Message ID | 20200421184150.68011-2-andraprs@amazon.com (mailing list archive)
---|---
State | New, archived
Series | Add support for Nitro Enclaves
Hi-- On 4/21/20 11:41 AM, Andra Paraschiv wrote: > The Nitro Enclaves driver handles the enclave lifetime management. This > includes enclave creation, termination and setting up its resources such > as memory and CPU. > > An enclave runs alongside the VM that spawned it. It is abstracted as a > process running in the VM that launched it. The process interacts with > the NE driver, that exposes an ioctl interface for creating an enclave > and setting up its resources. > > Include the KVM API as part of the provided ioctl interface, with an > additional ENCLAVE_START ioctl command that triggers the enclave run. > > Signed-off-by: Alexandru Vasile <lexnv@amazon.com> > Signed-off-by: Andra Paraschiv <andraprs@amazon.com> > --- > include/linux/nitro_enclaves.h | 23 +++++++++++++ > include/uapi/linux/nitro_enclaves.h | 52 +++++++++++++++++++++++++++++ > 2 files changed, 75 insertions(+) > create mode 100644 include/linux/nitro_enclaves.h > create mode 100644 include/uapi/linux/nitro_enclaves.h > > diff --git a/include/uapi/linux/nitro_enclaves.h b/include/uapi/linux/nitro_enclaves.h > new file mode 100644 > index 000000000000..b90dfcf6253a > --- /dev/null > +++ b/include/uapi/linux/nitro_enclaves.h 
> @@ -0,0 +1,52 @@ > +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ > +/* > + * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. > + * > + * This program is free software; you can redistribute it and/or modify it > + * under the terms and conditions of the GNU General Public License, > + * version 2, as published by the Free Software Foundation. > + * > + * This program is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > + * GNU General Public License for more details. > + * > + * You should have received a copy of the GNU General Public License > + * along with this program; if not, see <http://www.gnu.org/licenses/>. > + */ > + > +#ifndef _UAPI_LINUX_NITRO_ENCLAVES_H_ > +#define _UAPI_LINUX_NITRO_ENCLAVES_H_ > + > +#include <linux/kvm.h> > +#include <linux/types.h> > + > +/* Nitro Enclaves (NE) Kernel Driver Interface */ > + > +/** > + * The command is used to trigger enclave start after the enclave resources, > + * such as memory and CPU, have been set. > + * > + * The enclave start metadata is an in / out data structure. It includes > + * provided info by the caller - enclave cid and flags - and returns the > + * slot uid and the cid (if input cid is 0). > + */ > +#define NE_ENCLAVE_START _IOWR('B', 0x1, struct enclave_start_metadata) Please document ioctl major ('B' in this case) and range used in Documentation/userspace-api/ioctl/ioctl-number.rst. > + > +/* Setup metadata necessary for enclave start. */ > +struct enclave_start_metadata { > + /* Flags for the enclave to start with (e.g. debug mode) (in). */ > + __u64 flags; > + > + /** > + * Context ID (CID) for the enclave vsock device. If 0 as input, the > + * CID is autogenerated by the hypervisor and returned back as output > + * by the driver (in/out). 
> + */ > + __u64 enclave_cid; > + > + /* Slot unique id mapped to the enclave to start (out). */ > + __u64 slot_uid; > +}; > + > +#endif /* _UAPI_LINUX_NITRO_ENCLAVES_H_ */ > thanks.
On 21/04/20 20:47, Randy Dunlap wrote: >> + >> +/** >> + * The command is used to trigger enclave start after the enclave resources, >> + * such as memory and CPU, have been set. >> + * >> + * The enclave start metadata is an in / out data structure. It includes >> + * provided info by the caller - enclave cid and flags - and returns the >> + * slot uid and the cid (if input cid is 0). >> + */ >> +#define NE_ENCLAVE_START _IOWR('B', 0x1, struct enclave_start_metadata) > Please document ioctl major ('B' in this case) and range used in > Documentation/userspace-api/ioctl/ioctl-number.rst. > Since it's really just a couple ioctls, I can "donate" part of the KVM space, for example major 0xAE minor 0x20-0x3f. Paolo
On 22/04/2020 00:45, Paolo Bonzini wrote: > On 21/04/20 20:47, Randy Dunlap wrote: >>> + >>> +/** >>> + * The command is used to trigger enclave start after the enclave resources, >>> + * such as memory and CPU, have been set. >>> + * >>> + * The enclave start metadata is an in / out data structure. It includes >>> + * provided info by the caller - enclave cid and flags - and returns the >>> + * slot uid and the cid (if input cid is 0). >>> + */ >>> +#define NE_ENCLAVE_START _IOWR('B', 0x1, struct enclave_start_metadata) >> Please document ioctl major ('B' in this case) and range used in >> Documentation/userspace-api/ioctl/ioctl-number.rst. >> > Since it's really just a couple ioctls, I can "donate" part of the KVM > space, for example major 0xAE minor 0x20-0x3f. Randy, thanks for the ioctl doc refs. I can update the ioctl-number doc to add an entry for the Nitro Enclaves uapi with 0xAE and 0x20-0x3f range + update the KVM entry to have 0xAE 0x00-0x1f and 0x40-0xff. Will then use 0xAE and 0x20 for NE_ENCLAVE_START. Paolo, let me know if we should do this ioctl number update another way. And thanks for the proposal. :) Thanks, Andra Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in Romania. Registration number J22/2621/2005.
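The ioctl numbering discussed in the thread, as an added C example that is neither the patch's code nor the thread authors': it encodes NE_ENCLAVE_START both as posted ('B', 0x1) and with the KVM-donated numbering Paolo proposed and Andra agreed to (0xAE, minor 0x20), decodes the fields with the kernel's _IOC_* macros, and checks a command against the 0xAE 0x20-0x3f range and against the expected in/out shape. The helper names, the NE_IOCTL_* constants and the NE_START_FLAGS_KNOWN mask are assumptions for illustration, not driver code.

```c
#include <linux/ioctl.h>   /* _IOWR plus the _IOC_TYPE/_IOC_NR/_IOC_DIR/_IOC_SIZE decoders */
#include <linux/types.h>   /* __u64, as used by the uapi header */
#include <stdio.h>
/* Copy of the uapi struct from the patch, as userspace would see it. */
struct enclave_start_metadata {
	__u64 flags;        /* in: start flags; the patch defines no bit values yet */
	__u64 enclave_cid;  /* in/out: 0 asks the hypervisor to assign the CID */
	__u64 slot_uid;     /* out: slot id mapped to the started enclave */
};

/* Command number as posted ('B', 0x1) and with the numbering proposed in the thread. */
#define NE_ENCLAVE_START_POSTED   _IOWR('B', 0x1, struct enclave_start_metadata)
#define NE_ENCLAVE_START_PROPOSED _IOWR(0xAE, 0x20, struct enclave_start_metadata)

/* Range Paolo offered out of the KVM ioctl space (magic 0xAE, minors 0x20-0x3f). */
#define NE_IOCTL_MAGIC    0xAE
#define NE_IOCTL_NR_FIRST 0x20
#define NE_IOCTL_NR_LAST  0x3f

/* Assumed helper: 1 if cmd's magic and minor fall inside the donated range. */
int ne_cmd_in_donated_range(unsigned long cmd)
{
	return _IOC_TYPE(cmd) == NE_IOCTL_MAGIC &&
	       _IOC_NR(cmd) >= NE_IOCTL_NR_FIRST && _IOC_NR(cmd) <= NE_IOCTL_NR_LAST;
}

/* Assumed helper: 1 if cmd is an in/out command sized exactly for the start
 * struct, which is what a driver should check before copying the argument. */
int ne_cmd_is_start_shape(unsigned long cmd)
{
	return _IOC_DIR(cmd) == (_IOC_READ | _IOC_WRITE) &&
	       _IOC_SIZE(cmd) == sizeof(struct enclave_start_metadata);
}

/* Flag bits a driver would accept. None are defined in the patch, so the mask is
 * an assumed placeholder; rejecting unknown bits keeps them reserved for later ABI. */
#define NE_START_FLAGS_KNOWN 0ULL
int ne_start_flags_valid(__u64 flags)
{
	return (flags & ~NE_START_FLAGS_KNOWN) == 0;
}

int main(void)
{
	unsigned long cmd = NE_ENCLAVE_START_PROPOSED;
	printf("type=0x%02x nr=0x%02x size=%u donated-range=%d\n", (unsigned)_IOC_TYPE(cmd),
	       (unsigned)_IOC_NR(cmd), (unsigned)_IOC_SIZE(cmd), ne_cmd_in_donated_range(cmd));
	return 0;
}
```

Build on Linux with the kernel uapi headers installed; the program only decodes command numbers and never opens a device.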
diff --git a/include/linux/nitro_enclaves.h b/include/linux/nitro_enclaves.h new file mode 100644 index 000000000000..7e593a9fbf8c --- /dev/null +++ b/include/linux/nitro_enclaves.h @@ -0,0 +1,23 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2, as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef _LINUX_NITRO_ENCLAVES_H_ +#define _LINUX_NITRO_ENCLAVES_H_ + +#include <uapi/linux/nitro_enclaves.h> + +#endif /* _LINUX_NITRO_ENCLAVES_H_ */ diff --git a/include/uapi/linux/nitro_enclaves.h b/include/uapi/linux/nitro_enclaves.h new file mode 100644 index 000000000000..b90dfcf6253a --- /dev/null +++ b/include/uapi/linux/nitro_enclaves.h 
@@ -0,0 +1,52 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +/* + * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, + * version 2, as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef _UAPI_LINUX_NITRO_ENCLAVES_H_ +#define _UAPI_LINUX_NITRO_ENCLAVES_H_ + +#include <linux/kvm.h> +#include <linux/types.h> + +/* Nitro Enclaves (NE) Kernel Driver Interface */ + +/** + * The command is used to trigger enclave start after the enclave resources, + * such as memory and CPU, have been set. + * + * The enclave start metadata is an in / out data structure. It includes + * provided info by the caller - enclave cid and flags - and returns the + * slot uid and the cid (if input cid is 0). + */ +#define NE_ENCLAVE_START _IOWR('B', 0x1, struct enclave_start_metadata) + +/* Setup metadata necessary for enclave start. */ +struct enclave_start_metadata { + /* Flags for the enclave to start with (e.g. debug mode) (in). */ + __u64 flags; + + /** + * Context ID (CID) for the enclave vsock device. If 0 as input, the + * CID is autogenerated by the hypervisor and returned back as output + * by the driver (in/out). + */ + __u64 enclave_cid; + + /* Slot unique id mapped to the enclave to start (out). */ + __u64 slot_uid; +}; + +#endif /* _UAPI_LINUX_NITRO_ENCLAVES_H_ */
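Review bot: in the include/linux/nitro_enclaves.h hunk, the wrapper header carries nothing but `#include <uapi/linux/nitro_enclaves.h>`; the kernel's header search path already resolves `<linux/nitro_enclaves.h>` to include/uapi/linux/ when no include/linux/ copy exists, so unless a later patch in the series adds kernel-only declarations here the file can be dropped. The GPL boilerplate paragraph under the SPDX line is also redundant: the `SPDX-License-Identifier` tag from Documentation/process/license-rules.rst was introduced to replace that text, so the block can be removed from both new headers.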
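Review bot: in the include/uapi/linux/nitro_enclaves.h hunk, `flags` in struct enclave_start_metadata has no defined bit values (the comment only hints at "e.g. debug mode"), so userspace cannot know which bits are valid and the driver has no mask to validate against; define the accepted bits next to the struct and have the driver reject any other bit with -EINVAL so unused bits stay reserved for later ABI additions. The `_IOWR('B', 0x1, ...)` number should move to the documented range agreed in the thread (magic 0xAE, minor 0x20 from the KVM space) together with the ioctl-number.rst entry. `#include <linux/kvm.h>` is not referenced by anything in this header; if it is meant to advertise that the KVM ioctls are part of the NE interface, a comment saying so would help, otherwise it pulls the whole KVM uapi into every consumer for no benefit. Minor: `struct enclave_start_metadata` lands in the global userspace namespace without an `ne_` prefix, and the `/** ... */` comments are not kernel-doc formatted, so they should be plain `/* */` or proper kernel-doc.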