[RFC,v3,23/27] KVM: VMX: Add SGX ENCLS[ECREATE] handler to enforce CPUID restrictions

Message ID	d68c01baed78f859ac5fce4519646fc8a356c77d.1611634586.git.kai.huang@intel.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <kvm-owner@kernel.org> IronPort-SDR: /UhDMClHFeahOyKTZGTlJG2DxlOBnqx2QF99u2RuFdGeFDts8hFSQ3EI06+TcwJ5vpC+VZa3ZN xbABHSQzHh1w== IronPort-SDR: U86Gq95GiiWwAr+tQ7XRDHmPryk/ztnOXAhfLzelgZCMpazZRQD5nB6R2p3DTm3xCHc+e0RL0j 5qWjSe4bjAEQ== From: Kai Huang <kai.huang@intel.com> To: linux-sgx@vger.kernel.org, kvm@vger.kernel.org, x86@kernel.org Cc: seanjc@google.com, jarkko@kernel.org, luto@kernel.org, dave.hansen@intel.com, haitao.huang@intel.com, pbonzini@redhat.com, bp@alien8.de, tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com, jmattson@google.com, joro@8bytes.org, vkuznets@redhat.com, wanpengli@tencent.com, Kai Huang <kai.huang@intel.com> Subject: [RFC PATCH v3 23/27] KVM: VMX: Add SGX ENCLS[ECREATE] handler to enforce CPUID restrictions Date: Tue, 26 Jan 2021 22:31:44 +1300 Message-Id: <d68c01baed78f859ac5fce4519646fc8a356c77d.1611634586.git.kai.huang@intel.com> In-Reply-To: <cover.1611634586.git.kai.huang@intel.com> References: <cover.1611634586.git.kai.huang@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	KVM SGX virtualization support \| expand [RFC,v3,00/27] KVM SGX virtualization support [RFC,v3,01/27] x86/cpufeatures: Add SGX1 and SGX2 sub-features [RFC,v3,02/27] x86/cpufeatures: Make SGX_LC feature bit depend on SGX bit [RFC,v3,03/27] x86/sgx: Remove a warn from sgx_free_epc_page() [RFC,v3,04/27] x86/sgx: Wipe out EREMOVE from sgx_free_epc_page() [RFC,v3,05/27] x86/sgx: Add SGX_CHILD_PRESENT hardware error code [RFC,v3,06/27] x86/sgx: Introduce virtual EPC for use by KVM guests [RFC,v3,07/27] x86/cpu/intel: Allow SGX virtualization without Launch Control support [RFC,v3,08/27] x86/sgx: Initialize virtual EPC driver even when SGX driver is disabled [RFC,v3,09/27] x86/sgx: Expose SGX architectural definitions to the kernel [RFC,v3,10/27] x86/sgx: Move ENCLS leaf definitions to sgx_arch.h [RFC,v3,11/27] x86/sgx: Add SGX2 ENCLS leaf definitions (EAUG, EMODPR and EMODT) [RFC,v3,12/27] x86/sgx: Add encls_faulted() helper [RFC,v3,13/27] x86/sgx: Add helper to update SGX_LEPUBKEYHASHn MSRs [RFC,v3,14/27] x86/sgx: Add helpers to expose ECREATE and EINIT to KVM [RFC,v3,15/27] x86/sgx: Move provisioning device creation out of SGX driver [RFC,v3,16/27] KVM: VMX: Convert vcpu_vmx.exit_reason to a union [RFC,v3,17/27] KVM: x86: Export kvm_mmu_gva_to_gpa_{read,write}() for SGX (VMX) [RFC,v3,18/27] KVM: x86: Define new #PF SGX error code bit [RFC,v3,19/27] KVM: x86: Add support for reverse CPUID lookup of scattered features [RFC,v3,20/27] KVM: x86: Add reverse-CPUID lookup support for scattered SGX features [RFC,v3,21/27] KVM: VMX: Add basic handling of VM-Exit from SGX enclave [RFC,v3,22/27] KVM: VMX: Frame in ENCLS handler for SGX virtualization [RFC,v3,23/27] KVM: VMX: Add SGX ENCLS[ECREATE] handler to enforce CPUID restrictions [RFC,v3,24/27] KVM: VMX: Add emulation of SGX Launch Control LE hash MSRs [RFC,v3,25/27] KVM: VMX: Add ENCLS[EINIT] handler to support SGX Launch Control (LC) [RFC,v3,26/27] KVM: VMX: Enable SGX virtualization for SGX1, SGX2 and LC [RFC,v3,27/27] KVM: x86: Add capability to grant VM access to privileged SGX attribute

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 9581f81e62a4..cd71f30fbdd1 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1000,6 +1000,9 @@ struct kvm_arch { struct msr_bitmap_range ranges[16]; } msr_filter; + /* Guest can access the SGX PROVISIONKEY. */ + bool sgx_provisioning_allowed; + struct kvm_pmu_event_filter *pmu_event_filter; struct task_struct *nx_lpage_recovery_thread; diff --git a/arch/x86/kvm/vmx/sgx.c b/arch/x86/kvm/vmx/sgx.c index 693bf7735308..4281045318ac 100644 --- a/arch/x86/kvm/vmx/sgx.c +++ b/arch/x86/kvm/vmx/sgx.c @@ -12,6 +12,247 @@ bool __read_mostly enable_sgx; +/* + * ENCLS's memory operands use a fixed segment (DS) and a fixed + * address size based on the mode. Related prefixes are ignored. + */ +static int sgx_get_encls_gva(struct kvm_vcpu *vcpu, unsigned long offset, + int size, int alignment, gva_t *gva) +{ + struct kvm_segment s; + bool fault; + + /* Skip vmcs.GUEST_DS retrieval for 64-bit mode to avoid VMREADs. */ + *gva = offset; + if (!is_long_mode(vcpu)) { + vmx_get_segment(vcpu, &s, VCPU_SREG_DS); + *gva += s.base; + } + + if (!IS_ALIGNED(*gva, alignment)) { + fault = true; + } else if (likely(is_long_mode(vcpu))) { + fault = is_noncanonical_address(*gva, vcpu); + } else { + *gva &= 0xffffffff; + fault = (s.unusable) || + (s.type != 2 && s.type != 3) || + (*gva > s.limit) || + ((s.base != 0 || s.limit != 0xffffffff) && + (((u64)*gva + size - 1) > s.limit + 1)); + } + if (fault) + kvm_inject_gp(vcpu, 0); + return fault ? -EINVAL : 0; +} + +static void sgx_handle_emulation_failure(struct kvm_vcpu *vcpu, u64 addr, + unsigned int size) +{ + vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; + vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; + vcpu->run->internal.ndata = 2; + vcpu->run->internal.data[0] = addr; + vcpu->run->internal.data[1] = size; +} + +static int sgx_read_hva(struct kvm_vcpu *vcpu, unsigned long hva, void *data, + unsigned int size) +{ + if (__copy_from_user(data, (void __user *)hva, size)) { + sgx_handle_emulation_failure(vcpu, hva, size); + return -EFAULT; + } + + return 0; +} + +static int sgx_gva_to_gpa(struct kvm_vcpu *vcpu, gva_t gva, bool write, + gpa_t *gpa) +{ + struct x86_exception ex; + + if (write) + *gpa = kvm_mmu_gva_to_gpa_write(vcpu, gva, &ex); + else + *gpa = kvm_mmu_gva_to_gpa_read(vcpu, gva, &ex); + + if (*gpa == UNMAPPED_GVA) { + kvm_inject_emulated_page_fault(vcpu, &ex); + return -EFAULT; + } + + return 0; +} + +static int sgx_gpa_to_hva(struct kvm_vcpu *vcpu, gpa_t gpa, unsigned long *hva) +{ + *hva = kvm_vcpu_gfn_to_hva(vcpu, PFN_DOWN(gpa)); + if (kvm_is_error_hva(*hva)) { + sgx_handle_emulation_failure(vcpu, gpa, 1); + return -EFAULT; + } + + *hva |= gpa & ~PAGE_MASK; + + return 0; +} + +static int sgx_inject_fault(struct kvm_vcpu *vcpu, gva_t gva, int trapnr) +{ + struct x86_exception ex; + + /* + * A non-EPCM #PF indicates a bad userspace HVA. This *should* check + * for PFEC.SGX and not assume any #PF on SGX2 originated in the EPC, + * but the error code isn't (yet) plumbed through the ENCLS helpers. + */ + if (trapnr == PF_VECTOR && !boot_cpu_has(X86_FEATURE_SGX2)) { + vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; + vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; + vcpu->run->internal.ndata = 0; + return 0; + } + + /* + * If the guest thinks it's running on SGX2 hardware, inject an SGX + * #PF if the fault matches an EPCM fault signature (#GP on SGX1, + * #PF on SGX2). The assumption is that EPCM faults are much more + * likely than a bad userspace address. + */ + if ((trapnr == PF_VECTOR || !boot_cpu_has(X86_FEATURE_SGX2)) && + guest_cpuid_has(vcpu, X86_FEATURE_SGX2)) { + memset(&ex, 0, sizeof(ex)); + ex.vector = PF_VECTOR; + ex.error_code = PFERR_PRESENT_MASK | PFERR_WRITE_MASK | + PFERR_SGX_MASK; + ex.address = gva; + ex.error_code_valid = true; + ex.nested_page_fault = false; + kvm_inject_page_fault(vcpu, &ex); + } else { + kvm_inject_gp(vcpu, 0); + } + return 1; +} + +static int handle_encls_ecreate(struct kvm_vcpu *vcpu) +{ + unsigned long a_hva, m_hva, x_hva, s_hva, secs_hva; + struct kvm_cpuid_entry2 *sgx_12_0, *sgx_12_1; + gpa_t metadata_gpa, contents_gpa, secs_gpa; + struct sgx_pageinfo pageinfo; + gva_t pageinfo_gva, secs_gva; + u64 attributes, xfrm, size; + struct x86_exception ex; + u8 max_size_log2; + u32 miscselect; + int trapnr, r; + + sgx_12_0 = kvm_find_cpuid_entry(vcpu, 0x12, 0); + sgx_12_1 = kvm_find_cpuid_entry(vcpu, 0x12, 1); + if (!sgx_12_0 || !sgx_12_1) { + kvm_inject_gp(vcpu, 0); + return 1; + } + + if (sgx_get_encls_gva(vcpu, kvm_rbx_read(vcpu), 32, 32, &pageinfo_gva) || + sgx_get_encls_gva(vcpu, kvm_rcx_read(vcpu), 4096, 4096, &secs_gva)) + return 1; + + /* + * Copy the PAGEINFO to local memory, its pointers need to be + * translated, i.e. we need to do a deep copy/translate. + */ + r = kvm_read_guest_virt(vcpu, pageinfo_gva, &pageinfo, + sizeof(pageinfo), &ex); + if (r == X86EMUL_PROPAGATE_FAULT) { + kvm_inject_emulated_page_fault(vcpu, &ex); + return 1; + } else if (r != X86EMUL_CONTINUE) { + sgx_handle_emulation_failure(vcpu, pageinfo_gva, size); + return 0; + } + + /* + * Verify alignment early. This conveniently avoids having to worry + * about page splits on userspace addresses. + */ + if (!IS_ALIGNED(pageinfo.metadata, 64) || + !IS_ALIGNED(pageinfo.contents, 4096)) { + kvm_inject_gp(vcpu, 0); + return 1; + } + + /* + * Translate the SECINFO, SOURCE and SECS pointers from GVA to GPA. + * Resume the guest on failure to inject a #PF. + */ + if (sgx_gva_to_gpa(vcpu, pageinfo.metadata, false, &metadata_gpa) || + sgx_gva_to_gpa(vcpu, pageinfo.contents, false, &contents_gpa) || + sgx_gva_to_gpa(vcpu, secs_gva, true, &secs_gpa)) + return 1; + + /* + * ...and then to HVA. The order of accesses isn't architectural, i.e. + * KVM doesn't have to fully process one address at a time. Exit to + * userspace if a GPA is invalid. + */ + if (sgx_gpa_to_hva(vcpu, metadata_gpa, + (unsigned long *)&pageinfo.metadata) || + sgx_gpa_to_hva(vcpu, contents_gpa, + (unsigned long *)&pageinfo.contents) || + sgx_gpa_to_hva(vcpu, secs_gpa, &secs_hva)) + return 0; + + /* + * Read out select portions of the input SECS to enforce userspace + * restrictions on MISCSELECT, ATTRIBUTES, etc... Note, 'contents' is + * page aligned, i.e. no need to worry about page splits. + */ + m_hva = pageinfo.contents + offsetof(struct sgx_secs, miscselect); + a_hva = pageinfo.contents + offsetof(struct sgx_secs, attributes); + x_hva = pageinfo.contents + offsetof(struct sgx_secs, xfrm); + s_hva = pageinfo.contents + offsetof(struct sgx_secs, size); + + /* Exit to userspace if copying from a host userspace address fails. */ + if (sgx_read_hva(vcpu, m_hva, &miscselect, sizeof(miscselect)) || + sgx_read_hva(vcpu, a_hva, &attributes, sizeof(attributes)) || + sgx_read_hva(vcpu, x_hva, &xfrm, sizeof(xfrm)) || + sgx_read_hva(vcpu, s_hva, &size, sizeof(size))) + return 0; + + /* Enforce restriction of access to the PROVISIONKEY. */ + if (!vcpu->kvm->arch.sgx_provisioning_allowed && + (attributes & SGX_ATTR_PROVISIONKEY)) { + if (sgx_12_1->eax & SGX_ATTR_PROVISIONKEY) + pr_warn_once("KVM: SGX PROVISIONKEY advertised but not allowed\n"); + kvm_inject_gp(vcpu, 0); + return 1; + } + + /* Enforce CPUID restrictions on MISCSELECT, ATTRIBUTES and XFRM. */ + if ((u32)miscselect & ~sgx_12_0->ebx || + (u32)attributes & ~sgx_12_1->eax || + (u32)(attributes >> 32) & ~sgx_12_1->ebx || + (u32)xfrm & ~sgx_12_1->ecx || + (u32)(xfrm >> 32) & ~sgx_12_1->edx) { + kvm_inject_gp(vcpu, 0); + return 1; + } + + /* Enforce CPUID restriction on max enclave size. */ + max_size_log2 = (attributes & SGX_ATTR_MODE64BIT) ? sgx_12_0->edx >> 8 : + sgx_12_0->edx; + if (size >= BIT_ULL(max_size_log2)) + kvm_inject_gp(vcpu, 0); + + if (sgx_virt_ecreate(&pageinfo, (void __user *)secs_hva, &trapnr)) + return sgx_inject_fault(vcpu, secs_gva, trapnr); + + return kvm_skip_emulated_instruction(vcpu); +} + static inline bool encls_leaf_enabled_in_guest(struct kvm_vcpu *vcpu, u32 leaf) { if (!enable_sgx || !guest_cpuid_has(vcpu, X86_FEATURE_SGX)) @@ -42,6 +283,8 @@ int handle_encls(struct kvm_vcpu *vcpu) } else if (!sgx_enabled_in_guest_bios(vcpu)) { kvm_inject_gp(vcpu, 0); } else { + if (leaf == ECREATE) + return handle_encls_ecreate(vcpu); WARN(1, "KVM: unexpected exit on ENCLS[%u]", leaf); vcpu->run->exit_reason = KVM_EXIT_UNKNOWN; vcpu->run->hw.hardware_exit_reason = EXIT_REASON_ENCLS;

[RFC,v3,23/27] KVM: VMX: Add SGX ENCLS[ECREATE] handler to enforce CPUID restrictions

Commit Message

Comments

Patch