From: Jarkko Sakkinen <jarkko@kernel.org>
To: Reinette Chatre <reinette.chatre@intel.com>,
dave.hansen@linux.intel.com, tglx@linutronix.de, bp@alien8.de,
luto@kernel.org, mingo@redhat.com, linux-sgx@vger.kernel.org,
x86@kernel.org
Cc: seanjc@google.com, kai.huang@intel.com, cathy.zhang@intel.com,
cedric.xing@intel.com, haitao.huang@intel.com,
mark.shanahan@intel.com, hpa@zytor.com,
linux-kernel@vger.kernel.org, nathaniel@profian.com
Subject: Re: [PATCH V3 14/30] x86/sgx: Support restricting of enclave page permissions
Date: Tue, 05 Apr 2022 21:39:01 +0300 [thread overview]
Message-ID: <0f44fba956288bcad69e076f84118bc50f8e5d2f.camel@kernel.org> (raw)
In-Reply-To: <59910ad4-a898-4eb2-5e2b-856c686b53fb@intel.com>
On Tue, 2022-04-05 at 09:49 -0700, Reinette Chatre wrote:
> Hi Jarkko,
>
> On 4/5/2022 7:52 AM, Jarkko Sakkinen wrote:
> > n Tue, 2022-04-05 at 17:27 +0300, Jarkko Sakkinen wrote:
> > > According to SDM having page type as regular is fine for EMODPR,
> > > i.e. that's why I did not care about having it in SECINFO.
> > >
> > > Given that the opcode itself contains validation, I wonder
> > > why this needs to be done:
> > >
> > > if (secinfo.flags & ~SGX_SECINFO_PERMISSION_MASK)
> > > return -EINVAL;
> > >
> > > if (memchr_inv(secinfo.reserved, 0, sizeof(secinfo.reserved)))
> > > return -EINVAL;
> > >
> > > perm = secinfo.flags & SGX_SECINFO_PERMISSION_MASK;
> > >
> > > I.e. why duplicate validation and why does it have different
> > > invariant than the opcode?
> >
> > Right it is done to prevent exceptions and also pseudo-code
> > has this validation:
> >
> > IF (EPCM(DS:RCX).PT is not PT_REG) THEN #PF(DS:RCX); FI;
>
> The current type of the page is validated - not the page type
> provided in the parameters of the command.
>
> >
> > This is clearly wrong:
>
> Could you please elaborate what is wrong? The hardware only checks
> the permission bits and that is what is provided.
I think it's for most a bit confusing that it takes a special Linux
defined SECINFO instead of what you read from spec.
>
> >
> > /*
> > * Return valid permission fields from a secinfo structure provided by
> > * user space. The secinfo structure is required to only have bits in
> > * the permission fields set.
> > */
> > static int sgx_perm_from_user_secinfo(void __user *_secinfo, u64 *secinfo_perm)
> >
> > It means that the API requires a malformed data as input.
>
> It is not clear to me how this is malformed. The API requires that only
> the permission bits are set in the secinfo, only the permission bits in secinfo
> is provided to the hardware, and the hardware only checks the permission bits.
>
> >
> > Maybe it would be better idea then to replace secinfo with just the
> > permission field?
>
> That is what I implemented in V1 [1], but was asked to change to secinfo. I could
> go back to that if you prefer.
Yeah, if I was the one saying that, I was clearly wrong. But also
perspective is now very different after using a lot of these
features.
Alternatively you could have a single "mod" ioctl given the disjoint
nature how the parameters go to SECINFO.
> Reinette
>
> [1] https://lore.kernel.org/linux-sgx/44fe170cfd855760857660b9f56cae8c4747cc15.1638381245.git.reinette.chatre@intel.com/
BR, Jarkko
next prev parent reply other threads:[~2022-04-05 22:23 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-04 16:49 [PATCH V3 00/30] x86/sgx and selftests/sgx: Support SGX2 Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 01/30] x86/sgx: Add short descriptions to ENCLS wrappers Reinette Chatre
2022-04-05 6:52 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 02/30] x86/sgx: Add wrapper for SGX2 EMODPR function Reinette Chatre
2022-04-05 6:53 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 03/30] x86/sgx: Add wrapper for SGX2 EMODT function Reinette Chatre
2022-04-05 6:53 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 04/30] x86/sgx: Add wrapper for SGX2 EAUG function Reinette Chatre
2022-04-05 6:54 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 05/30] x86/sgx: Support loading enclave page without VMA permissions check Reinette Chatre
2022-04-05 6:56 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 06/30] x86/sgx: Export sgx_encl_ewb_cpumask() Reinette Chatre
2022-04-05 6:56 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 07/30] x86/sgx: Rename sgx_encl_ewb_cpumask() as sgx_encl_cpumask() Reinette Chatre
2022-04-05 6:57 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 08/30] x86/sgx: Move PTE zap code to new sgx_zap_enclave_ptes() Reinette Chatre
2022-04-05 6:59 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 09/30] x86/sgx: Make sgx_ipi_cb() available internally Reinette Chatre
2022-04-05 6:59 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 10/30] x86/sgx: Create utility to validate user provided offset and length Reinette Chatre
2022-04-05 7:00 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 11/30] x86/sgx: Keep record of SGX page type Reinette Chatre
2022-04-05 7:00 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 12/30] x86/sgx: Export sgx_encl_{grow,shrink}() Reinette Chatre
2022-04-05 7:04 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 13/30] x86/sgx: Export sgx_encl_page_alloc() Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 14/30] x86/sgx: Support restricting of enclave page permissions Reinette Chatre
2022-04-05 5:03 ` Jarkko Sakkinen
2022-04-05 5:07 ` Jarkko Sakkinen
2022-04-05 13:40 ` Jarkko Sakkinen
2022-04-05 14:19 ` Jarkko Sakkinen
2022-04-05 14:27 ` Jarkko Sakkinen
2022-04-05 14:52 ` Jarkko Sakkinen
2022-04-05 16:49 ` Reinette Chatre
2022-04-05 18:39 ` Jarkko Sakkinen [this message]
2022-04-05 18:59 ` Reinette Chatre
2022-04-06 7:30 ` Jarkko Sakkinen
2022-04-06 17:51 ` Reinette Chatre
2022-04-05 16:40 ` Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 15/30] x86/sgx: Support adding of pages to an initialized enclave Reinette Chatre
2022-04-05 5:05 ` Jarkko Sakkinen
2022-04-05 10:03 ` Jarkko Sakkinen
2022-04-06 7:37 ` Jarkko Sakkinen
2022-04-06 22:42 ` Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 16/30] x86/sgx: Tighten accessible memory range after enclave initialization Reinette Chatre
2022-04-05 7:05 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 17/30] x86/sgx: Support modifying SGX page type Reinette Chatre
2022-04-05 7:06 ` Jarkko Sakkinen
2022-04-05 15:34 ` Jarkko Sakkinen
2022-04-05 17:05 ` Reinette Chatre
2022-04-05 18:41 ` Jarkko Sakkinen
2022-04-05 18:59 ` Reinette Chatre
2022-04-06 7:32 ` Jarkko Sakkinen
2022-04-06 17:50 ` Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 18/30] x86/sgx: Support complete page removal Reinette Chatre
2022-04-05 7:08 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 19/30] x86/sgx: Free up EPC pages directly to support large page ranges Reinette Chatre
2022-04-05 7:11 ` Jarkko Sakkinen
2022-04-05 17:13 ` Reinette Chatre
2022-04-05 17:25 ` Dave Hansen
2022-04-06 6:35 ` Jarkko Sakkinen
2022-04-06 17:50 ` Reinette Chatre
2022-04-05 18:42 ` Jarkko Sakkinen
2022-04-05 19:56 ` Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 20/30] Documentation/x86: Introduce enclave runtime management section Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 21/30] selftests/sgx: Add test for EPCM permission changes Reinette Chatre
2022-04-05 7:02 ` Jarkko Sakkinen
2022-04-05 7:03 ` Jarkko Sakkinen
2022-04-05 17:28 ` Reinette Chatre
2022-04-05 18:43 ` Jarkko Sakkinen
2022-04-04 16:49 ` [PATCH V3 22/30] selftests/sgx: Add test for TCS page " Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 23/30] selftests/sgx: Test two different SGX2 EAUG flows Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 24/30] selftests/sgx: Introduce dynamic entry point Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 25/30] selftests/sgx: Introduce TCS initialization enclave operation Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 26/30] selftests/sgx: Test complete changing of page type flow Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 27/30] selftests/sgx: Test faulty enclave behavior Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 28/30] selftests/sgx: Test invalid access to removed enclave page Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 29/30] selftests/sgx: Test reclaiming of untouched page Reinette Chatre
2022-04-04 16:49 ` [PATCH V3 30/30] selftests/sgx: Page removal stress test Reinette Chatre
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0f44fba956288bcad69e076f84118bc50f8e5d2f.camel@kernel.org \
--to=jarkko@kernel.org \
--cc=bp@alien8.de \
--cc=cathy.zhang@intel.com \
--cc=cedric.xing@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=haitao.huang@intel.com \
--cc=hpa@zytor.com \
--cc=kai.huang@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mark.shanahan@intel.com \
--cc=mingo@redhat.com \
--cc=nathaniel@profian.com \
--cc=reinette.chatre@intel.com \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox