Discussion:
[PATCH v28 21/22] x86/vdso: Implement a vDSO for Intel SGX enclave call
(too old to reply)
Jethro Beekman
2020-03-16 13:31:36 UTC
Permalink
On Sat, Mar 14, 2020 at 9:25 PM Jarkko Sakkinen
Currently, the selftest has a wrapper around
__vdso_sgx_enter_enclave() which preserves all x86-64 ABI callee-saved
registers (CSRs), though it uses none of them. Then it calls this
function which uses %rbx but preserves none of the CSRs. Then it jumps
into an enclave which zeroes all these registers before returning.
1. wrapper saves all CSRs
2. wrapper repositions stack arguments
3. __vdso_sgx_enter_enclave() modifies, but does not save %rbx
4. selftest zeros all CSRs
5. wrapper loads all CSRs
I'd like to propose instead that the enclave be responsible for saving
1. __vdso_sgx_enter_enclave() saves %rbx
2. enclave saves CSRs
3. enclave loads CSRs
4. __vdso_sgx_enter_enclave() loads %rbx
I know that lots of other stuff happens during enclave transitions,
but at the very least we could reduce the number of instructions
through this critical path.
What Jethro said and also that it is a good general principle to cut
down the semantics of any vdso as minimal as possible.
I.e. even if saving RBX would make somehow sense it *can* be left
out without loss in terms of what can be done with the vDSO.
Please read the rest of the thread. Sean and I have hammered out some
sensible and effective changes.
I'm not sure they're sensible? By departing from the ENCLU calling convention, both the VDSO and the wrapper become more complicated. The wrapper because now it needs to implement all kinds of logic for different behavior depending on whether the VDSO is or isn't available.

I agree with Jarkko that everything should be kept small and simple. Calling a couple extra instructions is going to have a negligible effect compared to the actual time EENTER/EEXIT take.

Can someone remind me why we're not passing TCS in RBX but on the stack?

--
Jethro Beekman | Fortanix
Jarkko Sakkinen
2020-03-16 13:56:30 UTC
Permalink
On Sat, Mar 14, 2020 at 9:25 PM Jarkko Sakkinen
Currently, the selftest has a wrapper around
__vdso_sgx_enter_enclave() which preserves all x86-64 ABI callee-saved
registers (CSRs), though it uses none of them. Then it calls this
function which uses %rbx but preserves none of the CSRs. Then it jumps
into an enclave which zeroes all these registers before returning.
1. wrapper saves all CSRs
2. wrapper repositions stack arguments
3. __vdso_sgx_enter_enclave() modifies, but does not save %rbx
4. selftest zeros all CSRs
5. wrapper loads all CSRs
I'd like to propose instead that the enclave be responsible for saving
1. __vdso_sgx_enter_enclave() saves %rbx
2. enclave saves CSRs
3. enclave loads CSRs
4. __vdso_sgx_enter_enclave() loads %rbx
I know that lots of other stuff happens during enclave transitions,
but at the very least we could reduce the number of instructions
through this critical path.
What Jethro said and also that it is a good general principle to cut
down the semantics of any vdso as minimal as possible.
I.e. even if saving RBX would make somehow sense it *can* be left
out without loss in terms of what can be done with the vDSO.
Please read the rest of the thread. Sean and I have hammered out some
sensible and effective changes.
Have skimmed through that discussion but it comes down how much you get
by obviously degrading some of the robustness. Complexity of the calling
pattern is not something that should be emphasized as that is something
that is anyway hidden inside the runtime.

/Jarkko
Nathaniel McCallum
2020-03-16 14:01:38 UTC
Permalink
On Mon, Mar 16, 2020 at 9:56 AM Jarkko Sakkinen
Post by Jarkko Sakkinen
On Sat, Mar 14, 2020 at 9:25 PM Jarkko Sakkinen
Currently, the selftest has a wrapper around
__vdso_sgx_enter_enclave() which preserves all x86-64 ABI callee-saved
registers (CSRs), though it uses none of them. Then it calls this
function which uses %rbx but preserves none of the CSRs. Then it jumps
into an enclave which zeroes all these registers before returning.
1. wrapper saves all CSRs
2. wrapper repositions stack arguments
3. __vdso_sgx_enter_enclave() modifies, but does not save %rbx
4. selftest zeros all CSRs
5. wrapper loads all CSRs
I'd like to propose instead that the enclave be responsible for saving
1. __vdso_sgx_enter_enclave() saves %rbx
2. enclave saves CSRs
3. enclave loads CSRs
4. __vdso_sgx_enter_enclave() loads %rbx
I know that lots of other stuff happens during enclave transitions,
but at the very least we could reduce the number of instructions
through this critical path.
What Jethro said and also that it is a good general principle to cut
down the semantics of any vdso as minimal as possible.
I.e. even if saving RBX would make somehow sense it *can* be left
out without loss in terms of what can be done with the vDSO.
Please read the rest of the thread. Sean and I have hammered out some
sensible and effective changes.
Have skimmed through that discussion but it comes down how much you get
by obviously degrading some of the robustness. Complexity of the calling
pattern is not something that should be emphasized as that is something
that is anyway hidden inside the runtime.
My suggestions explicitly maintained robustness, and in fact increased
it. If you think we've lost capability, please speak with specificity
rather than in vague generalities. Under my suggestions we can:
1. call the vDSO from C
2. pass context to the handler
3. have additional stack manipulation options in the handler

The cost for this is a net 2 additional instructions. No existing
capability is lost.
Jarkko Sakkinen
2020-03-16 21:38:24 UTC
Permalink
Post by Nathaniel McCallum
On Mon, Mar 16, 2020 at 9:56 AM Jarkko Sakkinen
Post by Jarkko Sakkinen
On Sat, Mar 14, 2020 at 9:25 PM Jarkko Sakkinen
Currently, the selftest has a wrapper around
__vdso_sgx_enter_enclave() which preserves all x86-64 ABI callee-saved
registers (CSRs), though it uses none of them. Then it calls this
function which uses %rbx but preserves none of the CSRs. Then it jumps
into an enclave which zeroes all these registers before returning.
1. wrapper saves all CSRs
2. wrapper repositions stack arguments
3. __vdso_sgx_enter_enclave() modifies, but does not save %rbx
4. selftest zeros all CSRs
5. wrapper loads all CSRs
I'd like to propose instead that the enclave be responsible for saving
1. __vdso_sgx_enter_enclave() saves %rbx
2. enclave saves CSRs
3. enclave loads CSRs
4. __vdso_sgx_enter_enclave() loads %rbx
I know that lots of other stuff happens during enclave transitions,
but at the very least we could reduce the number of instructions
through this critical path.
What Jethro said and also that it is a good general principle to cut
down the semantics of any vdso as minimal as possible.
I.e. even if saving RBX would make somehow sense it *can* be left
out without loss in terms of what can be done with the vDSO.
Please read the rest of the thread. Sean and I have hammered out some
sensible and effective changes.
Have skimmed through that discussion but it comes down how much you get
by obviously degrading some of the robustness. Complexity of the calling
pattern is not something that should be emphasized as that is something
that is anyway hidden inside the runtime.
My suggestions explicitly maintained robustness, and in fact increased
it. If you think we've lost capability, please speak with specificity
1. call the vDSO from C
2. pass context to the handler
3. have additional stack manipulation options in the handler
The cost for this is a net 2 additional instructions. No existing
capability is lost.
My vague generality in this case is just that the whole design
approach so far has been to minimize the amount of wrapping to
EENTER. And since this has been kind of agreed by most of the
stakeholders doing something against the chosen strategy is
something I do hold some resistance.

I get the idea technically what you are suggesting. Please
understand these are orthogonal axes that I have to care about.

In coummunity sense, it opens a possibility to unknown unknowns [1].

[1]


/Jarkko
Sean Christopherson
2020-03-16 22:53:22 UTC
Permalink
Post by Jarkko Sakkinen
Post by Nathaniel McCallum
On Mon, Mar 16, 2020 at 9:56 AM Jarkko Sakkinen
Post by Jarkko Sakkinen
On Sat, Mar 14, 2020 at 9:25 PM Jarkko Sakkinen
Currently, the selftest has a wrapper around
__vdso_sgx_enter_enclave() which preserves all x86-64 ABI callee-saved
registers (CSRs), though it uses none of them. Then it calls this
function which uses %rbx but preserves none of the CSRs. Then it jumps
into an enclave which zeroes all these registers before returning.
1. wrapper saves all CSRs
2. wrapper repositions stack arguments
3. __vdso_sgx_enter_enclave() modifies, but does not save %rbx
4. selftest zeros all CSRs
5. wrapper loads all CSRs
I'd like to propose instead that the enclave be responsible for saving
1. __vdso_sgx_enter_enclave() saves %rbx
2. enclave saves CSRs
3. enclave loads CSRs
4. __vdso_sgx_enter_enclave() loads %rbx
I know that lots of other stuff happens during enclave transitions,
but at the very least we could reduce the number of instructions
through this critical path.
What Jethro said and also that it is a good general principle to cut
down the semantics of any vdso as minimal as possible.
I.e. even if saving RBX would make somehow sense it *can* be left
out without loss in terms of what can be done with the vDSO.
Please read the rest of the thread. Sean and I have hammered out some
sensible and effective changes.
Have skimmed through that discussion but it comes down how much you get
by obviously degrading some of the robustness. Complexity of the calling
pattern is not something that should be emphasized as that is something
that is anyway hidden inside the runtime.
My suggestions explicitly maintained robustness, and in fact increased
it. If you think we've lost capability, please speak with specificity
1. call the vDSO from C
2. pass context to the handler
3. have additional stack manipulation options in the handler
The cost for this is a net 2 additional instructions. No existing
capability is lost.
My vague generality in this case is just that the whole design
approach so far has been to minimize the amount of wrapping to
EENTER.
Yes and no. If we wanted to minimize the amount of wrapping around the
vDSO's ENCLU then we wouldn't have the exit handler shenanigans in the
first place. The whole process has been about balancing the wants of each
use case against the overall quality of the API and code.
Post by Jarkko Sakkinen
And since this has been kind of agreed by most of the
stakeholders doing something against the chosen strategy is
something I do hold some resistance.
Up until Nathaniel joined the party, the only stakeholder in terms of the
exit handler was the Intel SDK. There was a general consensus to pass
registers as-is when there isn't a strong reason to do otherwise. Note
that Nathaniel has also expressed approval of that approach.

So I think the question that needs to be answered is whether the benefits
of using %rcx instead of %rax to pass @leaf justify the "pass registers
as-is" guideline. We've effectively already given this waiver for %rbx,
as the whole reason why the TCS is passed in on the stack instead of via
%rbx is so that it can be passed to the exit handler. E.g. the vDSO
could take the TCS in %rbx and save it on the stack, but we're throwing
the baby out with the bathwater at that point.

The major benefits being that the vDSO would be callable from C and that
the kernel could define a legitimate prototype instead of a frankenstein
prototype that's half assembly and half C. For me, those are significant
benefits and well worth the extra MOV, PUSH and POP. For some use cases
it would eliminate the need for an assembly wrapper. For runtimes that
need an assembly wrapper for whatever reason, it's probably still a win as
a well designed runtime can avoid register shuffling in the wrapper. And
if there is a runtime that isn't covered by the above, it's at worst an
extra MOV.
Xing, Cedric
2020-03-16 23:50:26 UTC
Permalink
Post by Sean Christopherson
Post by Jarkko Sakkinen
Post by Nathaniel McCallum
On Mon, Mar 16, 2020 at 9:56 AM Jarkko Sakkinen
Post by Jarkko Sakkinen
On Sat, Mar 14, 2020 at 9:25 PM Jarkko Sakkinen
Currently, the selftest has a wrapper around
__vdso_sgx_enter_enclave() which preserves all x86-64 ABI callee-saved
registers (CSRs), though it uses none of them. Then it calls this
function which uses %rbx but preserves none of the CSRs. Then it jumps
into an enclave which zeroes all these registers before returning.
1. wrapper saves all CSRs
2. wrapper repositions stack arguments
3. __vdso_sgx_enter_enclave() modifies, but does not save %rbx
4. selftest zeros all CSRs
5. wrapper loads all CSRs
I'd like to propose instead that the enclave be responsible for saving
1. __vdso_sgx_enter_enclave() saves %rbx
2. enclave saves CSRs
3. enclave loads CSRs
4. __vdso_sgx_enter_enclave() loads %rbx
I know that lots of other stuff happens during enclave transitions,
but at the very least we could reduce the number of instructions
through this critical path.
What Jethro said and also that it is a good general principle to cut
down the semantics of any vdso as minimal as possible.
I.e. even if saving RBX would make somehow sense it *can* be left
out without loss in terms of what can be done with the vDSO.
Please read the rest of the thread. Sean and I have hammered out some
sensible and effective changes.
Have skimmed through that discussion but it comes down how much you get
by obviously degrading some of the robustness. Complexity of the calling
pattern is not something that should be emphasized as that is something
that is anyway hidden inside the runtime.
My suggestions explicitly maintained robustness, and in fact increased
it. If you think we've lost capability, please speak with specificity
1. call the vDSO from C
2. pass context to the handler
3. have additional stack manipulation options in the handler
The cost for this is a net 2 additional instructions. No existing
capability is lost.
My vague generality in this case is just that the whole design
approach so far has been to minimize the amount of wrapping to
EENTER.
Yes and no. If we wanted to minimize the amount of wrapping around the
vDSO's ENCLU then we wouldn't have the exit handler shenanigans in the
first place. The whole process has been about balancing the wants of each
use case against the overall quality of the API and code.
The design of this vDSO API was NOT to minimize wrapping, but to allow
maximal flexibility. More specifically, we strove not to restrict how
info was exchanged between the enclave and its host process. After all,
calling convention is compiler specific - i.e. the enclave could be
built by a different compiler (e.g. MSVC) that doesn't share the same
list of CSRs as the host process. Therefore, the API has been
implemented to pass through virtually all registers except those used by
EENTER itself. Similarly, all registers are passed back from enclave to
the caller (or the exit handler) except those used by EEXIT. %rbp is an
exception because the vDSO API has to anchor the stack, using either
%rsp or %rbp. We picked %rbp to allow the enclave to allocate space on
the stack.
Sean Christopherson
2020-03-16 23:59:34 UTC
Permalink
Post by Xing, Cedric
Post by Sean Christopherson
Post by Jarkko Sakkinen
Post by Nathaniel McCallum
My suggestions explicitly maintained robustness, and in fact increased
it. If you think we've lost capability, please speak with specificity
1. call the vDSO from C
2. pass context to the handler
3. have additional stack manipulation options in the handler
The cost for this is a net 2 additional instructions. No existing
capability is lost.
My vague generality in this case is just that the whole design
approach so far has been to minimize the amount of wrapping to
EENTER.
Yes and no. If we wanted to minimize the amount of wrapping around the
vDSO's ENCLU then we wouldn't have the exit handler shenanigans in the
first place. The whole process has been about balancing the wants of each
use case against the overall quality of the API and code.
The design of this vDSO API was NOT to minimize wrapping, but to allow
maximal flexibility. More specifically, we strove not to restrict how info
was exchanged between the enclave and its host process. After all, calling
convention is compiler specific - i.e. the enclave could be built by a
different compiler (e.g. MSVC) that doesn't share the same list of CSRs as
the host process. Therefore, the API has been implemented to pass through
virtually all registers except those used by EENTER itself. Similarly, all
registers are passed back from enclave to the caller (or the exit handler)
except those used by EEXIT. %rbp is an exception because the vDSO API has to
anchor the stack, using either %rsp or %rbp. We picked %rbp to allow the
enclave to allocate space on the stack.
And unless I'm missing something, using %rcx to pass @leaf would still
satisfy the above, correct? Ditto for saving/restoring %rbx.

I.e. a runtime that's designed to work with enclave's using a different
calling convention wouldn't be able to take advantage of being able to call
the vDSO from C, but neither would it take on any meaningful burden.
Xing, Cedric
2020-03-17 00:18:14 UTC
Permalink
Post by Sean Christopherson
Post by Xing, Cedric
Post by Sean Christopherson
Post by Jarkko Sakkinen
Post by Nathaniel McCallum
My suggestions explicitly maintained robustness, and in fact increased
it. If you think we've lost capability, please speak with specificity
1. call the vDSO from C
2. pass context to the handler
3. have additional stack manipulation options in the handler
The cost for this is a net 2 additional instructions. No existing
capability is lost.
My vague generality in this case is just that the whole design
approach so far has been to minimize the amount of wrapping to
EENTER.
Yes and no. If we wanted to minimize the amount of wrapping around the
vDSO's ENCLU then we wouldn't have the exit handler shenanigans in the
first place. The whole process has been about balancing the wants of each
use case against the overall quality of the API and code.
The design of this vDSO API was NOT to minimize wrapping, but to allow
maximal flexibility. More specifically, we strove not to restrict how info
was exchanged between the enclave and its host process. After all, calling
convention is compiler specific - i.e. the enclave could be built by a
different compiler (e.g. MSVC) that doesn't share the same list of CSRs as
the host process. Therefore, the API has been implemented to pass through
virtually all registers except those used by EENTER itself. Similarly, all
registers are passed back from enclave to the caller (or the exit handler)
except those used by EEXIT. %rbp is an exception because the vDSO API has to
anchor the stack, using either %rsp or %rbp. We picked %rbp to allow the
enclave to allocate space on the stack.
satisfy the above, correct? Ditto for saving/restoring %rbx.
I.e. a runtime that's designed to work with enclave's using a different
calling convention wouldn't be able to take advantage of being able to call
the vDSO from C, but neither would it take on any meaningful burden.
Not exactly.

If called directly from C code, the caller would expect CSRs to be
preserved. Then who should preserve CSRs? It can't be the enclave
because it may not follow the same calling convention. Moreover, the
enclave may run into an exception, in which case it doesn't have the
ability to restore CSRs. So it has to be done by the vDSO API. That
means CSRs will be overwritten upon enclave exits, which violates the
goal of "passing all registers back to the caller except those used by
EEXIT".
Sean Christopherson
2020-03-17 00:27:06 UTC
Permalink
Post by Xing, Cedric
Post by Sean Christopherson
Post by Xing, Cedric
Post by Sean Christopherson
Post by Jarkko Sakkinen
Post by Nathaniel McCallum
My suggestions explicitly maintained robustness, and in fact increased
it. If you think we've lost capability, please speak with specificity
1. call the vDSO from C
2. pass context to the handler
3. have additional stack manipulation options in the handler
The cost for this is a net 2 additional instructions. No existing
capability is lost.
My vague generality in this case is just that the whole design
approach so far has been to minimize the amount of wrapping to
EENTER.
Yes and no. If we wanted to minimize the amount of wrapping around the
vDSO's ENCLU then we wouldn't have the exit handler shenanigans in the
first place. The whole process has been about balancing the wants of each
use case against the overall quality of the API and code.
The design of this vDSO API was NOT to minimize wrapping, but to allow
maximal flexibility. More specifically, we strove not to restrict how info
was exchanged between the enclave and its host process. After all, calling
convention is compiler specific - i.e. the enclave could be built by a
different compiler (e.g. MSVC) that doesn't share the same list of CSRs as
the host process. Therefore, the API has been implemented to pass through
virtually all registers except those used by EENTER itself. Similarly, all
registers are passed back from enclave to the caller (or the exit handler)
except those used by EEXIT. %rbp is an exception because the vDSO API has to
anchor the stack, using either %rsp or %rbp. We picked %rbp to allow the
enclave to allocate space on the stack.
satisfy the above, correct? Ditto for saving/restoring %rbx.
I.e. a runtime that's designed to work with enclave's using a different
calling convention wouldn't be able to take advantage of being able to call
the vDSO from C, but neither would it take on any meaningful burden.
Not exactly.
If called directly from C code, the caller would expect CSRs to be
preserved. Then who should preserve CSRs? It can't be the enclave because it
may not follow the same calling convention. Moreover, the enclave may run
into an exception, in which case it doesn't have the ability to restore
CSRs. So it has to be done by the vDSO API. That means CSRs will be
overwritten upon enclave exits, which violates the goal of "passing all
registers back to the caller except those used by EEXIT".
IIUC, Nathaniel's use case is to run only enclaves that are compatible
with Linux's calling convention and to handle enclave exceptions in the
exit handler.

As I qualified above, there would certainly be runtimes and use cases that
would find no advantage in passing @leaf via %rcx and preserving %rbx. I'm
well aware the Intel SDK falls into that bucket. But again, the cost to
such runtimes is precisely one reg->reg MOV instruction.
Nathaniel McCallum
2020-03-17 16:37:54 UTC
Permalink
On Mon, Mar 16, 2020 at 8:27 PM Sean Christopherson
Post by Sean Christopherson
Post by Xing, Cedric
Post by Sean Christopherson
Post by Xing, Cedric
Post by Sean Christopherson
Post by Jarkko Sakkinen
Post by Nathaniel McCallum
My suggestions explicitly maintained robustness, and in fact increased
it. If you think we've lost capability, please speak with specificity
1. call the vDSO from C
2. pass context to the handler
3. have additional stack manipulation options in the handler
The cost for this is a net 2 additional instructions. No existing
capability is lost.
My vague generality in this case is just that the whole design
approach so far has been to minimize the amount of wrapping to
EENTER.
Yes and no. If we wanted to minimize the amount of wrapping around the
vDSO's ENCLU then we wouldn't have the exit handler shenanigans in the
first place. The whole process has been about balancing the wants of each
use case against the overall quality of the API and code.
The design of this vDSO API was NOT to minimize wrapping, but to allow
maximal flexibility. More specifically, we strove not to restrict how info
was exchanged between the enclave and its host process. After all, calling
convention is compiler specific - i.e. the enclave could be built by a
different compiler (e.g. MSVC) that doesn't share the same list of CSRs as
the host process. Therefore, the API has been implemented to pass through
virtually all registers except those used by EENTER itself. Similarly, all
registers are passed back from enclave to the caller (or the exit handler)
except those used by EEXIT. %rbp is an exception because the vDSO API has to
anchor the stack, using either %rsp or %rbp. We picked %rbp to allow the
enclave to allocate space on the stack.
satisfy the above, correct? Ditto for saving/restoring %rbx.
I.e. a runtime that's designed to work with enclave's using a different
calling convention wouldn't be able to take advantage of being able to call
the vDSO from C, but neither would it take on any meaningful burden.
Not exactly.
If called directly from C code, the caller would expect CSRs to be
preserved. Then who should preserve CSRs? It can't be the enclave because it
may not follow the same calling convention. Moreover, the enclave may run
into an exception, in which case it doesn't have the ability to restore
CSRs. So it has to be done by the vDSO API. That means CSRs will be
overwritten upon enclave exits, which violates the goal of "passing all
registers back to the caller except those used by EEXIT".
IIUC, Nathaniel's use case is to run only enclaves that are compatible
with Linux's calling convention and to handle enclave exceptions in the
exit handler.
As I qualified above, there would certainly be runtimes and use cases that
well aware the Intel SDK falls into that bucket. But again, the cost to
such runtimes is precisely one reg->reg MOV instruction.
It seems to me that some think my proposal represents a shift in
strategic direction. I do not see it that way. I affirm the existing
strategic direction. My proposal only represents a specific
optimization of that strategic direction that benefits certain use
cases without significant cost to all other use cases.
Nathaniel McCallum
2020-03-17 16:50:09 UTC
Permalink
Post by Xing, Cedric
Post by Sean Christopherson
Post by Xing, Cedric
Post by Sean Christopherson
Post by Jarkko Sakkinen
Post by Nathaniel McCallum
My suggestions explicitly maintained robustness, and in fact increased
it. If you think we've lost capability, please speak with specificity
1. call the vDSO from C
2. pass context to the handler
3. have additional stack manipulation options in the handler
The cost for this is a net 2 additional instructions. No existing
capability is lost.
My vague generality in this case is just that the whole design
approach so far has been to minimize the amount of wrapping to
EENTER.
Yes and no. If we wanted to minimize the amount of wrapping around the
vDSO's ENCLU then we wouldn't have the exit handler shenanigans in the
first place. The whole process has been about balancing the wants of each
use case against the overall quality of the API and code.
The design of this vDSO API was NOT to minimize wrapping, but to allow
maximal flexibility. More specifically, we strove not to restrict how info
was exchanged between the enclave and its host process. After all, calling
convention is compiler specific - i.e. the enclave could be built by a
different compiler (e.g. MSVC) that doesn't share the same list of CSRs as
the host process. Therefore, the API has been implemented to pass through
virtually all registers except those used by EENTER itself. Similarly, all
registers are passed back from enclave to the caller (or the exit handler)
except those used by EEXIT. %rbp is an exception because the vDSO API has to
anchor the stack, using either %rsp or %rbp. We picked %rbp to allow the
enclave to allocate space on the stack.
satisfy the above, correct? Ditto for saving/restoring %rbx.
I.e. a runtime that's designed to work with enclave's using a different
calling convention wouldn't be able to take advantage of being able to call
the vDSO from C, but neither would it take on any meaningful burden.
Not exactly.
If called directly from C code, the caller would expect CSRs to be
preserved.
Correct. This requires collaboration between the caller of the vDSO
and the enclave.
Post by Xing, Cedric
Then who should preserve CSRs?
The enclave.
Post by Xing, Cedric
It can't be the enclave
because it may not follow the same calling convention.
This is incorrect. You are presuming there is not tight integration
between the caller of the vDSO and the enclave. In my case, the
integration is total and complete. We have working code today that
does this.
Post by Xing, Cedric
Moreover, the
enclave may run into an exception, in which case it doesn't have the
ability to restore CSRs.
There are two solutions to this:
1. Write the handler in assembly and don't return to C on AEX.
2. The caller can simply preserve the registers. Nothing stops that.

We have implemented #1.
Post by Xing, Cedric
So it has to be done by the vDSO API.
Nope. See above.
Post by Xing, Cedric
That
means CSRs will be overwritten upon enclave exits, which violates the
goal of "passing all registers back to the caller except those used by
EEXIT".
All registers get passed to the handler in this scenario, not the caller.

The approach is as follows: the vDSO is callable by C so long as the
enclave respects the ABI *OR* the handler patches up any enclave
deviation from the ABI.
Xing, Cedric
2020-03-17 21:40:34 UTC
Permalink
Hi Nathaniel,

I reread your email today and thought I might have misunderstood your
email earlier. What changes are you asking for exactly? Is that just
passing @leaf in %ecx rather than in %eax? If so, I wouldn't have any
problem. I agree with you that the resulted API would then be callable
from C, even though it wouldn't be able to return back to C due to
tampered %rbx. But I think the vDSO API can preserve %rbx too, given it
is used by both EENTER and EEXIT (so is unavailable for parameter
passing anyway). Alternatively, the C caller can setjmp() to be
longjmp()'d back from within the exit handler.

-Cedric
Sean Christopherson
2020-03-17 22:09:48 UTC
Permalink
Post by Xing, Cedric
Hi Nathaniel,
I reread your email today and thought I might have misunderstood your email
in %ecx rather than in %eax? If so, I wouldn't have any problem. I agree
with you that the resulted API would then be callable from C, even though it
wouldn't be able to return back to C due to tampered %rbx. But I think the
vDSO API can preserve %rbx too, given it is used by both EENTER and EEXIT
(so is unavailable for parameter passing anyway). Alternatively, the C
caller can setjmp() to be longjmp()'d back from within the exit handler.
Yep, exactly. The other proposed change that is fairly straightforward is
to make the save/restore of %rsp across the exit handler call relative
instead of absolute, i.e. allow the exit handler to modify %rsp. I don't
think this would conflict with the Intel SDK usage model?

diff --git a/arch/x86/entry/vdso/vsgx_enter_enclave.S b/arch/x86/entry/vdso/vsgx_enter_enclave.S
index 94a8e5f99961..05d54f79b557 100644
--- a/arch/x86/entry/vdso/vsgx_enter_enclave.S
+++ b/arch/x86/entry/vdso/vsgx_enter_enclave.S
@@ -139,8 +139,9 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
/* Pass the untrusted RSP (at exit) to the callback via %rcx. */
mov %rsp, %rcx

- /* Save the untrusted RSP in %rbx (non-volatile register). */
+ /* Save the untrusted RSP offset in %rbx (non-volatile register). */
mov %rsp, %rbx
+ and $0xf, %rbx

/*
* Align stack per x86_64 ABI. Note, %rsp needs to be 16-byte aligned
@@ -161,8 +162,8 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
mov 0x20(%rbp), %rax
call .Lretpoline

- /* Restore %rsp to its post-exit value. */
- mov %rbx, %rsp
+ /* Undo the post-exit %rsp adjustment. */
+ lea 0x20(%rsp,%rbx), %rsp
Xing, Cedric
2020-03-17 22:36:57 UTC
Permalink
Post by Sean Christopherson
Post by Xing, Cedric
Hi Nathaniel,
I reread your email today and thought I might have misunderstood your email
in %ecx rather than in %eax? If so, I wouldn't have any problem. I agree
with you that the resulted API would then be callable from C, even though it
wouldn't be able to return back to C due to tampered %rbx. But I think the
vDSO API can preserve %rbx too, given it is used by both EENTER and EEXIT
(so is unavailable for parameter passing anyway). Alternatively, the C
caller can setjmp() to be longjmp()'d back from within the exit handler.
Yep, exactly. The other proposed change that is fairly straightforward is
to make the save/restore of %rsp across the exit handler call relative
instead of absolute, i.e. allow the exit handler to modify %rsp. I don't
think this would conflict with the Intel SDK usage model?
diff --git a/arch/x86/entry/vdso/vsgx_enter_enclave.S b/arch/x86/entry/vdso/vsgx_enter_enclave.S
index 94a8e5f99961..05d54f79b557 100644
--- a/arch/x86/entry/vdso/vsgx_enter_enclave.S
+++ b/arch/x86/entry/vdso/vsgx_enter_enclave.S
@@ -139,8 +139,9 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
/* Pass the untrusted RSP (at exit) to the callback via %rcx. */
mov %rsp, %rcx
- /* Save the untrusted RSP in %rbx (non-volatile register). */
+ /* Save the untrusted RSP offset in %rbx (non-volatile register). */
mov %rsp, %rbx
+ and $0xf, %rbx
/*
* Align stack per x86_64 ABI. Note, %rsp needs to be 16-byte aligned
@@ -161,8 +162,8 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
mov 0x20(%rbp), %rax
call .Lretpoline
- /* Restore %rsp to its post-exit value. */
- mov %rbx, %rsp
+ /* Undo the post-exit %rsp adjustment. */
+ lea 0x20(%rsp,%rbx), %rsp
Yep. Though it looks a bit uncommon, I do think it will work.
Sean Christopherson
2020-03-17 23:57:11 UTC
Permalink
Post by Xing, Cedric
Post by Sean Christopherson
Post by Xing, Cedric
Hi Nathaniel,
I reread your email today and thought I might have misunderstood your email
in %ecx rather than in %eax? If so, I wouldn't have any problem. I agree
with you that the resulted API would then be callable from C, even though it
wouldn't be able to return back to C due to tampered %rbx. But I think the
vDSO API can preserve %rbx too, given it is used by both EENTER and EEXIT
(so is unavailable for parameter passing anyway). Alternatively, the C
caller can setjmp() to be longjmp()'d back from within the exit handler.
Yep, exactly. The other proposed change that is fairly straightforward is
to make the save/restore of %rsp across the exit handler call relative
instead of absolute, i.e. allow the exit handler to modify %rsp. I don't
think this would conflict with the Intel SDK usage model?
diff --git a/arch/x86/entry/vdso/vsgx_enter_enclave.S b/arch/x86/entry/vdso/vsgx_enter_enclave.S
index 94a8e5f99961..05d54f79b557 100644
--- a/arch/x86/entry/vdso/vsgx_enter_enclave.S
+++ b/arch/x86/entry/vdso/vsgx_enter_enclave.S
@@ -139,8 +139,9 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
/* Pass the untrusted RSP (at exit) to the callback via %rcx. */
mov %rsp, %rcx
- /* Save the untrusted RSP in %rbx (non-volatile register). */
+ /* Save the untrusted RSP offset in %rbx (non-volatile register). */
mov %rsp, %rbx
+ and $0xf, %rbx
/*
* Align stack per x86_64 ABI. Note, %rsp needs to be 16-byte aligned
@@ -161,8 +162,8 @@ SYM_FUNC_START(__vdso_sgx_enter_enclave)
mov 0x20(%rbp), %rax
call .Lretpoline
- /* Restore %rsp to its post-exit value. */
- mov %rbx, %rsp
+ /* Undo the post-exit %rsp adjustment. */
+ lea 0x20(%rsp,%rbx), %rsp
Yep. Though it looks a bit uncommon, I do think it will work.
Heh, I had about the same level of confidence.

I'll put together a set of patches tomorrow and post them to linux-sgx (and
cc relevant parties). It'll be easier to continue the discussion with code
to look at and we can stop spamming LKML for a bit :-)

Xing, Cedric
2020-03-17 22:23:31 UTC
Permalink
Post by Nathaniel McCallum
Post by Xing, Cedric
Post by Sean Christopherson
Post by Xing, Cedric
Post by Sean Christopherson
Post by Jarkko Sakkinen
Post by Nathaniel McCallum
My suggestions explicitly maintained robustness, and in fact increased
it. If you think we've lost capability, please speak with specificity
1. call the vDSO from C
2. pass context to the handler
3. have additional stack manipulation options in the handler
The cost for this is a net 2 additional instructions. No existing
capability is lost.
My vague generality in this case is just that the whole design
approach so far has been to minimize the amount of wrapping to
EENTER.
Yes and no. If we wanted to minimize the amount of wrapping around the
vDSO's ENCLU then we wouldn't have the exit handler shenanigans in the
first place. The whole process has been about balancing the wants of each
use case against the overall quality of the API and code.
The design of this vDSO API was NOT to minimize wrapping, but to allow
maximal flexibility. More specifically, we strove not to restrict how info
was exchanged between the enclave and its host process. After all, calling
convention is compiler specific - i.e. the enclave could be built by a
different compiler (e.g. MSVC) that doesn't share the same list of CSRs as
the host process. Therefore, the API has been implemented to pass through
virtually all registers except those used by EENTER itself. Similarly, all
registers are passed back from enclave to the caller (or the exit handler)
except those used by EEXIT. %rbp is an exception because the vDSO API has to
anchor the stack, using either %rsp or %rbp. We picked %rbp to allow the
enclave to allocate space on the stack.
satisfy the above, correct? Ditto for saving/restoring %rbx.
I.e. a runtime that's designed to work with enclave's using a different
calling convention wouldn't be able to take advantage of being able to call
the vDSO from C, but neither would it take on any meaningful burden.
Not exactly.
If called directly from C code, the caller would expect CSRs to be
preserved.
Correct. This requires collaboration between the caller of the vDSO
and the enclave.
Post by Xing, Cedric
Then who should preserve CSRs?
The enclave.
Post by Xing, Cedric
It can't be the enclave
because it may not follow the same calling convention.
This is incorrect. You are presuming there is not tight integration
between the caller of the vDSO and the enclave. In my case, the
integration is total and complete. We have working code today that
does this.
Post by Xing, Cedric
Moreover, the
enclave may run into an exception, in which case it doesn't have the
ability to restore CSRs.
1. Write the handler in assembly and don't return to C on AEX.
2. The caller can simply preserve the registers. Nothing stops that.
We have implemented #1.
What if the enclave cannot proceed due to an unhandled exception so the
execution has to get back to the C caller of the vDSO API?

It seems to me the caller has to preserve CSRs by itself, otherwise it
cannot continue execution after any enclave exception. Passing @leaf in
%ecx will allow saving/restoring CSRs in C by setjmp()/longjmp(), with
the help of an exit handler. But if the C caller has already preserved
CSRs, why preserve CSRs again inside the enclave? It looks to me things
can be simplified only if the host process handles no enclave exceptions
(or exceptions inside the enclave will crash the calling thread). Thus
the only case of enclave EEXIT'ing back to its caller is considered
valid, hence the enclave will always be able to restore CSRs, so that
neither vDSO nor its caller has to preserve CSRs.

Is my understanding correct?
Nathaniel McCallum
2020-03-17 16:28:58 UTC
Permalink
On Mon, Mar 16, 2020 at 6:53 PM Sean Christopherson
Post by Sean Christopherson
Post by Jarkko Sakkinen
Post by Nathaniel McCallum
On Mon, Mar 16, 2020 at 9:56 AM Jarkko Sakkinen
Post by Jarkko Sakkinen
On Sat, Mar 14, 2020 at 9:25 PM Jarkko Sakkinen
Currently, the selftest has a wrapper around
__vdso_sgx_enter_enclave() which preserves all x86-64 ABI callee-saved
registers (CSRs), though it uses none of them. Then it calls this
function which uses %rbx but preserves none of the CSRs. Then it jumps
into an enclave which zeroes all these registers before returning.
1. wrapper saves all CSRs
2. wrapper repositions stack arguments
3. __vdso_sgx_enter_enclave() modifies, but does not save %rbx
4. selftest zeros all CSRs
5. wrapper loads all CSRs
I'd like to propose instead that the enclave be responsible for saving
1. __vdso_sgx_enter_enclave() saves %rbx
2. enclave saves CSRs
3. enclave loads CSRs
4. __vdso_sgx_enter_enclave() loads %rbx
I know that lots of other stuff happens during enclave transitions,
but at the very least we could reduce the number of instructions
through this critical path.
What Jethro said and also that it is a good general principle to cut
down the semantics of any vdso as minimal as possible.
I.e. even if saving RBX would make somehow sense it *can* be left
out without loss in terms of what can be done with the vDSO.
Please read the rest of the thread. Sean and I have hammered out some
sensible and effective changes.
Have skimmed through that discussion but it comes down how much you get
by obviously degrading some of the robustness. Complexity of the calling
pattern is not something that should be emphasized as that is something
that is anyway hidden inside the runtime.
My suggestions explicitly maintained robustness, and in fact increased
it. If you think we've lost capability, please speak with specificity
1. call the vDSO from C
2. pass context to the handler
3. have additional stack manipulation options in the handler
The cost for this is a net 2 additional instructions. No existing
capability is lost.
My vague generality in this case is just that the whole design
approach so far has been to minimize the amount of wrapping to
EENTER.
Yes and no. If we wanted to minimize the amount of wrapping around the
vDSO's ENCLU then we wouldn't have the exit handler shenanigans in the
first place. The whole process has been about balancing the wants of each
use case against the overall quality of the API and code.
Post by Jarkko Sakkinen
And since this has been kind of agreed by most of the
stakeholders doing something against the chosen strategy is
something I do hold some resistance.
Up until Nathaniel joined the party, the only stakeholder in terms of the
exit handler was the Intel SDK.
I would hope that having additional stakeholders would ease the path
to adoption.
Post by Sean Christopherson
There was a general consensus to pass
registers as-is when there isn't a strong reason to do otherwise. Note
that Nathaniel has also expressed approval of that approach.
I still approve that approach.
Post by Sean Christopherson
So I think the question that needs to be answered is whether the benefits
as-is" guideline. We've effectively already given this waiver for %rbx,
as the whole reason why the TCS is passed in on the stack instead of via
%rbx is so that it can be passed to the exit handler. E.g. the vDSO
could take the TCS in %rbx and save it on the stack, but we're throwing
the baby out with the bathwater at that point.
The major benefits being that the vDSO would be callable from C and that
the kernel could define a legitimate prototype instead of a frankenstein
prototype that's half assembly and half C. For me, those are significant
benefits and well worth the extra MOV, PUSH and POP. For some use cases
it would eliminate the need for an assembly wrapper. For runtimes that
need an assembly wrapper for whatever reason, it's probably still a win as
a well designed runtime can avoid register shuffling in the wrapper. And
if there is a runtime that isn't covered by the above, it's at worst an
extra MOV.
Nathaniel McCallum
2020-03-16 13:57:28 UTC
Permalink
Post by Jethro Beekman
On Sat, Mar 14, 2020 at 9:25 PM Jarkko Sakkinen
Currently, the selftest has a wrapper around
__vdso_sgx_enter_enclave() which preserves all x86-64 ABI callee-saved
registers (CSRs), though it uses none of them. Then it calls this
function which uses %rbx but preserves none of the CSRs. Then it jumps
into an enclave which zeroes all these registers before returning.
1. wrapper saves all CSRs
2. wrapper repositions stack arguments
3. __vdso_sgx_enter_enclave() modifies, but does not save %rbx
4. selftest zeros all CSRs
5. wrapper loads all CSRs
I'd like to propose instead that the enclave be responsible for saving
1. __vdso_sgx_enter_enclave() saves %rbx
2. enclave saves CSRs
3. enclave loads CSRs
4. __vdso_sgx_enter_enclave() loads %rbx
I know that lots of other stuff happens during enclave transitions,
but at the very least we could reduce the number of instructions
through this critical path.
What Jethro said and also that it is a good general principle to cut
down the semantics of any vdso as minimal as possible.
I.e. even if saving RBX would make somehow sense it *can* be left
out without loss in terms of what can be done with the vDSO.
Please read the rest of the thread. Sean and I have hammered out some
sensible and effective changes.
I'm not sure they're sensible? By departing from the ENCLU calling convention, both the VDSO
and the wrapper become more complicated.
For the vDSO, only marginally. I'm counting +4,-2 instructions in my
suggestions. For the wrapper, things become significantly simpler.
Post by Jethro Beekman
The wrapper because now it needs to implement all
kinds of logic for different behavior depending on whether the VDSO is or isn't available.
When isn't the vDSO available? Once the patches are merged it will
always be available. Then we also get to live with this interface
forever. I'd rather have a good, usable interface for the long term.
Post by Jethro Beekman
I agree with Jarkko that everything should be kept small and simple. Calling a couple extra instructions is going to have a negligible effect compared to the actual time EENTER/EEXIT take.
We all agree on small and simple. Nothing I've proposed fails either
of those criteria.
Post by Jethro Beekman
Can someone remind me why we're not passing TCS in RBX but on the stack?
If you do that, the vDSO will never be callable from C. And, as you've
stated above, calling a couple extra instructions is going to have a
negligible effect.
Jethro Beekman
2020-03-16 13:59:28 UTC
Permalink
Post by Nathaniel McCallum
Post by Jethro Beekman
On Sat, Mar 14, 2020 at 9:25 PM Jarkko Sakkinen
Currently, the selftest has a wrapper around
__vdso_sgx_enter_enclave() which preserves all x86-64 ABI callee-saved
registers (CSRs), though it uses none of them. Then it calls this
function which uses %rbx but preserves none of the CSRs. Then it jumps
into an enclave which zeroes all these registers before returning.
1. wrapper saves all CSRs
2. wrapper repositions stack arguments
3. __vdso_sgx_enter_enclave() modifies, but does not save %rbx
4. selftest zeros all CSRs
5. wrapper loads all CSRs
I'd like to propose instead that the enclave be responsible for saving
1. __vdso_sgx_enter_enclave() saves %rbx
2. enclave saves CSRs
3. enclave loads CSRs
4. __vdso_sgx_enter_enclave() loads %rbx
I know that lots of other stuff happens during enclave transitions,
but at the very least we could reduce the number of instructions
through this critical path.
What Jethro said and also that it is a good general principle to cut
down the semantics of any vdso as minimal as possible.
I.e. even if saving RBX would make somehow sense it *can* be left
out without loss in terms of what can be done with the vDSO.
Please read the rest of the thread. Sean and I have hammered out some
sensible and effective changes.
I'm not sure they're sensible? By departing from the ENCLU calling convention, both the VDSO
and the wrapper become more complicated.
For the vDSO, only marginally. I'm counting +4,-2 instructions in my
suggestions. For the wrapper, things become significantly simpler.
Post by Jethro Beekman
The wrapper because now it needs to implement all
kinds of logic for different behavior depending on whether the VDSO is or isn't available.
When isn't the vDSO available?
When you're not on Linux. Or when you're on an old kernel.

--
Jethro Beekman | Fortanix
Nathaniel McCallum
2020-03-16 14:03:31 UTC
Permalink
Post by Jethro Beekman
Post by Nathaniel McCallum
Post by Jethro Beekman
On Sat, Mar 14, 2020 at 9:25 PM Jarkko Sakkinen
Currently, the selftest has a wrapper around
__vdso_sgx_enter_enclave() which preserves all x86-64 ABI callee-saved
registers (CSRs), though it uses none of them. Then it calls this
function which uses %rbx but preserves none of the CSRs. Then it jumps
into an enclave which zeroes all these registers before returning.
1. wrapper saves all CSRs
2. wrapper repositions stack arguments
3. __vdso_sgx_enter_enclave() modifies, but does not save %rbx
4. selftest zeros all CSRs
5. wrapper loads all CSRs
I'd like to propose instead that the enclave be responsible for saving
1. __vdso_sgx_enter_enclave() saves %rbx
2. enclave saves CSRs
3. enclave loads CSRs
4. __vdso_sgx_enter_enclave() loads %rbx
I know that lots of other stuff happens during enclave transitions,
but at the very least we could reduce the number of instructions
through this critical path.
What Jethro said and also that it is a good general principle to cut
down the semantics of any vdso as minimal as possible.
I.e. even if saving RBX would make somehow sense it *can* be left
out without loss in terms of what can be done with the vDSO.
Please read the rest of the thread. Sean and I have hammered out some
sensible and effective changes.
I'm not sure they're sensible? By departing from the ENCLU calling convention, both the VDSO
and the wrapper become more complicated.
For the vDSO, only marginally. I'm counting +4,-2 instructions in my
suggestions. For the wrapper, things become significantly simpler.
Post by Jethro Beekman
The wrapper because now it needs to implement all
kinds of logic for different behavior depending on whether the VDSO is or isn't available.
When isn't the vDSO available?
When you're not on Linux. Or when you're on an old kernel.
I fail to see why the Linux kernel should degrade its new interfaces
for those use cases.
Sean Christopherson
2020-03-16 17:17:20 UTC
Permalink
Post by Jethro Beekman
Post by Nathaniel McCallum
Post by Jethro Beekman
On Sat, Mar 14, 2020 at 9:25 PM Jarkko Sakkinen
Currently, the selftest has a wrapper around
__vdso_sgx_enter_enclave() which preserves all x86-64 ABI callee-saved
registers (CSRs), though it uses none of them. Then it calls this
function which uses %rbx but preserves none of the CSRs. Then it jumps
into an enclave which zeroes all these registers before returning.
1. wrapper saves all CSRs
2. wrapper repositions stack arguments
3. __vdso_sgx_enter_enclave() modifies, but does not save %rbx
4. selftest zeros all CSRs
5. wrapper loads all CSRs
I'd like to propose instead that the enclave be responsible for saving
1. __vdso_sgx_enter_enclave() saves %rbx
2. enclave saves CSRs
3. enclave loads CSRs
4. __vdso_sgx_enter_enclave() loads %rbx
I know that lots of other stuff happens during enclave transitions,
but at the very least we could reduce the number of instructions
through this critical path.
What Jethro said and also that it is a good general principle to cut
down the semantics of any vdso as minimal as possible.
I.e. even if saving RBX would make somehow sense it *can* be left
out without loss in terms of what can be done with the vDSO.
Please read the rest of the thread. Sean and I have hammered out some
sensible and effective changes.
I'm not sure they're sensible? By departing from the ENCLU calling
convention, both the VDSO and the wrapper become more complicated.
For the vDSO, only marginally. I'm counting +4,-2 instructions in my
suggestions. For the wrapper, things become significantly simpler.
Post by Jethro Beekman
The wrapper because now it needs to implement all kinds of logic for
different behavior depending on whether the VDSO is or isn't available.
How so? The wrapper, if one is needed, will need to have dedicated logic
for the vDSO no matter what interface is defined by the vDSO. Taking the
leaf in %rcx instead of %rax would at worst add a single instruction. At
best, it would eliminate the wrapper entirely by making the vDSO callable
from C, e.g. for enclaves+runtimes that treat EENTER/ERESUME as glorified
function calls, i.e. more or less follow the x86-64 ABI.
Post by Jethro Beekman
Post by Nathaniel McCallum
When isn't the vDSO available?
When you're not on Linux. Or when you're on an old kernel.
I fail to see why the Linux kernel should degrade its new interfaces for
those use cases.
There are effectively four related, but independent, changes to consider:

1. Make the RSP fixup in the "return from handler" path relative instead
of absolute.

2. Preserve RBX in the vDSO.

3. Use %rcx instead of %rax to pass @leaf.

4. Allow the untrusted runtime to pass a parameter directly to its exit
handler.


For me, #1 is an easy "yes". It's arguably a bug fix, and the cost is one
uop.

My vote for #2 and #3 would also be a strong "yes". Although passing @leaf
in %rcx technically diverges from ENCLU, I actually think it will make it
easier to swap between the vDSO and a bare ENCLU. E.g. have the prototype
for the vDSO be the prototype for the assembly wrapper:

typedef void (*enter_enclave_fn)(unsigned long rdi, unsigned long rsi,
unsigned long rdx, unsigned int leaf,
unsigned long r8, unsigned long r9,
void *tcs,
struct sgx_enclave_exception *e,
sgx_enclave_exit_handler_t handler);

int run_enclave(...)
{
enter_enclave_fn enter_enclave;

if (vdso)
enter_enclave = vdso;
else
enter_enclave = my_wrapper;
return enter_enclave(...);
}


I don't have a strong opinion on #4. It seems superfluous, but if the
parameter is buried at the end of the prototype then it can be completely
ignored by runtimes that don't utilize a handler.
Jarkko Sakkinen
2020-03-16 21:27:03 UTC
Permalink
Post by Nathaniel McCallum
For the vDSO, only marginally. I'm counting +4,-2 instructions in my
suggestions. For the wrapper, things become significantly simpler.
Simpler is not a quality that has very high importance here except
when it comes to vDSO.

At least it is not enough to change to vDSO. What else?

Anyway, I think the documentation should fixed and streamlined 1st.

It is way too verbose prose in some places and in some it completely
lacks the information e.g.

"Debug Exceptions (#DB) and Breakpoints (#BP) are ever fixed up and are
always delivered via standard signals."

Never should state things like that without explaining the reasons.

On the other hand:

"Most exceptions reported on ENCLU, including those that occur within
the enclave, are fixed up and reported synchronously instead of being
delivered via a standard signal. Debug Exceptions (#DB) and Breakpoints
(#BP) are never fixed up and are always delivered via standard signals.
On synchrously reported exceptions, -EFAULT is returned and details
about the exception are recorded in @e, the optional
sgx_enclave_exception struct."

Duplicates information already elsewhere (e.g. return values) and is
just pain to read and comprehend in general.

/Jarkko
Jarkko Sakkinen
2020-03-16 21:29:51 UTC
Permalink
Post by Jarkko Sakkinen
Post by Nathaniel McCallum
For the vDSO, only marginally. I'm counting +4,-2 instructions in my
suggestions. For the wrapper, things become significantly simpler.
Simpler is not a quality that has very high importance here except
when it comes to vDSO.
At least it is not enough to change to vDSO. What else?
~~
the

In any case, where I stand is that the vDSO implementation itself is
exactly how it should be. The process to get it to this form was
tedious. Now we have a form that the known userbase can live with.

The documentation sucks, agreed. I think by fixing that this would
be a wholelot better.

/Jarkko
Sean Christopherson
2020-03-16 22:55:34 UTC
Permalink
Post by Jethro Beekman
Can someone remind me why we're not passing TCS in RBX but on the stack?
I finally remembered why. It's pulled off the stack and passed into the
exit handler. I'm pretty sure the vDSO could take it in %rbx and manually
save it on the stack, but I'd rather keep the current behavior so that the
vDSO is callable from C (assuming @leaf is changed to be passed via %rcx).
Xing, Cedric
2020-03-16 23:56:42 UTC
Permalink
Post by Sean Christopherson
Post by Jethro Beekman
Can someone remind me why we're not passing TCS in RBX but on the stack?
I finally remembered why. It's pulled off the stack and passed into the
exit handler. I'm pretty sure the vDSO could take it in %rbx and manually
save it on the stack, but I'd rather keep the current behavior so that the
The idea is that the caller of this vDSO API is C callable, hence it
cannot receive TCS in %rbx anyway. Then it has to either MOV to %rbx or
PUSH to stack. Either way the complexity is the same. The vDSO API
however has to always save it on stack for exit handler. So receiving it
via stack ends up in simplest code.
Dr. Greg
2020-03-17 01:07:18 UTC
Permalink
On Tue, Mar 10, 2020 at 02:29:41PM -0500, Haitao Huang wrote:

Good evening, I hope the week is going well for everyone.
Just as a clarification, are you testing the new driver against
signed production class enclaves in .so format that also include
metadata layout directives or is the driver just getting tested
against the two page toy enclave that copies a word of memory from
one memory location to another?
We (Intel SGX SDK/PSW team) tested this driver for enclaves in .so
format with metadata. Our 2.8 release supports v24 and 2.9 supports
v25+. Both production signed and debug signed enclaves worked.
*Note* we did make some code changes in our runtime for v24+, mainly
dealing with src & EPC page alignment for EADD, open one fd per
enclave, use -z noexecstack linker option, etc. You can see the
changes on GitHub.
Lots of knobs getting turned at the same time but we sorted out all
the issues and our runtime is now passing its regression tests with
the new driver, with an exception that we note below.

I suspect that we might have the only complete and architecturally
independent runtime implementation so if the new driver is working
against yours and ours it would seem to be a reasonable test spectrum
for the driver.
We see the same behavior from both our unit test enclaves and the
Quoting Enclave from the Intel SGX runtime.
We did not see any issue loading QE in our tests. Please directly
email me on this test if you have specific questions.
As it turns out the major problem we were running into with respect to
the QE test was the fact that generic use of atexit() handlers was
disabled by changes that went into the 2.8 SDK. Our runtime and SDK
assume that enclave atexit() handling works.

The enclave UNINIT ECALL is only allowed on runtimes that are
advertising EDMM support. That seems excessively restrictive since
atexit() handling is generically useful for enclaves that are not
using EDMM. Our runtime allows EDMM to be disabled and we have
enclaves that gate on that for security purposes.

On a quasi-related note, it appears that the 1.4 compatibility
metadata created by post 2.0 signing tools is leaking layout
descriptors that a version 1.4 runtime doesn't understand.

Do you want to exchange e-mail on this or should we direct
conversations about these issues with others on your SDK team.

Have a good remainder of the week.

Dr. Greg

As always,
Dr. Greg Wettstein, Ph.D, Worker SGX secured infrastructure and
Enjellic Systems Development, LLC autonomously self-defensive
4206 N. 19th Ave. platforms.
Fargo, ND 58102
PH: 701-281-1686 EMAIL: ***@enjellic.com
Jordan Hand
2020-03-17 16:00:15 UTC
Permalink
I tested with the Open Enclave SDK test suite (~200 test and sample
enclaves), no issues. Used Intel PSW version 2.8.

Tested-by: Jordan Hand <***@linux.microsoft.com>

Thanks,
Jordan
Intel(R) SGX is a set of CPU instructions that can be used by applications
to set aside private regions of code and data. The code outside the enclave
is disallowed to access the memory inside the enclave by the CPU access
control.
There is a new hardware unit in the processor called Memory Encryption
Engine (MEE) starting from the Skylake microacrhitecture. BIOS can define
one or many MEE regions that can hold enclave data by configuring them with
PRMRR registers.
The MEE automatically encrypts the data leaving the processor package to
the MEE regions. The data is encrypted using a random key whose life-time
is exactly one power cycle.
The current implementation requires that the firmware sets
IA32_SGXLEPUBKEYHASH* MSRs as writable so that ultimately the kernel can
decide what enclaves it wants run. The implementation does not create
any bottlenecks to support read-only MSRs later on.
cat /proc/cpuinfo | grep sgx
* Documented to Documentation/x86/sgx.rst how the kernel manages the
enclave ownership.
* Removed non-LC flow from sgx_einit().
* Removed struct sgx_einittoken since only the size of the corresponding
microarchitectural structure is used in the series ATM.
* Disallow RIE processes to use enclaves as there could a permission
conflict between VMA and enclave permissions.
* In the documentation, replace "grep /proc/cpuinfo" with
"grep sgx /proc/cpuinfo".
* Fixed the commit author in "x86/sgx: Linux Enclave Driver", which was
changed in v25 by mistake.
* Addressed a bunch of grammar mistakes in sgx.rst (thanks Randy once
again for such a detailed feedback).
* Added back the MAINTAINERS update commit, which was mistakenly removed
in v25.
* EREMOVE's for SECS cannot be done while sanitizing an EPC section. The
CPU does not allow to remove a SECS page before all of its children have
been removed, and a child page can be in some other section than the one
currently being processed. Thus, removed special SECS processing from
sgx_sanitize_page() and instead put sections through it twice. In the
2nd round the lists should only contain SECS pages.
* Fix a double-free issue when SGX_IOC_ENCLAVE_ADD_PAGES
fails on executing ENCLS[EADD]. The rollback path executed
radix_tree_delete() on the same address twice when this happened.
* Return -EINTR instead of -ERESTARTSYS in SGX_IOC_ENCLAVE_ADD_PAGES when
a signal is pending.
* As requested by Borislav, move the CPUID 0x12 features to their own word
in cpufeatures.
* Sean fixed a bug from sgx_reclaimer_write() where sgx_encl_put_backing()
was called with an uninitialized pointer when sgx_encl_get_backing()
fails.
* Migrated /dev/sgx/* to misc. This is future-proof as struct miscdevice
has 'groups' for setting up sysfs attributes for the device.
* Use device_initcall instead of subsys_initcall so that misc_class is
initialized before SGX is initialized.
* Return -EACCES in SGX_IOC_ENCLAVE_INIT when caller tries to select
enclave attributes that we the kernel does not allow it to set instead
of -EINVAL.
* Unless SGX public key MSRs are writable always deny the feature from
Linux. Previously this was only denied from driver. How VMs should be
supported is not really part of initial patch set, which makes this
an obvious choice.
* Cleaned up and refined documentation to be more approachable.
* Reclaim unmeasured and TCS pages (regression in v23).
* Replace usages of GFP_HIGHUSER with GFP_KERNEL.
* Return -EIO on when EADD or EEXTEND fails in %SGX_IOC_ENCLAVE_ADD_PAGES
and use the same rollback (destroy enclave). This can happen when host
suspends itself unknowingly to a VM running enclaves. From -EIO the user
space can deduce what happened.
of bytes processed instead of overwriting the input parameters for
clarity and more importantly that the API provides means for partial
with %SGX_PAGE_MEASURE flag.
* Return -EIO instead of -ECANCELED when ptrace() fails to read a TCS page.
* In the reclaimer, pin page before ENCLS[EBLOCK] because pinning can fail
(because of OOM) even in legit behaviour and after EBLOCK the reclaiming
flow can be only reverted by killing the whole enclave.
* Fixed SGX_ATTR_RESERVED_MASK. Bit 7 was marked as reserved while in fact
it should have been bit 6 (Table 37-3 in the SDM).
* Return -EPERM from SGX_IOC_ENCLAVE_INIT when ENCLS[EINIT] returns an SGX
error code.
* Refined bunch commit messages and added associated SDM references as
many of them were too exhausting and some outdated.
* Alignment checks have been removed from mmap() because it does not define the
ELRANGE. VMAs only act as windows to the enclave. The semantics compare
somewhat how mmap() works with regular files.
* We now require user space addresses given to SGX_IOC_ENCLAVE_ADD_PAGE to be
page aligned so that we can pass the page directly to EADD and do not have
to do an extra copy. This was made effectively possible by removing the
worker thread for adding pages.
* The selftest build files have been refined throughout of various glitches
and work properly in a cross compilation environment such as BuildRoot.
In addition, libcalls fail the build with an assertion in the linker
script, if they end up to the enclave binary.
* CONFIG_INTEL_SGX_DRIVER has been removed because you cannot use SGX core
for anything without having the driver. This could change when KVM support
is added.
* We require zero permissions in SECINFO for TCS pages because the CPU
overwrites SECINFO flags with zero permissions and measures the page
only after that. Allowing to pass TCS with non-zero permissions would
cause mismatching measurement between the one provided in SIGSTRUCT and
the one computed by the CPU.
* Obviously lots of small fixes and clean ups (does make sense to
document them all).
* Check on mmap() that the VMA does cover an area that does not have
enclave pages. Only mapping with PROT_NONE can do that to reserve
initial address space for an enclave.
* Check om mmap() and mprotect() that the VMA permissions do not
surpass the enclave permissions.
* Remove two refcounts from vma_close(): mm_list and encl->refcount.
Enclave refcount is only need for swapper/enclave sync and we can
remove mm_list refcount by destroying mm_struct when the process
is closed. By not having vm_close() the Linux MM can merge VMAs.
* Do not naturally align MAP_FIXED address.
* Numerous small fixes and clean ups.
* Use SRCU for synchronizing the list of mm_struct's.
* Move to stack based call convention in the vDSO.
* Fine-tune Kconfig messages and spacing and remove MMU_NOTIFIER
dependency as MMU notifiers are no longer used in the driver.
* Use mm_users instead of mm_count as refcount for mm_struct as mm_count
only protects from deleting mm_struct, not removing its contents.
* Sanitize EPC when the reclaimer thread starts by doing EREMOVE for all
of them. They could be in initialized state when the kernel starts
because it might be spawned by kexec().
* Documentation overhaul.
* Use a device /dev/sgx/provision for delivering the provision token
instead of securityfs.
* Create a reference to the enclave when already when opening
/dev/sgx/enclave. The file is then associated with this enclave only.
mmap() can be done at free at any point and always get a reference to
the enclave. To summarize the file now represents the enclave.
* Took 3-4 months but in some sense this was more like a rewrite of most
of the corners of the source code. If I've forgotten to deal with some
feedback, please don't shout me. Make a remark and I will fix it for
the next version. Hopefully there won't be this big turnovers anymore.
* Validate SECS attributes properly against CPUID given attributes and
against allowed attributes. SECS attributes are the ones that are
enforced whereas SIGSTRUCT attributes tell what is required to run
the enclave.
* Add KSS (Key Sharing Support) to the enclave attributes.
* Deny MAP_PRIVATE as an enclave is always a shared memory entity.
* Revert back to shmem backing storage so that it can be easily shared
by multiple processes.
* Split the recognization of an ENCLS leaf failure by using three
functions to detect it: encsl_faulted(), encls_returned_code() and
sgx_failed(). encls_failed() is only caused by a spurious expections that
should never happen. Thus, it is not defined as an inline function in
order to easily insert a kprobe to it.
* Move low-level enclave management routines, page fault handler and page
reclaiming routines from driver to the core. These cannot be separated
from each other as they are heavily interdependent. The rationale is that
the core does not call any code from the driver.
* Allow the driver to be compiled as a module now that it no code is using
its routines and it only uses exported symbols. Now the driver is
essentially just a thin ioctl layer.
* Reworked the driver to maintain a list of mm_struct's. The VMA callbacks
add new entries to this list as the process is forked. Each entry has
its own refcount because they have a different life-cycle as the enclave
and we allow forking by removing VM_DONTCOPY from vm flags.
* Generate a cpu mask in the reclaimer from the cpu mask's of all
mm_struct's. This will kick out the hardware threads out of the enclave
from multiple processes. It is not a local variable because it would
eat too much of the stack space but instead a field in struct
sgx_encl.
* Allow forking i.e. remove VM_DONTCOPY. I did not change the API
because the old API scaled to the workload that Andy described. The
codebase is now mostly API independent i.e. changing the API is a
small task. For me the proper trigger to chanage it is a as concrete
as possible workload that cannot be fulfilled. I hope you understand
my thinking here. I don't want to change anything w/o proper basis
but I'm ready to change anything if there is a proper basis. I do
not have any kind of attachment to any particular type of API.
* Add Sean's vDSO ENCLS(EENTER) patches and update selftest to use the
new vDSO.
* Update the ioctl-number.txt.
* Move the driver under arch/x86.
* Add SGX features (SGX, SGX1, SGX2) to the disabled-features.h.
* Rename the selftest as test_sgx (previously sgx-selftest).
* In order to enable process accounting, swap EPC pages and PCMD's to a VMA
instead of shmem.
* Allow only to initialize and run enclaves with a subset of
{DEBUG, MODE64BIT} set.
* Add SGX_IOC_ENCLAVE_SET_ATTRIBUTE to allow an enclave to have privileged
attributes e.g. PROVISIONKEY.
* Add a simple selftest.
* Fix a null pointer dereference to section->pages when its
allocation fails.
* Add Sean's description of the exception handling to the documentation.
* Fixed SOB's in the commits that were a bit corrupted in v15.
* Implemented exceptio handling properly to detect_sgx().
* Use GENMASK() to define SGX_CPUID_SUB_LEAF_TYPE_MASK.
* Updated the documentation to use rst definition lists.
* Added the missing Documentation/x86/index.rst, which has a link to
intel_sgx.rst. Now the SGX and uapi documentation is properly generated
with 'make htmldocs'.
* While enumerating EPC sections, if an undefined section is found, fail
the driver initialization instead of continuing the initialization.
* Issue a warning if there are more than %SGX_MAX_EPC_SECTIONS.
* Remove copyright notice from arch/x86/include/asm/sgx.h.
* Migrated from ioremap_cache() to memremap().
* Split into more digestable size patches.
* Lots of small fixes and clean ups.
* Signal a "plain" SIGSEGV on an EPCM violation.
* Change the comment about X86_FEATURE_SGX_LC from “SGX launch
configuration” to “SGX launch control”.
* Move the SGX-related CPU feature flags as part of the Linux defined
virtual leaf 8.
* Add SGX_ prefix to the constants defining the ENCLS leaf functions.
* Use GENMASK*() and BIT*() in sgx_arch.h instead of raw hex numbers.
* Refine the long description for CONFIG_INTEL_SGX_CORE.
* Do not use pr_*_ratelimited() in the driver. The use of the rate limited
versions is legacy cruft from the prototyping phase.
* Detect sleep with SGX_INVALID_EINIT_TOKEN instead of counting power
cycles.
* Manually prefix with “sgx:” in the core SGX code instead of redefining
pr_fmt.
* Report if IA32_SGXLEPUBKEYHASHx MSRs are not writable in the driver
instead of core because it is a driver requirement.
* Change prompt to bool in the entry for CONFIG_INTEL_SGX_CORE because the
default is ‘n’.
* Rename struct sgx_epc_bank as struct sgx_epc_section in order to match
the SDM.
* Allocate struct sgx_epc_page instances one at a time.
* Use “__iomem void *” pointers for the mapped EPC memory consistently.
* Retry once on SGX_INVALID_TOKEN in sgx_einit() instead of counting power
cycles.
* Call enclave swapping operations directly from the driver instead of
calling them .indirectly through struct sgx_epc_page_ops because indirect
calls are not required yet as the patch set does not contain the KVM
support.
* Added special signal SEGV_SGXERR to notify about SGX EPCM violation
errors.
* Always use SGX_CPUID constant instead of a hardcoded value.
* Simplified and documented the macros and functions for ENCLS leaves.
* Enable sgx_free_page() to free active enclave pages on demand
in order to allow sgx_invalidate() to delete enclave pages.
It no longer performs EREMOVE if a page is in the process of
being reclaimed.
* Use PM notifier per enclave so that we don't have to traverse
the global list of active EPC pages to find enclaves.
* Removed unused SGX_LE_ROLLBACK constant from uapi/asm/sgx.h
* Always use ioremap() to map EPC banks as we only support 64-bit kernel.
* Invalidate IA32_SGXLEPUBKEYHASH cache used by sgx_einit() when going
to sleep.
* Split to more narrow scoped commits in order to ease the review process and
use co-developed-by tag for co-authors of commits instead of listing them in
the source files.
* Removed cruft EXPORT_SYMBOL() declarations and converted to static variables.
* Removed in-kernel LE i.e. this version of the SGX software stack only
supports unlocked IA32_SGXLEPUBKEYHASHx MSRs.
* Refined documentation on launching enclaves, swapping and enclave
construction.
* Refined sgx_arch.h to include alignment information for every struct that
requires it and removed structs that are not needed without an LE.
* Got rid of SGX_CPUID.
* SGX detection now prints log messages about firmware configuration issues.
* Polished ENCLS wrappers with refined exception handling.
* ksgxswapd was not stopped (regression in v5) in
sgx_page_cache_teardown(), which causes a leaked kthread after driver
deinitialization.
* Shutdown sgx_le_proxy when going to suspend because its EPC pages will be
invalidated when resuming, which will cause it not function properly
anymore.
* Set EINITTOKEN.VALID to zero for a token that is passed when
SGXLEPUBKEYHASH matches MRSIGNER as alloc_page() does not give a zero
page.
* Fixed the check in sgx_edbgrd() for a TCS page. Allowed to read offsets
around the flags field, which causes a #GP. Only flags read is readable.
* On read access memcpy() call inside sgx_vma_access() had src and dest
parameters in wrong order.
* The build issue with CONFIG_KASAN is now fixed. Added undefined symbols
to LE even if “KASAN_SANITIZE := false” was set in the makefile.
* Fixed a regression in the #PF handler. If a page has
SGX_ENCL_PAGE_RESERVED flag the #PF handler should unconditionally fail.
It did not, which caused weird races when trying to change other parts of
swapping code.
* EPC management has been refactored to a flat LRU cache and moved to
arch/x86. The swapper thread reads a cluster of EPC pages and swaps all
of them. It can now swap from multiple enclaves in the same round.
* For the sake of consistency with SGX_IOC_ENCLAVE_ADD_PAGE, return -EINVAL
when an enclave is already initialized or dead instead of zero.
* Cleaned up anon inode based IPC between the ring-0 and ring-3 parts
of the driver.
* Unset the reserved flag from an enclave page if EDBGRD/WR fails
(regression in v6).
* Close the anon inode when LE is stopped (regression in v9).
* Update the documentation with a more detailed description of SGX.
* Replaced kernel-LE IPC based on pipes with an anonymous inode.
The driver does not require anymore new exports.
* Check that public key MSRs match the LE public key hash in the
driver initialization when the MSRs are read-only.
* Fix the race in VA slot allocation by checking the fullness
immediately after succeesful allocation.
* Fix the race in hash mrsigner calculation between the launch
enclave and user enclaves by having a separate lock for hash
calculation.
* Fixed offset calculation in sgx_edbgr/wr(). Address was masked with PAGE_MASK
when it should have been masked with ~PAGE_MASK.
* Fixed a memory leak in sgx_ioc_enclave_create().
* Simplified swapping code by using a pointer array for a cluster
instead of a linked list.
* Squeezed struct sgx_encl_page to 32 bytes.
* Fixed deferencing of an RSA key on OpenSSL 1.1.0.
* Modified TC's CMAC to use kernel AES-NI. Restructured the code
a bit in order to better align with kernel conventions.
* Fixed semaphore underrun when accessing /dev/sgx from the launch enclave.
* In sgx_encl_create() s/IS_ERR(secs)/IS_ERR(encl)/.
* Removed virtualization chapter from the documentation.
* Changed the default filename for the signing key as signing_key.pem.
* Reworked EPC management in a way that instead of a linked list of
struct sgx_epc_page instances there is an array of integers that
encodes address and bank of an EPC page (the same data as 'pa' field
earlier). The locking has been moved to the EPC bank level instead
of a global lock.
* Relaxed locking requirements for EPC management. EPC pages can be
released back to the EPC bank concurrently.
* Cleaned up ptrace() code.
* Refined commit messages for new architectural constants.
* Sorted includes in every source file.
* Sorted local variable declarations according to the line length in
every function.
* Style fixes based on Darren's comments to sgx_le.c.
* Described IPC between the Launch Enclave and kernel in the commit messages.
* Fixed all relevant checkpatch.pl issues that I have forgot fix in earlier
versions except those that exist in the imported TinyCrypt code.
* Fixed spelling mistakes in the documentation.
* Forgot to check the return value of sgx_drv_subsys_init().
* Encapsulated properly page cache init and teardown.
* Collect epc pages to a temp list in sgx_add_epc_bank
* Removed SGX_ENCLAVE_INIT_ARCH constant.
* Tied life-cycle of the sgx_le_proxy process to /dev/sgx.
* Removed __exit annotation from sgx_drv_subsys_exit().
* Fixed a leak of a backing page in sgx_process_add_page_req() in the
case when vm_insert_pfn() fails.
* Removed unused symbol exports for sgx_page_cache.c.
* Updated sgx_alloc_page() to require encl parameter and documented the
behavior (Sean Christopherson).
* Refactored a more lean API for sgx_encl_find() and documented the behavior.
* Moved #PF handler to sgx_fault.c.
* Replaced subsys_system_register() with plain bus_register().
* Retry EINIT 2nd time only if MSRs are not locked.
* Check that FEATURE_CONTROL_LOCKED and FEATURE_CONTROL_SGX_ENABLE are set.
* Return -ERESTARTSYS in __sgx_encl_add_page() when sgx_alloc_page() fails.
* Use unused bits in epc_page->pa to store the bank number.
* Removed #ifdef for WQ_NONREENTRANT.
* If mmu_notifier_register() fails with -EINTR, return -ERESTARTSYS.
* Added --remove-section=.got.plt to objcopy flags in order to prevent a
dummy .got.plt, which will cause an inconsistent size for the LE.
* Documented sgx_encl_* functions.
* Added remark about AES implementation used inside the LE.
* Removed redundant sgx_sys_exit() from le/main.c.
* Fixed struct sgx_secinfo alignment from 128 to 64 bytes.
* Validate miscselect in sgx_encl_create().
* Fixed SSA frame size calculation to take the misc region into account.
* Implemented consistent exception handling to __encls() and __encls_ret().
* Implemented a proper device model in order to allow sysfs attributes
and in-kernel API.
* Cleaned up various "find enclave" implementations to the unified
sgx_encl_find().
* Validate that vm_pgoff is zero.
* Discard backing pages with shmem_truncate_range() after EADD.
* Added missing EEXTEND operations to LE signing and launch.
* Fixed SSA size for GPRS region from 168 to 184 bytes.
* Fixed the checks for TCS flags. Now DBGOPTIN is allowed.
* Check that TCS addresses are in ELRANGE and not just page aligned.
* Require kernel to be compiled with X64_64 and CPU_SUP_INTEL.
* Fixed an incorrect value for SGX_ATTR_DEBUG from 0x01 to 0x02.
* get_rand_uint32() changed the value of the pointer instead of value
where it is pointing at.
* Launch enclave incorrectly used sigstruct attributes-field instead of
enclave attributes-field.
* Removed unused struct sgx_add_page_req from sgx_ioctl.c
* Removed unused sgx_has_sgx2.
* Updated arch/x86/include/asm/sgx.h so that it provides stub
implementations when sgx in not enabled.
* Removed cruft rdmsr-calls from sgx_set_pubkeyhash_msrs().
* return -ENOMEM in sgx_alloc_page() when VA pages consume too much space
* removed unused global sgx_nr_pids
* moved sgx_encl_release to sgx_encl.c
* return -ERESTARTSYS instead of -EINTR in sgx_encl_init()
x86/sgx: Update MAINTAINERS
x86/sgx: Add SGX microarchitectural data structures
x86/sgx: Add wrappers for ENCLS leaf functions
x86/sgx: Add functions to allocate and free EPC pages
x86/sgx: Linux Enclave Driver
docs: x86/sgx: Document SGX micro architecture and kernel internals
selftests/x86: Recurse into subdirectories
selftests/x86: Add a selftest for SGX
x86/sgx: Add provisioning
x86/sgx: Add a page reclaimer
x86/sgx: ptrace() support for the SGX driver
selftests/x86: Add vDSO selftest for SGX
x86/cpufeatures: x86/msr: Add Intel SGX hardware bits
x86/cpufeatures: x86/msr: Intel SGX Launch Control hardware bits
x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX
x86/cpu/intel: Detect SGX supprt
x86/sgx: Enumerate and track EPC sections
mm: Introduce vm_ops->may_mprotect()
x86/vdso: Add support for exception fixup in vDSO functions
x86/fault: Add helper function to sanitize error code
x86/traps: Attempt to fixup exceptions in vDSO before signaling
x86/vdso: Implement a vDSO for Intel SGX enclave call
.../userspace-api/ioctl/ioctl-number.rst | 1 +
Documentation/x86/index.rst | 1 +
Documentation/x86/sgx.rst | 192 +++++
MAINTAINERS | 11 +
arch/x86/Kconfig | 14 +
arch/x86/entry/vdso/Makefile | 8 +-
arch/x86/entry/vdso/extable.c | 46 +
arch/x86/entry/vdso/extable.h | 29 +
arch/x86/entry/vdso/vdso-layout.lds.S | 9 +-
arch/x86/entry/vdso/vdso.lds.S | 1 +
arch/x86/entry/vdso/vdso2c.h | 58 +-
arch/x86/entry/vdso/vsgx_enter_enclave.S | 187 ++++
arch/x86/include/asm/cpufeature.h | 5 +-
arch/x86/include/asm/cpufeatures.h | 8 +-
arch/x86/include/asm/disabled-features.h | 18 +-
arch/x86/include/asm/msr-index.h | 8 +
arch/x86/include/asm/required-features.h | 2 +-
arch/x86/include/asm/traps.h | 1 +
arch/x86/include/asm/vdso.h | 5 +
arch/x86/include/uapi/asm/sgx.h | 114 +++
arch/x86/kernel/cpu/Makefile | 1 +
arch/x86/kernel/cpu/common.c | 4 +
arch/x86/kernel/cpu/feat_ctl.c | 29 +-
arch/x86/kernel/cpu/sgx/Makefile | 6 +
arch/x86/kernel/cpu/sgx/arch.h | 343 ++++++++
arch/x86/kernel/cpu/sgx/driver.c | 209 +++++
arch/x86/kernel/cpu/sgx/driver.h | 32 +
arch/x86/kernel/cpu/sgx/encl.c | 757 ++++++++++++++++
arch/x86/kernel/cpu/sgx/encl.h | 127 +++
arch/x86/kernel/cpu/sgx/encls.h | 238 ++++++
arch/x86/kernel/cpu/sgx/ioctl.c | 805 ++++++++++++++++++
arch/x86/kernel/cpu/sgx/main.c | 280 ++++++
arch/x86/kernel/cpu/sgx/reclaim.c | 458 ++++++++++
arch/x86/kernel/cpu/sgx/sgx.h | 108 +++
arch/x86/kernel/traps.c | 14 +
arch/x86/mm/fault.c | 45 +-
include/linux/mm.h | 2 +
mm/mprotect.c | 14 +-
tools/arch/x86/include/asm/cpufeatures.h | 7 +-
tools/testing/selftests/x86/Makefile | 44 +
tools/testing/selftests/x86/sgx/.gitignore | 3 +
tools/testing/selftests/x86/sgx/Makefile | 48 ++
tools/testing/selftests/x86/sgx/defines.h | 17 +
tools/testing/selftests/x86/sgx/encl.c | 20 +
tools/testing/selftests/x86/sgx/encl.lds | 34 +
.../selftests/x86/sgx/encl_bootstrap.S | 94 ++
tools/testing/selftests/x86/sgx/main.c | 379 +++++++++
tools/testing/selftests/x86/sgx/sgx_call.S | 66 ++
tools/testing/selftests/x86/sgx/sgx_call.h | 14 +
tools/testing/selftests/x86/sgx/sgxsign.c | 493 +++++++++++
.../testing/selftests/x86/sgx/signing_key.pem | 39 +
51 files changed, 5417 insertions(+), 31 deletions(-)
create mode 100644 Documentation/x86/sgx.rst
create mode 100644 arch/x86/entry/vdso/extable.c
create mode 100644 arch/x86/entry/vdso/extable.h
create mode 100644 arch/x86/entry/vdso/vsgx_enter_enclave.S
create mode 100644 arch/x86/include/uapi/asm/sgx.h
create mode 100644 arch/x86/kernel/cpu/sgx/Makefile
create mode 100644 arch/x86/kernel/cpu/sgx/arch.h
create mode 100644 arch/x86/kernel/cpu/sgx/driver.c
create mode 100644 arch/x86/kernel/cpu/sgx/driver.h
create mode 100644 arch/x86/kernel/cpu/sgx/encl.c
create mode 100644 arch/x86/kernel/cpu/sgx/encl.h
create mode 100644 arch/x86/kernel/cpu/sgx/encls.h
create mode 100644 arch/x86/kernel/cpu/sgx/ioctl.c
create mode 100644 arch/x86/kernel/cpu/sgx/main.c
create mode 100644 arch/x86/kernel/cpu/sgx/reclaim.c
create mode 100644 arch/x86/kernel/cpu/sgx/sgx.h
create mode 100644 tools/testing/selftests/x86/sgx/.gitignore
create mode 100644 tools/testing/selftests/x86/sgx/Makefile
create mode 100644 tools/testing/selftests/x86/sgx/defines.h
create mode 100644 tools/testing/selftests/x86/sgx/encl.c
create mode 100644 tools/testing/selftests/x86/sgx/encl.lds
create mode 100644 tools/testing/selftests/x86/sgx/encl_bootstrap.S
create mode 100644 tools/testing/selftests/x86/sgx/main.c
create mode 100644 tools/testing/selftests/x86/sgx/sgx_call.S
create mode 100644 tools/testing/selftests/x86/sgx/sgx_call.h
create mode 100644 tools/testing/selftests/x86/sgx/sgxsign.c
create mode 100644 tools/testing/selftests/x86/sgx/signing_key.pem
Loading...