* SGX feature extensions patch.
@ 2021-04-26  9:45 Dr. Greg
From: Dr. Greg @ 2021-04-26  9:45 UTC (permalink / raw)
  To: linux-kernel, linux-sgx

Good morning, I hope the week is starting well for everyone.

With the SGX driver having been mainlined in the 5.11 release we will
be maintaining and releasing our out-of-tree SGX feature extension
patch for each kernel release.

The patches will be available using the following URL format:

ftp://ftp.enjellic.com/pub/sgx/kernel/SFLC-MAJOR.MINOR.patch

With the detached signature available via the following URL:

ftp://ftp.enjellic.com/pub/sgx/kernel/SFLC-MAJOR.MINOR.patch.asc

The 5.11 patch and signature can thus be retrieved via the following
URLs:

ftp://ftp.enjellic.com/pub/sgx/kernel/SFLC-5.11.patch

ftp://ftp.enjellic.com/pub/sgx/kernel/SFLC-5.11.patch.asc

I've included the public signing key that is being used for the
signatures at the end of this e-mail.

In addition to implementing cryptographic access control policies, the
feature extension patch allows the mainline driver to work on
platforms that do not have Flexible Launch Control.

The changelog for the patch contains documentation for how to use the
cryptographic access control policies, along with the rationale for
enabling support for non-FLC platforms, which is basically the fact
that with the mainline Linux driver there is very little hardware
available to developers who would be interested in working with SGX on
Linux.

The driver extensions are unit tested on both FLC and non-FLC
hardware.

We would, of course, be interested in any productive suggestions,
security issues or enhancement requests.  Depending on the trajectory
of mainline development, we may add support for partial page
initialization if that doesn't look like it is headed for mainline
inclusion.

Best wishes for a productive week.

Dr. Greg


As always,
Dr. Greg Wettstein, Ph.D, Worker      Autonomously self-defensive
Enjellic Systems Development, LLC     IOT platforms and edge devices.
4206 N. 19th Ave.
Fargo, ND  58102
PH: 701-281-1686                      EMAIL: greg@enjellic.com
------------------------------------------------------------------------------
"Heaven goes by favor.  If it went by merit, you would stay out and your
 dog would go in."
                                -- Mark Twain


* Re: SGX feature extensions patch.
@ 2021-04-28  3:07 Jia Zhang
From: Jia Zhang @ 2021-04-28  3:07 UTC (permalink / raw)
  To: Dr. Greg, linux-kernel, linux-sgx

Hi Dr. Greg,

Thanks for your great job! I have a question: how do you work out the
PSW for non-FLC platforms?

The background is that we (inclavare containers project:
https://github.com/alibaba/inclavare-containers)
also attempt to resolve the conflict between the non-FLC platform and the
SGX in-tree driver.
Our work is available at
https://github.com/alibaba/inclavare-containers/tree/master/hack/no-sgx-flc

In addition, I compared the differences between our non-FLC support
parts:
- Use a different ioctl cmd to support the init-token ioctl with the token
supplied by the caller
- Use a different init-token ioctl structure (with vs. without the address
parameter in ELRANGE)

We did the testing on an SGX1 machine and found it is required to modify
the PSW. See
https://github.com/alibaba/inclavare-containers/blob/master/hack/no-sgx-flc/Linux-SGX-PSW-2.13-Support-SGX1-machine-with-SGX-in-tree-driver.patch

So we are interested in how you avoid modifying the PSW to make it work.

Cheers,
Jia


* Re: SGX feature extensions patch.
@ 2021-04-28 10:24 Dr. Greg
From: Dr. Greg @ 2021-04-28 10:24 UTC (permalink / raw)
  To: Jia Zhang; +Cc: linux-kernel, linux-sgx

On Wed, Apr 28, 2021 at 11:07:34AM +0800, Jia Zhang wrote:

> Hi Dr. Greg,

Good morning Jia, I hope this note finds your day going well.

> Thanks for your great job! I have a question: how do you work out the
> PSW for non-FLC platforms?
>
> The background is that we (inclavare containers project:
> https://github.com/alibaba/inclavare-containers)
>
> also attempt to resolve the conflict between the non-FLC platform and the
> SGX in-tree driver.
>
> Our work is available at
> https://github.com/alibaba/inclavare-containers/tree/master/hack/no-sgx-flc

Thank you, I'm pleased that, as a major SGX user, you see utility in
the work.

We just finished unit testing of the feature patch against the
recently released 5.12 kernel and we will be making that available in
the next day or so.

Please feel free to include our patch in your work or provide a
reference to it if it facilitates your initiatives.  Our approaches
are similar but non-FLC platforms will need the cryptographic policy
controls that we implement in order to get full functionality.

> In addition, I compared the differences between our non-FLC support
> parts:
>
> - Use a different ioctl cmd to support the init-token ioctl with the token
> supplied by the caller
>
> - Use a different init-token ioctl structure (with vs. without the address
> parameter in ELRANGE)

We deliberated at significant length on how to approach this problem.
In the end, using a separate ioctl with its own index number seemed to
be the approach that would offer the best path forward with respect to
those of us developing SGX runtimes.

The separate ioctl call we implemented acts in a manner identical to
the standard ioctl, if a NULL pointer value is passed as the address
of the EINITTOKEN block.  Thus the ioctl will work on both FLC and
non-FLC platforms and can be used exclusively by runtimes that support
both types of hardware.

A review of the kernel archives will show that I advocated rather
aggressively for the mainline driver to include the pointer in its
EINIT ioctl structure and have the in-kernel ioctl ignore that
pointer.  Unfortunately, the design of the driver was driven by
politics, and not by technology and the needs of the individuals that
will be actually using the driver.

> We did the testing on an SGX1 machine and found it is required to modify
> the PSW. See https://github.com/alibaba/inclavare-containers/blob/master/hack/no-sgx-flc/Linux-SGX-PSW-2.13-Support-SGX1-machine-with-SGX-in-tree-driver.patch
>
> So we are interested in how you avoid modifying the PSW to make it work.

By definition, the SGX runtimes will need to be modified in order to
make all of this work for the user community.  I believe the approach
that we ended up using, with a separate ioctl index, will minimize the
changes that are needed and allow the runtimes to work on both FLC and
non-FLC hardware with minimal changes.

I'm quite familiar with the Intel SDK/PSW, since we did a complete
C-only re-implementation of the PSW; however, I don't have a platform
right now that will build the Intel stack.  I'm assuming you do, so if
you are interested we could collaborate on making the necessary
changes.

The basic strategy would be as follows:

Modify the sgx_enclave_init_in_kernel structure definition in the
following file:

psw/urts/linux/isgx.h

To include a __u64 token structure element.

Modify the following function

psw/enclave_common/sgx_common_enclave.cpp:enclave_initialize()

So that the terminal 'else' clause that ends up handling the
SGX_DRIVER_IN_KERNEL path initializes both pointer values to NULL.

I would lift the code in the first 'if' clause, that loads the launch
token for the out-of-tree driver, into a separate function to avoid
code replication.

In the SGX_DRIVER_IN_KERNEL path use the call that you implemented in
your initial PSW modification, to check on the status of FLC support,
to gate calling the token generation code on a non-FLC platform and
set the token value of the sgx_enclave_init_in_kernel structure to the
address of the token block that the function returns.

That should produce a PSW that initializes enclaves on both non-FLC
and FLC platforms.

If you are interested, I can work up a basic outline patch that you can
work from.

Obviously, for completeness, the PSW should probe for the existence of
the new ioctl if the in-kernel driver is detected, but that type of
functionality can be added after the basics are working.

> Cheers,
> Jia

Let me know your thoughts and we will go from there.

Best wishes for a productive remainder of the week.

Dr. Greg

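As an added illustration of the convention described in the message above (a token pointer of NULL makes the separate ioctl behave exactly like the standard one, and the PSW only supplies a token on non-FLC hardware), here is a small userspace model in C. It is example code written for this page, not from the thread, the SFLC patch or the Intel PSW: the field name `sigstruct` follows the mainline SGX UAPI, while `platform_has_flc`, `driver_dispatch`, `model_run` and the 1808-byte placeholder SIGSTRUCT are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef uint64_t __u64;
typedef uint32_t __u32;

/* ioctl argument: `sigstruct` follows the mainline UAPI name; `token` is the
 * __u64 element proposed above.  token == 0 selects the standard behaviour. */
struct sgx_enclave_init_in_kernel {
    __u64 sigstruct;
    __u64 token;
};

struct einittoken {          /* EINITTOKEN per the SGX ISA: 304 bytes */
    __u32 valid;             /* VALID dword comes first */
    uint8_t rest[300];
};

enum init_path { INIT_EINVAL = -1, INIT_STANDARD = 0, INIT_CALLER_TOKEN = 1 };

/* PSW side: token use is gated on the FLC probe; on non-FLC hardware only a
 * present, VALID and 512-byte aligned token block is passed down. */
int build_init_request(bool platform_has_flc, const void *sigstruct,
                       const struct einittoken *tok,
                       struct sgx_enclave_init_in_kernel *req)
{
    memset(req, 0, sizeof(*req));
    req->sigstruct = (uintptr_t)sigstruct;
    if (platform_has_flc)
        return 0;                       /* token stays NULL: standard path */
    if (!tok || ((uintptr_t)tok & 511) || tok->valid != 1)
        return -1;                      /* refuse before issuing the ioctl */
    req->token = (uintptr_t)tok;
    return 0;
}

/* Driver side: a model of the described semantics, not kernel code. */
enum init_path driver_dispatch(const struct sgx_enclave_init_in_kernel *req)
{
    if (req->sigstruct == 0)
        return INIT_EINVAL;
    if (req->token == 0)
        return INIT_STANDARD;           /* FLC: identical to standard ioctl */
    if (req->token & 511)
        return INIT_EINVAL;             /* EINIT needs 512-byte alignment */
    return INIT_CALLER_TOKEN;
}

/* End-to-end run of one platform case; returns the path the driver took. */
enum init_path model_run(bool platform_has_flc)
{
    static uint8_t sigstruct[1808];                         /* constructed */
    static struct einittoken tok __attribute__((aligned(512))); /* constructed */
    struct sgx_enclave_init_in_kernel req;
    tok.valid = 1;
    if (build_init_request(platform_has_flc, sigstruct, &tok, &req) != 0)
        return INIT_EINVAL;
    return driver_dispatch(&req);
}
```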

