x86/sgx: Return 0 when !CONFIG_INTEL_SGX_DRIVER
diff mbox series

Message ID 20190714143212.971-1-jarkko.sakkinen@linux.intel.com
State New
Headers show
Series
  • x86/sgx: Return 0 when !CONFIG_INTEL_SGX_DRIVER
Related show

Commit Message

Jarkko Sakkinen July 14, 2019, 2:32 p.m. UTC
When the config option is not enabled the initialization is always
succesful.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
This was the reason why I got the -ENODEV error with my BuildRoot image.
The config option was not enabled but took some time realize as I was
kind of getting an error code from the driver initialization. Finally
when I used ftrace with 'sgx*' I knew what was going on.
 arch/x86/kernel/cpu/sgx/driver/driver.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jarkko Sakkinen July 15, 2019, 9:29 a.m. UTC | #1
On Sun, Jul 14, 2019 at 05:32:12PM +0300, Jarkko Sakkinen wrote:
> When the config option is not enabled the initialization is always
> succesful.
> 
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

It would whole a lot simpler if the call was just flagged:

#ifdef CONFIG_INTEL_SGX_DRIVER
	ret = sgx_drv_init();
	if (ret)
		goto err_kthread;
#endif

/Jarkko
Sean Christopherson July 15, 2019, 1:59 p.m. UTC | #2
On Sun, Jul 14, 2019 at 05:32:12PM +0300, Jarkko Sakkinen wrote:
> When the config option is not enabled the initialization is always
> succesful.

Why would the be initialization be considered successful?  It's dead code
and memory consumption if the driver can't load.  When KVM support gets
added, the initialization can be considered successful if the driver *or*
virtual EPC are enabled and load cleanly.

> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> ---
> This was the reason why I got the -ENODEV error with my BuildRoot image.
> The config option was not enabled but took some time realize as I was
> kind of getting an error code from the driver initialization. Finally
> when I used ftrace with 'sgx*' I knew what was going on.
>  arch/x86/kernel/cpu/sgx/driver/driver.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kernel/cpu/sgx/driver/driver.h b/arch/x86/kernel/cpu/sgx/driver/driver.h
> index da60839b133a..aafa64a4f481 100644
> --- a/arch/x86/kernel/cpu/sgx/driver/driver.h
> +++ b/arch/x86/kernel/cpu/sgx/driver/driver.h
> @@ -37,7 +37,7 @@ int sgx_drv_init(void);
>  #else
>  static inline int sgx_drv_init(void)
>  {
> -	return -ENODEV;
> +	return 0;
>  }
>  #endif
>  
> -- 
> 2.20.1
>
Jarkko Sakkinen Aug. 1, 2019, 4:22 p.m. UTC | #3
On Mon, Jul 15, 2019 at 06:59:03AM -0700, Sean Christopherson wrote:
> On Sun, Jul 14, 2019 at 05:32:12PM +0300, Jarkko Sakkinen wrote:
> > When the config option is not enabled the initialization is always
> > succesful.
> 
> Why would the be initialization be considered successful?  It's dead code
> and memory consumption if the driver can't load.  When KVM support gets
> added, the initialization can be considered successful if the driver *or*
> virtual EPC are enabled and load cleanly.

When a config option disabled means it that the functionality does not
exist at all, which means that there is nothing to fail. That is why it
would be actually better to flag the whole call than the way it is done
in this patch.

/Jarkko
Sean Christopherson Aug. 1, 2019, 4:29 p.m. UTC | #4
On Thu, Aug 01, 2019 at 07:22:19PM +0300, Jarkko Sakkinen wrote:
> On Mon, Jul 15, 2019 at 06:59:03AM -0700, Sean Christopherson wrote:
> > On Sun, Jul 14, 2019 at 05:32:12PM +0300, Jarkko Sakkinen wrote:
> > > When the config option is not enabled the initialization is always
> > > succesful.
> > 
> > Why would the be initialization be considered successful?  It's dead code
> > and memory consumption if the driver can't load.  When KVM support gets
> > added, the initialization can be considered successful if the driver *or*
> > virtual EPC are enabled and load cleanly.
> 
> When a config option disabled means it that the functionality does not
> exist at all, which means that there is nothing to fail. That is why it
> would be actually better to flag the whole call than the way it is done
> in this patch.

Regardless of how it's done, the core SGX management shouldn't consume
resources if it doesn't have downstream consumers.  Making INTEL_SGX
depend on INTEL_SGX_DRIVER is the obvious alternative.
Jarkko Sakkinen Aug. 2, 2019, 7:33 p.m. UTC | #5
On Thu, Aug 01, 2019 at 09:29:31AM -0700, Sean Christopherson wrote:
> On Thu, Aug 01, 2019 at 07:22:19PM +0300, Jarkko Sakkinen wrote:
> > On Mon, Jul 15, 2019 at 06:59:03AM -0700, Sean Christopherson wrote:
> > > On Sun, Jul 14, 2019 at 05:32:12PM +0300, Jarkko Sakkinen wrote:
> > > > When the config option is not enabled the initialization is always
> > > > succesful.
> > > 
> > > Why would the be initialization be considered successful?  It's dead code
> > > and memory consumption if the driver can't load.  When KVM support gets
> > > added, the initialization can be considered successful if the driver *or*
> > > virtual EPC are enabled and load cleanly.
> > 
> > When a config option disabled means it that the functionality does not
> > exist at all, which means that there is nothing to fail. That is why it
> > would be actually better to flag the whole call than the way it is done
> > in this patch.
> 
> Regardless of how it's done, the core SGX management shouldn't consume
> resources if it doesn't have downstream consumers.  Making INTEL_SGX
> depend on INTEL_SGX_DRIVER is the obvious alternative.

Is there a specific blocker that prevents using SGX just with KVM when
the latter option is disabled?

/Jarkko
Sean Christopherson Aug. 13, 2019, 1:22 a.m. UTC | #6
On Fri, Aug 02, 2019 at 10:33:38PM +0300, Jarkko Sakkinen wrote:
> On Thu, Aug 01, 2019 at 09:29:31AM -0700, Sean Christopherson wrote:
> > On Thu, Aug 01, 2019 at 07:22:19PM +0300, Jarkko Sakkinen wrote:
> > > On Mon, Jul 15, 2019 at 06:59:03AM -0700, Sean Christopherson wrote:
> > > > On Sun, Jul 14, 2019 at 05:32:12PM +0300, Jarkko Sakkinen wrote:
> > > > > When the config option is not enabled the initialization is always
> > > > > succesful.
> > > > 
> > > > Why would the be initialization be considered successful?  It's dead code
> > > > and memory consumption if the driver can't load.  When KVM support gets
> > > > added, the initialization can be considered successful if the driver *or*
> > > > virtual EPC are enabled and load cleanly.
> > > 
> > > When a config option disabled means it that the functionality does not
> > > exist at all, which means that there is nothing to fail. That is why it
> > > would be actually better to flag the whole call than the way it is done
> > > in this patch.
> > 
> > Regardless of how it's done, the core SGX management shouldn't consume
> > resources if it doesn't have downstream consumers.  Making INTEL_SGX
> > depend on INTEL_SGX_DRIVER is the obvious alternative.
> 
> Is there a specific blocker that prevents using SGX just with KVM when
> the latter option is disabled?

Nope, KVM does not have any dependencies on the native driver.  But if
sgx_drv_init() returns 0 when CONFIG_INTEL_SGX_DRIVER=n, then sgx_init()
won't handle KVM failure correctly since it will think the native driver
initialized cleanly.  E.g. with both KVM and driver in play, I was
thinking of something like this in sgx_init():

        /* Success if the native *or* virtual driver initialized cleanly. */
        ret = sgx_drv_init();
        ret = sgx_virt_epc_init() ? ret : 0;
        if (ret)
		goto err;

	return 0;

If sgx_drv_init() returns 0 when CONFIG_INTEL_SGX_DRIVER=n, then failure
in sgx_virt_epc_init() is ignored and we end up with the SGX subsystem
wasting resources again.
Jarkko Sakkinen Aug. 15, 2019, 9:56 p.m. UTC | #7
On Mon, Aug 12, 2019 at 06:22:27PM -0700, Sean Christopherson wrote:
> Nope, KVM does not have any dependencies on the native driver.  But if
> sgx_drv_init() returns 0 when CONFIG_INTEL_SGX_DRIVER=n, then sgx_init()
> won't handle KVM failure correctly since it will think the native driver
> initialized cleanly.  E.g. with both KVM and driver in play, I was
> thinking of something like this in sgx_init():
> 
>         /* Success if the native *or* virtual driver initialized cleanly. */
>         ret = sgx_drv_init();
>         ret = sgx_virt_epc_init() ? ret : 0;
>         if (ret)
> 		goto err;
> 
> 	return 0;
> 
> If sgx_drv_init() returns 0 when CONFIG_INTEL_SGX_DRIVER=n, then failure
> in sgx_virt_epc_init() is ignored and we end up with the SGX subsystem
> wasting resources again.

I get what you are saying but what exist now does not align with this
and on the other hand nothing prevents the reconsider the flow once we
get to this point.

/Jarkko
Sean Christopherson Aug. 21, 2019, 5:24 p.m. UTC | #8
On Fri, Aug 16, 2019 at 12:56:00AM +0300, Jarkko Sakkinen wrote:
> On Mon, Aug 12, 2019 at 06:22:27PM -0700, Sean Christopherson wrote:
> > Nope, KVM does not have any dependencies on the native driver.  But if
> > sgx_drv_init() returns 0 when CONFIG_INTEL_SGX_DRIVER=n, then sgx_init()
> > won't handle KVM failure correctly since it will think the native driver
> > initialized cleanly.  E.g. with both KVM and driver in play, I was
> > thinking of something like this in sgx_init():
> > 
> >         /* Success if the native *or* virtual driver initialized cleanly. */
> >         ret = sgx_drv_init();
> >         ret = sgx_virt_epc_init() ? ret : 0;
> >         if (ret)
> > 		goto err;
> > 
> > 	return 0;
> > 
> > If sgx_drv_init() returns 0 when CONFIG_INTEL_SGX_DRIVER=n, then failure
> > in sgx_virt_epc_init() is ignored and we end up with the SGX subsystem
> > wasting resources again.
> 
> I get what you are saying but what exist now does not align with this
> and on the other hand nothing prevents the reconsider the flow once we
> get to this point.

How does the current code not align with this approach?  The core subsystem
should tear itself down if loading the driver fails, which includes failing
because it doesn't exist.
Jarkko Sakkinen Aug. 22, 2019, 12:29 a.m. UTC | #9
On Wed, Aug 21, 2019 at 10:24:00AM -0700, Sean Christopherson wrote:
> How does the current code not align with this approach?  The core subsystem
> should tear itself down if loading the driver fails, which includes failing
> because it doesn't exist.

I get now the real issue that you are trying to point out (did not
earlier). Still, I think your approach to fix it needs some
reconsideration.

Something that *does not exist* can never fail. That should be dead
obvious.

If the SGX driver does not exit and KVM does not have SGX support
compiled in, then the only logical conclusion that you can end up with
is that neither the SGX core should exist in vmlinux in the first place.

This all summarizes to that I have to remove the INTEL_SGX_DRIVER
kconfig flag. Its existence can only be considered when there >= 2
in-kernel users for SGX.

/Jarkko
Sean Christopherson Aug. 22, 2019, 12:31 a.m. UTC | #10
On Thu, Aug 22, 2019 at 03:29:40AM +0300, Jarkko Sakkinen wrote:
> On Wed, Aug 21, 2019 at 10:24:00AM -0700, Sean Christopherson wrote:
> > How does the current code not align with this approach?  The core subsystem
> > should tear itself down if loading the driver fails, which includes failing
> > because it doesn't exist.
> 
> I get now the real issue that you are trying to point out (did not
> earlier). Still, I think your approach to fix it needs some
> reconsideration.
> 
> Something that *does not exist* can never fail. That should be dead
> obvious.
> 
> If the SGX driver does not exit and KVM does not have SGX support
> compiled in, then the only logical conclusion that you can end up with
> is that neither the SGX core should exist in vmlinux in the first place.
> 
> This all summarizes to that I have to remove the INTEL_SGX_DRIVER
> kconfig flag. Its existence can only be considered when there >= 2
> in-kernel users for SGX.

That works too.
Jarkko Sakkinen Aug. 22, 2019, 1:26 a.m. UTC | #11
On Thu, Aug 22, 2019 at 03:29:40AM +0300, Jarkko Sakkinen wrote:
> On Wed, Aug 21, 2019 at 10:24:00AM -0700, Sean Christopherson wrote:
> > How does the current code not align with this approach?  The core subsystem
> > should tear itself down if loading the driver fails, which includes failing
> > because it doesn't exist.
> 
> I get now the real issue that you are trying to point out (did not
> earlier). Still, I think your approach to fix it needs some
> reconsideration.
> 
> Something that *does not exist* can never fail. That should be dead
> obvious.
> 
> If the SGX driver does not exit and KVM does not have SGX support
> compiled in, then the only logical conclusion that you can end up with
> is that neither the SGX core should exist in vmlinux in the first place.
> 
> This all summarizes to that I have to remove the INTEL_SGX_DRIVER
> kconfig flag. Its existence can only be considered when there >= 2
> in-kernel users for SGX.

The subdirectory for the driver has clearly turned into legacy with only
two source files and one header file in it.

Even if/when we want to add INTEL_SGX_DRIVER back it is easiest use it
in the main makefile.

I prepared snippets to execute these changes.

This is for driver.h, ioctl.c, main.c (rename):

git filter-branch -f --index-filter 'git ls-files -s | \
    sed "s/sgx\/driver\/main\.c/sgx\/driver.c/" | \
    GIT_INDEX_FILE=$GIT_INDEX_FILE.new git update-index --index-info && \
    mv "$GIT_INDEX_FILE.new" "$GIT_INDEX_FILE"' mainline/master..master

This for for Makefile (remove):

git filter-branch -f --index-filter 'git ls-files -s | \
    sed "/sgx\/driver\/Makefile/d" | \
    GIT_INDEX_FILE=$GIT_INDEX_FILE.new git update-index --index-info && \
    mv "$GIT_INDEX_FILE.new" "$GIT_INDEX_FILE"' mainline/master..master

/Jarkko
Jarkko Sakkinen Aug. 22, 2019, 2:42 p.m. UTC | #12
On Wed, 2019-08-21 at 17:31 -0700, Sean Christopherson wrote:
> On Thu, Aug 22, 2019 at 03:29:40AM +0300, Jarkko Sakkinen wrote:
> > On Wed, Aug 21, 2019 at 10:24:00AM -0700, Sean Christopherson wrote:
> > > How does the current code not align with this approach?  The core subsystem
> > > should tear itself down if loading the driver fails, which includes failing
> > > because it doesn't exist.
> > 
> > I get now the real issue that you are trying to point out (did not
> > earlier). Still, I think your approach to fix it needs some
> > reconsideration.
> > 
> > Something that *does not exist* can never fail. That should be dead
> > obvious.
> > 
> > If the SGX driver does not exit and KVM does not have SGX support
> > compiled in, then the only logical conclusion that you can end up with
> > is that neither the SGX core should exist in vmlinux in the first place.
> > 
> > This all summarizes to that I have to remove the INTEL_SGX_DRIVER
> > kconfig flag. Its existence can only be considered when there >= 2
> > in-kernel users for SGX.
> 
> That works too.

It is only thing that fixes the issue. Leaving unused code to vmlinux
can be classified as a regression.

/Jarkko

Patch
diff mbox series

diff --git a/arch/x86/kernel/cpu/sgx/driver/driver.h b/arch/x86/kernel/cpu/sgx/driver/driver.h
index da60839b133a..aafa64a4f481 100644
--- a/arch/x86/kernel/cpu/sgx/driver/driver.h
+++ b/arch/x86/kernel/cpu/sgx/driver/driver.h
@@ -37,7 +37,7 @@  int sgx_drv_init(void);
 #else
 static inline int sgx_drv_init(void)
 {
-	return -ENODEV;
+	return 0;
 }
 #endif