Re: [PATCH] x86/sgx: Refine rollback in SGX_IOC_ENCLAVE_ADD_PAGE

[Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>]

On Mon, Sep 28, 2020 at 04:24:23PM -0500, Haitao Huang wrote:
> On Fri, 18 Sep 2020 08:02:26 -0500, Jarkko Sakkinen
> <jarkko.sakkinen@linux.intel.com> wrote:
> 
> > Revert back 'count' to struct sgx_enclave_add_pages as in most of the
> > cases enclave can be recovered. Refine the documentation to better
> > describe the enclave is persisted.
> > 
> > Move the check for -EIO from sgx_encl_add_page() to
> > sgx_ioc_enclave_pages() to make it more visible. It was quite
> > hidden over there.
> > 
> > Cc: Sean Christopherson <sean.j.christopherson@intel.com>
> > Cc: Haitao Huang <haitao.huang@linux.intel.com>
> > Cc: Borislav Petkov <bp@alien8.de>
> > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> > ---
> >  arch/x86/include/uapi/asm/sgx.h | 12 +++++++-----
> >  arch/x86/kernel/cpu/sgx/ioctl.c | 29 ++++++++++++++---------------
> >  2 files changed, 21 insertions(+), 20 deletions(-)
> > 
> > diff --git a/arch/x86/include/uapi/asm/sgx.h
> > b/arch/x86/include/uapi/asm/sgx.h
> > index 1564d7f88597..ec5157b2ff50 100644
> > --- a/arch/x86/include/uapi/asm/sgx.h
> > +++ b/arch/x86/include/uapi/asm/sgx.h
> > @@ -45,13 +45,15 @@ struct sgx_enclave_create  {
> >   * @length:	length of the data (multiple of the page size)
> >   * @secinfo:	address for the SECINFO data
> >   * @flags:	page control flags
> > + * @count:	number of bytes added (multiple of the page size)
> >   */
> >  struct sgx_enclave_add_pages {
> > -	__u64	src;
> > -	__u64	offset;
> > -	__u64	length;
> > -	__u64	secinfo;
> > -	__u64	flags;
> > +	__u64 src;
> > +	__u64 offset;
> > +	__u64 length;
> > +	__u64 secinfo;
> > +	__u64 flags;
> > +	__u64 count;
> >  };
> > /**
> > diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c
> > b/arch/x86/kernel/cpu/sgx/ioctl.c
> > index 30de66f4247b..d10179b47daa 100644
> > --- a/arch/x86/kernel/cpu/sgx/ioctl.c
> > +++ b/arch/x86/kernel/cpu/sgx/ioctl.c
> > @@ -449,16 +449,6 @@ static int sgx_encl_add_page(struct sgx_encl *encl,
> > unsigned long src,
> >  	sgx_free_epc_page(epc_page);
> >  	kfree(encl_page);
> > -	/*
> > -	 * Destroy enclave on ENCLS failure as this means that EPC has been
> > -	 * invalidated.
> > -	 */
> > -	if (ret == -EIO) {
> > -		mutex_lock(&encl->lock);
> > -		sgx_encl_destroy(encl);
> > -		mutex_unlock(&encl->lock);
> > -	}
> > -
> >  	return ret;
> >  }
> > @@ -487,12 +477,15 @@ static int sgx_encl_add_page(struct sgx_encl
> > *encl, unsigned long src,
> >   *
> >   * If ENCLS opcode fails, that effectively means that EPC has been
> > invalidated.
> >   * When this happens the enclave is destroyed and -EIO is returned to
> > the
> > - * caller.
> > + * caller. In this situation the function destroys the enclave as it
> > cannot
> > + * be recovered.
> >   *
> >   * Return:
> >   *   length of the data processed on success,
> >   *   -EACCES if an executable source page is located in a noexec
> > partition,
> > - *   -EIO if either ENCLS[EADD] or ENCLS[EEXTEND] fails
> > + *   -ENOMEM if the system is out of EPC pages,
> > + *   -EINTR if the call was interrupted before any data was processed,
> > + *   -EIO if either ENCLS[EADD] or ENCLS[EEXTEND] fails,
> >   *   -errno otherwise
> >   */
> >  static long sgx_ioc_enclave_add_pages(struct sgx_encl *encl, void
> > __user *arg)
> > @@ -549,10 +542,16 @@ static long sgx_ioc_enclave_add_pages(struct
> > sgx_encl *encl, void __user *arg)
> >  			break;
> >  	}
> > -	if (ret)
> > -		return ret;
> > +	addp.count = c;
> > +
> > +	/* On EADD or EEXTEND failure, destroy the enclave. */
> > +	if (ret == -EIO) {
> > +		mutex_lock(&encl->lock);
> > +		sgx_encl_destroy(encl);
> > +		mutex_unlock(&encl->lock);
> > +	}
> > -	return c;
> 
> missing copy_to_user for addp.count?

This somewhat deprecated patch. It's now all fixed in my master
branch.

/Jarkko