Received: by 2002:a25:1104:0:0:0:0:0 with SMTP id 4csp561418ybr; Fri, 22 May 2020 13:16:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz8yqKrskPrxF20Y+9rVx5DnE5EZvJvNWetCvtTTKInTU7PYSfK8AWQmNuXVT02etZu5h4e X-Received: by 2002:a17:906:1746:: with SMTP id d6mr4339309eje.34.1590178596058; Fri, 22 May 2020 13:16:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590178596; cv=none; d=google.com; s=arc-20160816; b=bxFHYT6qLAS8aaNlPSKjtkIWiVSNkeLTIizsKzelAahUQQJM7S2WdpPz8574DhKRCX 3+fHf5b0Up06YoppVP/9unRPHoOrvqOugzQ+5dLwrbarv6O7+xr2cIKWo1PYgxlT2W9w Kn87SzLtjPl9ZZaWIJk0tlHJKSngBtwnvdHy3S3pTuUdeeHNLz7ETXoSBnPTaD9dMwDo 2G0I3k7RxrtcI2CSiSslrgPrkWwdv0uuX3JC2JyuXDibBvZvPbSZB2Efy3JCwUa0QQxL D9NX0n1MpvbfK894IJ2H3cqjfivFB1jaA1LjOpCH+HRL7Dd3i89lu8+TdPGSdObg5avc tesA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=8/GGNNisCG4EBVYkbH1n9wN7BF8tFWxg1dpjlvjo2DM=; b=SHHi/dHhqDuwH54iMWW/SpM7Tomgf3qQhkSNYE8/0ncNyqGy6eMoKt8whtcLjJ8K75 B/qG4PZGj7ai47Fc/57bDhcLic9tmf5/gZI63Uh9CtRpbYTgkf3IxfH6aoelXQ+6DrAE 8WPGnZsO9wLp4NFr9wOLX/ClYQ9+6dPhwQaPh6jR8gwnRAQd6lYhg2HWmrQLoSK2y33+ TYzdy3ClwqzeoeEspXKNgnz812dVxuZShKoOuvYgp7lW8uDMouUKZ204IuxSgfr+UBAp KZRgF1wMN2q4WPUPPZm1eaxVYg22LjqWsImEVKZwKQ+t/LJ9khJKfa9gIEzJZGVYQfSV Gfww== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cs.unc.edu header.s=google header.b=h3xvlsAC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id yc7si5145017ejb.488.2020.05.22.13.16.12; Fri, 22 May 2020 13:16:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@cs.unc.edu header.s=google header.b=h3xvlsAC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730979AbgEVUOZ (ORCPT + 99 others); Fri, 22 May 2020 16:14:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51182 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730893AbgEVUOZ (ORCPT ); Fri, 22 May 2020 16:14:25 -0400 Received: from mail-qk1-x743.google.com (mail-qk1-x743.google.com [IPv6:2607:f8b0:4864:20::743]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 04895C061A0E for ; Fri, 22 May 2020 13:14:25 -0700 (PDT) Received: by mail-qk1-x743.google.com with SMTP id f83so11903279qke.13 for ; Fri, 22 May 2020 13:14:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.unc.edu; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=8/GGNNisCG4EBVYkbH1n9wN7BF8tFWxg1dpjlvjo2DM=; b=h3xvlsACySQjdSGbKcN4eN70OowwqoTviS00R4lIU8nA3+9dvSYx0gjFs2pKNzZuM4 4o8D4Rs4pvUFL/v85K9wT8PavcdHR0XZAh5/Rwggp0BLkXbU1uOPYH/YMOcyKKv0AiaF ouK0m7sfpAgzd863ZkaVMY8U4vvY5xL/pIuEk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=8/GGNNisCG4EBVYkbH1n9wN7BF8tFWxg1dpjlvjo2DM=; b=n5nhfg6n7V/2N43DokFdeedcnRhosfwQxFP9S1CN+dKZ84vhdAfH3W/kL8CwIAJdcJ EHR1/BJxZDOU7zzWrk13+4ZsUMNSY0U1dCN+zfqc3CA2dven/KVNwjxE1pMMJ6ohKHyc YuO8dZ7IS5/2gZkU9J8SFSFnkY0XrK8x8uwqgyC7aheKK9kKfySHwvjxpqaVjK12EhRA voeTRpeicxGkDJax6xLtx9RxMc87OfNoy095qtixHbNVklySRd1hZYklEEhyX87qHAjR +Drrsaiav6jLCODHlafksp1Gw3x1MCRO4SUqmK/2IBJGy5oMTXERL8Yj0+D2kRUBVgJW q5wA== X-Gm-Message-State: AOAM53066o5d2KZ38+pOc+xdI4913B/jo30fD2XDVARrM4sos9jUZWMd P7JSkmyLXS8QtaCZzGwb2Ytj6w== X-Received: by 2002:a05:620a:56a:: with SMTP id p10mr16679551qkp.287.1590178464170; Fri, 22 May 2020 13:14:24 -0700 (PDT) Received: from pepe.local (71-142-124-255.lightspeed.rlghnc.sbcglobal.net. [71.142.124.255]) by smtp.gmail.com with ESMTPSA id c68sm8324571qke.129.2020.05.22.13.14.22 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 22 May 2020 13:14:23 -0700 (PDT) Subject: Re: Re: [PATCH v12 00/18] Enable FSGSBASE instructions To: Jarkko Sakkinen , Thomas Gleixner Cc: Andi Kleen , Sasha Levin , linux-kernel@vger.kernel.org, bp@alien8.de, luto@kernel.org, hpa@zytor.com, dave.hansen@intel.com, tony.luck@intel.com, ravi.v.shankar@intel.com, chang.seok.bae@intel.com References: <20200511045311.4785-1-sashal@kernel.org> <0186c22a8a6be1516df0703c421faaa581041774.camel@linux.intel.com> <20200515164013.GF29995@sasha-vm> <20200518153407.GA499505@tassilo.jf.intel.com> <371e6a92cad25cbe7a8489785efa7d3457ecef3b.camel@linux.intel.com> <87v9ksvoaq.fsf@nanos.tec.linutronix.de> <20200519164853.GA19706@linux.intel.com> From: Don Porter Message-ID: <7eb45e02-03bf-0af0-c915-794bf49d66d7@cs.unc.edu> Date: Fri, 22 May 2020 16:14:20 -0400 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.8.0 MIME-Version: 1.0 In-Reply-To: <20200519164853.GA19706@linux.intel.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 5/19/20 12:48 PM, Jarkko Sakkinen wrote: > On Tue, May 19, 2020 at 01:03:25AM +0200, Thomas Gleixner wrote: >> Jarkko Sakkinen writes: >>> On Mon, 2020-05-18 at 08:34 -0700, Andi Kleen wrote: >>>>> Yes, for SGX this is functional feature because enclave entry points, >>>>> thread control structures (aka TCS's), reset FSBASE and GSBASE registers >>>>> to fixed (albeit user defined) values. And syscall's can be done only >>>>> outside of enclave. >>>>> >>>>> This is a required feature for fancier runtimes (such as Graphene). >>>> >>>> Can you please explain a bit more? What do they need GS for? >>> >>> Apparently, uses only wrfsbase: >>> >>> https://raw.githubusercontent.com/oscarlab/graphene/master/Pal/src/host/Linux-SGX/db_misc.c >>> >>> I'm not too familiar with the codebase yet but by reading some research >>> papers in the past the idea is to multiplex one TCS for multiple virtual >>> threads inside the enclave. >>> >>> E.g. TCS could represent a vcpu for a libos type of container and on >>> entry would pick on a thread and set fsbase accordingly for a thread >>> control block. >> >> That justifies to write books which recommend to load a kernel module >> which creates a full unpriviledged root hole. I bet none of these papers >> ever mentioned that. > > Fully agree that oot lkm for this is a worst idea ever. > > That's why I want to help with this. > > /Jarkko > > Hi all, and apologies for the resend, I wanted to clarify that we never intended the Graphene kernel module you mention for production use, as well as to comment in support of this patch. Setting the fs register in userspace is an essential feature for running legacy code in SGX. We have been following LKML discussions on this instruction for years, and hoping this feature would be supported by Linux, so that we can retire this module. To our knowledge, every SGX library OS has a similar module, waiting for this or a similar patch to be merged into Linux. This indicates a growing user base that needs this instruction. Just for some history, Graphene was originally a research proof-of-concept that started in my lab, and has since received substantial contributions as an open source project from companies including Intel. This code base is explicitly not intended or ready for production use at this point, as it is still missing essential features. We wrote the kernel module as a way to get something working quickly, so that we could focus on studying more difficult aspects of porting code to SGX. We had always assumed that the Linux community would eventually offer a correct and safe mechanism to enable this instruction, but we generally err on the side of publishing code we write for research studies as open source in the interest of supporting reproducibility and further science. Nonetheless, Graphene is moving towards adoption in production systems, and we are actively working to make the code base secure and robust. This issue has been on our to-do list before a production release. It would certainly make our lives easier to deprecate our module and just use a robust, in-kernel implementation. All the best, Don Porter Graphene Maintainer https://grapheneproject.io/