From: Kai Huang <kai.huang@intel.com>
To: linux-sgx@vger.kernel.org, kvm@vger.kernel.org, x86@kernel.org
Cc: seanjc@google.com, jarkko@kernel.org, luto@kernel.org,
dave.hansen@intel.com, rick.p.edgecombe@intel.com,
haitao.huang@intel.com, pbonzini@redhat.com, bp@alien8.de,
tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com,
jmattson@google.com, joro@8bytes.org, vkuznets@redhat.com,
wanpengli@tencent.com, Kai Huang <kai.huang@intel.com>
Subject: [RFC PATCH v4 23/26] KVM: VMX: Add emulation of SGX Launch Control LE hash MSRs
Date: Mon, 8 Feb 2021 23:55:33 +1300 [thread overview]
Message-ID: <76b580c72541b17a7ee1f8cd3038329d9ad6023d.1612777752.git.kai.huang@intel.com> (raw)
In-Reply-To: <cover.1612777752.git.kai.huang@intel.com>
From: Sean Christopherson <sean.j.christopherson@intel.com>
Emulate the four Launch Enclave public key hash MSRs (LE hash MSRs) that
exist on CPUs that support SGX Launch Control (LC). SGX LC modifies the
behavior of ENCLS[EINIT] to use the LE hash MSRs when verifying the key
used to sign an enclave. On CPUs without LC support, the LE hash is
hardwired into the CPU to an Intel controlled key (the Intel key is also
the reset value of the LE hash MSRs). Track the guest's desired hash so
that a future patch can stuff the hash into the hardware MSRs when
executing EINIT on behalf of the guest, when those MSRs are writable in
host.
Note, KVM allows writes to the LE hash MSRs if IA32_FEATURE_CONTROL is
unlocked. This is technically not architectural behavior, but it's
roughly equivalent to the arch behavior of the MSRs being writable prior
to activating SGX[1]. Emulating SGX activation is feasible, but adds no
tangible benefits and would just create extra work for KVM and guest
firmware.
[1] SGX related bits in IA32_FEATURE_CONTROL cannot be set until SGX
is activated, e.g. by firmware. SGX activation is triggered by
setting bit 0 in MSR 0x7a. Until SGX is activated, the LE hash
MSRs are writable, e.g. to allow firmware to lock down the LE
root key with a non-Intel value.
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Co-developed-by: Kai Huang <kai.huang@intel.com>
Signed-off-by: Kai Huang <kai.huang@intel.com>
---
arch/x86/kvm/vmx/sgx.c | 35 +++++++++++++++++++++++++++++++++++
arch/x86/kvm/vmx/sgx.h | 6 ++++++
arch/x86/kvm/vmx/vmx.c | 20 ++++++++++++++++++++
arch/x86/kvm/vmx/vmx.h | 2 ++
4 files changed, 63 insertions(+)
diff --git a/arch/x86/kvm/vmx/sgx.c b/arch/x86/kvm/vmx/sgx.c
index 7bdb125325ef..177ee1c826a8 100644
--- a/arch/x86/kvm/vmx/sgx.c
+++ b/arch/x86/kvm/vmx/sgx.c
@@ -12,6 +12,9 @@
bool __read_mostly enable_sgx;
+/* Initial value of guest's virtual SGX_LEPUBKEYHASHn MSRs */
+static u64 sgx_pubkey_hash[4] __ro_after_init;
+
/*
* ENCLS's memory operands use a fixed segment (DS) and a fixed
* address size based on the mode. Related prefixes are ignored.
@@ -296,3 +299,35 @@ int handle_encls(struct kvm_vcpu *vcpu)
}
return 1;
}
+
+void setup_default_sgx_lepubkeyhash(void)
+{
+ /*
+ * Use Intel's default value for Skylake hardware if Launch Control is
+ * not supported, i.e. Intel's hash is hardcoded into silicon, or if
+ * Launch Control is supported and enabled, i.e. mimic the reset value
+ * and let the guest write the MSRs at will. If Launch Control is
+ * supported but disabled, then use the current MSR values as the hash
+ * MSRs exist but are read-only (locked and not writable).
+ */
+ if (!enable_sgx || !boot_cpu_has(X86_FEATURE_SGX_LC) ||
+ rdmsrl_safe(MSR_IA32_SGXLEPUBKEYHASH0, &sgx_pubkey_hash[0])) {
+ sgx_pubkey_hash[0] = 0xa6053e051270b7acULL;
+ sgx_pubkey_hash[1] = 0x6cfbe8ba8b3b413dULL;
+ sgx_pubkey_hash[2] = 0xc4916d99f2b3735dULL;
+ sgx_pubkey_hash[3] = 0xd4f8c05909f9bb3bULL;
+ } else {
+ /* MSR_IA32_SGXLEPUBKEYHASH0 is read above */
+ rdmsrl(MSR_IA32_SGXLEPUBKEYHASH1, sgx_pubkey_hash[1]);
+ rdmsrl(MSR_IA32_SGXLEPUBKEYHASH2, sgx_pubkey_hash[2]);
+ rdmsrl(MSR_IA32_SGXLEPUBKEYHASH3, sgx_pubkey_hash[3]);
+ }
+}
+
+void vcpu_setup_sgx_lepubkeyhash(struct kvm_vcpu *vcpu)
+{
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+
+ memcpy(vmx->msr_ia32_sgxlepubkeyhash, sgx_pubkey_hash,
+ sizeof(sgx_pubkey_hash));
+}
diff --git a/arch/x86/kvm/vmx/sgx.h b/arch/x86/kvm/vmx/sgx.h
index 6e17ecd4aca3..6502fa52c7e9 100644
--- a/arch/x86/kvm/vmx/sgx.h
+++ b/arch/x86/kvm/vmx/sgx.h
@@ -8,8 +8,14 @@
extern bool __read_mostly enable_sgx;
int handle_encls(struct kvm_vcpu *vcpu);
+
+void setup_default_sgx_lepubkeyhash(void);
+void vcpu_setup_sgx_lepubkeyhash(struct kvm_vcpu *vcpu);
#else
#define enable_sgx 0
+
+static inline void setup_default_sgx_lepubkeyhash(void) { }
+static inline void vcpu_setup_sgx_lepubkeyhash(struct kvm_vcpu *vcpu) { }
#endif
#endif /* __KVM_X86_SGX_H */
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index dbe585329842..349585f63c4d 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -1888,6 +1888,13 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
case MSR_IA32_FEAT_CTL:
msr_info->data = vmx->msr_ia32_feature_control;
break;
+ case MSR_IA32_SGXLEPUBKEYHASH0 ... MSR_IA32_SGXLEPUBKEYHASH3:
+ if (!msr_info->host_initiated &&
+ !guest_cpuid_has(vcpu, X86_FEATURE_SGX_LC))
+ return 1;
+ msr_info->data = to_vmx(vcpu)->msr_ia32_sgxlepubkeyhash
+ [msr_info->index - MSR_IA32_SGXLEPUBKEYHASH0];
+ break;
case MSR_IA32_VMX_BASIC ... MSR_IA32_VMX_VMFUNC:
if (!nested_vmx_allowed(vcpu))
return 1;
@@ -2154,6 +2161,15 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
if (msr_info->host_initiated && data == 0)
vmx_leave_nested(vcpu);
break;
+ case MSR_IA32_SGXLEPUBKEYHASH0 ... MSR_IA32_SGXLEPUBKEYHASH3:
+ if (!msr_info->host_initiated &&
+ (!guest_cpuid_has(vcpu, X86_FEATURE_SGX_LC) ||
+ ((vmx->msr_ia32_feature_control & FEAT_CTL_LOCKED) &&
+ !(vmx->msr_ia32_feature_control & FEAT_CTL_SGX_LC_ENABLED))))
+ return 1;
+ vmx->msr_ia32_sgxlepubkeyhash
+ [msr_index - MSR_IA32_SGXLEPUBKEYHASH0] = data;
+ break;
case MSR_IA32_VMX_BASIC ... MSR_IA32_VMX_VMFUNC:
if (!msr_info->host_initiated)
return 1; /* they are read-only */
@@ -6957,6 +6973,8 @@ static int vmx_create_vcpu(struct kvm_vcpu *vcpu)
else
memset(&vmx->nested.msrs, 0, sizeof(vmx->nested.msrs));
+ vcpu_setup_sgx_lepubkeyhash(vcpu);
+
vmx->nested.posted_intr_nv = -1;
vmx->nested.current_vmptr = -1ull;
@@ -7907,6 +7925,8 @@ static __init int hardware_setup(void)
if (!enable_ept || !cpu_has_vmx_intel_pt())
pt_mode = PT_MODE_SYSTEM;
+ setup_default_sgx_lepubkeyhash();
+
if (nested) {
nested_vmx_setup_ctls_msrs(&vmcs_config.nested,
vmx_capability.ept);
diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
index 903f246b5abd..af4bced6c84b 100644
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -299,6 +299,8 @@ struct vcpu_vmx {
*/
u64 msr_ia32_feature_control;
u64 msr_ia32_feature_control_valid_bits;
+ /* SGX Launch Control public key hash */
+ u64 msr_ia32_sgxlepubkeyhash[4];
u64 ept_pointer;
struct pt_desc pt_desc;
--
2.29.2
next prev parent reply other threads:[~2021-02-08 11:05 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-08 10:53 [RFC PATCH v4 00/26] KVM SGX virtualization support Kai Huang
2021-02-08 10:54 ` [RFC PATCH v4 01/26] x86/cpufeatures: Make SGX_LC feature bit depend on SGX bit Kai Huang
2021-02-08 10:54 ` [RFC PATCH v4 02/26] x86/cpufeatures: Add SGX1 and SGX2 sub-features Kai Huang
2021-02-09 16:11 ` Dave Hansen
2021-02-08 10:54 ` [RFC PATCH v4 03/26] x86/sgx: Wipe out EREMOVE from sgx_free_epc_page() Kai Huang
2021-02-09 16:18 ` Dave Hansen
2021-02-09 18:26 ` Kai Huang
2021-02-08 10:54 ` [RFC PATCH v4 04/26] x86/sgx: Add SGX_CHILD_PRESENT hardware error code Kai Huang
2021-02-09 16:24 ` Dave Hansen
2021-02-09 16:48 ` Sean Christopherson
2021-02-09 16:52 ` Dave Hansen
2021-02-09 17:07 ` Sean Christopherson
2021-02-09 21:03 ` Kai Huang
2021-02-08 10:54 ` [RFC PATCH v4 05/26] x86/sgx: Introduce virtual EPC for use by KVM guests Kai Huang
2021-02-09 21:18 ` Jarkko Sakkinen
2021-02-09 21:19 ` Jarkko Sakkinen
2021-02-09 21:36 ` Dave Hansen
2021-02-10 0:20 ` Kai Huang
2021-02-10 16:52 ` Sean Christopherson
2021-02-10 23:12 ` Kai Huang
2021-02-12 12:17 ` [RFC PATCH v4 05/26] x86/sgx: Introduce virtual EPC for use by KVM guests' Jarkko Sakkinen
2021-02-13 13:33 ` Kai Huang
2021-02-12 12:15 ` [RFC PATCH v4 05/26] x86/sgx: Introduce virtual EPC for use by KVM guests Jarkko Sakkinen
2021-02-12 12:14 ` Jarkko Sakkinen
2021-02-08 10:54 ` [RFC PATCH v4 06/26] x86/cpu/intel: Allow SGX virtualization without Launch Control support Kai Huang
2021-02-08 10:54 ` [RFC PATCH v4 07/26] x86/sgx: Initialize virtual EPC driver even when SGX driver is disabled Kai Huang
2021-02-08 10:54 ` [RFC PATCH v4 08/26] x86/sgx: Expose SGX architectural definitions to the kernel Kai Huang
2021-02-08 10:54 ` [RFC PATCH v4 09/26] x86/sgx: Move ENCLS leaf definitions to sgx_arch.h Kai Huang
2021-02-08 10:54 ` [RFC PATCH v4 10/26] x86/sgx: Add SGX2 ENCLS leaf definitions (EAUG, EMODPR and EMODT) Kai Huang
2021-02-08 10:54 ` [RFC PATCH v4 11/26] x86/sgx: Add encls_faulted() helper Kai Huang
2021-02-08 10:54 ` [RFC PATCH v4 12/26] x86/sgx: Add helper to update SGX_LEPUBKEYHASHn MSRs Kai Huang
2021-02-08 10:54 ` [RFC PATCH v4 13/26] x86/sgx: Add helpers to expose ECREATE and EINIT to KVM Kai Huang
2021-02-08 10:54 ` [RFC PATCH v4 14/26] x86/sgx: Move provisioning device creation out of SGX driver Kai Huang
2021-02-08 10:55 ` [RFC PATCH v4 15/26] KVM: VMX: Convert vcpu_vmx.exit_reason to a union Kai Huang
2021-02-08 11:11 ` Kai Huang
2021-02-08 14:39 ` Xiaoyao Li
2021-02-09 0:09 ` Kai Huang
2021-02-08 10:55 ` [RFC PATCH v4 16/26] KVM: x86: Export kvm_mmu_gva_to_gpa_{read,write}() for SGX (VMX) Kai Huang
2021-02-08 10:55 ` [RFC PATCH v4 17/26] KVM: x86: Define new #PF SGX error code bit Kai Huang
2021-02-08 10:55 ` [RFC PATCH v4 18/26] KVM: x86: Add support for reverse CPUID lookup of scattered features Kai Huang
2021-02-08 11:05 ` Kai Huang
2021-02-08 10:55 ` [RFC PATCH v4 19/26] KVM: x86: Add reverse-CPUID lookup support for scattered SGX features Kai Huang
2021-02-08 10:55 ` [RFC PATCH v4 20/26] KVM: VMX: Add basic handling of VM-Exit from SGX enclave Kai Huang
2021-02-08 10:55 ` [RFC PATCH v4 21/26] KVM: VMX: Frame in ENCLS handler for SGX virtualization Kai Huang
2021-02-08 10:55 ` [RFC PATCH v4 22/26] KVM: VMX: Add SGX ENCLS[ECREATE] handler to enforce CPUID restrictions Kai Huang
2021-02-08 10:55 ` Kai Huang [this message]
2021-02-08 10:55 ` [RFC PATCH v4 24/26] KVM: VMX: Add ENCLS[EINIT] handler to support SGX Launch Control (LC) Kai Huang
2021-02-08 10:55 ` [RFC PATCH v4 25/26] KVM: VMX: Enable SGX virtualization for SGX1, SGX2 and LC Kai Huang
2021-02-08 10:56 ` [RFC PATCH v4 26/26] KVM: x86: Add capability to grant VM access to privileged SGX attribute Kai Huang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=76b580c72541b17a7ee1f8cd3038329d9ad6023d.1612777752.git.kai.huang@intel.com \
--to=kai.huang@intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=haitao.huang@intel.com \
--cc=hpa@zytor.com \
--cc=jarkko@kernel.org \
--cc=jmattson@google.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).