From: Jarkko Sakkinen
To: x86@kernel.org, linux-sgx@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Sean Christopherson, Jethro Beekman, Jarkko Sakkinen, akpm@linux-foundation.org, andriy.shevchenko@linux.intel.com, asapek@google.com, bp@alien8.de, cedric.xing@intel.com, chenalexchen@google.com, conradparker@google.com, cyhanish@google.com, dave.hansen@intel.com, haitao.huang@intel.com, kai.huang@intel.com, kai.svahn@intel.com, kmoy@google.com, ludloff@google.com, luto@kernel.org, nhorman@redhat.com, npmccallum@redhat.com, puiterwijk@redhat.com, rientjes@google.com, tglx@linutronix.de, yaozhangx@google.com, mikko.ylinen@intel.com
Subject: [PATCH v41 07/24] x86/cpu/intel: Detect SGX support
Date: Fri, 13 Nov 2020 00:01:18 +0200
Message-Id: <20201112220135.165028-8-jarkko@kernel.org>
In-Reply-To: <20201112220135.165028-1-jarkko@kernel.org>
References: <20201112220135.165028-1-jarkko@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sean Christopherson

Kernel support for SGX is ultimately decided by the state of the launch control bits in the feature control MSR (MSR_IA32_FEAT_CTL). If the hardware supports SGX, but neglects to support flexible launch control, the kernel will not enable SGX.

Enable SGX at feature control MSR initialization and update the associated X86_FEATURE flags accordingly. Disable X86_FEATURE_SGX (and all derivatives) if the kernel is not able to establish itself as the authority over SGX Launch Control.

All checks are performed for each logical CPU (not just boot CPU) in order to verify that MSR_IA32_FEATURE_CONTROL is correctly configured on all CPUs. All SGX code in this series expects the same configuration from all CPUs.

This differs from VMX where X86_FEATURE_VMX is intentionally cleared only for the current CPU so that KVM can provide additional information if KVM fails to load like which CPU doesn't support VMX. There’s not much the kernel or an administrator can do to fix the situation, so SGX neglects to convey additional details about these kinds of failures if they occur.

Acked-by: Jethro Beekman # v40
# Signed-off-by: Sean Christopherson
Co-developed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
--- arch/x86/kernel/cpu/feat_ctl.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/feat_ctl.c b/arch/x86/kernel/cpu/feat_ctl.c index 29a3bedabd06..d38e97325018 100644 --- a/arch/x86/kernel/cpu/feat_ctl.c +++ b/arch/x86/kernel/cpu/feat_ctl.c 
@@ -93,16 +93,32 @@ static void init_vmx_capabilities(struct cpuinfo_x86 *c) } #endif /* CONFIG_X86_VMX_FEATURE_NAMES */ +static void clear_sgx_caps(void) +{ + setup_clear_cpu_cap(X86_FEATURE_SGX); + setup_clear_cpu_cap(X86_FEATURE_SGX_LC); +} + void init_ia32_feat_ctl(struct cpuinfo_x86 *c) { bool tboot = tboot_enabled(); + bool enable_sgx; u64 msr; if (rdmsrl_safe(MSR_IA32_FEAT_CTL, &msr)) { clear_cpu_cap(c, X86_FEATURE_VMX); + clear_sgx_caps(); return; } + /* + * Enable SGX if and only if the kernel supports SGX and Launch Control + * is supported, i.e. disable SGX if the LE hash MSRs can't be written. + */ + enable_sgx = cpu_has(c, X86_FEATURE_SGX) && + cpu_has(c, X86_FEATURE_SGX_LC) && + IS_ENABLED(CONFIG_X86_SGX); + if (msr & FEAT_CTL_LOCKED) goto update_caps; @@ -124,13 +140,16 @@ void init_ia32_feat_ctl(struct cpuinfo_x86 *c) msr |= FEAT_CTL_VMX_ENABLED_INSIDE_SMX; } + if (enable_sgx) + msr |= FEAT_CTL_SGX_ENABLED | FEAT_CTL_SGX_LC_ENABLED; + wrmsrl(MSR_IA32_FEAT_CTL, msr); update_caps: set_cpu_cap(c, X86_FEATURE_MSR_IA32_FEAT_CTL); if (!cpu_has(c, X86_FEATURE_VMX)) - return; + goto update_sgx; if ( (tboot && !(msr & FEAT_CTL_VMX_ENABLED_INSIDE_SMX)) || (!tboot && !(msr & FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX))) { @@ -143,4 +162,12 @@ void init_ia32_feat_ctl(struct cpuinfo_x86 *c) init_vmx_capabilities(c); #endif } + +update_sgx: + if (!(msr & FEAT_CTL_SGX_ENABLED) || + !(msr & FEAT_CTL_SGX_LC_ENABLED) || !enable_sgx) { + if (enable_sgx) + pr_err_once("SGX disabled by BIOS\n"); + clear_sgx_caps(); + } } -- 2.27.0
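
Review bot: clear_sgx_caps() in the first hunk (@@ -93,16 +93,32 @@) has no comment explaining why it uses setup_clear_cpu_cap(), which takes no cpuinfo_x86 argument and clears the feature system-wide, while the rdmsrl_safe() failure path that calls it clears VMX one line earlier with the per-CPU clear_cpu_cap(c, X86_FEATURE_VMX). The commit message gives the reason (all SGX code in the series expects the same configuration on every CPU, unlike VMX), but that reasoning is not in the code. A short comment above clear_sgx_caps() stating that the global clear is intentional would keep a later cleanup from converting it to the per-CPU form.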
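
Review bot: the register name is inconsistent between the changelog and the code touched by the second hunk (@@ -124,13 +140,16 @@). The hunk writes the new SGX bits with wrmsrl(MSR_IA32_FEAT_CTL, msr), and the first paragraph of the commit message uses the same name, but the third paragraph calls the register MSR_IA32_FEATURE_CONTROL. Using MSR_IA32_FEAT_CTL throughout the commit message would make it match the identifier a reader will grep for.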
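
Review bot: the pr_err_once("SGX disabled by BIOS\n") under update_sgx in the last hunk (@@ -143,4 +162,12 @@) is printed for two different firmware states: FEAT_CTL_SGX_ENABLED clear, and FEAT_CTL_SGX_ENABLED set with FEAT_CTL_SGX_LC_ENABLED clear. In the second case SGX itself is enabled and only launch control is unavailable to the kernel, so the message points an administrator at the wrong setting. Consider testing the two bits separately and logging a distinct message for the launch control case; the !enable_sgx term can then be checked first, since nothing is logged on that path anyway.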