| Message ID | 20250309172215.21777-2-vdronov@redhat.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [v2] x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled | expand |
On Sun, 2025-03-09 at 18:22 +0100, Vladis Dronov wrote: > A kernel requires X86_FEATURE_SGX_LC to be able to create SGX enclaves. The kernel requires ... > There is quite a number of hardware which has X86_FEATURE_SGX but not > X86_FEATURE_SGX_LC. A kernel running on such a hardware does not create > /dev/sgx_enclave file silently. Explicitly warn if X86_FEATURE_SGX_LC > is not enabled to properly nofity a user about this condition. ^ notify And I don't think "notify" is correct because the reality is the kernel only prints some error message so that the user can check and see when it wants. How about: Explicitly print error message if X86_FEATURE_SGX_LC is not present so that the users can be aware of this condition which results in SGX driver being disabled. > > The X86_FEATURE_SGX_LC is a CPU feature that enables LE hash MSRs to be > writable when running native enclaves, i.e. using a custom root key rather > than the Intel proprietary key for enclave signing. Using "root key" can be controversial. Let's just say "key" instead. And the X86_FEATURE_SGX_LC feature itself doesn't automatically enable LE MSRs to be writable. We still need to opt-in in the 'feature control' MSR. How about: The X86_FEATURE_SGX_LC, a.k.a. SGX Launch Control, is a CPU feature that enables LE (Launch Enclave) hash MSRs to be writable (with additional opt-in required in the 'feature control' MSR) when running enclaves, i.e., using a custom key rather than the Intel proprietary key for enclave signing. > > Signed-off-by: Vladis Dronov <vdronov@redhat.com> I think this message will be useful for someone who knows SGX in general but doesn't know that Linux SGX driver requires the LE MSRs to be writable, thus requires the CPU supports SGX_LC feature bit. With the above addressed, feel free to add: Acked-by: Kai Huang <kai.huang@intel.com> > --- > > an out-of-commit-message note: > > I've hit this issue myself and have spent some time researching where is > my /dev/sgx_enclave file on an SGX-enabled hardware, so this is a bit > personal. > > Links related: > https://github.com/intel/linux-sgx/issues/837 > https://patchwork.kernel.org/project/platform-driver-x86/patch/20180827185507.17087-3-jarkko.sakkinen@linux.intel.com/ > > arch/x86/kernel/cpu/sgx/driver.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c > index 22b65a5f5ec6..df4fbfaa6616 100644 > --- a/arch/x86/kernel/cpu/sgx/driver.c > +++ b/arch/x86/kernel/cpu/sgx/driver.c > @@ -150,8 +150,10 @@ int __init sgx_drv_init(void) > u64 xfrm_mask; > int ret; > > - if (!cpu_feature_enabled(X86_FEATURE_SGX_LC)) > + if (!cpu_feature_enabled(X86_FEATURE_SGX_LC)) { > + pr_err("SGX disabled: SGX launch control is not available.\n"); > return -ENODEV; > + } > > cpuid_count(SGX_CPUID, 0, &eax, &ebx, &ecx, &edx); >
diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c index 22b65a5f5ec6..df4fbfaa6616 100644 --- a/arch/x86/kernel/cpu/sgx/driver.c +++ b/arch/x86/kernel/cpu/sgx/driver.c @@ -150,8 +150,10 @@ int __init sgx_drv_init(void) u64 xfrm_mask; int ret; - if (!cpu_feature_enabled(X86_FEATURE_SGX_LC)) + if (!cpu_feature_enabled(X86_FEATURE_SGX_LC)) { + pr_err("SGX disabled: SGX launch control is not available.\n"); return -ENODEV; + } cpuid_count(SGX_CPUID, 0, &eax, &ebx, &ecx, &edx);
A kernel requires X86_FEATURE_SGX_LC to be able to create SGX enclaves. There is quite a number of hardware which has X86_FEATURE_SGX but not X86_FEATURE_SGX_LC. A kernel running on such a hardware does not create /dev/sgx_enclave file silently. Explicitly warn if X86_FEATURE_SGX_LC is not enabled to properly nofity a user about this condition. The X86_FEATURE_SGX_LC is a CPU feature that enables LE hash MSRs to be writable when running native enclaves, i.e. using a custom root key rather than the Intel proprietary key for enclave signing. Signed-off-by: Vladis Dronov <vdronov@redhat.com> --- an out-of-commit-message note: I've hit this issue myself and have spent some time researching where is my /dev/sgx_enclave file on an SGX-enabled hardware, so this is a bit personal. Links related: https://github.com/intel/linux-sgx/issues/837 https://patchwork.kernel.org/project/platform-driver-x86/patch/20180827185507.17087-3-jarkko.sakkinen@linux.intel.com/ arch/x86/kernel/cpu/sgx/driver.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)