Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp648714rwe; Wed, 31 Aug 2022 08:40:29 -0700 (PDT) X-Google-Smtp-Source: AA6agR5ld4vnk0UtwPfTHMaCH49UVARwwa4sZXOZ14G7czucmjiLy2Qwg/iJiFfZlgnBuFYr8b83 X-Received: by 2002:a17:907:72d5:b0:73d:d6ce:5d3a with SMTP id du21-20020a17090772d500b0073dd6ce5d3amr19578547ejc.489.1661960429291; Wed, 31 Aug 2022 08:40:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661960429; cv=none; d=google.com; s=arc-20160816; b=pTDct1CENRPI3Bq52QudRz8q3CsIP08cmIejpYxDaVhP1dhtaWy7yfLLGH7Ct4dUgo jyI77PObOxsmQjNxR46eba3Nto/abCkOnBmzo638BR90HEvbBBmjt8ThnADFGfAdKF7J vVQBSKtyGTOekAtMO06LCAC9nzm+1EGTogOI+XimK5mYm9VuoJTUCS1PSUmLD2rAnRdp /NVhqVoSQ7bTQULVf2oMZXpwm1BdpgvQWAtC9reuGt8j+ej78oaqovoTpE+qi3BALnAR uyzwmw9RAzmButuHrrzS3imJpf74TUCIah8w/Ix1jgbIazNd8rtv3CR8QWb5xzWZHHej qdgQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:message-id:organization :from:content-transfer-encoding:mime-version:date:references:subject :cc:to:dkim-signature; bh=zPG8BOYYqzUvIUaseic59J7r5y5I+eCj/NFKIFV/sTc=; b=GRZT7c6T5qbad68mFeMchIqPPFcbSnfk1IAImjcMJFmgAwPAJuswXbr/tWEG8kun/z 26YcLHzDF2DAjGAnWU0y7/qcigv11yH5hT7c/CyF4JDxVMCJ2Um1IoPGQLc2qj3NH7WF Dy4rA+iHZ+Uksgp/DxVx7xlS2NwlIkVIKEyUlCRld+CFP/+SJ6GI0mkm70YDIi0VGtr9 wvaohSH5OO3sQiazRqva6E46LUBPjToZfdPyaND2KzAmmp5SSE916bVaAp4jh3yD6IQm MEBsoa4JZfsO6J+ORP/w9rLbwk0E0fmfwCv6hd/owe9QkTS5+83VGlXkLDehHEli8yu1 6ZiA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=m28TBWYb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z6-20020a056402274600b004486d90c931si8795260edd.49.2022.08.31.08.40.03; Wed, 31 Aug 2022 08:40:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=m28TBWYb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230455AbiHaPSG (ORCPT + 99 others); Wed, 31 Aug 2022 11:18:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58562 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230181AbiHaPSE (ORCPT ); Wed, 31 Aug 2022 11:18:04 -0400 Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B421AD5DD2; Wed, 31 Aug 2022 08:18:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1661959083; x=1693495083; h=to:cc:subject:references:date:mime-version: content-transfer-encoding:from:message-id:in-reply-to; bh=TxLO0JiUZbqETHUngAijiycnecMsPeNwFP5Opt7eQo4=; b=m28TBWYbYlLp4NMuoDXUKMmF6aUHVuEpdGz8fdFXRrp7XaTEliqGbuW0 Ne2BauCrI37gX9Mz5LywoJ5kNys+yKP7/ZWhowlclOnZHH2csOvzNAhjR qZO+fxwDaf7T2GXRw1n0hb2tb48jsj6DUwiRG08n8JsmH/apqoww2t99k BAzdBzZkQQnDGkiEKZuTGYnyCeRlu1J8SDSDJTt2cbEwewuxAgpImGUtX preoJ+8VqZa4aNJKrrvKA1/SUkcxyzEHkA+d2S4rcYIW9YGRRLdiC0P2J wo+rwsdKdNBfQam+Z1iLFjI6qEEzYes4Y5l8FF1zZZLo4FhGJLYJOb6dc w==; X-IronPort-AV: E=McAfee;i="6500,9779,10456"; a="295473519" X-IronPort-AV: E=Sophos;i="5.93,278,1654585200"; d="scan'208";a="295473519" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 Aug 2022 08:18:02 -0700 X-IronPort-AV: E=Sophos;i="5.93,278,1654585200"; d="scan'208";a="563066045" Received: from hhuan26-mobl1.amr.corp.intel.com (HELO hhuan26-mobl1.mshome.net) ([10.212.96.122]) by orsmga003-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-SHA; 31 Aug 2022 08:18:01 -0700 Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes To: "jarkko@kernel.org" , "Huang, Kai" Cc: "pmenzel@molgen.mpg.de" , "linux-sgx@vger.kernel.org" , "x86@kernel.org" , "dave.hansen@linux.intel.com" , "Dhanraj, Vijay" , "Chatre, Reinette" , "mingo@redhat.com" , "tglx@linutronix.de" , "bp@alien8.de" , "hpa@zytor.com" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH 1/6] x86/sgx: Do not consider unsanitized pages an error References: <20220830031206.13449-1-jarkko@kernel.org> <20220830031206.13449-2-jarkko@kernel.org> <1f43e7b9-c101-3872-bd1b-add66933b285@intel.com> <1b3308a364317d36ad41961ea9cfee24aa122f02.camel@intel.com> Date: Wed, 31 Aug 2022 10:18:00 -0500 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: "Haitao Huang" Organization: Intel Corp Message-ID: In-Reply-To: User-Agent: Opera Mail/1.0 (Win32) X-Spam-Status: No, score=-7.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,SPF_HELO_NONE, SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Kai On Tue, 30 Aug 2022 22:17:08 -0500, Huang, Kai wrote: > On Wed, 2022-08-31 at 05:57 +0300, jarkko@kernel.org wrote: >> On Wed, Aug 31, 2022 at 02:55:52AM +0000, Huang, Kai wrote: >> > On Wed, 2022-08-31 at 05:44 +0300, jarkko@kernel.org wrote: >> > > On Wed, Aug 31, 2022 at 02:35:53AM +0000, Huang, Kai wrote: >> > > > On Wed, 2022-08-31 at 05:15 +0300, jarkko@kernel.org wrote: >> > > > > On Wed, Aug 31, 2022 at 01:27:58AM +0000, Huang, Kai wrote: >> > > > > > On Tue, 2022-08-30 at 15:54 -0700, Reinette Chatre wrote: >> > > > > > > Hi Jarkko, >> > > > > > > >> > > > > > > On 8/29/2022 8:12 PM, Jarkko Sakkinen wrote: >> > > > > > > > In sgx_init(), if misc_register() for the provision >> device fails, and >> > > > > > > > neither sgx_drv_init() nor sgx_vepc_init() succeeds, then >> ksgxd will be >> > > > > > > > prematurely stopped. >> > > > > > > >> > > > > > > I do not think misc_register() is required to fail for the >> scenario to >> > > > > > > be triggered (rather use "or" than "and"?). Perhaps just >> > > > > > > "In sgx_init(), if a failure is encountered after ksgxd is >> started >> > > > > > > (via sgx_page_reclaimer_init()) ...". >> > > > > > >> > > > > > IMHO "a failure" might be too vague. For instance, failure >> to sgx_drv_init() >> > > > > > won't immediately result in ksgxd to stop prematurally. As >> long as KVM SGX can >> > > > > > be initialized successfully, sgx_init() still returns 0. >> > > > > > >> > > > > > Btw I was thinking whether we should move >> sgx_page_reclaimer_init() to the end >> > > > > > of sgx_init(), after we make sure at least one of the driver >> and the KVM SGX is >> > > > > > initialized successfully. Then the code change in this patch >> won't be necessary >> > > > > > if I understand correctly. AFAICT there's no good reason to >> start the ksgxd at >> > > > > > early stage before we are sure either the driver or KVM SGX >> will work. >> > > > > >> > > > > I would focus fixing the existing flow rather than reinventing >> the flow. >> > > > > >> > > > > It can be made to work, and therefore it is IMHO correct action >> to take. >> > > > >> > > > From another perspective, the *existing flow* is the reason which >> causes this >> > > > bug. A real fix is to fix the flow itself. >> > > >> > > Any existing flow in part of the kernel can have a bug. That >> > > does not mean that switching flow would be proper way to fix >> > > a bug. >> > > >> > > BR, Jarkko >> > >> > Yes but I think this is only true when the flow is reasonable. If >> the flow >> > itself isn't reasonable, we should fix the flow (given it's easy to >> fix AFAICT). >> > >> > Anyway, let us also hear from others. >> >> The flow can be made to work without issues, which in the >> context of a bug fix is exactly what a bug fix should do. >> Not more or less. > > No. To me the flow itself is buggy. There's no reason to start ksgxd() > before > at least SGX driver is initialized to work. > Will it cause racing if we expose dev nodes to user space before ksgxd is started and sensitization done? > Patching the buggy flow is more like a workaround, but isn't a real fix. > >> >> You don't gain any measurable value for the user with this >> switch idea. > > There is actual gain by moving sgx_page_reclaimer_init() to > sgx_drv_init(), or > only calling sgx_page_reclaimer_init() when sgx_drv_init() returns > success: > > If somehow sgx_drv_init() fails to initialize, ksgxd() won't run. > > Currently, if SGX driver fails to initialize but virtual EPC initializes > successfully, ksgxd() still runs. However it achieves nothing but only > wastes > CPU cycles. > > You still need ksgxd for sanitizing (at least) and swapping (potentially) even if only virtual EPC initializes. Thanks Haitao