[intel-sgx-kernel-dev,v4,3/8] intel_sgx: fix error resolution in SGX_IOC_ENCLAVE_INIT

Message ID 20161201205632.8593-4-jarkko.sakkinen@linux.intel.com (mailing list archive)
State New, archived

Commit Message

Jarkko Sakkinen Dec. 1, 2016, 8:56 p.m. UTC
From: Sean Christopherson <sean.j.christopherson@intel.com>

The ioctl now always returns -EBUSY when something fails. This is not a
good idea because it advises the user space always to retry.

This commit changes the error resolution in a way that the default error
code is instead -EFAULT. Only in the case of SGX_UNMASKED_EVENT (after
several retries of EINIT) we will return -EBUSY. We also change the
ioctl to return -EPERM when the sigstruct is not properly authenticated.

[jarkko.sakkinen@linux.intel.com: updated patch to return EPERM and
 rewrote the commit message to properly explain the problem statement
 and the solution.]

Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 drivers/platform/x86/intel_sgx_ioctl.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

Comments

Jarkko Sakkinen Dec. 2, 2016, 10:28 a.m. UTC | #1
On Thu, Dec 01, 2016 at 10:56:27PM +0200, Jarkko Sakkinen wrote:
> From: Sean Christopherson <sean.j.christopherson@intel.com>
> 
> The ioctl now always returns -EBUSY when something fails. This is not a
> good idea because it advises the user space always to retry.
> 
> This commit changes the error resolution in a way that the default error
> code is instead -EFAULT. Only in the case of SGX_UNMASKED_EVENT (after
> several retries of EINIT) we will return -EBUSY. We also change the
> ioctl to return -EPERM when the sigstruct is not properly authenticated.
> 
> [jarkko.sakkinen@linux.intel.com: updated patch to return EPERM and
>  rewrote the commit message to properly explain the problem statement
>  and the solution.]
> 
> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

/Jarkko
Jarkko Sakkinen Dec. 2, 2016, 10:45 a.m. UTC | #2
On Fri, Dec 02, 2016 at 12:28:57PM +0200, Jarkko Sakkinen wrote:
> On Thu, Dec 01, 2016 at 10:56:27PM +0200, Jarkko Sakkinen wrote:
> > From: Sean Christopherson <sean.j.christopherson@intel.com>
> > 
> > The ioctl now always returns -EBUSY when something fails. This is not a
> > good idea because it advises the user space always to retry.
> > 
> > This commit changes the error resolution in a way that the default error
> > code is instead -EFAULT. Only in the case of SGX_UNMASKED_EVENT (after
> > several retries of EINIT) we will return -EBUSY. We also change the
> > ioctl to return -EPERM when the sigstruct is not properly authenticated.
> > 
> > [jarkko.sakkinen@linux.intel.com: updated patch to return EPERM and
> >  rewrote the commit message to properly explain the problem statement
> >  and the solution.]
> > 
> > Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> 
> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

The patches where I'm the author are still lacking test and review.
As soon as they get tested we can apply all these patches to the
code base.

/Jarkko
Patch

diff --git a/drivers/platform/x86/intel_sgx_ioctl.c b/drivers/platform/x86/intel_sgx_ioctl.c
index db17b9f..b377200 100644
--- a/drivers/platform/x86/intel_sgx_ioctl.c
+++ b/drivers/platform/x86/intel_sgx_ioctl.c
@@ -824,7 +824,22 @@  static int __sgx_encl_init(struct sgx_encl *encl, char *sigstruct,
 out:
 	if (ret) {
 		sgx_dbg(encl, "EINIT returned %d\n", ret);
-		ret = -EBUSY;
+		switch (ret) {
+		case SGX_UNMASKED_EVENT:
+			ret = -EBUSY;
+			break;
+		case SGX_INVALID_SIG_STRUCT:
+		case SGX_INVALID_ATTRIBUTE:
+		case SGX_INVALID_MEASUREMENT:
+		case SGX_INVALID_SIGNATURE:
+		case SGX_INVALID_LICENSE:
+		case SGX_INVALID_CPUSVN:
+			ret = -EPERM;
+			break;
+		default:
+			ret = -EFAULT;
+			break;
+		}
 	} else {
 		encl->flags |= SGX_ENCL_INITIALIZED;
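
Review bot: The `default:` branch of the new switch rewrites every other nonzero `ret` to -EFAULT, so if any path reaches `out:` with a negative errno already in `ret`, that value is lost and reported as -EFAULT, which user space normally reads as a bad pointer argument. Consider translating only positive (EINIT status) values and passing negative ones through unchanged, for example by guarding the switch with `if (ret > 0)`. A short comment above the switch would also help: the commit message describes -EPERM as the result of a sigstruct that is not properly authenticated, while the -EPERM group also covers `SGX_INVALID_ATTRIBUTE`, `SGX_INVALID_LICENSE` and `SGX_INVALID_CPUSVN`, and after this mapping the only place the original EINIT code survives is the `sgx_dbg()` line.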