From: Jarkko Sakkinen <jarkko@kernel.org>
To: Reinette Chatre <reinette.chatre@intel.com>,
linux-sgx@vger.kernel.org, shuah@kernel.org
Cc: seanjc@google.com, bp@alien8.de, dave.hansen@linux.intel.com,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 12/14] selftests/sgx: Add page permission and exception test
Date: Thu, 16 Sep 2021 18:21:37 +0300 [thread overview]
Message-ID: <d04d83a679f026ae2aa28535bdc826b8cf95e887.camel@kernel.org> (raw)
In-Reply-To: <a6e69ea22a2694d252302af283ee3e3f023d3577.1631731214.git.reinette.chatre@intel.com>
On Wed, 2021-09-15 at 13:31 -0700, Reinette Chatre wrote:
> The Enclave Page Cache Map (EPCM) is a secure structure used by the
> processor to track the contents of the enclave page cache. The EPCM
> contains permissions with which enclave pages can be accessed. SGX
> support allows EPCM and PTE page permissions to differ - as long as
> the PTE permissions do not exceed the EPCM permissions.
>
> Add a test to ensure that (1) PTE permissions can be changed as long as
> they do not exceed EPCM permissions, and (2) even if EPCM permissions
> allow a page to be written to, if the PTE permissions do not then a #PF
> should be generated when attempting to write to a (from PTE perspective)
> read-only page.
>
> This introduces the first test of SGX exception handling. In this test
> the issue that caused the exception (PTE page permissions) can be fixed
> from outside the enclave and after doing so it is possible to re-enter
> enclave at original entrypoint with ERESUME.
>
> Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
> ---
> tools/testing/selftests/sgx/defines.h | 14 +++
> tools/testing/selftests/sgx/main.c | 134 ++++++++++++++++++++++++
> tools/testing/selftests/sgx/test_encl.c | 21 ++++
> 3 files changed, 169 insertions(+)
>
> diff --git a/tools/testing/selftests/sgx/defines.h b/tools/testing/selftests/sgx/defines.h
> index 9ea0c7882dfb..0bbda6f0c7d3 100644
> --- a/tools/testing/selftests/sgx/defines.h
> +++ b/tools/testing/selftests/sgx/defines.h
> @@ -21,6 +21,8 @@
> enum encl_op_type {
> ENCL_OP_PUT_TO_BUFFER,
> ENCL_OP_GET_FROM_BUFFER,
> + ENCL_OP_PUT_TO_ADDRESS,
> + ENCL_OP_GET_FROM_ADDRESS,
> ENCL_OP_MAX,
> };
>
> @@ -38,4 +40,16 @@ struct encl_op_get_from_buf {
> uint64_t value;
> };
>
> +struct encl_op_put_to_addr {
> + struct encl_op_header header;
> + uint64_t value;
> + uint64_t addr;
> +};
> +
> +struct encl_op_get_from_addr {
> + struct encl_op_header header;
> + uint64_t value;
> + uint64_t addr;
> +};
> +
> #endif /* DEFINES_H */
> diff --git a/tools/testing/selftests/sgx/main.c b/tools/testing/selftests/sgx/main.c
> index 3eb9b89ece5f..308cf09ab02a 100644
> --- a/tools/testing/selftests/sgx/main.c
> +++ b/tools/testing/selftests/sgx/main.c
> @@ -21,6 +21,7 @@
> #include "main.h"
>
> static const uint64_t MAGIC = 0x1122334455667788ULL;
> +static const uint64_t MAGIC2 = 0x8877665544332211ULL;
> vdso_sgx_enter_enclave_t vdso_sgx_enter_enclave;
>
> struct vdso_symtab {
> @@ -107,6 +108,25 @@ static Elf64_Sym *vdso_symtab_get(struct vdso_symtab *symtab, const char *name)
> return NULL;
> }
>
> +/*
> + * Return the offset in the enclave where the data segment can be found.
> + * The first RW segment loaded is the TCS, skip that to get info on the
> + * data segment.
> + */
> +static off_t encl_get_data_offset(struct encl *encl)
> +{
> + int i;
> +
> + for (i = 0; i < encl->nr_segments; i++) {
> + struct encl_segment *seg = &encl->segment_tbl[i];
> +
> + if (i != 0 && seg->prot == (PROT_READ | PROT_WRITE))
> + return seg->offset;
So, why not
for (i = 1; i < encl->nr_segments; i++)
?
> + }
> +
> + return -1;
> +}
> +
> FIXTURE(enclave) {
> struct encl encl;
> struct sgx_enclave_run run;
> @@ -373,4 +393,118 @@ TEST_F(enclave, clobbered_vdso_and_user_function)
> EXPECT_EQ(self->run.user_data, 0);
> }
>
> +/*
> + * Second page of .data segment is used to test changing PTE permissions.
> + * This spans the local encl_buffer within the test enclave.
> + *
> + * 1) Start with a sanity check: a value is written to the target page within
> + * the enclave and read back to ensure target page can be written to.
> + * 2) Change PTE permissions (RW -> RO) of target page within enclave.
> + * 3) Repeat (1) - this time expecting a regular #PF communicated via the
> + * vDSO.
> + * 4) Change PTE permissions of target page within enclave back to be RW.
> + * 5) Repeat (1) by resuming enclave, now expected to be possible to write to
> + * and read from target page within enclave.
> + */
> +TEST_F(enclave, pte_permissions)
> +{
> + struct encl_op_get_from_addr get_addr_op;
> + struct encl_op_put_to_addr put_addr_op;
> + unsigned long data_start;
> + int ret;
> +
> + ASSERT_TRUE(setup_test_encl(ENCL_HEAP_SIZE_DEFAULT, &self->encl, _metadata));
> +
> + memset(&self->run, 0, sizeof(self->run));
> + self->run.tcs = self->encl.encl_base;
> +
> + data_start = self->encl.encl_base +
> + encl_get_data_offset(&self->encl) +
> + PAGE_SIZE;
> +
> + /*
> + * Sanity check to ensure it is possible to write to page that will
> + * have its permissions manipulated.
> + */
> +
> + /* Write MAGIC to page */
> + put_addr_op.value = MAGIC;
> + put_addr_op.addr = data_start;
> + put_addr_op.header.type = ENCL_OP_PUT_TO_ADDRESS;
> +
> + EXPECT_EQ(ENCL_CALL(&put_addr_op, &self->run, true), 0);
> +
> + EXPECT_EEXIT(&self->run);
> + EXPECT_EQ(self->run.exception_vector, 0);
> + EXPECT_EQ(self->run.exception_error_code, 0);
> + EXPECT_EQ(self->run.exception_addr, 0);
> +
> + /*
> + * Read memory that was just written to, confirming that it is the
> + * value previously written (MAGIC).
> + */
> + get_addr_op.value = 0;
> + get_addr_op.addr = data_start;
> + get_addr_op.header.type = ENCL_OP_GET_FROM_ADDRESS;
> +
> + EXPECT_EQ(ENCL_CALL(&get_addr_op, &self->run, true), 0);
> +
> + EXPECT_EQ(get_addr_op.value, MAGIC);
> + EXPECT_EEXIT(&self->run);
> + EXPECT_EQ(self->run.exception_vector, 0);
> + EXPECT_EQ(self->run.exception_error_code, 0);
> + EXPECT_EQ(self->run.exception_addr, 0);
> +
> + /* Change PTE permissions of target page within the enclave */
> + ret = mprotect((void *)data_start, PAGE_SIZE, PROT_READ);
> + if (ret)
> + perror("mprotect");
> +
> + /*
> + * PTE permissions of target page changed to read-only, EPCM
> + * permissions unchanged (EPCM permissions are RW), attempt to
> + * write to the page, expecting a regular #PF.
> + */
> +
> + put_addr_op.value = MAGIC2;
> +
> + EXPECT_EQ(ENCL_CALL(&put_addr_op, &self->run, true), 0);
> +
> + EXPECT_EQ(self->run.exception_vector, 14);
> + EXPECT_EQ(self->run.exception_error_code, 0x7);
> + EXPECT_EQ(self->run.exception_addr, data_start);
> +
> + self->run.exception_vector = 0;
> + self->run.exception_error_code = 0;
> + self->run.exception_addr = 0;
> +
> + /*
> + * Change PTE permissions back to enable enclave to write to the
> + * target page and resume enclave - do not expect any exceptions this
> + * time.
> + */
> + ret = mprotect((void *)data_start, PAGE_SIZE, PROT_READ | PROT_WRITE);
> + if (ret)
> + perror("mprotect");
> +
> + EXPECT_EQ(vdso_sgx_enter_enclave((unsigned long)&put_addr_op, 0,
> + 0, ERESUME, 0, 0, &self->run),
> + 0);
> +
> + EXPECT_EEXIT(&self->run);
> + EXPECT_EQ(self->run.exception_vector, 0);
> + EXPECT_EQ(self->run.exception_error_code, 0);
> + EXPECT_EQ(self->run.exception_addr, 0);
> +
> + get_addr_op.value = 0;
> +
> + EXPECT_EQ(ENCL_CALL(&get_addr_op, &self->run, true), 0);
> +
> + EXPECT_EQ(get_addr_op.value, MAGIC2);
> + EXPECT_EEXIT(&self->run);
> + EXPECT_EQ(self->run.exception_vector, 0);
> + EXPECT_EQ(self->run.exception_error_code, 0);
> + EXPECT_EQ(self->run.exception_addr, 0);
> +}
> +
> TEST_HARNESS_MAIN
> diff --git a/tools/testing/selftests/sgx/test_encl.c b/tools/testing/selftests/sgx/test_encl.c
> index 4e8da738173f..5d86e3e6456a 100644
> --- a/tools/testing/selftests/sgx/test_encl.c
> +++ b/tools/testing/selftests/sgx/test_encl.c
> @@ -4,6 +4,11 @@
> #include <stddef.h>
> #include "defines.h"
>
> +/*
> + * Data buffer spanning two pages that will be placed first in .data
> + * segment. Even if not used internally the second page is needed by
> + * external test manipulating page permissions.
> + */
> static uint8_t encl_buffer[8192] = { 1 };
>
> static void *memcpy(void *dest, const void *src, size_t n)
> @@ -30,11 +35,27 @@ static void do_encl_op_get_from_buf(void *op)
> memcpy(&op2->value, &encl_buffer[0], 8);
> }
>
> +static void do_encl_op_put_to_addr(void *_op)
> +{
> + struct encl_op_put_to_addr *op = _op;
> +
> + memcpy((void *)op->addr, &op->value, 8);
> +}
> +
> +static void do_encl_op_get_from_addr(void *_op)
> +{
> + struct encl_op_get_from_addr *op = _op;
> +
> + memcpy(&op->value, (void *)op->addr, 8);
> +}
> +
> void encl_body(void *rdi, void *rsi)
> {
> const void (*encl_op_array[ENCL_OP_MAX])(void *) = {
> do_encl_op_put_to_buf,
> do_encl_op_get_from_buf,
> + do_encl_op_put_to_addr,
> + do_encl_op_get_from_addr,
> };
>
> struct encl_op_header *op = (struct encl_op_header *)rdi;
/Jarkko
next prev parent reply other threads:[~2021-09-16 15:21 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-15 20:30 [PATCH 00/14] selftests/sgx: Oversubscription, page permission, thread entry Reinette Chatre
2021-09-15 20:30 ` [PATCH 01/14] selftests/x86/sgx: Fix a benign linker warning Reinette Chatre
2021-09-16 14:38 ` Jarkko Sakkinen
2021-09-16 14:39 ` Jarkko Sakkinen
2021-09-16 17:31 ` Reinette Chatre
2021-09-15 20:30 ` [PATCH 02/14] x86/sgx: Add /sys/kernel/debug/x86/sgx_total_mem Reinette Chatre
2021-09-16 14:09 ` Jarkko Sakkinen
2021-09-16 15:35 ` Reinette Chatre
2021-09-15 20:30 ` [PATCH 03/14] selftests/sgx: Assign source for each segment Reinette Chatre
2021-09-15 20:30 ` [PATCH 04/14] selftests/sgx: Make data measurement for an enclave segment optional Reinette Chatre
2021-09-15 20:30 ` [PATCH 05/14] selftests/sgx: Create a heap for the test enclave Reinette Chatre
2021-09-15 20:30 ` [PATCH 06/14] selftests/sgx: Dump segments and /proc/self/maps only on failure Reinette Chatre
2021-09-15 20:30 ` [PATCH 07/14] selftests/sgx: Encpsulate the test enclave creation Reinette Chatre
2021-09-15 20:30 ` [PATCH 08/14] selftests/sgx: Move setup_test_encl() to each TEST_F() Reinette Chatre
2021-09-15 20:30 ` [PATCH 09/14] selftests/sgx: Add a new kselftest: unclobbered_vdso_oversubscribed Reinette Chatre
2021-09-15 20:31 ` [PATCH 10/14] selftests/sgx: Provide per-op parameter structs for the test enclave Reinette Chatre
2021-09-15 20:31 ` [PATCH 11/14] selftests/sgx: Rename test properties in preparation for more enclave tests Reinette Chatre
2021-09-16 15:20 ` Jarkko Sakkinen
2021-09-15 20:31 ` [PATCH 12/14] selftests/sgx: Add page permission and exception test Reinette Chatre
2021-09-16 15:21 ` Jarkko Sakkinen [this message]
2021-09-16 15:37 ` Reinette Chatre
2021-09-16 15:30 ` Dave Hansen
2021-09-16 15:50 ` Reinette Chatre
2021-09-15 20:31 ` [PATCH 13/14] selftests/sgx: Enable multiple thread support Reinette Chatre
2021-09-16 15:23 ` Jarkko Sakkinen
2021-09-15 20:31 ` [PATCH 14/14] selftests/sgx: Add test for multiple TCS entry Reinette Chatre
2021-09-16 15:24 ` Jarkko Sakkinen
2021-09-16 14:13 ` [PATCH 00/14] selftests/sgx: Oversubscription, page permission, thread entry Jarkko Sakkinen
2021-09-16 15:37 ` Dave Hansen
2021-09-16 16:14 ` Reinette Chatre
2021-09-16 16:15 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d04d83a679f026ae2aa28535bdc826b8cf95e887.camel@kernel.org \
--to=jarkko@kernel.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=reinette.chatre@intel.com \
--cc=seanjc@google.com \
--cc=shuah@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).