From: "Huang, Kai" <kai.huang@intel.com>
To: "Chatre, Reinette" <reinette.chatre@intel.com>,
	"Hansen, Dave" <dave.hansen@intel.com>,
	"jarkko@kernel.org" <jarkko@kernel.org>
Cc: "linux-sgx@vger.kernel.org" <linux-sgx@vger.kernel.org>,
	"Christopherson,, Sean" <seanjc@google.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>
Subject: Re: [PATCH] x86/intel: Clear SGX bit if both SGX driver and KVM SGX are not enabled
Date: Mon, 12 Sep 2022 20:54:20 +0000
Message-ID: <b68befe6d17cd60a18cc29d7ca2187d91c19f9bc.camel@intel.com>
In-Reply-To: <28d7a4bf-591f-3afa-b9ea-526a14abc587@intel.com>

On Mon, 2022-09-12 at 07:34 -0700, Dave Hansen wrote:
> On 9/12/22 07:31, Reinette Chatre wrote:
> > 
> > On 9/12/2022 3:47 AM, Jarkko Sakkinen wrote:
> > > On Fri, Sep 09, 2022 at 08:08:53PM +1200, Kai Huang wrote:
> > > > Currently on a platform which has SGX enabled, if CONFIG_X86_SGX is not
> > > > enabled, X86_FEATURE_SGX is not cleared, resulting in /proc/cpuinfo
> > > > showing the "sgx" feature.  This is not desired.
> > > > 
> > > > Clear the SGX feature bit if both the SGX driver and KVM SGX are not
> > > > enabled in init_ia32_feat_ctl().
> > > > 
> > > > Signed-off-by: Kai Huang <kai.huang@intel.com>
> > > Is it a pattern that flags are cleared when they are disabled by the
> > > kernel? I don't know the answer for this.
> 
> There's no good pattern.
> 
> But, one guideline is that the X86_FEATURE_*'s are for the *kernel*.
> They are *not* for userspace.  The fact that the features are exposed to
> userspace in cpuinfo is unfortunate, but it doesn't change our guideline.
> 
> So, if this patch is done only for the benefit of userspace, I don't
> think we should apply it.

It's not done for userspace.  AFAICT no one is complaining about this.  I
just happened to see this and thought it's the right thing to do.

Also, in my other reply to this thread I gave one reason why I think it's
reasonable:

"
But for SGX even the current upstream code clears the SGX feature under some
conditions, for example, when SGX_LC is disabled by BIOS (in which case only KVM
SGX can be supported) and KVM SGX is also disabled, i.e. because
CONFIG_X86_SGX_KVM isn't set:

    if (!(msr & FEAT_CTL_SGX_LC_ENABLED) && enable_sgx_driver) {
            if (!enable_sgx_kvm) {
                    pr_err_once("SGX Launch Control is locked. Disable SGX.\n");
                    clear_cpu_cap(c, X86_FEATURE_SGX);
            } else {
                    ...
            }
    }

So I think it makes sense to clear SGX if both SGX driver and KVM SGX are not
enabled by the kernel.
"

-- 
Thanks,
-Kai
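
Added example, not part of the message above and not kernel code: a user-space model of the one check quoted in the message next to the rule the patch description proposes, comparing the resulting "sgx" flag with whether any SGX consumer could run. The function names and the sgx_usable() rule (native enclaves need the driver plus launch control, KVM SGX needs only enable_sgx_kvm) are assumptions drawn from the wording of the thread; every other check in init_ia32_feat_ctl() is left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FEAT_CTL_SGX_LC_ENABLED (1ULL << 17)  /* IA32_FEAT_CTL bit 17 */

/* Flag state after only the check quoted in the message (hypothetical helper). */
static bool sgx_flag_current(uint64_t msr, bool enable_sgx_driver, bool enable_sgx_kvm)
{
    bool sgx = true;  /* assumption: CPU and BIOS report SGX as enabled */

    if (!(msr & FEAT_CTL_SGX_LC_ENABLED) && enable_sgx_driver) {
        if (!enable_sgx_kvm)
            sgx = false;  /* stands in for clear_cpu_cap(c, X86_FEATURE_SGX) */
    }
    return sgx;
}

/* Same check plus the proposed rule: no driver and no KVM SGX clears the flag. */
static bool sgx_flag_proposed(uint64_t msr, bool enable_sgx_driver, bool enable_sgx_kvm)
{
    if (!enable_sgx_driver && !enable_sgx_kvm)
        return false;
    return sgx_flag_current(msr, enable_sgx_driver, enable_sgx_kvm);
}

/* Assumed usability rule: with launch control locked only KVM SGX remains. */
static bool sgx_usable(uint64_t msr, bool enable_sgx_driver, bool enable_sgx_kvm)
{
    return (enable_sgx_driver && (msr & FEAT_CTL_SGX_LC_ENABLED)) || enable_sgx_kvm;
}

/* Walk all 8 input combinations and count those where the flag and usability disagree. */
static int count_mismatches(bool proposed)
{
    int n = 0;
    for (int i = 0; i < 8; i++) {
        uint64_t msr = (i & 4) ? FEAT_CTL_SGX_LC_ENABLED : 0;
        bool drv = i & 2, kvm = i & 1;
        bool flag = proposed ? sgx_flag_proposed(msr, drv, kvm)
                             : sgx_flag_current(msr, drv, kvm);
        if (flag != sgx_usable(msr, drv, kvm)) {
            printf("lc=%d driver=%d kvm=%d: flag=%d but usable=%d\n",
                   !!(i & 4), drv, kvm, flag, !flag);
            n++;
        }
    }
    return n;
}

int main(void)
{
    printf("quoted check only: %d mismatches\n", count_mismatches(false));
    printf("with proposed rule: %d mismatches\n", count_mismatches(true));
    return 0;
}
```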


