From: Dave Hansen <dave.hansen@intel.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: x86@kernel.org, linux-sgx@vger.kernel.org,
linux-kernel@vger.kernel.org,
Jethro Beekman <jethro@fortanix.com>,
Haitao Huang <haitao.huang@linux.intel.com>,
Chunyang Hui <sanqian.hcy@antfin.com>,
Jordan Hand <jorhand@linux.microsoft.com>,
Nathaniel McCallum <npmccallum@redhat.com>,
Seth Moore <sethmo@google.com>,
Darren Kenny <darren.kenny@oracle.com>,
Sean Christopherson <sean.j.christopherson@intel.com>,
Suresh Siddha <suresh.b.siddha@intel.com>,
akpm@linux-foundation.org, andriy.shevchenko@linux.intel.com,
asapek@google.com, bp@alien8.de, cedric.xing@intel.com,
chenalexchen@google.com, conradparker@google.com,
cyhanish@google.com, haitao.huang@intel.com, kai.huang@intel.com,
kai.svahn@intel.com, kmoy@google.com, ludloff@google.com,
luto@kernel.org, nhorman@redhat.com, puiterwijk@redhat.com,
rientjes@google.com, tglx@linutronix.de, yaozhangx@google.com,
mikko.ylinen@intel.com
Subject: Re: [PATCH v39 12/24] x86/sgx: Add SGX_IOC_ENCLAVE_CREATE
Date: Mon, 19 Oct 2020 13:21:09 -0700 [thread overview]
Message-ID: <f6fe37ee-7b5c-15b6-6823-2500582e7921@intel.com> (raw)
In-Reply-To: <20201018042633.GI68722@linux.intel.com>
On 10/17/20 9:26 PM, Jarkko Sakkinen wrote:
...
>>> +static int sgx_validate_secs(const struct sgx_secs *secs)
>>> +{
>>
>> What's the overall point of this function? Does it avoid a #GP from an
>> instruction later?
>>
>> Does all of the 'secs' content come from userspace?
>
> Yes it does avoid #GP, and all the data comes from the user space.
Please comment the function to indicate this.
But, in general, why do we care to avoid a #GP? Is it just because we
don't have infrastructure in-kernel to suppress the resulting panic()?
>>> + u64 max_size = (secs->attributes & SGX_ATTR_MODE64BIT) ?
>>> + sgx_encl_size_max_64 : sgx_encl_size_max_32;
>>> +
>>> + if (secs->size < (2 * PAGE_SIZE) || !is_power_of_2(secs->size))
>>> + return -EINVAL;
>>> +
>>> + if (secs->base & (secs->size - 1))
>>> + return -EINVAL;
>>> +
>>> + if (secs->miscselect & sgx_misc_reserved_mask ||
>>> + secs->attributes & sgx_attributes_reserved_mask ||
>>> + secs->xfrm & sgx_xfrm_reserved_mask)
>>> + return -EINVAL;
>>> +
>>> + if (secs->size > max_size)
>>> + return -EINVAL;
>>> +
>>> + if (!(secs->xfrm & XFEATURE_MASK_FP) ||
>>> + !(secs->xfrm & XFEATURE_MASK_SSE) ||
>>> + (((secs->xfrm >> XFEATURE_BNDREGS) & 1) != ((secs->xfrm >> XFEATURE_BNDCSR) & 1)))
>>> + return -EINVAL;
>>> +
>>> + if (!secs->ssa_frame_size)
>>> + return -EINVAL;
>>> +
>>> + if (sgx_calc_ssa_frame_size(secs->miscselect, secs->xfrm) > secs->ssa_frame_size)
>>> + return -EINVAL;
>>> +
>>> + if (memchr_inv(secs->reserved1, 0, sizeof(secs->reserved1)) ||
>>> + memchr_inv(secs->reserved2, 0, sizeof(secs->reserved2)) ||
>>> + memchr_inv(secs->reserved3, 0, sizeof(secs->reserved3)) ||
>>> + memchr_inv(secs->reserved4, 0, sizeof(secs->reserved4)))
>>> + return -EINVAL;
>>> +
>>> + return 0;
>>> +}
>>
>> I think it would be nice to at least have one comment per condition to
>> explain what's going on there.
...
>>> +static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
>>> +{
>>> + struct sgx_epc_page *secs_epc;
>>> + struct sgx_pageinfo pginfo;
>>> + struct sgx_secinfo secinfo;
>>> + unsigned long encl_size;
>>> + struct file *backing;
>>> + long ret;
>>> +
>>> + if (sgx_validate_secs(secs)) {
>>> + pr_debug("invalid SECS\n");
>>> + return -EINVAL;
>>> + }
>>> +
>>> + /* The extra page goes to SECS. */
>>> + encl_size = secs->size + PAGE_SIZE;
>>> +
>>> + backing = shmem_file_setup("SGX backing", encl_size + (encl_size >> 5),
>>> + VM_NORESERVE);
>>
>> What's the >>5 adjustment for?
>
> The backing storage stores not only the swapped page but also
> Paging Crypto MetaData (PCMD) structure. It essentially contains
> a CPU encrypted MAC for a page.
>
> The MAC is over page version and data. The version is stored in
> a EPC page called Version Array (VA) page.
>
> Both of these are needed by ENCLS[ELDU].
/*
* SGX backing storage needs to contain space for both the
* EPC data and some metadata called the Paging Crypto
* MetaData (PCMD). The PCMD needs 128b of storage for each
* page.
*/
Also, the MAC is a fixed size, right? Let's say that x86 got a larger
page size in the future. Would this number be 128b or PAGE_SIZE/32?
If it's a fixed size, I'd write:
size = encl_size;
size += (encl_size / PAGE_SIZE) * SGX_PCPD_PER_PAGE;
If it really is 1/32nd, I'd write
size += encl_size / SGX_PCPD_RATIO;
or something.
Either way, the >>5 is total magic and needs comments and fixing.
>>> +long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
>>> +{
>>> + struct sgx_encl *encl = filep->private_data;
>>> + int ret, encl_flags;
>>> +
>>> + encl_flags = atomic_fetch_or(SGX_ENCL_IOCTL, &encl->flags);
>>> + if (encl_flags & SGX_ENCL_IOCTL)
>>> + return -EBUSY;
>>
>> Is the SGX_ENCL_IOCTL bit essentially just a lock to single-thread
>> ioctl()s? Should we name it as such?
>
> Yes. It makes the concurrency overally easier if we can assume that
> only a single ioctl is in progress. There is no good reason to do
> them in parallel.
>
> E.g. when you add pages you want to do that serially because the
> order changes the MRENCLAVE.
There are also hardware concurrency requirements, right? A bunch of the
SGX functions seem not not even support being called in parallel.
> So should I rename it as SGX_ENCL_IOCTL_LOCKED?
I'd rather not see hand-rolled locking primitives frankly.
next prev parent reply other threads:[~2020-10-19 20:21 UTC|newest]
Thread overview: 117+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-03 4:50 [PATCH v39 00/24] Intel SGX foundations Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 01/24] x86/cpufeatures: x86/msr: Add Intel SGX hardware bits Jarkko Sakkinen
2020-10-19 14:10 ` Dave Hansen
2020-10-19 17:49 ` Sean Christopherson
2020-10-03 4:50 ` [PATCH v39 02/24] x86/cpufeatures: x86/msr: Add Intel SGX Launch Control " Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 03/24] x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 04/24] x86/sgx: Add SGX microarchitectural data structures Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 05/24] x86/sgx: Add wrappers for ENCLS leaf functions Jarkko Sakkinen
2020-10-19 14:30 ` Dave Hansen
2020-10-19 17:38 ` Sean Christopherson
2020-10-19 17:48 ` Dave Hansen
2020-10-19 17:53 ` Sean Christopherson
2020-10-19 17:58 ` Dave Hansen
2020-10-03 4:50 ` [PATCH v39 06/24] x86/cpu/intel: Detect SGX support Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 07/24] x86/cpu/intel: Add nosgx kernel parameter Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 08/24] x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections Jarkko Sakkinen
2020-10-19 8:45 ` Jarkko Sakkinen
2020-10-19 12:39 ` Borislav Petkov
2020-10-23 9:01 ` Jarkko Sakkinen
2020-10-19 13:40 ` Dave Hansen
2020-10-23 9:03 ` Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 09/24] x86/sgx: Add __sgx_alloc_epc_page() and sgx_free_epc_page() Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 11/24] x86/sgx: Add SGX enclave driver Jarkko Sakkinen
2020-10-03 14:39 ` Greg KH
2020-10-04 14:32 ` Jarkko Sakkinen
2020-10-04 15:01 ` Jarkko Sakkinen
2020-10-05 9:42 ` Greg KH
2020-10-05 12:42 ` Jarkko Sakkinen
2020-10-07 18:09 ` Haitao Huang
2020-10-07 19:26 ` Greg KH
2020-10-09 6:44 ` Jarkko Sakkinen
2020-10-14 20:16 ` Dave Hansen
2020-10-05 8:45 ` Christoph Hellwig
2020-10-05 11:42 ` Jarkko Sakkinen
2020-10-05 11:50 ` Greg KH
2020-10-05 14:23 ` Jarkko Sakkinen
2020-10-05 15:02 ` Greg KH
2020-10-05 16:40 ` Dave Hansen
2020-10-05 20:02 ` Jarkko Sakkinen
2020-10-09 7:10 ` Pavel Machek
2020-10-09 7:21 ` Greg KH
2020-10-09 8:21 ` Pavel Machek
2020-10-03 19:54 ` Matthew Wilcox
2020-10-04 21:50 ` Jarkko Sakkinen
2020-10-04 22:02 ` Jarkko Sakkinen
2020-10-04 22:27 ` Matthew Wilcox
2020-10-04 23:41 ` Jarkko Sakkinen
2020-10-05 1:30 ` Matthew Wilcox
2020-10-05 3:06 ` Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 12/24] x86/sgx: Add SGX_IOC_ENCLAVE_CREATE Jarkko Sakkinen
2020-10-16 17:07 ` Dave Hansen
2020-10-18 4:26 ` Jarkko Sakkinen
2020-10-19 20:21 ` Dave Hansen [this message]
2020-10-19 20:48 ` Sean Christopherson
2020-10-03 4:50 ` [PATCH v39 13/24] x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES Jarkko Sakkinen
2020-10-16 21:25 ` Dave Hansen
2020-10-18 5:03 ` Jarkko Sakkinen
2020-10-19 7:03 ` Jarkko Sakkinen
2020-10-19 20:48 ` Dave Hansen
2020-10-19 21:15 ` Sean Christopherson
2020-10-19 21:44 ` Dave Hansen
2020-10-23 10:11 ` Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 14/24] x86/sgx: Add SGX_IOC_ENCLAVE_INIT Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 15/24] x86/sgx: Add SGX_IOC_ENCLAVE_PROVISION Jarkko Sakkinen
2020-10-20 15:48 ` Dave Hansen
2020-10-23 10:14 ` Jarkko Sakkinen
2020-10-20 21:19 ` Dave Hansen
2020-10-23 10:17 ` Jarkko Sakkinen
2020-10-23 14:19 ` Dave Hansen
2020-10-24 11:34 ` Jarkko Sakkinen
2020-10-24 15:47 ` Andy Lutomirski
2020-10-24 20:23 ` Jarkko Sakkinen
2020-10-27 10:38 ` Dr. Greg
2020-10-23 14:23 ` Jethro Beekman
2020-10-24 11:40 ` Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 16/24] x86/sgx: Add a page reclaimer Jarkko Sakkinen
2020-10-03 5:22 ` Haitao Huang
2020-10-03 13:32 ` Jarkko Sakkinen
2020-10-03 18:23 ` Haitao Huang
2020-10-04 22:39 ` Jarkko Sakkinen
2020-10-07 17:25 ` Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 17/24] x86/sgx: Add ptrace() support for the SGX driver Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 18/24] x86/vdso: Add support for exception fixup in vDSO functions Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 19/24] x86/fault: Add helper function to sanitize error code Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 20/24] x86/traps: Attempt to fixup exceptions in vDSO before signaling Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 21/24] x86/vdso: Implement a vDSO for Intel SGX enclave call Jarkko Sakkinen
2020-10-06 2:57 ` Sean Christopherson
2020-10-06 8:30 ` Jethro Beekman
2020-10-06 15:15 ` Sean Christopherson
2020-10-06 17:28 ` Jarkko Sakkinen
2020-10-06 23:21 ` Sean Christopherson
2020-10-07 0:22 ` Jarkko Sakkinen
2020-10-07 1:17 ` Sean Christopherson
2020-10-07 3:14 ` Jarkko Sakkinen
2020-10-07 4:34 ` Sean Christopherson
2020-10-07 7:39 ` Jarkko Sakkinen
2020-10-07 8:04 ` Jarkko Sakkinen
2020-10-07 15:25 ` Sean Christopherson
2020-10-07 17:08 ` Jarkko Sakkinen
2020-10-07 17:13 ` Jarkko Sakkinen
2020-10-06 15:49 ` Jarkko Sakkinen
2020-10-06 15:36 ` Jarkko Sakkinen
2020-10-06 21:39 ` Jarkko Sakkinen
2020-10-07 0:23 ` Jarkko Sakkinen
2020-10-17 1:48 ` Andy Lutomirski
2020-10-17 21:02 ` Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 22/24] selftests/x86: Add a selftest for SGX Jarkko Sakkinen
2020-10-12 16:50 ` Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 23/24] docs: x86/sgx: Document SGX micro architecture and kernel internals Jarkko Sakkinen
2020-10-03 4:50 ` [PATCH v39 24/24] x86/sgx: Update MAINTAINERS Jarkko Sakkinen
2020-10-16 21:04 ` Dave Hansen
2020-10-18 4:27 ` Jarkko Sakkinen
2020-10-03 14:32 ` [PATCH v39 00/24] Intel SGX foundations Greg KH
2020-10-03 14:53 ` Jarkko Sakkinen
2020-10-15 19:06 ` Dave Hansen
2020-10-17 20:43 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f6fe37ee-7b5c-15b6-6823-2500582e7921@intel.com \
--to=dave.hansen@intel.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=asapek@google.com \
--cc=bp@alien8.de \
--cc=cedric.xing@intel.com \
--cc=chenalexchen@google.com \
--cc=conradparker@google.com \
--cc=cyhanish@google.com \
--cc=darren.kenny@oracle.com \
--cc=haitao.huang@intel.com \
--cc=haitao.huang@linux.intel.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=jorhand@linux.microsoft.com \
--cc=kai.huang@intel.com \
--cc=kai.svahn@intel.com \
--cc=kmoy@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=ludloff@google.com \
--cc=luto@kernel.org \
--cc=mikko.ylinen@intel.com \
--cc=nhorman@redhat.com \
--cc=npmccallum@redhat.com \
--cc=puiterwijk@redhat.com \
--cc=rientjes@google.com \
--cc=sanqian.hcy@antfin.com \
--cc=sean.j.christopherson@intel.com \
--cc=sethmo@google.com \
--cc=suresh.b.siddha@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=yaozhangx@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).