From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: x86@kernel.org, linux-sgx@vger.kernel.org,
akpm@linux-foundation.org, dave.hansen@intel.com,
nhorman@redhat.com, npmccallum@redhat.com, serge.ayoun@intel.com,
shay.katz-zamir@intel.com, haitao.huang@intel.com,
andriy.shevchenko@linux.intel.com, tglx@linutronix.de,
kai.svahn@intel.com, bp@alien8.de, josh@joshtriplett.org,
luto@kernel.org, kai.huang@intel.com, rientjes@google.com
Subject: Re: [PATCH v19 25/27] x86/sgx: SGX documentation
Date: Thu, 21 Mar 2019 18:24:22 +0200 [thread overview]
Message-ID: <20190321162422.GV4603@linux.intel.com> (raw)
In-Reply-To: <20190320171422.GD30469@linux.intel.com>
On Wed, Mar 20, 2019 at 10:14:22AM -0700, Sean Christopherson wrote:
> On Sun, Mar 17, 2019 at 11:14:54PM +0200, Jarkko Sakkinen wrote:
> > Documentation of the features of the Software Guard eXtensions (SGX),
> > the basic design choices for the core and driver functionality and
> > the UAPI.
> >
> > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> > Co-developed-by: Sean Christopherson <sean.j.christopherson@intel.com>
> > Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> > ---
> > +Intel(R) SGX is a set of CPU instructions that can be used by applications to
> > +set aside private regions of code and data. The code outside the enclave is
> > +disallowed to access the memory inside the enclave by the CPU access control.
> > +In a way you can think that SGX provides an inverted sandbox. It protects the
> > +application from a malicious host.
> > +
> > +You can tell if your CPU supports SGX by looking into ``/proc/cpuinfo``:
> > +
> > + ``cat /proc/cpuinfo | grep sgx``
> > +
> > +Overview of SGX
> > +===============
> > +
> > +SGX has a set of data structures to maintain information about the enclaves and
> > +their security properties. BIOS reserves a fixed size region of physical memory
> > +for these structures by setting Processor Reserved Memory Range Registers
> > +(PRMRR).
> > +
> > +This memory range is protected from outside access by the CPU and all the data
> > +coming in and out of the CPU package is encrypted by a key that is generated for
> > +each boot cycle.
>
> The overview should probably be limited to architectural features, e.g. the
> ISA, *architectural* EPC and EPCM behavior, etc... Then add a dedicated
> section on EPC implementation(s), which are micro-architecture specific.
>
> > +
> > +Enclaves execute in ring 3 in a special enclave submode using pages from the
> > +reserved memory range. A fixed logical address range for the enclave is reserved
> ^^^^^^^
>
> I'm 99.99999% certain the above should be "linear address range". The SDM
> SDM first introduces ELRANGE as working with logical addresses:
>
> Address space allocation is the specification of the range of logical
> addresses that the enclave may use. This range is called the ELRANGE.
>
> but I think that's a documentation bug. Subsequent references in the SDM
> all refer to linear addresses, and the ELRANGE checks definitely work with
> linear addresses.
>
> > +by ENCLS(ECREATE), a leaf instruction used to create enclaves. It is referred to
> > +in the documentation commonly as the *ELRANGE*.
> > +
> > +Every memory access to the ELRANGE is asserted by the CPU. If the CPU is not
> > +executing in the enclave mode inside the enclave, #GP is raised. On the other
>
> This isn't correct. ELRANGE protections are activated when only executing
> inside an enclave. An enclave's memory is protected by the EPC{M} when the
> CPU is operating outside the enclave or in a different enclave.
>
> > +hand, enclave code can make memory accesses both inside and outside of the
> > +ELRANGE.
> > +
> > +An enclave can only execute code inside the ELRANGE. Instructions that may cause
> > +VMEXIT, IO instructions and instructions that require a privilege change are
>
> The VM-Exit blurb is technically no longer accurate, e.g. a VMM can choose
> to intercept RDTSC, but RDTSC is also allowed in enclaves.
>
> > +prohibited inside the enclave. Interrupts and exceptions always cause an enclave
> > +to exit and jump to an address outside the enclave given when the enclave is
> > +entered by using the leaf instruction ENCLS(EENTER).
> > +
> > +Protected memory
> > +----------------
> > +
> > +Enclave Page Cache (EPC)
> > + Physical pages used with enclaves that are protected by the CPU from
> > + unauthorized access.
> > +
> > +Enclave Page Cache Map (EPCM)
> > + A database that describes the properties and state of the pages e.g. their
> > + permissions or which enclave they belong to.
> > +
> > +Memory Encryption Engine (MEE) integrity tree
> > + Autonomously updated integrity tree. The root of the tree located in on-die
> > + SRAM.
> > +
> > +EPC data types
> > +--------------
> > +
> > +SGX Enclave Control Structure (SECS)
> > + Describes the global properties of an enclave. Will not be mapped to the
> > + ELRANGE.
> > +
> > +Regular (REG)
> > + These pages contain code and data.
> > +
> > +Thread Control Structure (TCS)
> > + The pages that define the entry points inside an enclave. An enclave can
> > + only be entered through these entry points and each can host a single
> > + hardware thread at a time.
> > +
> > +Version Array (VA)
> > + The pages contain 64-bit version numbers for pages that have been swapped
> > + outside the enclave. Each page has the capacity of 512 version numbers.
>
> The page type descriptions could use a bit of improvement. Tangentially
> related, would it make sense to add a "Terminology" section given the
> absurd number of acronyms used by SGX?
>
> > +
> > +Launch control
> > +--------------
> > +
> > +To launch an enclave, two structures must be provided for ENCLS(EINIT):
> > +
> > +1. **SIGSTRUCT:** signed measurement of the enclave binary.
> > +2. **EINITTOKEN:** a cryptographic token CMAC-signed with a AES256-key called
> > + *launch key*, which is regenerated for each boot cycle.
> > +
> > +The CPU holds a SHA256 hash of a 3072-bit RSA public key inside
> > +IA32_SGXLEPUBKEYHASHn MSRs. Enclaves with a SIGSTRUCT that is signed with this
> > +key do not require a valid EINITTOKEN and can be authorized with special
> > +privileges. One of those privileges is ability to acquire the launch key with
> > +ENCLS(EGETKEY).
>
> This section should also call out that the IA32_SGXLEPUBKEYHASHn MSRs also
> affect EINIT tokens. And simply being signed with the key referenced by
> IA32_SGXLEPUBKEYHASHn doesn't grant access to the EINITTOKEN_KEY, the
> enclave still needs to explicit request access, e.g. the kernel could deny
> access to the EINITTOKEN_KEY by refusing to create enclaves that request
> said key.
>
> > +**IA32_FEATURE_CONTROL[SGX_LE_WR]** is used by the BIOS configure whether
> > +IA32_SGXLEPUBKEYHASH MSRs are read-only or read-write before locking the feature
> > +control register and handing over control to the operating system.
>
> ...
>
> > +The PF_SGX bit is set if and only if the #PF is detected by the SGX Enclave Page
>
> The ordering here is a bit backwards, e.g. the EPCM and its protections
> should come first, and then describe the faults that can be signaled by
> the EPCM.
>
> > +Cache Map (EPCM). The EPCM is a hardware-managed table that enforces accesses to
> > +an enclave's EPC pages in addition to the software-managed kernel page tables,
> > +i.e. the effective permissions for an EPC page are a logical AND of the kernel's
> > +page tables and the corresponding EPCM entry.
> > +
> > +The EPCM is consulted only after an access walks the kernel's page tables, i.e.:
> > +
> > +1. the access was allowed by the kernel
> > +2. the kernel's tables have become less restrictive than the EPCM
> > +3. the kernel cannot fixup the cause of the fault
> > +
> > +Notably, (2) implies that either the kernel has botched the EPC mappings or the
> > +EPCM has been invalidated (see below). Regardless of why the fault occurred,
> > +userspace needs to be alerted so that it can take appropriate action, e.g.
> > +restart the enclave. This is reinforced by (3) as the kernel doesn't really
> > +have any other reasonable option, i.e. signalling SIGSEGV is actually the least
> > +severe action possible.
> > +
> > +Although the primary purpose of the EPCM is to prevent a malicious or
> > +compromised kernel from attacking an enclave, e.g. by modifying the enclave's
> > +page tables, do not WARN on a #PF with PF_SGX set. The SGX architecture
> > +effectively allows the CPU to invalidate all EPCM entries at will and requires
> > +that software be prepared to handle an EPCM fault at any time. The architecture
> > +defines this behavior because the EPCM is encrypted with an ephemeral key that
> > +isn't exposed to software. As such, the EPCM entries cannot be preserved across
> > +transitions that result in a new key being used, e.g. CPU power down as part of
> > +an S3 transition or when a VM is live migrated to a new physical system.
> > +
> > +SGX UAPI
> > +========
> > +
> > +.. kernel-doc:: drivers/platform/x86/intel_sgx/sgx_ioctl.c
>
> Stale file reference.
>
> > + :functions: sgx_ioc_enclave_create
> > + sgx_ioc_enclave_add_page
> > + sgx_ioc_enclave_init
> > +
> > +.. kernel-doc:: arch/x86/include/uapi/asm/sgx.h
> > +
> > +References
> > +==========
> > +
> > +* A Memory Encryption Engine Suitable for General Purpose Processors
> > + <https://eprint.iacr.org/2016/204.pdf>
> > +* System Programming Manual: 39.1.4 Intel® SGX Launch Control Configuration
>
> Probably should leave off the exact section, e.g. "39.1.4" is already out
> of date.
>
> IMO this whole document could use an overhaul to uplevel the overview
> and {micro-}architecture descriptions to make it a useful standalone doc
> instead of a poor man's regurgitation of the SDM. If there are no
> objections, I'll start typing and reply with a fresh patch at some point.
>
> Oh, and the vDSO interface needs to be added, I'll do that too.
Shortly: agree with the comments.
/Jarkko
next prev parent reply other threads:[~2019-03-21 16:24 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-17 21:14 [PATCH v19 00/27] Intel SGX1 support Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 01/27] x86/cpufeatures: Add Intel-defined SGX feature bit Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 02/27] x86/cpufeatures: Add SGX sub-features (as Linux-defined bits) Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 03/27] x86/msr: Add IA32_FEATURE_CONTROL.SGX_ENABLE definition Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 04/27] x86/cpufeatures: Add Intel-defined SGX_LC feature bit Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 05/27] x86/msr: Add SGX Launch Control MSR definitions Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 06/27] x86/mm: x86/sgx: Add new 'PF_SGX' page fault error code bit Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 07/27] x86/mm: x86/sgx: Signal SIGSEGV for userspace #PFs w/ PF_SGX Jarkko Sakkinen
2019-03-18 17:15 ` Dave Hansen
2019-03-18 19:53 ` Sean Christopherson
2019-03-17 21:14 ` [PATCH v19 08/27] x86/cpu/intel: Detect SGX support and update caps appropriately Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 09/27] x86/sgx: Add ENCLS architectural error codes Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 10/27] x86/sgx: Add SGX1 and SGX2 architectural data structures Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 11/27] x86/sgx: Add definitions for SGX's CPUID leaf and variable sub-leafs Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 12/27] x86/sgx: Enumerate and track EPC sections Jarkko Sakkinen
2019-03-18 19:50 ` Sean Christopherson
2019-03-21 14:40 ` Jarkko Sakkinen
2019-03-21 15:28 ` Sean Christopherson
2019-03-22 10:19 ` Jarkko Sakkinen
2019-03-22 10:50 ` Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 13/27] x86/sgx: Add wrappers for ENCLS leaf functions Jarkko Sakkinen
2019-03-19 19:59 ` Sean Christopherson
2019-03-21 14:51 ` Jarkko Sakkinen
2019-03-21 15:40 ` Sean Christopherson
2019-03-22 11:00 ` Jarkko Sakkinen
2019-03-22 16:43 ` Sean Christopherson
2019-03-17 21:14 ` [PATCH v19 16/27] x86/sgx: Add the Linux SGX Enclave Driver Jarkko Sakkinen
2019-03-19 21:19 ` Sean Christopherson
2019-03-21 15:51 ` Jarkko Sakkinen
2019-03-21 16:47 ` Sean Christopherson
2019-03-22 11:10 ` Jarkko Sakkinen
2019-03-26 13:26 ` Jarkko Sakkinen
2019-03-26 23:58 ` Sean Christopherson
2019-03-27 5:28 ` Jarkko Sakkinen
2019-03-27 17:57 ` Sean Christopherson
2019-03-27 18:38 ` Jethro Beekman
2019-03-27 20:06 ` Sean Christopherson
2019-03-28 1:21 ` Jethro Beekman
2019-03-28 13:19 ` Jarkko Sakkinen
2019-03-28 19:05 ` Andy Lutomirski
2019-03-29 9:43 ` Jarkko Sakkinen
2019-03-29 16:20 ` Sean Christopherson
2019-04-01 10:01 ` Jarkko Sakkinen
2019-04-01 17:25 ` Jethro Beekman
2019-04-01 22:57 ` Jarkko Sakkinen
2019-03-28 13:15 ` Jarkko Sakkinen
2019-03-19 23:00 ` Sean Christopherson
2019-03-21 16:18 ` Jarkko Sakkinen
2019-03-21 17:38 ` Sean Christopherson
2019-03-22 11:17 ` Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 17/27] x86/sgx: Add provisioning Jarkko Sakkinen
2019-03-19 20:09 ` Sean Christopherson
2019-03-21 2:08 ` Huang, Kai
2019-03-21 14:32 ` Jarkko Sakkinen
2019-03-21 21:41 ` Huang, Kai
2019-03-22 11:31 ` Jarkko Sakkinen
2019-03-21 14:30 ` Jarkko Sakkinen
2019-03-21 14:38 ` Nathaniel McCallum
2019-03-22 11:22 ` Jarkko Sakkinen
2019-03-21 16:50 ` Andy Lutomirski
2019-03-22 11:29 ` Jarkko Sakkinen
2019-03-22 11:43 ` Jarkko Sakkinen
2019-03-22 18:20 ` Andy Lutomirski
2019-03-25 14:55 ` Jarkko Sakkinen
2019-03-27 0:14 ` Sean Christopherson
2019-04-05 10:18 ` Jarkko Sakkinen
2019-04-05 13:53 ` Andy Lutomirski
2019-04-05 14:20 ` Jarkko Sakkinen
2019-04-05 14:34 ` Greg KH
2019-04-09 13:37 ` Jarkko Sakkinen
2019-04-05 14:21 ` Greg KH
2019-03-17 21:14 ` [PATCH v19 19/27] x86/sgx: ptrace() support for the SGX driver Jarkko Sakkinen
2019-03-19 22:22 ` Sean Christopherson
2019-03-21 15:02 ` Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 20/27] x86/vdso: Add support for exception fixup in vDSO functions Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 21/27] x86/fault: Add helper function to sanitize error code Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 22/27] x86/fault: Attempt to fixup unhandled #PF in vDSO before signaling Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 23/27] x86/traps: Attempt to fixup exceptions " Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 25/27] x86/sgx: SGX documentation Jarkko Sakkinen
2019-03-20 17:14 ` Sean Christopherson
2019-03-21 16:24 ` Jarkko Sakkinen [this message]
2019-03-17 21:14 ` [PATCH v19 26/27] selftests/x86: Add a selftest for SGX Jarkko Sakkinen
2019-03-17 21:14 ` [PATCH v19 27/27] x86/sgx: Update MAINTAINERS Jarkko Sakkinen
2019-03-19 17:12 ` Sean Christopherson
2019-03-21 14:42 ` Jarkko Sakkinen
[not found] ` <20190317211456.13927-19-jarkko.sakkinen@linux.intel.com>
2019-03-19 22:09 ` [PATCH v19 18/27] x86/sgx: Add swapping code to the core and SGX driver Sean Christopherson
2019-03-21 14:59 ` Jarkko Sakkinen
2019-03-19 23:41 ` [PATCH v19 00/27] Intel SGX1 support Sean Christopherson
2019-03-19 23:52 ` Jethro Beekman
2019-03-20 0:22 ` Sean Christopherson
2019-03-21 16:20 ` Jarkko Sakkinen
2019-03-21 16:00 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190321162422.GV4603@linux.intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=haitao.huang@intel.com \
--cc=josh@joshtriplett.org \
--cc=kai.huang@intel.com \
--cc=kai.svahn@intel.com \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@kernel.org \
--cc=nhorman@redhat.com \
--cc=npmccallum@redhat.com \
--cc=rientjes@google.com \
--cc=sean.j.christopherson@intel.com \
--cc=serge.ayoun@intel.com \
--cc=shay.katz-zamir@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).