linux-sgx.vger.kernel.org archive mirror
From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
To: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Sean Christopherson <seanjc@google.com>,
	Shuah Khan <shuah@kernel.org>,
	x86@kernel.org, linux-sgx@vger.kernel.org,
	linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
	Jia Zhang <zhang.jia@linux.alibaba.com>
Subject: Re: [PATCH] selftests/sgx: fix EINIT failure dueto SGX_INVALID_SIGNATURE
Date: Wed, 3 Mar 2021 20:12:41 +0800
Message-ID: <c3c336f4-31d1-4cd0-7e7e-a014f7cf8a83@linux.alibaba.com>
In-Reply-To: <YD40viWEQVBPU4LW@kernel.org>



On 3/2/21 8:51 PM, Jarkko Sakkinen wrote:
> Nit: "due to"
> 
> Start with capital letter "Fix"
> 

Will do in the next patch.

> On Tue, Mar 02, 2021 at 01:06:52PM +0800, Tianjia Zhang wrote:
>>
>>
>> On 3/1/21 5:54 PM, Jarkko Sakkinen wrote:
>>> On Mon, Mar 01, 2021 at 01:18:36PM +0800, Tianjia Zhang wrote:
>>>> q2 is not always 384 bytes long. Sometimes it has only 383 bytes.
>>>
>>> What does determine this?
>>>
>>>> In this case, the valid portion of q2 is reordered reversely for
>>>> little endian order, and the remaining portion is filled with zero.
>>>
>>> I'm presuming that you want to say "In this case, q2 needs to be reversed because...".
>>>
>>> I'm lacking these details:
>>>
>>> 1. Why can the length of Q2 vary?
>>> 2. Why is reversing the bytes the correct measure to counter
>>>      this variation?
>>>
>>> /Jarkko
>>>
>>
>> When using openssl to generate a key instead of using the built-in
>> sign_key.pem, there is a probability of encountering this problem.
>>
>> Here is a problematic key I encountered. The calculated q1 and q2 of this
>> key are both 383 bytes. If the length is not processed, the hardware
>> signature will fail.
> 
> Why is reversing bytes the correct way to fix the issue?
> 

This is caused by the incorrect length of the reversed data. If the 
length of q2 is 383 bytes, the inversion will cause the first byte to be 
zero. For this, please refer to the signature tool in the SGX SDK:

https://github.com/intel/linux-sgx/blob/master/sdk/sign_tool/SignTool/sign_tool.cpp#L381

If it can be repaired, it may be possible to generate the
sign_key.pem key on the fly instead of using the static key.

Best regards,
Tianjia
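
The length problem described in this message, as an added C example that is not part of the original e-mail, the patch, or the selftest source. It assumes the value arrives as a minimal-length big-endian byte string (as OpenSSL's BN_bn2bin produces) and must fill a fixed 384-byte little-endian field; the function names and the 383-byte sample value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define Q_SIZE 384 /* fixed q1/q2 field width discussed in the thread */

/* Reverse buf[0..len) in place (big endian <-> little endian). */
static void reverse_bytes(uint8_t *buf, size_t len)
{
	for (size_t i = 0; i < len / 2; i++) {
		uint8_t tmp = buf[i];
		buf[i] = buf[len - 1 - i];
		buf[len - 1 - i] = tmp;
	}
}

/* Flawed: reverses the whole field, so a short value is shifted up a byte. */
static void be_to_le_full_width(uint8_t out[Q_SIZE], const uint8_t *be, size_t len)
{
	memset(out, 0, Q_SIZE);
	memcpy(out, be, len);	/* caller guarantees len <= Q_SIZE */
	reverse_bytes(out, Q_SIZE);
}

/* Corrected: reverses only the valid bytes; the high-order tail stays zero. */
static int be_to_le_valid_len(uint8_t out[Q_SIZE], const uint8_t *be, size_t len)
{
	if (len > Q_SIZE)
		return -1;
	memset(out, 0, Q_SIZE);
	memcpy(out, be, len);
	reverse_bytes(out, len);
	return 0;
}

/* Constructed 383-byte sample (MSB 0xAB, LSB 0x01); returns LE byte at idx. */
int sample_le_byte(int corrected, size_t idx)
{
	uint8_t be[Q_SIZE - 1] = { [0] = 0xAB, [Q_SIZE - 2] = 0x01 }, out[Q_SIZE];
	if (corrected)
		be_to_le_valid_len(out, be, sizeof(be));
	else
		be_to_le_full_width(out, be, sizeof(be));
	return idx < Q_SIZE ? out[idx] : -1;
}

int main(void)
{
	printf("byte 0: full-width 0x%02x, valid-length 0x%02x\n", sample_le_byte(0, 0), sample_le_byte(1, 0));
	return 0;
}
```

With the full-width reversal the least significant byte lands at offset 1 and offset 0 is zero, which is the "first byte to be zero" effect described above.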
