From: Josh Poimboeuf <jpoimboe@redhat.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: x86@kernel.org, linux-sgx@vger.kernel.org,
linux-kernel@vger.kernel.org,
Sean Christopherson <sean.j.christopherson@intel.com>,
Borislav Petkov <bp@alien8.de>,
Jethro Beekman <jethro@fortanix.com>,
Darren Kenny <darren.kenny@oracle.com>,
akpm@linux-foundation.org, andriy.shevchenko@linux.intel.com,
asapek@google.com, cedric.xing@intel.com,
chenalexchen@google.com, conradparker@google.com,
cyhanish@google.com, dave.hansen@intel.com,
haitao.huang@intel.com, josh@joshtriplett.org,
kai.huang@intel.com, kai.svahn@intel.com, kmoy@google.com,
ludloff@google.com, luto@kernel.org, nhorman@redhat.com,
npmccallum@redhat.com, puiterwijk@redhat.com,
rientjes@google.com, tglx@linutronix.de, yaozhangx@google.com
Subject: Re: [PATCH v37 02/24] x86/cpufeatures: x86/msr: Add Intel SGX Launch Control hardware bits
Date: Mon, 14 Sep 2020 10:18:16 -0500
Message-ID: <20200914151816.u6camicid4bd5lgo@treble>
In-Reply-To: <20200911124019.42178-3-jarkko.sakkinen@linux.intel.com>

Hi Jarkko,

It looks like some of the patches weren't delivered to the lists.
Patches 0, 1, 8, 9, and 17 seem to be missing.

Lore agrees with me:

  https://lore.kernel.org/linux-sgx/20200911124019.42178-1-jarkko.sakkinen@linux.intel.com/

On Fri, Sep 11, 2020 at 03:39:57PM +0300, Jarkko Sakkinen wrote:
> From: Sean Christopherson <sean.j.christopherson@intel.com>
>
> Add X86_FEATURE_SGX_LC, which informs whether or not the CPU supports SGX
> Launch Control.
>
> Add MSR_IA32_SGXLEPUBKEYHASH{0, 1, 2, 3}, which when combined contain a
> SHA256 hash of a 3072-bit RSA public key. SGX backed software packages, so
> called enclaves, are always signed. All enclaves signed with the public key
> are unconditionally allowed to initialize. [1]
>
> Add FEAT_CTL_SGX_LC_ENABLED, which informs whether the aforementioned MSRs
> are writable or not. If the bit is off, the public key MSRs are read-only
> for the OS.
>
> If the MSRs are read-only, the platform must provide a launch enclave (LE).
> LE can create cryptographic tokens for other enclaves that they can pass
> together with their signature to the ENCLS(EINIT) opcode, which is used
> to initialize enclaves.
>
> Linux is unlikely to support the locked configuration because it takes away
> the control of the launch decisions from the kernel.
>
> [1] Intel SDM: 38.1.4 Intel SGX Launch Control Configuration
>
> Reviewed-by: Borislav Petkov <bp@alien8.de>
> Acked-by: Jethro Beekman <jethro@fortanix.com>
> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> Co-developed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> ---
> arch/x86/include/asm/cpufeatures.h | 1 +
> arch/x86/include/asm/msr-index.h | 7 +++++++
> 2 files changed, 8 insertions(+)
>
> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> index 159b635159c0..398e4f19c3d7 100644
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -354,6 +354,7 @@
> #define X86_FEATURE_CLDEMOTE (16*32+25) /* CLDEMOTE instruction */
> #define X86_FEATURE_MOVDIRI (16*32+27) /* MOVDIRI instruction */
> #define X86_FEATURE_MOVDIR64B (16*32+28) /* MOVDIR64B instruction */
> +#define X86_FEATURE_SGX_LC (16*32+30) /* Software Guard Extensions Launch Control */
>
> /* AMD-defined CPU features, CPUID level 0x80000007 (EBX), word 17 */
> #define X86_FEATURE_OVERFLOW_RECOV (17*32+ 0) /* MCA overflow recovery support */
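
Review bot: The comment on the added X86_FEATURE_SGX_LC line only expands the acronym, so it does not tell a reader that this bit reports CPU support for Launch Control and not whether the hash MSRs are writable, which the commit message assigns to FEAT_CTL_SGX_LC_ENABLED. Consider a comment that marks it as a capability bit, so callers do not treat it as proof that MSR_IA32_SGXLEPUBKEYHASH{0, 1, 2, 3} can be written.
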
> diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
> index c0b04f020162..e574b4bb5aad 100644
> --- a/arch/x86/include/asm/msr-index.h
> +++ b/arch/x86/include/asm/msr-index.h
> @@ -602,6 +602,7 @@
> #define FEAT_CTL_LOCKED BIT(0)
> #define FEAT_CTL_VMX_ENABLED_INSIDE_SMX BIT(1)
> #define FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX BIT(2)
> +#define FEAT_CTL_SGX_LC_ENABLED BIT(17)
> #define FEAT_CTL_SGX_ENABLED BIT(18)
> #define FEAT_CTL_LMCE_ENABLED BIT(20)
>
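
Review bot: The added FEAT_CTL_SGX_LC_ENABLED define carries no comment, and the name alone does not convey what the commit message says about it: when bit 17 is off, the launch enclave public key hash MSRs are read-only for the OS. A short trailing comment stating that the bit controls writability of MSR_IA32_SGXLEPUBKEYHASH{0, 1, 2, 3} would document that at the definition.
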
> @@ -622,6 +623,12 @@
> #define MSR_IA32_UCODE_WRITE 0x00000079
> #define MSR_IA32_UCODE_REV 0x0000008b
>
> +/* Intel SGX Launch Enclave Public Key Hash MSRs */
> +#define MSR_IA32_SGXLEPUBKEYHASH0 0x0000008C
> +#define MSR_IA32_SGXLEPUBKEYHASH1 0x0000008D
> +#define MSR_IA32_SGXLEPUBKEYHASH2 0x0000008E
> +#define MSR_IA32_SGXLEPUBKEYHASH3 0x0000008F
> +
> #define MSR_IA32_SMM_MONITOR_CTL 0x0000009b
> #define MSR_IA32_SMBASE 0x0000009e
>
> --
> 2.25.1
>
--
Josh
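
The Launch Control state described in the quoted commit message, as an added C example that is not part of the patch or of this thread: it classifies a feature-control MSR value with the bit positions from the quoted hunks and splits a SHA-256 digest into the four MSR_IA32_SGXLEPUBKEYHASH values. The helper names, the sample digest and the little-endian packing of eight digest bytes per MSR are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions and MSR index copied from the quoted msr-index.h hunks. */
#define FEAT_CTL_SGX_LC_ENABLED   (1ULL << 17)
#define FEAT_CTL_SGX_ENABLED      (1ULL << 18)
#define MSR_IA32_SGXLEPUBKEYHASH0 0x0000008c

enum lc_state { LC_SGX_OFF, LC_HASH_READ_ONLY, LC_HASH_WRITABLE };

/* Constructed sample digest (bytes 0x00..0x1f), not a real key hash. */
static const uint8_t sample_digest[32] = {
	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
};

/* Hypothetical helper: classify a raw feature-control MSR value. */
enum lc_state classify_feat_ctl(uint64_t feat_ctl)
{
	if (!(feat_ctl & FEAT_CTL_SGX_ENABLED))
		return LC_SGX_OFF;
	/* Bit 17 off: hash MSRs are read-only, so a launch enclave is needed. */
	if (!(feat_ctl & FEAT_CTL_SGX_LC_ENABLED))
		return LC_HASH_READ_ONLY;
	return LC_HASH_WRITABLE;
}

/*
 * Hypothetical helper: value for MSR_IA32_SGXLEPUBKEYHASH<idx>.
 * Assumption: each MSR holds eight digest bytes, little-endian,
 * with the first eight bytes of the digest in HASH0.
 */
uint64_t lepubkeyhash_word(const uint8_t digest[32], int idx)
{
	uint64_t word = 0;

	for (int b = 7; b >= 0; b--)
		word = (word << 8) | digest[idx * 8 + b];
	return word;
}

int main(void)
{
	uint64_t feat_ctl = FEAT_CTL_SGX_ENABLED; /* constructed value */

	for (int i = 0; i < 4; i++)
		printf("MSR 0x%08x <- 0x%016llx\n", (unsigned)(MSR_IA32_SGXLEPUBKEYHASH0 + i),
		       (unsigned long long)lepubkeyhash_word(sample_digest, i));
	printf("launch control state: %d\n", classify_feat_ctl(feat_ctl));
	return 0;
}
```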