From: "Haitao Huang" <email@example.com>
To: "firstname.lastname@example.org" <email@example.com>,
"Huang, Kai" <firstname.lastname@example.org>
Cc: "email@example.com" <firstname.lastname@example.org>,
"Chatre, Reinette" <email@example.com>,
"Dhanraj, Vijay" <firstname.lastname@example.org>,
Subject: Re: [RFC PATCH v4 2/4] x86/sgx: Implement support for MADV_WILLNEED
Date: Tue, 14 Mar 2023 09:54:30 -0500 [thread overview]
Message-ID: <email@example.com> (raw)
On Thu, 09 Mar 2023 05:31:29 -0600, Huang, Kai <firstname.lastname@example.org> wrote:
>> Then in v29, PROT_NONE mapping was disallowed for encl_fd before pages
>> EADDed so user space has to mmap anonymously to reserve the range.The
>> intent was still not to allow mmap before pages EADDed (the !page check
>> was still there up to v38)
> Do you know the reason of disallowing PROT_NONE mapping against encl_fd?
I think it was to allow user space to do anonymous mapping to reserve
address space for enclave.
Before this point, you have to use PROT_NONE to reserve with encl_fd.
There might be an issue with how #PF and EPC swapping was handled or the
elegance of those flows that motivated the move but I can't remember. ABI
was not fixed at that time so it was OK to change.
> I dig v28 roughly but didn't find any clue.
> Basically no comments related to this were made to:
> [PATCH v28 11/22] x86/sgx: Linux Enclave Driver
>> Later version (around v39?) we switched to enforce the permissions in PF
>> handler and mmap with any permissions before EADD is allowed, but may
>> cause failure later on PF. I'm not sure it was intentional but pretty
>> no meaningful usage for doing mmap before ECREATE due to PF handler
> IIUC this change around v39 re-allows mmap() against encl_fd before
I don't think so. There is no meaningful usage for that as I said.
> IIUC the only enforcement is VMA's permission must be more restricted
> enclave page's permission.
> So, theoretically, we can mmap() encl_fd with
> and then mprotect() the address range based on the actual enclave pages
> EADD) before actually doing EADD those pages?
>> I think that's the history behind it. Others more knowledgeable can
>> correct me as needed.
> Thanks for the information.
>> Again, even if we redesign the whole thing to be less "weird", then
>> requiring pgoff for each mmap would break existing user space code. And
>> think explicitly block mmap before ECREATE make the API more consistent
>> with the PF handler enforcement and original intent of sgx_encl_may_map.
> I think permission check in sgx_encl_may_map() isn't restricted related
> to the
> vma->pgoff issue here. They are basically two different topics, IIUC.
They are related because the intention was not allowing user space to do
arbitrary mmaping before EADD.
So in the context of the gap you identified for this patch series, i.e,
mmap before ECREATE, it is relevant. My view is that we never intended and
there is no use case for allowing that to happen. So it naturally follows
that we fix that gap by not allowing those scenarios explicitly.
> So I am still a little bit confused about where does "SGX driver uses
> MAP_ANONYMOUS semantics for fd-based mmap()" come from.
> Anyway, we certainly don't want to break userspace. However, IIUC, even
> now on we change the driver to depend on userspace to pass the correct
> pgoff in
> mmap(), this won't break userspace, because old userspace which doesn't
> fadvice() and pgoff actually doesn't matter. For new userspace which
> fadvice(), it needs to pass the correct pgoff.
> I am not saying we should do this, but it doesn't seem we can break
I'll leave it for others to chime in on this.
With my user space developer hat on, I would not like this because in one
place (mmap before madvise call) I have to pass pgoff and not in another
place (mmap after EADD). If you see really big issues on the current
MAP_ANONYMOUS + enclave_fd semantics, then we should fix the design. But
it should be in separate patches.
next prev parent reply other threads:[~2023-03-14 14:54 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-28 4:55 [RFC PATCH v4 0/4] x86/sgx: implement support for MADV_WILLNEED Haitao Huang
2023-01-28 4:55 ` [RFC PATCH v4 1/4] x86/sgx: Export sgx_encl_eaug_page Haitao Huang
2023-01-28 4:55 ` [RFC PATCH v4 2/4] x86/sgx: Implement support for MADV_WILLNEED Haitao Huang
2023-01-28 4:55 ` [RFC PATCH v4 3/4] selftests/sgx: add len field for EACCEPT op Haitao Huang
2023-01-28 4:55 ` [RFC PATCH v4 4/4] selftests/sgx: Add test for madvise(..., WILLNEED) Haitao Huang
2023-02-07 23:30 ` Jarkko Sakkinen
2023-02-15 2:38 ` Huang, Kai
2023-02-15 4:42 ` Haitao Huang
2023-02-15 8:46 ` Huang, Kai
2023-02-17 22:29 ` jarkko
2023-02-07 23:29 ` [RFC PATCH v4 3/4] selftests/sgx: add len field for EACCEPT op Jarkko Sakkinen
2023-02-07 23:28 ` [RFC PATCH v4 2/4] x86/sgx: Implement support for MADV_WILLNEED Jarkko Sakkinen
2023-02-14 9:47 ` Huang, Kai
2023-02-14 19:18 ` Haitao Huang
2023-02-14 20:54 ` Huang, Kai
2023-02-14 21:42 ` Haitao Huang
2023-02-14 22:36 ` Huang, Kai
2023-02-15 3:59 ` Haitao Huang
2023-02-15 8:51 ` Huang, Kai
2023-02-15 15:42 ` Haitao Huang
2023-02-16 7:53 ` Huang, Kai
2023-02-16 17:12 ` Haitao Huang
2023-02-17 22:32 ` jarkko
2023-02-17 23:03 ` Haitao Huang
2023-02-21 22:10 ` jarkko
2023-02-22 1:37 ` Haitao Huang
2023-03-07 23:32 ` Huang, Kai
2023-03-09 0:50 ` Haitao Huang
2023-03-09 11:31 ` Huang, Kai
2023-03-14 14:54 ` Haitao Huang [this message]
2023-03-19 13:26 ` jarkko
2023-03-20 9:36 ` Huang, Kai
2023-03-20 14:04 ` jarkko
2023-05-27 0:32 ` Haitao Huang
2023-06-06 4:11 ` Huang, Kai
2023-06-07 16:59 ` Haitao Huang
2023-06-16 3:49 ` Huang, Kai
2023-06-16 22:05 ` Sean Christopherson
2023-06-19 11:17 ` Huang, Kai
2023-06-22 22:01 ` Sean Christopherson
2023-06-22 23:21 ` Huang, Kai
2023-06-26 22:28 ` Sean Christopherson
2023-06-27 11:43 ` Huang, Kai
2023-06-27 14:50 ` Sean Christopherson
2023-06-28 9:37 ` Huang, Kai
2023-06-28 14:57 ` Sean Christopherson
2023-06-29 3:10 ` Huang, Kai
2023-06-29 14:23 ` Sean Christopherson
2023-06-29 23:29 ` Huang, Kai
2023-06-30 0:14 ` Sean Christopherson
2023-06-30 0:56 ` Huang, Kai
2023-06-30 1:54 ` Jarkko Sakkinen
2023-06-30 1:57 ` Jarkko Sakkinen
2023-06-30 4:26 ` Huang, Kai
2023-06-30 9:35 ` Jarkko Sakkinen
2023-03-12 1:25 ` jarkko
2023-03-12 22:25 ` Huang, Kai
2023-02-17 22:07 ` jarkko
2023-02-17 21:50 ` jarkko
2023-02-07 23:26 ` [RFC PATCH v4 1/4] x86/sgx: Export sgx_encl_eaug_page Jarkko Sakkinen
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).