Message ID | 20181102231320.29164-24-jarkko.sakkinen@linux.intel.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Intel SGX1 | expand |
On Sat, Nov 03, 2018 at 01:11:22AM +0200, Jarkko Sakkinen wrote: > Documentation of the features of the Software Guard eXtensions used > by the Linux kernel and basic design choices for the core and driver > and functionality. > > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > --- > Documentation/index.rst | 1 + > Documentation/x86/intel_sgx.rst | 185 ++++++++++++++++++++++++++++++++ > 2 files changed, 186 insertions(+) > create mode 100644 Documentation/x86/intel_sgx.rst > > diff --git a/Documentation/index.rst b/Documentation/index.rst > index 5db7e87c7cb1..1cdc139adb40 100644 > --- a/Documentation/index.rst > +++ b/Documentation/index.rst > @@ -104,6 +104,7 @@ implementation. > :maxdepth: 2 > > sh/index > + x86/index It seems there is no Documentation/x86/index.rst, probably you'd want to create one and link intel_sgx.rst there > > Filesystem Documentation > ------------------------ > diff --git a/Documentation/x86/intel_sgx.rst b/Documentation/x86/intel_sgx.rst > new file mode 100644 > index 000000000000..f6b7979c41f2 > --- /dev/null > +++ b/Documentation/x86/intel_sgx.rst > @@ -0,0 +1,185 @@ > +=================== > +Intel(R) SGX driver > +=================== > + > +Introduction > +============ > + > +Intel(R) SGX is a set of CPU instructions that can be used by applications to > +set aside private regions of code and data. The code outside the enclave is > +disallowed to access the memory inside the enclave by the CPU access control. > +In a way you can think that SGX provides inverted sandbox. It protects the > +application from a malicious host. > + > +You can tell if your CPU supports SGX by looking into ``/proc/cpuinfo``: > + > + ``cat /proc/cpuinfo | grep sgx`` > + > +Overview of SGX > +=============== > + > +SGX has a set of data structures to maintain information about the enclaves and > +their security properties. BIOS reserves a fixed size region of physical memory > +for these structures by setting Processor Reserved Memory Range Registers > +(PRMRR). > + > +This memory range is protected from outside access by the CPU and all the data > +coming in and out of the CPU package is encrypted by a key that is generated for > +each boot cycle. > + > +Enclaves execute in ring-3 in a special enclave submode using pages from the > +reserved memory range. A fixed logical address range for the enclave is reserved > +by ENCLS(ECREATE), a leaf instruction used to create enclaves. It is referred in > +the documentation commonly as the ELRANGE. > + > +Every memory access to the ELRANGE is asserted by the CPU. If the CPU is not > +executing in the enclave mode inside the enclave, #GP is raised. On the other > +hand enclave code can make memory accesses both inside and outside of the comma ^ > +ELRANGE. > + > +Enclave can only execute code inside the ELRANGE. Instructions that may cause > +VMEXIT, IO instructions and instructions that require a privilege change are > +prohibited inside the enclave. Interrupts and exceptions always cause enclave > +to exit and jump to an address outside the enclave given when the enclave is > +entered by using the leaf instruction ENCLS(EENTER). > + > +Data types > +---------- > + > +The protected memory range contains the following data: > + > +* **Enclave Page Cache (EPC):** protected pages > +* **Enclave Page Cache Map (EPCM):** a database that describes the state of the > + pages and link them to an enclave. I think it's better to use "definition list" here http://docutils.sourceforge.net/docs/ref/rst/restructuredtext.html#definition-lists > +EPC has a number of different types of pages: > + > +* **SGX Enclave Control Structure (SECS)**: describes the global > + properties of an enclave. > +* **Regular (REG):** code and data pages in the ELRANGE. > +* **Thread Control Structure (TCS):** pages that define entry points inside an > + enclave. The enclave can only be entered through these entry points and each > + can host a single hardware thread at a time. > +* **Version Array (VA)**: 64-bit version numbers for pages that have been > + swapped outside the enclave. Each page contains 512 version numbers. ditto > +Launch control > +-------------- > + > +To launch an enclave, two structures must be provided for ENCLS(EINIT): > + > +1. **SIGSTRUCT:** signed measurement of the enclave binary. > +2. **EINITTOKEN:** a cryptographic token CMAC-signed with a AES256-key called > + *launch key*, which is re-generated for each boot cycle. ditto > +The CPU holds a SHA256 hash of a 3072-bit RSA public key inside > +IA32_SGXLEPUBKEYHASHn MSRs. Enclaves with a SIGSTRUCT that is signed with this > +key do not require a valid EINITTOKEN and can be authorized with special > +privileges. One of those privileges is ability to acquire the launch key with > +ENCLS(EGETKEY). > + > +**IA32_FEATURE_CONTROL[17]** is used by the BIOS configure whether > +IA32_SGXLEPUBKEYHASH MSRs are read-only or read-write before locking the > +feature control register and handing over control to the operating system. > + > +Enclave construction > +-------------------- > + > +The construction is started by filling out the SECS that contains enclave > +address range, privileged attributes and measurement of TCS and REG pages (pages > +that will be mapped to the address range) among the other things. This structure > +is passed out to the ENCLS(ECREATE) together with a physical address of a page > +in EPC that will hold the SECS. > + > +The pages are added with ENCLS(EADD) and measured with ENCLS(EEXTEND) i.e. > +SHA256 hash MRENCLAVE residing in the SECS is extended with the page data. > + > +After all of the pages have been added, the enclave is initialized with > +ENCLS(EINIT). ENCLS(INIT) checks that the SIGSTRUCT is signed with the contained EINIT? > +public key. If the given EINITTOKEN has the valid bit set, the CPU checks that > +the token is valid (CMAC'd with the launch key). If the token is not valid, > +the CPU will check whether the enclave is signed with a key matching to the > +IA32_SGXLEPUBKEYHASHn MSRs. > + > +Swapping pages > +-------------- > + > +Enclave pages can be swapped out with ENCLS(EWB) to the unprotected memory. In > +addition to the EPC page, ENCLS(EWB) takes in a VA page and address for PCMD > +structure (Page Crypto MetaData) as input. The VA page will seal a version > +number for the page. PCMD is 128 byte structure that contains tracking > +information for the page, most importantly its MAC. With these structures the > +enclave is sealed and rollback protected while it resides in the unprotected > +memory. > + > +Before the page can be swapped out it must not have any active TLB references. > +ENCLS(EBLOCK) instruction moves a page to the *blocked* state, which means > +that no new TLB entries can be created to it by the hardware threads. > + > +After this a shootdown sequence is started with ENCLS(ETRACK), which sets an > +increased counter value to the entering hardware threads. ENCLS(EWB) will > +return SGX_NOT_TRACKED error while there are still threads with the earlier > +couner value because that means that there might be hardware thread inside > +the enclave with TLB entries to pages that are to be swapped. > + > +Kernel internals > +================ > + > +Requirements > +------------ > + > +Because SGX has an ever evolving and expanding feature set, it's possible for > +a BIOS or VMM to configure a system in such a way that not all CPUs are equal, > +e.g. where Launch Control is only enabled on a subset of CPUs. Linux does > +*not* support such a heterogeneous system configuration, nor does it even > +attempt to play nice in the face of a misconfigured system. With the exception > +of Launch Control's hash MSRs, which can vary per CPU, Linux assumes that all > +CPUs have a configuration that is identical to the boot CPU. > + > + > +Roles and responsibilities > +-------------------------- > + > +SGX introduces system resources, e.g. EPC memory, that must be accessible to > +multiple entities, e.g. the native kernel driver (to expose SGX to userspace) > +and KVM (to expose SGX to VMs), ideally without introducing any dependencies > +between each SGX entity. To that end, the kernel owns and manages the shared > +system resources, i.e. the EPC and Launch Control MSRs, and defines functions > +that provide appropriate access to the shared resources. SGX support for > +user space and VMs is left to the SGX platform driver and KVM respectively. > + > +Launching enclaves > +------------------ > + > +The current kernel implementation supports only unlocked MSRs i.e. > +FEATURE_CONTROL_SGX_LE_WR must be set. The launch is performed by setting the > +MSRs to the hash of the public key modulus of the enclave signer, which is one > +f the fields in the SIGSTRUCT. of > + > +EPC management > +-------------- > + > +Due to the unique requirements for swapping EPC pages, and because EPC pages > +(currently) do not have associated page structures, management of the EPC is > +not handled by the standard Linux swapper. SGX directly handles swapping > +of EPC pages, including a kthread to initiate reclaim and a rudimentary LRU > +mechanism. The consumers of EPC pages, e.g. the SGX driver, are required to > +implement function callbacks that can be invoked by the kernel to age, > +swap, and/or forcefully reclaim a target EPC page. In effect, the kernel > +controls what happens and when, while the consumers (driver, KVM, etc..) do > +the actual work. > + > +SGX uapi > +======== > + > +.. kernel-doc:: drivers/platform/x86/intel_sgx/sgx_ioctl.c > + :functions: sgx_ioc_enclave_create > + sgx_ioc_enclave_add_page > + sgx_ioc_enclave_init > + > +.. kernel-doc:: arch/x86/include/uapi/asm/sgx.h > + > +References > +========== > + > +* System Programming Manual: 39.1.4 Intel® SGX Launch Control Configuration > -- > 2.19.1 >
On Sun, Nov 04, 2018 at 10:15:13AM +0200, Mike Rapoport wrote: > On Sat, Nov 03, 2018 at 01:11:22AM +0200, Jarkko Sakkinen wrote: > > Documentation of the features of the Software Guard eXtensions used > > by the Linux kernel and basic design choices for the core and driver > > and functionality. > > > > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > > --- > > Documentation/index.rst | 1 + > > Documentation/x86/intel_sgx.rst | 185 ++++++++++++++++++++++++++++++++ > > 2 files changed, 186 insertions(+) > > create mode 100644 Documentation/x86/intel_sgx.rst > > > > diff --git a/Documentation/index.rst b/Documentation/index.rst > > index 5db7e87c7cb1..1cdc139adb40 100644 > > --- a/Documentation/index.rst > > +++ b/Documentation/index.rst > > @@ -104,6 +104,7 @@ implementation. > > :maxdepth: 2 > > > > sh/index > > + x86/index > > It seems there is no Documentation/x86/index.rst, probably you'd want to > create one and link intel_sgx.rst there Thanks I'll update this! > > > > > Filesystem Documentation > > ------------------------ > > diff --git a/Documentation/x86/intel_sgx.rst b/Documentation/x86/intel_sgx.rst > > new file mode 100644 > > index 000000000000..f6b7979c41f2 > > --- /dev/null > > +++ b/Documentation/x86/intel_sgx.rst > > @@ -0,0 +1,185 @@ > > +=================== > > +Intel(R) SGX driver > > +=================== > > + > > +Introduction > > +============ > > + > > +Intel(R) SGX is a set of CPU instructions that can be used by applications to > > +set aside private regions of code and data. The code outside the enclave is > > +disallowed to access the memory inside the enclave by the CPU access control. > > +In a way you can think that SGX provides inverted sandbox. It protects the > > +application from a malicious host. > > + > > +You can tell if your CPU supports SGX by looking into ``/proc/cpuinfo``: > > + > > + ``cat /proc/cpuinfo | grep sgx`` > > + > > +Overview of SGX > > +=============== > > + > > +SGX has a set of data structures to maintain information about the enclaves and > > +their security properties. BIOS reserves a fixed size region of physical memory > > +for these structures by setting Processor Reserved Memory Range Registers > > +(PRMRR). > > + > > +This memory range is protected from outside access by the CPU and all the data > > +coming in and out of the CPU package is encrypted by a key that is generated for > > +each boot cycle. > > + > > +Enclaves execute in ring-3 in a special enclave submode using pages from the > > +reserved memory range. A fixed logical address range for the enclave is reserved > > +by ENCLS(ECREATE), a leaf instruction used to create enclaves. It is referred in > > +the documentation commonly as the ELRANGE. > > + > > +Every memory access to the ELRANGE is asserted by the CPU. If the CPU is not > > +executing in the enclave mode inside the enclave, #GP is raised. On the other > > +hand enclave code can make memory accesses both inside and outside of the > > comma ^ > > > +ELRANGE. > > + > > +Enclave can only execute code inside the ELRANGE. Instructions that may cause > > +VMEXIT, IO instructions and instructions that require a privilege change are > > +prohibited inside the enclave. Interrupts and exceptions always cause enclave > > +to exit and jump to an address outside the enclave given when the enclave is > > +entered by using the leaf instruction ENCLS(EENTER). > > + > > +Data types > > +---------- > > + > > +The protected memory range contains the following data: > > + > > +* **Enclave Page Cache (EPC):** protected pages > > +* **Enclave Page Cache Map (EPCM):** a database that describes the state of the > > + pages and link them to an enclave. > > I think it's better to use "definition list" here > > http://docutils.sourceforge.net/docs/ref/rst/restructuredtext.html#definition-lists Ack. > > > +EPC has a number of different types of pages: > > + > > +* **SGX Enclave Control Structure (SECS)**: describes the global > > + properties of an enclave. > > +* **Regular (REG):** code and data pages in the ELRANGE. > > +* **Thread Control Structure (TCS):** pages that define entry points inside an > > + enclave. The enclave can only be entered through these entry points and each > > + can host a single hardware thread at a time. > > +* **Version Array (VA)**: 64-bit version numbers for pages that have been > > + swapped outside the enclave. Each page contains 512 version numbers. > > ditto > > > +Launch control > > +-------------- > > + > > +To launch an enclave, two structures must be provided for ENCLS(EINIT): > > + > > +1. **SIGSTRUCT:** signed measurement of the enclave binary. > > +2. **EINITTOKEN:** a cryptographic token CMAC-signed with a AES256-key called > > + *launch key*, which is re-generated for each boot cycle. > > ditto > > > +The CPU holds a SHA256 hash of a 3072-bit RSA public key inside > > +IA32_SGXLEPUBKEYHASHn MSRs. Enclaves with a SIGSTRUCT that is signed with this > > +key do not require a valid EINITTOKEN and can be authorized with special > > +privileges. One of those privileges is ability to acquire the launch key with > > +ENCLS(EGETKEY). > > + > > +**IA32_FEATURE_CONTROL[17]** is used by the BIOS configure whether > > +IA32_SGXLEPUBKEYHASH MSRs are read-only or read-write before locking the > > +feature control register and handing over control to the operating system. > > + > > +Enclave construction > > +-------------------- > > + > > +The construction is started by filling out the SECS that contains enclave > > +address range, privileged attributes and measurement of TCS and REG pages (pages > > +that will be mapped to the address range) among the other things. This structure > > +is passed out to the ENCLS(ECREATE) together with a physical address of a page > > +in EPC that will hold the SECS. > > + > > +The pages are added with ENCLS(EADD) and measured with ENCLS(EEXTEND) i.e. > > +SHA256 hash MRENCLAVE residing in the SECS is extended with the page data. > > + > > +After all of the pages have been added, the enclave is initialized with > > +ENCLS(EINIT). ENCLS(INIT) checks that the SIGSTRUCT is signed with the contained > > EINIT? Yep. > > > +public key. If the given EINITTOKEN has the valid bit set, the CPU checks that > > +the token is valid (CMAC'd with the launch key). If the token is not valid, > > +the CPU will check whether the enclave is signed with a key matching to the > > +IA32_SGXLEPUBKEYHASHn MSRs. > > + > > +Swapping pages > > +-------------- > > + > > +Enclave pages can be swapped out with ENCLS(EWB) to the unprotected memory. In > > +addition to the EPC page, ENCLS(EWB) takes in a VA page and address for PCMD > > +structure (Page Crypto MetaData) as input. The VA page will seal a version > > +number for the page. PCMD is 128 byte structure that contains tracking > > +information for the page, most importantly its MAC. With these structures the > > +enclave is sealed and rollback protected while it resides in the unprotected > > +memory. > > + > > +Before the page can be swapped out it must not have any active TLB references. > > +ENCLS(EBLOCK) instruction moves a page to the *blocked* state, which means > > +that no new TLB entries can be created to it by the hardware threads. > > + > > +After this a shootdown sequence is started with ENCLS(ETRACK), which sets an > > +increased counter value to the entering hardware threads. ENCLS(EWB) will > > +return SGX_NOT_TRACKED error while there are still threads with the earlier > > +couner value because that means that there might be hardware thread inside > > +the enclave with TLB entries to pages that are to be swapped. > > + > > +Kernel internals > > +================ > > + > > +Requirements > > +------------ > > + > > +Because SGX has an ever evolving and expanding feature set, it's possible for > > +a BIOS or VMM to configure a system in such a way that not all CPUs are equal, > > +e.g. where Launch Control is only enabled on a subset of CPUs. Linux does > > +*not* support such a heterogeneous system configuration, nor does it even > > +attempt to play nice in the face of a misconfigured system. With the exception > > +of Launch Control's hash MSRs, which can vary per CPU, Linux assumes that all > > +CPUs have a configuration that is identical to the boot CPU. > > + > > + > > +Roles and responsibilities > > +-------------------------- > > + > > +SGX introduces system resources, e.g. EPC memory, that must be accessible to > > +multiple entities, e.g. the native kernel driver (to expose SGX to userspace) > > +and KVM (to expose SGX to VMs), ideally without introducing any dependencies > > +between each SGX entity. To that end, the kernel owns and manages the shared > > +system resources, i.e. the EPC and Launch Control MSRs, and defines functions > > +that provide appropriate access to the shared resources. SGX support for > > +user space and VMs is left to the SGX platform driver and KVM respectively. > > + > > +Launching enclaves > > +------------------ > > + > > +The current kernel implementation supports only unlocked MSRs i.e. > > +FEATURE_CONTROL_SGX_LE_WR must be set. The launch is performed by setting the > > +MSRs to the hash of the public key modulus of the enclave signer, which is one > > +f the fields in the SIGSTRUCT. > > of > > > + > > +EPC management > > +-------------- > > + > > +Due to the unique requirements for swapping EPC pages, and because EPC pages > > +(currently) do not have associated page structures, management of the EPC is > > +not handled by the standard Linux swapper. SGX directly handles swapping > > +of EPC pages, including a kthread to initiate reclaim and a rudimentary LRU > > +mechanism. The consumers of EPC pages, e.g. the SGX driver, are required to > > +implement function callbacks that can be invoked by the kernel to age, > > +swap, and/or forcefully reclaim a target EPC page. In effect, the kernel > > +controls what happens and when, while the consumers (driver, KVM, etc..) do > > +the actual work. > > + > > +SGX uapi > > +======== > > + > > +.. kernel-doc:: drivers/platform/x86/intel_sgx/sgx_ioctl.c > > + :functions: sgx_ioc_enclave_create > > + sgx_ioc_enclave_add_page > > + sgx_ioc_enclave_init > > + > > +.. kernel-doc:: arch/x86/include/uapi/asm/sgx.h > > + > > +References > > +========== > > + > > +* System Programming Manual: 39.1.4 Intel® SGX Launch Control Configuration > > -- > > 2.19.1 > > > > -- > Sincerely yours, > Mike. > Thank for your remarks! /Jarkko
On 11/2/18 4:11 PM, Jarkko Sakkinen wrote: > Documentation/index.rst | 1 + > Documentation/x86/intel_sgx.rst | 185 ++++++++++++++++++++++++++++++++ > 2 files changed, 186 insertions(+) > create mode 100644 Documentation/x86/intel_sgx.rst This patch set establishes an ABI. It basically sets in stone a bunch of behaviors that the enclave, the kernel, and the out-of-enclave code must follow. There are a bunch of things that the enclave can do to %rsp or %rip, for instance, that it is capable and/or permitted to do. The ABI seems entirely undocumented and rather lightly designed, which seems like something we should fix before this is merged. Also, for a feature as massive and complicated as this one, it seems irresponsible to not have a selftest. Is that not feasible for some reason?
On Mon, Nov 05, 2018 at 12:27:11PM -0800, Dave Hansen wrote: > The ABI seems entirely undocumented and rather lightly designed, which > seems like something we should fix before this is merged. ABI is documented in arch/x86/include/uapi/asm/sgx.h that from which the documentation is included to intel_sgx.rst. I'm not saying that there is no space refine it but it is neither undocumented. > Also, for a feature as massive and complicated as this one, it seems > irresponsible to not have a selftest. Is that not feasible for some reason? I do have the in-kernel launch enclave stuff backed up here: https://github.com/jsakkine-intel/sgx-le-host https://github.com/jsakkine-intel/sgx-le This is about as simple as it gets without any type of run-time. /Jarkko
On Tue, Nov 06, 2018 at 07:49:11AM +0200, Jarkko Sakkinen wrote: > On Mon, Nov 05, 2018 at 12:27:11PM -0800, Dave Hansen wrote: > > The ABI seems entirely undocumented and rather lightly designed, which > > seems like something we should fix before this is merged. > > ABI is documented in arch/x86/include/uapi/asm/sgx.h that from which the > documentation is included to intel_sgx.rst. I'm not saying that there is > no space refine it but it is neither undocumented. > > > Also, for a feature as massive and complicated as this one, it seems > > irresponsible to not have a selftest. Is that not feasible for some reason? > > I do have the in-kernel launch enclave stuff backed up here: > > https://github.com/jsakkine-intel/sgx-le-host > https://github.com/jsakkine-intel/sgx-le > > This is about as simple as it gets without any type of run-time. Of course the enclave could be simplified considerably since now it has full code for EINITTOKEN generation, which is probably an overkill for a selftest. It could be simple as just enter and return to and from enclave or something in-between in terms of complexity. Even for the simplest enclave you need a signing tool (see sgxsign.c in my sgx-le repository), a custom linker script and a sophisticated makefile. /Jarkko
On Mon, Nov 05, 2018 at 12:27:11PM -0800, Dave Hansen wrote: > This patch set establishes an ABI. It basically sets in stone a bunch > of behaviors that the enclave, the kernel, and the out-of-enclave code > must follow. > > There are a bunch of things that the enclave can do to %rsp or %rip, for > instance, that it is capable and/or permitted to do. Just want to ask a follow-up from this so that I understand you better. Now we are talking abou ioctl API, right? I'm not exactly sure how EENTER/EEXIT/ERESUME behavior connects to that. I understand the tail of your message but this paragraph left me a bit puzzled... /Jarkko
On 11/5/18 9:49 PM, Jarkko Sakkinen wrote: > On Mon, Nov 05, 2018 at 12:27:11PM -0800, Dave Hansen wrote: >> The ABI seems entirely undocumented and rather lightly designed, which >> seems like something we should fix before this is merged. > > ABI is documented in arch/x86/include/uapi/asm/sgx.h that from which the > documentation is included to intel_sgx.rst. I'm not saying that there is > no space refine it but it is neither undocumented. I specifically mean the instruction flow around asynchronous exits or explicit enclave exit calls via EEXIT. Signals are part of the ABI but go unmentioned in the documentation. It's also worth noting that EENTER *can* act (from the kernel's perspective) like an instruction that both jumps and sets a bunch of registers (including %rsp). It's certainly abnormal in that regard. In fact, in the docs: > +Enclave can only execute code inside the ELRANGE. Instructions that may cause > +VMEXIT, IO instructions and instructions that require a privilege change are > +prohibited inside the enclave. Interrupts and exceptions always cause enclave > +to exit and jump to an address outside the enclave given when the enclave is > +entered by using the leaf instruction ENCLS(EENTER). it's probably a really good idea to explain that the address outside of the enclave is enclave-provided, and is not, for instance, just the next instruction after EENTER. >> Also, for a feature as massive and complicated as this one, it seems >> irresponsible to not have a selftest. Is that not feasible for some reason? > > I do have the in-kernel launch enclave stuff backed up here: > > https://github.com/jsakkine-intel/sgx-le-host > https://github.com/jsakkine-intel/sgx-le > > This is about as simple as it gets without any type of run-time. Does this code run when I type "make kselftest"? If not, I think we should rectify that.
On Tue, Nov 06, 2018 at 08:45:37AM -0800, Dave Hansen wrote: > On 11/5/18 9:49 PM, Jarkko Sakkinen wrote: > > On Mon, Nov 05, 2018 at 12:27:11PM -0800, Dave Hansen wrote: > >> The ABI seems entirely undocumented and rather lightly designed, which > >> seems like something we should fix before this is merged. > > > > ABI is documented in arch/x86/include/uapi/asm/sgx.h that from which the > > documentation is included to intel_sgx.rst. I'm not saying that there is > > no space refine it but it is neither undocumented. > > I specifically mean the instruction flow around asynchronous exits or > explicit enclave exit calls via EEXIT. Signals are part of the ABI but > go unmentioned in the documentation. Ok, thanks for clarification. We will document it. > > It's also worth noting that EENTER *can* act (from the kernel's > perspective) like an instruction that both jumps and sets a bunch of > registers (including %rsp). It's certainly abnormal in that regard. Agreed. > In fact, in the docs: > > > +Enclave can only execute code inside the ELRANGE. Instructions that may cause > > +VMEXIT, IO instructions and instructions that require a privilege change are > > +prohibited inside the enclave. Interrupts and exceptions always cause enclave > > +to exit and jump to an address outside the enclave given when the enclave is > > +entered by using the leaf instruction ENCLS(EENTER). > > it's probably a really good idea to explain that the address outside of > the enclave is enclave-provided, and is not, for instance, just the next > instruction after EENTER. > > >> Also, for a feature as massive and complicated as this one, it seems > >> irresponsible to not have a selftest. Is that not feasible for some reason? > > > > I do have the in-kernel launch enclave stuff backed up here: > > > > https://github.com/jsakkine-intel/sgx-le-host > > https://github.com/jsakkine-intel/sgx-le > > > > This is about as simple as it gets without any type of run-time. > > Does this code run when I type "make kselftest"? If not, I think we > should rectify that. No, it doesn't. It is just my backup for the non-SDK user space code that I've made that I will use to fork my user space SGX projects in the future. I can work-out a selftest (and provide a new patch in the series) but I'm still wondering what the enclave should do. I would suggest that we start with an enclave that does just EEXIT and nothing else. /Jarkko
On 11/7/18 8:30 AM, Jarkko Sakkinen wrote: >> Does this code run when I type "make kselftest"? If not, I think we >> should rectify that. > No, it doesn't. It is just my backup for the non-SDK user space code > that I've made that I will use to fork my user space SGX projects in > the future. > > I can work-out a selftest (and provide a new patch in the series) but > I'm still wondering what the enclave should do. I would suggest that > we start with an enclave that does just EEXIT and nothing else. Yeah, that's a start. But, a good selftest would include things like faults and error conditions.
On Wed, Nov 07, 2018 at 09:09:37AM -0800, Dave Hansen wrote: > On 11/7/18 8:30 AM, Jarkko Sakkinen wrote: > >> Does this code run when I type "make kselftest"? If not, I think we > >> should rectify that. > > No, it doesn't. It is just my backup for the non-SDK user space code > > that I've made that I will use to fork my user space SGX projects in > > the future. > > > > I can work-out a selftest (and provide a new patch in the series) but > > I'm still wondering what the enclave should do. I would suggest that > > we start with an enclave that does just EEXIT and nothing else. > > Yeah, that's a start. But, a good selftest would include things like > faults and error conditions. Great. We can add more entry points to the enclave for different tests but I'll start with a bare minimum. And yeah but ever goes into next version I'll document the fault handling. /Jarkko
On Thu, Nov 08, 2018 at 04:39:42PM +0200, Jarkko Sakkinen wrote: > On Wed, Nov 07, 2018 at 09:09:37AM -0800, Dave Hansen wrote: > > On 11/7/18 8:30 AM, Jarkko Sakkinen wrote: > > >> Does this code run when I type "make kselftest"? If not, I think we > > >> should rectify that. > > > No, it doesn't. It is just my backup for the non-SDK user space code > > > that I've made that I will use to fork my user space SGX projects in > > > the future. > > > > > > I can work-out a selftest (and provide a new patch in the series) but > > > I'm still wondering what the enclave should do. I would suggest that > > > we start with an enclave that does just EEXIT and nothing else. > > > > Yeah, that's a start. But, a good selftest would include things like > > faults and error conditions. > > Great. We can add more entry points to the enclave for different tests > but I'll start with a bare minimum. And yeah but ever goes into next > version I'll document the fault handling. For the v17 I'll add exactly two test cases: 1. EENTER/EEXIT 2. EENTER/exception So that it will easier to evaluate and demonstrate exception handling. /Jarkko
On Thu, Nov 08, 2018 at 09:20:40PM +0200, Jarkko Sakkinen wrote: > On Thu, Nov 08, 2018 at 04:39:42PM +0200, Jarkko Sakkinen wrote: > > On Wed, Nov 07, 2018 at 09:09:37AM -0800, Dave Hansen wrote: > > > On 11/7/18 8:30 AM, Jarkko Sakkinen wrote: > > > >> Does this code run when I type "make kselftest"? If not, I think we > > > >> should rectify that. > > > > No, it doesn't. It is just my backup for the non-SDK user space code > > > > that I've made that I will use to fork my user space SGX projects in > > > > the future. > > > > > > > > I can work-out a selftest (and provide a new patch in the series) but > > > > I'm still wondering what the enclave should do. I would suggest that > > > > we start with an enclave that does just EEXIT and nothing else. > > > > > > Yeah, that's a start. But, a good selftest would include things like > > > faults and error conditions. > > > > Great. We can add more entry points to the enclave for different tests > > but I'll start with a bare minimum. And yeah but ever goes into next > > version I'll document the fault handling. > > For the v17 I'll add exactly two test cases: > > 1. EENTER/EEXIT > 2. EENTER/exception > > So that it will easier to evaluate and demonstrate exception handling. > > /Jarkko Here is my test program now: https://github.com/jsakkine-intel/sgx-selftest It is ~1100 lines ATM. Next I'll deploy it to the kernel tree. It has only (1) now but I'll add (2) too when I convert this to a kernel patch (probably by doing sgx_call() with a NULL pointer). /Jarkko
diff --git a/Documentation/index.rst b/Documentation/index.rst index 5db7e87c7cb1..1cdc139adb40 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst @@ -104,6 +104,7 @@ implementation. :maxdepth: 2 sh/index + x86/index Filesystem Documentation ------------------------ diff --git a/Documentation/x86/intel_sgx.rst b/Documentation/x86/intel_sgx.rst new file mode 100644 index 000000000000..f6b7979c41f2 --- /dev/null +++ b/Documentation/x86/intel_sgx.rst @@ -0,0 +1,185 @@ +=================== +Intel(R) SGX driver +=================== + +Introduction +============ + +Intel(R) SGX is a set of CPU instructions that can be used by applications to +set aside private regions of code and data. The code outside the enclave is +disallowed to access the memory inside the enclave by the CPU access control. +In a way you can think that SGX provides inverted sandbox. It protects the +application from a malicious host. + +You can tell if your CPU supports SGX by looking into ``/proc/cpuinfo``: + + ``cat /proc/cpuinfo | grep sgx`` + +Overview of SGX +=============== + +SGX has a set of data structures to maintain information about the enclaves and +their security properties. BIOS reserves a fixed size region of physical memory +for these structures by setting Processor Reserved Memory Range Registers +(PRMRR). + +This memory range is protected from outside access by the CPU and all the data +coming in and out of the CPU package is encrypted by a key that is generated for +each boot cycle. + +Enclaves execute in ring-3 in a special enclave submode using pages from the +reserved memory range. A fixed logical address range for the enclave is reserved +by ENCLS(ECREATE), a leaf instruction used to create enclaves. It is referred in +the documentation commonly as the ELRANGE. + +Every memory access to the ELRANGE is asserted by the CPU. If the CPU is not +executing in the enclave mode inside the enclave, #GP is raised. On the other +hand enclave code can make memory accesses both inside and outside of the +ELRANGE. + +Enclave can only execute code inside the ELRANGE. Instructions that may cause +VMEXIT, IO instructions and instructions that require a privilege change are +prohibited inside the enclave. Interrupts and exceptions always cause enclave +to exit and jump to an address outside the enclave given when the enclave is +entered by using the leaf instruction ENCLS(EENTER). + +Data types +---------- + +The protected memory range contains the following data: + +* **Enclave Page Cache (EPC):** protected pages +* **Enclave Page Cache Map (EPCM):** a database that describes the state of the + pages and link them to an enclave. + +EPC has a number of different types of pages: + +* **SGX Enclave Control Structure (SECS)**: describes the global + properties of an enclave. +* **Regular (REG):** code and data pages in the ELRANGE. +* **Thread Control Structure (TCS):** pages that define entry points inside an + enclave. The enclave can only be entered through these entry points and each + can host a single hardware thread at a time. +* **Version Array (VA)**: 64-bit version numbers for pages that have been + swapped outside the enclave. Each page contains 512 version numbers. + +Launch control +-------------- + +To launch an enclave, two structures must be provided for ENCLS(EINIT): + +1. **SIGSTRUCT:** signed measurement of the enclave binary. +2. **EINITTOKEN:** a cryptographic token CMAC-signed with a AES256-key called + *launch key*, which is re-generated for each boot cycle. + +The CPU holds a SHA256 hash of a 3072-bit RSA public key inside +IA32_SGXLEPUBKEYHASHn MSRs. Enclaves with a SIGSTRUCT that is signed with this +key do not require a valid EINITTOKEN and can be authorized with special +privileges. One of those privileges is ability to acquire the launch key with +ENCLS(EGETKEY). + +**IA32_FEATURE_CONTROL[17]** is used by the BIOS configure whether +IA32_SGXLEPUBKEYHASH MSRs are read-only or read-write before locking the +feature control register and handing over control to the operating system. + +Enclave construction +-------------------- + +The construction is started by filling out the SECS that contains enclave +address range, privileged attributes and measurement of TCS and REG pages (pages +that will be mapped to the address range) among the other things. This structure +is passed out to the ENCLS(ECREATE) together with a physical address of a page +in EPC that will hold the SECS. + +The pages are added with ENCLS(EADD) and measured with ENCLS(EEXTEND) i.e. +SHA256 hash MRENCLAVE residing in the SECS is extended with the page data. + +After all of the pages have been added, the enclave is initialized with +ENCLS(EINIT). ENCLS(INIT) checks that the SIGSTRUCT is signed with the contained +public key. If the given EINITTOKEN has the valid bit set, the CPU checks that +the token is valid (CMAC'd with the launch key). If the token is not valid, +the CPU will check whether the enclave is signed with a key matching to the +IA32_SGXLEPUBKEYHASHn MSRs. + +Swapping pages +-------------- + +Enclave pages can be swapped out with ENCLS(EWB) to the unprotected memory. In +addition to the EPC page, ENCLS(EWB) takes in a VA page and address for PCMD +structure (Page Crypto MetaData) as input. The VA page will seal a version +number for the page. PCMD is 128 byte structure that contains tracking +information for the page, most importantly its MAC. With these structures the +enclave is sealed and rollback protected while it resides in the unprotected +memory. + +Before the page can be swapped out it must not have any active TLB references. +ENCLS(EBLOCK) instruction moves a page to the *blocked* state, which means +that no new TLB entries can be created to it by the hardware threads. + +After this a shootdown sequence is started with ENCLS(ETRACK), which sets an +increased counter value to the entering hardware threads. ENCLS(EWB) will +return SGX_NOT_TRACKED error while there are still threads with the earlier +couner value because that means that there might be hardware thread inside +the enclave with TLB entries to pages that are to be swapped. + +Kernel internals +================ + +Requirements +------------ + +Because SGX has an ever evolving and expanding feature set, it's possible for +a BIOS or VMM to configure a system in such a way that not all CPUs are equal, +e.g. where Launch Control is only enabled on a subset of CPUs. Linux does +*not* support such a heterogeneous system configuration, nor does it even +attempt to play nice in the face of a misconfigured system. With the exception +of Launch Control's hash MSRs, which can vary per CPU, Linux assumes that all +CPUs have a configuration that is identical to the boot CPU. + + +Roles and responsibilities +-------------------------- + +SGX introduces system resources, e.g. EPC memory, that must be accessible to +multiple entities, e.g. the native kernel driver (to expose SGX to userspace) +and KVM (to expose SGX to VMs), ideally without introducing any dependencies +between each SGX entity. To that end, the kernel owns and manages the shared +system resources, i.e. the EPC and Launch Control MSRs, and defines functions +that provide appropriate access to the shared resources. SGX support for +user space and VMs is left to the SGX platform driver and KVM respectively. + +Launching enclaves +------------------ + +The current kernel implementation supports only unlocked MSRs i.e. +FEATURE_CONTROL_SGX_LE_WR must be set. The launch is performed by setting the +MSRs to the hash of the public key modulus of the enclave signer, which is one +f the fields in the SIGSTRUCT. + +EPC management +-------------- + +Due to the unique requirements for swapping EPC pages, and because EPC pages +(currently) do not have associated page structures, management of the EPC is +not handled by the standard Linux swapper. SGX directly handles swapping +of EPC pages, including a kthread to initiate reclaim and a rudimentary LRU +mechanism. The consumers of EPC pages, e.g. the SGX driver, are required to +implement function callbacks that can be invoked by the kernel to age, +swap, and/or forcefully reclaim a target EPC page. In effect, the kernel +controls what happens and when, while the consumers (driver, KVM, etc..) do +the actual work. + +SGX uapi +======== + +.. kernel-doc:: drivers/platform/x86/intel_sgx/sgx_ioctl.c + :functions: sgx_ioc_enclave_create + sgx_ioc_enclave_add_page + sgx_ioc_enclave_init + +.. kernel-doc:: arch/x86/include/uapi/asm/sgx.h + +References +========== + +* System Programming Manual: 39.1.4 Intel® SGX Launch Control Configuration
Documentation of the features of the Software Guard eXtensions used by the Linux kernel and basic design choices for the core and driver and functionality. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> --- Documentation/index.rst | 1 + Documentation/x86/intel_sgx.rst | 185 ++++++++++++++++++++++++++++++++ 2 files changed, 186 insertions(+) create mode 100644 Documentation/x86/intel_sgx.rst