From: Dave Hansen
To: linux-kernel@vger.kernel.org
Cc: Dave Hansen, Jarkko Sakkinen, Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86@kernel.org, "H. Peter Anvin", linux-sgx@vger.kernel.org
Subject: [PATCH] x86/sgx: Allow enclaves to use Asynchronous Exit Notification
Date: Tue, 5 Jul 2022 11:36:48 -0700
Message-Id: <20220705183648.3739111-1-dave.hansen@linux.intel.com>

Short Version:

Allow enclaves to use the new Asynchronous EXit (AEX) notification mechanism. This mechanism lets enclaves run a handler after an AEX event. These handlers can run mitigations for things like SGX-Step[1].

AEX Notify will be made available both on upcoming processors and on some older processors through microcode updates.

Long Version:

== SGX Attribute Background ==

The SGX architecture includes a list of SGX "attributes". These attributes ensure consistency and transparency around specific enclave features. As a simple example, the "DEBUG" attribute allows an enclave to be debugged, but also destroys virtually all of SGX security. Using attributes, enclaves can know that they are being debugged. Attributes also affect enclave attestation so an enclave can, for instance, be denied access to secrets while it is being debugged.

The kernel keeps a list of known attributes and will only initialize enclaves that use a known set of attributes. This kernel policy eliminates the chance that a new SGX attribute could cause undesired effects.

For example, imagine a new attribute was added called "PROVISIONKEY2" that provided similar functionality to "PROVISIONKEY". A kernel policy that allowed indiscriminate use of unknown attributes and thus PROVISIONKEY2 would undermine the existing kernel policy which limits use of PROVISIONKEY enclaves.

== AEX Notify Background ==

"Intel Architecture Instruction Set Extensions and Future Features - Version 45" is out[2]. There is a new chapter: Asynchronous Enclave Exit Notify and the EDECCSSA User Leaf Function.

Enclave exits can be either synchronous and consensual (EEXIT for instance) or asynchronous (on an interrupt or fault). The asynchronous ones can evidently be exploited to single step enclaves[1], on top of which other naughty things can be built.

AEX Notify will be made available both on upcoming processors and on some older processors through microcode updates.

== The Problem ==

These attacks are currently entirely opaque to the enclave since the hardware does the save/restore under the covers. The Asynchronous Enclave Exit Notify (AEX Notify) mechanism provides enclaves an ability to detect and mitigate potential exposure to these kinds of attacks.

== The Solution ==

Define the new attribute value for AEX Notification. Ensure the attribute is cleared from the list of reserved attributes which allows it to be used in enclaves.

I just built this and ran it to make sure there were no obvious regressions since I do not have the hardware to test it handy. Tested-by's would be much appreciated.

1. https://github.com/jovanbulck/sgx-step
2. https://cdrdv2.intel.com/v1/dl/getContent/671368?explicitVersion=true

Signed-off-by: Dave Hansen
Cc: Jarkko Sakkinen
Cc: Andy Lutomirski
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: x86@kernel.org
Cc: "H. Peter Anvin"
Cc: linux-sgx@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
---
 arch/x86/include/asm/sgx.h | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/arch/x86/include/asm/sgx.h b/arch/x86/include/asm/sgx.h index 3f9334ef67cd..f7328d8efd83 100644 --- a/arch/x86/include/asm/sgx.h +++ b/arch/x86/include/asm/sgx.h @@ -110,17 +110,28 @@ enum sgx_miscselect { * %SGX_ATTR_EINITTOKENKEY: Allow to use token signing key that is used to * sign cryptographic tokens that can be passed to * EINIT as an authorization to run an enclave. + * %SGX_ATTR_ASYNC_EXIT_NOTIFY: Allow enclaves to be notified after an + * asynchronous exit has occurred. */ enum sgx_attribute { - SGX_ATTR_INIT = BIT(0), - SGX_ATTR_DEBUG = BIT(1), - SGX_ATTR_MODE64BIT = BIT(2), - SGX_ATTR_PROVISIONKEY = BIT(4), - SGX_ATTR_EINITTOKENKEY = BIT(5), - SGX_ATTR_KSS = BIT(7), + SGX_ATTR_INIT = BIT(0), + SGX_ATTR_DEBUG = BIT(1), + SGX_ATTR_MODE64BIT = BIT(2), + /* BIT(3) is reserved */ + SGX_ATTR_PROVISIONKEY = BIT(4), + SGX_ATTR_EINITTOKENKEY = BIT(5), + /* BIT(6) is for CET */ + SGX_ATTR_KSS = BIT(7), + /* BIT(8) is reserved */ + /* BIT(9) is reserved */ + SGX_ATTR_ASYNC_EXIT_NOTIFY = BIT(10), }; -#define SGX_ATTR_RESERVED_MASK (BIT_ULL(3) | BIT_ULL(6) | GENMASK_ULL(63, 8)) +#define SGX_ATTR_RESERVED_MASK (BIT_ULL(3) | \ + BIT_ULL(6) | \ + BIT_ULL(8) | \ + BIT_ULL(9) | \ + GENMASK_ULL(63, 11)) /** * struct sgx_secs - SGX Enclave Control Structure (SECS) -- 2.34.1
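Review bot: the hunk un-reserves BIT(10) in SGX_ATTR_RESERVED_MASK, but the commit message also says the kernel "keeps a list of known attributes and will only initialize enclaves that use a known set of attributes"; if that allowed-attribute list is maintained anywhere other than this mask, clearing the reserved bit alone may not be enough for an enclave to initialize with SGX_ATTR_ASYNC_EXIT_NOTIFY, so please confirm and state in the commit message why this one change suffices. Secondary, style: the six unchanged enum entries from `SGX_ATTR_INIT = BIT(0)` through `SGX_ATTR_KSS = BIT(7)` are re-emitted only to realign whitespace, which mixes churn into a functional change; keeping the old alignment (or splitting the realignment out) would reduce the enum part of the diff to the new `SGX_ATTR_ASYNC_EXIT_NOTIFY = BIT(10)` line and the reserved-bit comments.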
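The commit message describes the kernel policy that an enclave asking for any attribute bit the kernel does not know is refused, and the patch implements the new feature purely by removing one bit from the reserved mask. The following is an added example, not code from the patch or the kernel tree: it re-creates the old and new SGX_ATTR_RESERVED_MASK values exactly as they appear in the hunk, models the reserved-attribute check as a simple mask test (an assumption about the policy, not a copy of the kernel's own check), and verifies that the two masks differ in exactly bit 10, so that ASYNC_EXIT_NOTIFY becomes usable while every other previously reserved bit, including the still-unknown bit 11, stays rejected. The BIT/BIT_ULL/GENMASK_ULL macros are local stand-ins for the kernel helpers so the file builds outside the tree.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for the Linux helpers (semantics as in include/linux/bits.h),
 * defined here only so this example compiles outside the kernel tree. */
#define BIT(n)            (1U << (n))
#define BIT_ULL(n)        (1ULL << (n))
#define GENMASK_ULL(h, l) (((~0ULL) << (l)) & (~0ULL >> (63 - (h))))

/* Attribute bits as listed in arch/x86/include/asm/sgx.h after the patch. */
enum sgx_attribute {
	SGX_ATTR_INIT              = BIT(0),
	SGX_ATTR_DEBUG             = BIT(1),
	SGX_ATTR_MODE64BIT         = BIT(2),
	/* BIT(3) is reserved */
	SGX_ATTR_PROVISIONKEY      = BIT(4),
	SGX_ATTR_EINITTOKENKEY     = BIT(5),
	/* BIT(6) is for CET */
	SGX_ATTR_KSS               = BIT(7),
	/* BIT(8) and BIT(9) are reserved */
	SGX_ATTR_ASYNC_EXIT_NOTIFY = BIT(10),
};

/* Reserved mask before the patch, copied from the '-' line of the hunk. */
#define SGX_ATTR_RESERVED_MASK_OLD \
	(BIT_ULL(3) | BIT_ULL(6) | GENMASK_ULL(63, 8))

/* Reserved mask after the patch, copied from the '+' lines of the hunk. */
#define SGX_ATTR_RESERVED_MASK_NEW \
	(BIT_ULL(3) | BIT_ULL(6) | BIT_ULL(8) | BIT_ULL(9) | GENMASK_ULL(63, 11))

/* Assumed model of the policy the commit message describes: an enclave whose
 * requested SECS attributes touch any reserved (unknown) bit is refused.
 * This is an illustration, not the kernel's actual validation code. */
static bool sgx_attributes_allowed(uint64_t requested, uint64_t reserved_mask)
{
	return (requested & reserved_mask) == 0;
}

/* The patch is correct only if the new mask differs from the old one in
 * exactly bit 10 and that bit is now clear; anything else would either
 * leak an extra unknown attribute through or keep AEX Notify blocked. */
static bool reserved_mask_change_is_exact(void)
{
	uint64_t diff = SGX_ATTR_RESERVED_MASK_OLD ^ SGX_ATTR_RESERVED_MASK_NEW;

	return diff == BIT_ULL(10) &&
	       (SGX_ATTR_RESERVED_MASK_NEW & BIT_ULL(10)) == 0;
}

/* Convenience wrapper: would an enclave with these attributes initialize
 * under the old mask and under the new one?  Returns 0b<new><old>. */
static unsigned int allowed_before_after(uint64_t requested)
{
	unsigned int r = 0;

	if (sgx_attributes_allowed(requested, SGX_ATTR_RESERVED_MASK_OLD))
		r |= 1U;
	if (sgx_attributes_allowed(requested, SGX_ATTR_RESERVED_MASK_NEW))
		r |= 2U;
	return r;
}

int main(void)
{
	/* Constructed sample attribute sets, not taken from any real enclave. */
	const struct { const char *name; uint64_t attrs; } samples[] = {
		{ "MODE64BIT only",              SGX_ATTR_MODE64BIT },
		{ "MODE64BIT | ASYNC_EXIT_NOTIFY", SGX_ATTR_MODE64BIT | SGX_ATTR_ASYNC_EXIT_NOTIFY },
		{ "unknown bit 11",              BIT_ULL(11) },
		{ "reserved bit 3",              BIT_ULL(3) },
	};

	printf("mask change is exactly bit 10: %s\n",
	       reserved_mask_change_is_exact() ? "yes" : "no");
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned int r = allowed_before_after(samples[i].attrs);

		printf("%-32s old:%s new:%s\n", samples[i].name,
		       (r & 1U) ? "allow" : "deny", (r & 2U) ? "allow" : "deny");
	}
	return reserved_mask_change_is_exact() ? 0 : 1;
}
```

The same mask test can be pointed at any future attribute bit a newer spec defines: until a kernel patch like this one explicitly removes the bit from the reserved mask, an enclave requesting it is refused, which is the property the commit message's PROVISIONKEY2 example relies on.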