Received: by 2002:a25:d783:0:0:0:0:0 with SMTP id o125csp92273ybg; Wed, 18 Mar 2020 18:04:37 -0700 (PDT) X-Google-Smtp-Source: ADFU+vuuKFuCJYSrl8RIrTpm+MpC18xj3W+TPyqCq5KEJUcIUZUi8lXHfvKX1w9Cy3nJ0bRMiGL6 X-Received: by 2002:aca:aa55:: with SMTP id t82mr558268oie.147.1584579877195; Wed, 18 Mar 2020 18:04:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1584579877; cv=none; d=google.com; s=arc-20160816; b=ZX9ra/VvjdKnyIXisa0ghRS2/jaleLcvBDJOEmc84nHFyLYgdfTdW8VnnVE+LUVxer 8AAj25ikDWq2E+jk4TsLGmG5jTzVKRPpMxwUykqNGeF7Rc4l8K36kuO6ATr9OyUHiex7 NRcrNnguFFB7BLcI2BvJo/skSNQa4vxIhoR6ZQL2x/mv+/Mc4dXPD83+m3Ms7rNsBk/6 Zmj7QP5oqOGu2B2T86O1kRwjHWs5XfKK4/ho1ixvgB411aapuWDPXQMy9sAf5mr1kjuH Ulc8Dvg/ts2Hp2D9y+MupFOM7TgfYczUfVR/2VLzA7wBPI8aq85vtnAj5eT73CNMM2qH LoCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:ironport-sdr:ironport-sdr; bh=WlEytQL5jovdSI0UlRAv3qQBQgil/K9FD9NBCAt3WDI=; b=CmKjkMnT6RprK9EEUNuc4/AIXXPlzBdwoPiqG/jbz8JAU9vX9mWWIOSVY8N3pdhBnq yk5DrBUKCjVkzJidtyPO6NwiKwcXcmt+7lKdpw04YEkD5lurLx4MAokPfd/0amRXx8Zn CFuU+3VaDF7agM6D9ihcx5J55pt+KwmuCdfiT9DP7gVGZvgLm81PZVZ62Lr+MGUt/GWB awb/IiKUDX/DoDuREnOn7knlghVYqlkVtr8jnDkDd7iCbC/p9SfxfPqxR8oNTGcTQtkN 8XOYIIGxvXM7Jjv9tUqzCgwFua9ckgeFcJzqKR/wh5H3GjD1NfDstu25cDt7CW6DwNie 0oGA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n6si381469otf.147.2020.03.18.18.04.24; Wed, 18 Mar 2020 18:04:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726866AbgCSBDJ (ORCPT + 99 others); Wed, 18 Mar 2020 21:03:09 -0400 Received: from mga11.intel.com ([192.55.52.93]:15997 "EHLO mga11.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726596AbgCSBDI (ORCPT ); Wed, 18 Mar 2020 21:03:08 -0400 IronPort-SDR: UDarT0/D/mTUCwecBuFy32V5q6u2OVguKKwZO/R5comHwo7QHJFjRJzkXUgig5dXe+4XWRoNTG 4AT+xjx+B/Dw== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Mar 2020 18:03:07 -0700 IronPort-SDR: CGUYWfkphOuI4TIm7YiOkLmPVqj85z7yp25k0oamOOD/R+j1F8nhSgN8bm9EUnvY4ZnaYA4Y3C 1ot4B9TZezhQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,569,1574150400"; d="scan'208";a="238348272" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.202]) by fmsmga008.fm.intel.com with ESMTP; 18 Mar 2020 18:03:06 -0700 Date: Wed, 18 Mar 2020 18:03:06 -0700 From: Sean Christopherson To: "Xing, Cedric" Cc: Nathaniel McCallum , Jethro Beekman , Jarkko Sakkinen , linux-kernel@vger.kernel.org, x86@kernel.org, linux-sgx@vger.kernel.org, akpm@linux-foundation.org, dave.hansen@intel.com, Neil Horman , "Huang, Haitao" , andriy.shevchenko@linux.intel.com, tglx@linutronix.de, "Svahn, Kai" , bp@alien8.de, Josh Triplett , luto@kernel.org, kai.huang@intel.com, David Rientjes , Patrick Uiterwijk , Andy Lutomirski , Connor Kuehl , Harald Hoyer , Lily Sturmann Subject: Re: [PATCH v28 21/22] x86/vdso: Implement a vDSO for Intel SGX enclave call Message-ID: <20200319010306.GA8347@linux.intel.com> References: <254f1e35-4302-e55f-c00d-0f91d9503498@fortanix.com> <20200313164622.GC5181@linux.intel.com> <20200313184452.GD5181@linux.intel.com> <20200313220820.GE5181@linux.intel.com> <20200318234057.GE26164@linux.intel.com> <858d19ed-868b-b4be-cbac-6cb92349d8fb@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <858d19ed-868b-b4be-cbac-6cb92349d8fb@intel.com> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 18, 2020 at 05:38:29PM -0700, Xing, Cedric wrote: > On 3/18/2020 4:40 PM, Sean Christopherson wrote: > %rbx can always be restored as long as it is saved at a fixed offset from > %rbp. For example, given the standard prolog below: > > push %rbp > mov %rsp, %rbp > push %rbx > > It can be paired with the following standard epilog: > > mov -8(%rbp), %rbx > leave > ret > > Alternatively, given "red zone" of 128 bytes, the following epilog will also > work: > > leave > mov -0x10(%rsp), %rbx > ret > > In no cases do we have to worry about enclave mucking the stack as long as > %rbp is preserved. > > >>>>While this is more work, it is standard calling convention work that > >>>>doesn't require internal knowledge of __vdso..(). Alternatively, if we > >>>>don't like the extra work, we can document the %rbx hack explicitly > >>>>into the handler documentation and make it part of the interface. But > >>>>we need some explicit way for the handler to pop enclave output stack > >>>>params that doesn't depend on internal knowledge of the __vdso...() > >>>>invariants. > >>> > >>>IIUC, this is what you're suggesting? Having to align the stack makes this > >>>a bit annoying, but it's not bad by any means. > >>> > >>>diff --git a/arch/x86/entry/vdso/vsgx_enter_enclave.S b/arch/x86/entry/vdso/vsgx_enter_enclave.S > >>>index 94a8e5f99961..05d54f79b557 100644 > >>>--- a/arch/x86/entry/vdso/vsgx_enter_enclave.S > >>>+++ b/arch/x86/entry/vdso/vsgx_enter_enclave.S > >>>@@ -139,8 +139,9 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave) > >>> /* Pass the untrusted RSP (at exit) to the callback via %rcx. */ > >>> mov %rsp, %rcx > >>> > >>>- /* Save the untrusted RSP in %rbx (non-volatile register). */ > >>>+ /* Save the untrusted RSP offset in %rbx (non-volatile register). */ > >>> mov %rsp, %rbx > >>>+ and $0xf, %rbx > >>> > >>> /* > >>> * Align stack per x86_64 ABI. Note, %rsp needs to be 16-byte aligned > >>>@@ -161,8 +162,8 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave) > >>> mov 0x20(%rbp), %rax > >>> call .Lretpoline > >>> > >>>- /* Restore %rsp to its post-exit value. */ > >>>- mov %rbx, %rsp > >>>+ /* Undo the post-exit %rsp adjustment. */ > >>>+ lea 0x20(%rsp,%rbx), %rsp > >>> > > Per discussion above, this is useful only if the enclave has problem > cleaning up its own mess left on the untrusted stack, and the exit handler > wants to EENTER the enclave again by returning to __vdso...(). It sounds > very uncommon to me, and more like a bug than an expected behavior. Are > there any existing code doing this or any particular application that needs > this. If no, I'd say not to do it. Ya, I'm on the fence as well. The only counter-argument is that doing: push %rbp mov %rsp, %rbp push %rbx ... pop %rbx leave ret with the relative adjustment would allow the exit handler (or enclave) to change %rbx. I'm not saying that is remote sane, but if we're going for maximum flexibility... Anyways, patches incoming, let's discuss there.