From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Jethro Beekman <jethro@fortanix.com>
Cc: "x86@kernel.org" <x86@kernel.org>,
"linux-sgx@vger.kernel.org" <linux-sgx@vger.kernel.org>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"dave.hansen@intel.com" <dave.hansen@intel.com>,
"sean.j.christopherson@intel.com"
<sean.j.christopherson@intel.com>,
"nhorman@redhat.com" <nhorman@redhat.com>,
"npmccallum@redhat.com" <npmccallum@redhat.com>,
"serge.ayoun@intel.com" <serge.ayoun@intel.com>,
"shay.katz-zamir@intel.com" <shay.katz-zamir@intel.com>,
"haitao.huang@intel.com" <haitao.huang@intel.com>,
"andriy.shevchenko@linux.intel.com"
<andriy.shevchenko@linux.intel.com>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"kai.svahn@intel.com" <kai.svahn@intel.com>,
"bp@alien8.de" <bp@alien8.de>,
"josh@joshtriplett.org" <josh@joshtriplett.org>,
"luto@kernel.org" <luto@kernel.org>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v18 19/25] x86/sgx: Add provisioning
Date: Mon, 24 Dec 2018 13:57:55 +0200 [thread overview]
Message-ID: <20181224115755.GD10971@linux.intel.com> (raw)
In-Reply-To: <f5b6cd98-99f1-fa21-041a-829026b51265@fortanix.com>
On Mon, Dec 24, 2018 at 05:36:36AM +0000, Jethro Beekman wrote:
> On 2018-12-22 04:41, Jarkko Sakkinen wrote:
> > In order to provide a mechanism for devilering provisoning rights:
> >
> > 1. Add a new file to the securityfs file called sgx/provision that works
> > as a token for allowing an enclave to have the provisioning privileges.
> > 2. Add a new ioctl called SGX_IOC_ENCLAVE_SET_ATTRIBUTE that accepts the
> > following data structure:
> >
> > struct sgx_enclave_set_attribute {
> > __u64 addr;
> > __u64 token_fd;
> > };
> >
> > A daemon could sit on top of sgx/provision and send a file descriptor of
> > this file to a process that needs to be able to provision enclaves.
> >
> > The way this API is used is more or less straight-forward. Lets assume that
> > dev_fd is a handle to /dev/sgx and prov_fd is a handle to sgx/provision.
> > You would allow SGX_IOC_ENCLAVE_CREATE to initialize an enclave with the
> > PROVISIONKEY attribute by
> >
> > params.addr = <enclave address>;
> > params.token_fd = prov_fd;
> >
> > ioctl(dev_fd, SGX_IOC_ENCLAVE_SET_ATTRIBUTE, ¶ms);
>
> I think the attribute handling in this and the previous patch doesn't work.
> How am I supposed to call this ioctl between sgx_encl_alloc and
> sgx_encl_create in sgx_ioc_enclave_create? Even if I somehow manage to call
> this, how is secs->attributes getting set? How do I unset SGX_ATTR_DEBUG?
encl->attributes was previously unused (noticed when I wrote this
patch). It is actually a mask for allowed attributes that is checked
on EINIT. Should rename the variable, yes.
/Jarkko
next prev parent reply other threads:[~2018-12-24 11:58 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-21 23:11 [PATCH v18 00/25] Intel SGX1 support Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 01/25] x86/cpufeatures: Add Intel-defined SGX feature bit Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 02/25] x86/cpufeatures: Add SGX sub-features (as Linux-defined bits) Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 03/25] x86/msr: Add IA32_FEATURE_CONTROL.SGX_ENABLE definition Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 04/25] x86/cpufeatures: Add Intel-defined SGX_LC feature bit Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 05/25] x86/msr: Add SGX Launch Control MSR definitions Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 06/25] x86/mm: x86/sgx: Add new 'PF_SGX' page fault error code bit Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 07/25] x86/mm: x86/sgx: Signal SIGSEGV for userspace #PFs w/ PF_SGX Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 08/25] x86/cpu/intel: Detect SGX support and update caps appropriately Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 09/25] x86/sgx: Define SGX1 and SGX2 ENCLS leafs Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 10/25] x86/sgx: Add ENCLS architectural error codes Jarkko Sakkinen
2018-12-24 5:17 ` Jethro Beekman
2018-12-24 11:53 ` Jarkko Sakkinen
2019-01-02 20:54 ` Sean Christopherson
2018-12-21 23:11 ` [PATCH v18 11/25] x86/sgx: Add SGX1 and SGX2 architectural data structures Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 12/25] x86/sgx: Add definitions for SGX's CPUID leaf and variable sub-leafs Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 13/25] x86/sgx: Add wrappers for ENCLS leaf functions Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 14/25] x86/sgx: Enumerate and track EPC sections Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 15/25] x86/sgx: Add functions to allocate and free EPC pages Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 16/25] x86/sgx: Add sgx_einit() for initializing enclaves Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 17/25] x86/mpx: pass @mm to kernel_managing_mpx_tables() in mpx_notify_unmap() Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 18/25] x86/sgx: Add the Linux SGX Enclave Driver Jarkko Sakkinen
2018-12-24 5:36 ` Jethro Beekman
2018-12-24 11:55 ` Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 19/25] x86/sgx: Add provisioning Jarkko Sakkinen
2018-12-24 5:36 ` Jethro Beekman
2018-12-24 11:57 ` Jarkko Sakkinen [this message]
2018-12-21 23:11 ` [PATCH v18 20/25] x86/sgx: Add swapping code to the SGX driver Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 21/25] x86/sgx: Add a simple swapper for the EPC memory manager Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 22/25] x86/sgx: ptrace() support for the SGX driver Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 23/25] x86/sgx: SGX documentation Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 24/25] selftests/x86: Add a selftest for SGX Jarkko Sakkinen
2018-12-21 23:11 ` [PATCH v18 25/25] x86/sgx: Update MAINTAINERS Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181224115755.GD10971@linux.intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=haitao.huang@intel.com \
--cc=jethro@fortanix.com \
--cc=jmorris@namei.org \
--cc=josh@joshtriplett.org \
--cc=kai.svahn@intel.com \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@kernel.org \
--cc=nhorman@redhat.com \
--cc=npmccallum@redhat.com \
--cc=sean.j.christopherson@intel.com \
--cc=serge.ayoun@intel.com \
--cc=serge@hallyn.com \
--cc=shay.katz-zamir@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.