[v38,03/24] x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX

Message ID	20200915112842.897265-4-jarkko.sakkinen@linux.intel.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=APC0=CZ=vger.kernel.org=linux-sgx-owner@kernel.org> From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> To: x86@kernel.org, linux-sgx@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Sean Christopherson <sean.j.christopherson@intel.com>, Jethro Beekman <jethro@fortanix.com>, Darren Kenny <darren.kenny@oracle.com>, Borislav Petkov <bp@suse.de>, Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>, akpm@linux-foundation.org, andriy.shevchenko@linux.intel.com, asapek@google.com, bp@alien8.de, cedric.xing@intel.com, chenalexchen@google.com, conradparker@google.com, cyhanish@google.com, dave.hansen@intel.com, haitao.huang@intel.com, josh@joshtriplett.org, kai.huang@intel.com, kai.svahn@intel.com, kmoy@google.com, ludloff@google.com, luto@kernel.org, nhorman@redhat.com, npmccallum@redhat.com, puiterwijk@redhat.com, rientjes@google.com, tglx@linutronix.de, yaozhangx@google.com Subject: [PATCH v38 03/24] x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX Date: Tue, 15 Sep 2020 14:28:21 +0300 Message-Id: <20200915112842.897265-4-jarkko.sakkinen@linux.intel.com> In-Reply-To: <20200915112842.897265-1-jarkko.sakkinen@linux.intel.com> References: <20200915112842.897265-1-jarkko.sakkinen@linux.intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-sgx-owner@vger.kernel.org Precedence: bulk
Series	Intel SGX foundations \| expand [v38,00/24] Intel SGX foundations [v38,01/24] x86/cpufeatures: x86/msr: Add Intel SGX hardware bits [v38,02/24] x86/cpufeatures: x86/msr: Add Intel SGX Launch Control hardware bits [v38,03/24] x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX [v38,04/24] x86/sgx: Add SGX microarchitectural data structures [v38,05/24] x86/sgx: Add wrappers for ENCLS leaf functions [v38,06/24] x86/cpu/intel: Detect SGX support [v38,07/24] x86/cpu/intel: Add nosgx kernel parameter [v38,08/24] x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections [v38,09/24] x86/sgx: Add __sgx_alloc_epc_page() and sgx_free_epc_page() [v38,10/24] mm: Add vm_ops->mprotect() [v38,11/24] x86/sgx: Add SGX enclave driver [v38,12/24] x86/sgx: Add SGX_IOC_ENCLAVE_CREATE [v38,13/24] x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES [v38,14/24] x86/sgx: Add SGX_IOC_ENCLAVE_INIT [v38,15/24] x86/sgx: Enable provisioning for remote attestation [v38,16/24] x86/sgx: Add a page reclaimer [v38,17/24] x86/sgx: ptrace() support for the SGX driver [v38,18/24] x86/vdso: Add support for exception fixup in vDSO functions [v38,19/24] x86/fault: Add helper function to sanitize error code [v38,20/24] x86/traps: Attempt to fixup exceptions in vDSO before signaling [v38,21/24] x86/vdso: Implement a vDSO for Intel SGX enclave call [v38,22/24] selftests/x86: Add a selftest for SGX [v38,23/24] docs: x86/sgx: Document SGX micro architecture and kernel internals [v38,24/24] x86/sgx: Update MAINTAINERS

Message ID

20200915112842.897265-4-jarkko.sakkinen@linux.intel.com (mailing list archive)

State

New, archived

Headers

From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: x86@kernel.org, linux-sgx@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
        Sean Christopherson <sean.j.christopherson@intel.com>,
        Jethro Beekman <jethro@fortanix.com>,
        Darren Kenny <darren.kenny@oracle.com>,
        Borislav Petkov <bp@suse.de>,
        Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
        akpm@linux-foundation.org, andriy.shevchenko@linux.intel.com,
        asapek@google.com, bp@alien8.de, cedric.xing@intel.com,
        chenalexchen@google.com, conradparker@google.com,
        cyhanish@google.com, dave.hansen@intel.com, haitao.huang@intel.com,
        josh@joshtriplett.org, kai.huang@intel.com, kai.svahn@intel.com,
        kmoy@google.com, ludloff@google.com, luto@kernel.org,
        nhorman@redhat.com, npmccallum@redhat.com, puiterwijk@redhat.com,
        rientjes@google.com, tglx@linutronix.de, yaozhangx@google.com
Subject: [PATCH v38 03/24] x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX
Date: Tue, 15 Sep 2020 14:28:21 +0300
Message-Id: <20200915112842.897265-4-jarkko.sakkinen@linux.intel.com>
In-Reply-To: <20200915112842.897265-1-jarkko.sakkinen@linux.intel.com>
References: <20200915112842.897265-1-jarkko.sakkinen@linux.intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-sgx-owner@vger.kernel.org
Precedence: bulk

Series

Intel SGX foundations | expand

Commit Message

Jarkko Sakkinen Sept. 15, 2020, 11:28 a.m. UTC

From: Sean Christopherson <sean.j.christopherson@intel.com>

Include SGX bit to the PF error codes and throw SIGSEGV with PF_SGX when
a #PF with SGX set happens.

CPU throws a #PF with the SGX set in the event of Enclave Page Cache Map
(EPCM) conflict. The EPCM is a CPU-internal table, which describes the
properties for a enclave page. Enclaves are measured and signed software
entities, which SGX hosts. [1]

Although the primary purpose of the EPCM conflict checks  is to prevent
malicious accesses to an enclave, an illegit access can happen also for
legit reasons.

All SGX reserved memory, including EPCM is encrypted with a transient key
that does not survive from the power transition. Throwing a SIGSEGV allows
user space software to react when this happens (e.g. recreate the enclave,
which was invalidated).

[1] Intel SDM: 36.5.1 Enclave Page Cache Map (EPCM)

Acked-by: Jethro Beekman <jethro@fortanix.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 arch/x86/include/asm/traps.h | 14 ++++++++------
 arch/x86/mm/fault.c          | 13 +++++++++++++
 2 files changed, 21 insertions(+), 6 deletions(-)

Comments

Borislav Petkov Sept. 16, 2020, 11:44 a.m. UTC | #1

On Tue, Sep 15, 2020 at 02:28:21PM +0300, Jarkko Sakkinen wrote:
> From: Sean Christopherson <sean.j.christopherson@intel.com>
> 
> Include SGX bit to the PF error codes and throw SIGSEGV with PF_SGX when
> a #PF with SGX set happens.
> 
> CPU throws a #PF with the SGX set in the event of Enclave Page Cache Map
> (EPCM) conflict. The EPCM is a CPU-internal table, which describes the
> properties for a enclave page. Enclaves are measured and signed software
> entities, which SGX hosts. [1]
> 
> Although the primary purpose of the EPCM conflict checks  is to prevent
> malicious accesses to an enclave, an illegit access can happen also for
> legit reasons.
> 
> All SGX reserved memory, including EPCM is encrypted with a transient key
> that does not survive from the power transition. Throwing a SIGSEGV allows
> user space software to react when this happens (e.g. recreate the enclave,
> which was invalidated).
> 
> [1] Intel SDM: 36.5.1 Enclave Page Cache Map (EPCM)
> 
> Acked-by: Jethro Beekman <jethro@fortanix.com>
> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
> Reviewed-by: Borislav Petkov <bp@suse.de>
> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> ---
>  arch/x86/include/asm/traps.h | 14 ++++++++------

The SEV-ES patchset moved that to arch/x86/include/asm/trap_pf.h but
fixing that up is real easy. Simply do this search-replace

s!arch/x86/include/asm/traps.h!arch/x86/include/asm/trap_pf.h!

on this patch.

Jarkko Sakkinen Sept. 16, 2020, 8:30 p.m. UTC | #2

On Wed, Sep 16, 2020 at 01:44:48PM +0200, Borislav Petkov wrote:
> On Tue, Sep 15, 2020 at 02:28:21PM +0300, Jarkko Sakkinen wrote:
> > From: Sean Christopherson <sean.j.christopherson@intel.com>
> > 
> > Include SGX bit to the PF error codes and throw SIGSEGV with PF_SGX when
> > a #PF with SGX set happens.
> > 
> > CPU throws a #PF with the SGX set in the event of Enclave Page Cache Map
> > (EPCM) conflict. The EPCM is a CPU-internal table, which describes the
> > properties for a enclave page. Enclaves are measured and signed software
> > entities, which SGX hosts. [1]
> > 
> > Although the primary purpose of the EPCM conflict checks  is to prevent
> > malicious accesses to an enclave, an illegit access can happen also for
> > legit reasons.
> > 
> > All SGX reserved memory, including EPCM is encrypted with a transient key
> > that does not survive from the power transition. Throwing a SIGSEGV allows
> > user space software to react when this happens (e.g. recreate the enclave,
> > which was invalidated).
> > 
> > [1] Intel SDM: 36.5.1 Enclave Page Cache Map (EPCM)
> > 
> > Acked-by: Jethro Beekman <jethro@fortanix.com>
> > Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
> > Reviewed-by: Borislav Petkov <bp@suse.de>
> > Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> > ---
> >  arch/x86/include/asm/traps.h | 14 ++++++++------
> 
> The SEV-ES patchset moved that to arch/x86/include/asm/trap_pf.h but
> fixing that up is real easy. Simply do this search-replace
> 
> s!arch/x86/include/asm/traps.h!arch/x86/include/asm/trap_pf.h!
> 
> on this patch.

Hey, I just did

git fetch mainline && git rebase mainline/master

Zero conflicts and there is no trap_pf.h yet. So this is not yet in
Linus' tree?

/Jarkko

Borislav Petkov Sept. 16, 2020, 8:32 p.m. UTC | #3

On Wed, Sep 16, 2020 at 11:30:08PM +0300, Jarkko Sakkinen wrote:
> Zero conflicts and there is no trap_pf.h yet. So this is not yet in
> Linus' tree?

tip tree: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/log/?h=x86/seves

diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h
index 714b1a30e7b0..4446f95ad997 100644
--- a/arch/x86/include/asm/traps.h
+++ b/arch/x86/include/asm/traps.h
@@ -44,12 +44,13 @@  void __noreturn handle_stack_overflow(const char *message,
 /*
  * Page fault error code bits:
  *
- *   bit 0 ==	 0: no page found	1: protection fault
- *   bit 1 ==	 0: read access		1: write access
- *   bit 2 ==	 0: kernel-mode access	1: user-mode access
- *   bit 3 ==				1: use of reserved bit detected
- *   bit 4 ==				1: fault was an instruction fetch
- *   bit 5 ==				1: protection keys block access
+ *   bit 0  ==	 0: no page found	1: protection fault
+ *   bit 1  ==	 0: read access		1: write access
+ *   bit 2  ==	 0: kernel-mode access	1: user-mode access
+ *   bit 3  ==				1: use of reserved bit detected
+ *   bit 4  ==				1: fault was an instruction fetch
+ *   bit 5  ==				1: protection keys block access
+ *   bit 15 ==				1: inside SGX enclave
  */
 enum x86_pf_error_code {
 	X86_PF_PROT	=		1 << 0,
@@ -58,5 +59,6 @@  enum x86_pf_error_code {
 	X86_PF_RSVD	=		1 << 3,
 	X86_PF_INSTR	=		1 << 4,
 	X86_PF_PK	=		1 << 5,
+	X86_PF_SGX	=		1 << 15,
 };
 #endif /* _ASM_X86_TRAPS_H */
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 35f1498e9832..1a7cc6d3281a 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -1054,6 +1054,19 @@  access_error(unsigned long error_code, struct vm_area_struct *vma)
 	if (error_code & X86_PF_PK)
 		return 1;
 
+	/*
+	 * Access is blocked by the Enclave Page Cache Map (EPCM), i.e. the
+	 * access is allowed by the PTE but not the EPCM. This usually happens
+	 * when the EPCM is yanked out from under us, e.g. by hardware after a
+	 * suspend/resume cycle. In any case, software, i.e. the kernel, can't
+	 * fix the source of the fault as the EPCM can't be directly modified by
+	 * software. Handle the fault as an access error in order to signal
+	 * userspace so that userspace can rebuild their enclave(s), even though
+	 * userspace may not have actually violated access permissions.
+	 */
+	if (unlikely(error_code & X86_PF_SGX))
+		return 1;
+
 	/*
 	 * Make sure to check the VMA so that we do not perform
 	 * faults just to hit a X86_PF_PK as soon as we fill in a

[v38,03/24] x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX

Commit Message

Comments

Patch