All of lore.kernel.org
 help / color / mirror / Atom feed
From: Randy Dunlap <rdunlap@infradead.org>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	intel-sgx-kernel-dev@lists.01.org
Cc: platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4 09/12] intel_sgx: driver documentation
Date: Mon, 16 Oct 2017 17:51:38 -0700	[thread overview]
Message-ID: <35dadcde-5cb0-c40d-7aa5-191e9684be1b@infradead.org> (raw)
In-Reply-To: <20171016191855.16964-10-jarkko.sakkinen@linux.intel.com>

On 10/16/17 12:18, Jarkko Sakkinen wrote:
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> ---
>  Documentation/index.rst         |   1 +
>  Documentation/x86/intel_sgx.rst | 131 ++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 132 insertions(+)
>  create mode 100644 Documentation/x86/intel_sgx.rst
> 
> diff --git a/Documentation/x86/intel_sgx.rst b/Documentation/x86/intel_sgx.rst
> new file mode 100644
> index 000000000000..ee7fe9487d7b
> --- /dev/null
> +++ b/Documentation/x86/intel_sgx.rst
> @@ -0,0 +1,131 @@
> +===================
> +Intel(R) SGX driver
> +===================
> +
> +Introduction
> +============
> +
> +Intel(R) SGX is a set of CPU instructions that can be used by applications to
> +set aside private regions of code and data. The code outside the enclave is
> +disallowed to access the memory inside the enclave by the CPU access control.
> +In a way you can think that SGX provides inverted sandbox. It protects the
> +application from a malicious host.
> +
> +There is a new hardware unit in the processor called Memory Encryption Engine
> +(MEE) starting from the Skylake microachitecture. BIOS can define one or many

                                   microarchitecture.

> +MEE regions that can hold enclave data by configuring them with PRMRR registers.
> +
> +The MEE automatically encrypts the data leaving the processor package to the MEE
> +regions. The data is encrypted using a random key whose life-time is exactly one
> +power cycle.
> +
> +You can tell if your CPU supports SGX by looking into ``/proc/cpuinfo``:
> +
> +	``cat /proc/cpuinfo  | grep ' sgx '``

Are you sure about a space both before and after 'sgx'?

> +
> +Enclave data types
> +==================
> +
> +SGX defines new data types to maintain information about the enclaves and their
> +security properties.
> +
> +The following data structures exist in MEE regions:
> +
> +* **Enclave Page Cache (EPC):** memory pages for protected code and data
> +* **Enclave Page Cache Map (EPCM):** meta-data for each EPC page
> +
> +The Enclave Page Cache holds following types of pages:
> +
> +* **SGX Enclave Control Structure (SECS)**: meta-data defining the global
> +  properties of an enclave such as range of addresses it can access.
> +* **Regular (REG):** containing code and data for the enclave.
> +* **Thread Control Structure (TCS):** defines an entry point for a hardware
> +  thread to enter into the enclave. The enclave can only be entered through
> +  these entry points.
> +* **Version Array (VA)**: an EPC page receives a unique 8 byte version number
> +  when it is swapped, which is then stored into a VA page. A VA page can hold up
> +  to 512 version numbers.
> +
> +Launch control
> +==============
> +
> +For launching an enclave, two structures must be provided for ENCLS(EINIT):
> +
> +1. **SIGSTRUCT:** a signed measurement of the enclave binary.
> +2. **EINITTOKEN:** the measurement, the public key of the signer and various
> +   enclave attributes. This structure contains a MAC of its contents using
> +   hardware derived symmetric key called *launch key*.
> +
> +The hardware platform contains a root key pair for signing the SIGTRUCT
> +for a *launch enclave* that is able to acquire the *launch key* for
> +creating EINITTOKEN's for other enclaves.  For the launch enclave
> +EINITTOKEN is not needed because it is signed with the private root key.
> +
> +There are two feature control bits associate with launch control

                                      associated            control:

> +
> +* **IA32_FEATURE_CONTROL[0]**: locks down the feature control register
> +* **IA32_FEATURE_CONTROL[17]**: allow runtime reconfiguration of
> +  IA32_SGXLEPUBKEYHASHn MSRs that define MRSIGNER hash for the launch
> +  enclave. Essentially they define a signing key that does not require
> +  EINITTOKEN to be let run.
> +
> +The BIOS can configure IA32_SGXLEPUBKEYHASHn MSRs before feature control
> +register is locked.
> +
> +It could be tempting to implement launch control by writing the MSRs
> +every time when an enclave is launched. This does not scale because for
> +generic case because BIOS might lock down the MSRs before handover to
> +the OS.
> +
> +Debug enclaves
> +--------------
> +
> +Enclave can be set as a *debug enclave* of which memory can be read or written
> +by using the ENCLS(EDBGRD) and ENCLS(EDBGWR) opcodes. The Intel provided launch
> +enclave provides them always a valid EINITTOKEN and therefore they are a low
> +hanging fruit way to try out SGX.
> +
> +Virtualization
> +==============
> +
> +Launch control
> +--------------
> +
> +The values for IA32_SGXLEPUBKEYHASHn MSRs cannot be emulated for a virtual
> +machine guest. It would easily seem feasible to hold virtual values for these
> +MSRs, trap ENCLS(EINIT) and use the host LE to generate a token when a guest LE
> +is initialized.
> +
> +However, looking at the pseudo code of ENCLS(EINIT) from the SDM there is a
> +constraint that the instruction will fail if ATTRIBUTES.EINITTOKENKEY is set
> +(the documentation does not tell the reason why the constraint exists but it
> +exists).
> +
> +Thus, only when the MSRs are left unlocked before handover to the OS the
> +setting of these MSRs can be supported for VM guests.
> +
> +Suspend and resume
> +------------------
> +
> +If the host suspends and resumes, the enclave memory for the VM guest could
> +become invalid. This can make ENCLS leaf operations suddenly fail.
> +
> +The driver has a graceful fallback mechanism to manage this situation. If any of
> +the ENCLS leaf operations fail, the driver will fallback by kicking threads out
> +of the enclave, removing the TCS entries and marking enclave as invalid. After
> +this no new pages can be allocated for the enclave and no entry can be done.



-- 
~Randy

  reply	other threads:[~2017-10-17  0:51 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-16 19:18 [PATCH v4 00/12] Intel(R) SGX Driver Jarkko Sakkinen
2017-10-16 19:18 ` [PATCH v4 01/12] intel_sgx: updated MAINTAINERS Jarkko Sakkinen
2017-10-16 19:18 ` [PATCH v4 02/12] x86: add SGX definition to cpufeature Jarkko Sakkinen
2017-10-16 19:18 ` [PATCH v4 03/12] x86: define the feature control MSR's SGX enable bit Jarkko Sakkinen
2017-10-16 19:18 ` [PATCH v4 04/12] x86: define the feature control MSR's SGX launch control bit Jarkko Sakkinen
2017-10-16 19:18 ` [PATCH v4 05/12] x86: add SGX MSRs to msr-index.h Jarkko Sakkinen
2017-10-16 19:18 ` [PATCH v4 06/12] fs/pipe.c: export create_pipe_files() and replace_fd() Jarkko Sakkinen
2017-10-19  8:06   ` Christoph Hellwig
2017-10-19 12:36     ` Jarkko Sakkinen
2017-10-19 14:55       ` Christoph Hellwig
2017-10-20 10:14         ` Jarkko Sakkinen
2017-10-20 14:32           ` [intel-sgx-kernel-dev] " Dave Hansen
2017-10-23  2:55             ` Jarkko Sakkinen
2017-10-23  5:09               ` Dave Hansen
2017-10-24 13:39                 ` Jarkko Sakkinen
2017-10-24 15:10                   ` Dave Hansen
2017-10-24 16:40                     ` Jarkko Sakkinen
2017-10-16 19:18 ` [PATCH v4 07/12] intel_sgx: driver for Intel Software Guard Extensions Jarkko Sakkinen
2017-10-18 15:21   ` Jarkko Sakkinen
2017-10-16 19:18 ` [PATCH v4 08/12] intel_sgx: ptrace() support Jarkko Sakkinen
2017-10-16 19:18 ` [PATCH v4 09/12] intel_sgx: driver documentation Jarkko Sakkinen
2017-10-17  0:51   ` Randy Dunlap [this message]
2017-10-18 14:25     ` Jarkko Sakkinen
2017-10-16 19:18 ` [PATCH v4 10/12] intel_sgx: in-kernel launch enclave Jarkko Sakkinen
2017-10-16 19:18 ` [PATCH v4 11/12] intel_sgx: glue code for in-kernel LE Jarkko Sakkinen
2017-10-16 19:18 ` [PATCH v4 12/12] intel_sgx: update IA32_SGXLEPUBKEYHASH* MSRs Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=35dadcde-5cb0-c40d-7aa5-191e9684be1b@infradead.org \
    --to=rdunlap@infradead.org \
    --cc=intel-sgx-kernel-dev@lists.01.org \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=platform-driver-x86@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.