together with their +signature to the ENCLS(EINIT) opcode, which is used to initialize enclaves. + +Provisioning +============ + +The use of provisioning must be controlled because it allows to get access to +the provisioning keys to attest to a remote party that the software is running +inside a legitimate enclave. This could be used by a malware network to ensure +that its nodes are running inside legitimate enclaves. + +The driver introduces a special device file /dev/sgx/provision and a special +ioctl SGX_IOC_ENCLAVE_SET_ATTRIBUTE to accomplish this. A file descriptor +pointing to /dev/sgx/provision is passed to ioctl from which kernel authorizes +the PROVISION_KEY attribute to the enclave. diff --git a/Documentation/x86/sgx/index.rst b/Documentation/x86/sgx/index.rst index c5dfef62e612..5d660e83d984 100644 --- a/Documentation/x86/sgx/index.rst +++ b/Documentation/x86/sgx/index.rst @@ -14,3 +14,4 @@ potentially malicious. :maxdepth: 1 1.Architecture + 2.Kernel-internals -- 2.20.1