From: Jarkko Sakkinen <jarkko@kernel.org>
To: Shuah Khan <shuah@kernel.org>
Cc: linux-kselftest@vger.kernel.org, linux-sgx@vger.kernel.org,
Reinette Chatre <reinette.chatre@intel.com>,
Borislav Petkov <bp@alien8.de>,
Jarkko Sakkinen <jarkko@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
linux-kernel@vger.kernel.org
Subject: [PATCH v4 3/8] selftests/sgx: Make data measurement for an enclave segment optional
Date: Mon, 9 Aug 2021 12:31:22 +0300 [thread overview]
Message-ID: <20210809093127.76264-4-jarkko@kernel.org> (raw)
In-Reply-To: <20210809093127.76264-1-jarkko@kernel.org>
For a heap makes sense to leave its contents "unmeasured" in the SGX
enclave build process, meaning that they won't contribute to the
cryptographic signature (a RSA-3072 signed SHA56 hash) of the enclave.
Enclaves are signed blobs where the signature is calculated both from
page data and also from "structural properties" of the pages. For
instance a page offset of *every* page added to the enclave is hashed.
For data, this is optional, not least because hashing a page has a
significant contribution to the enclave load time. Thus, where there is
no reason to hash, do not. The SGX ioctl interface supports this with
SGX_PAGE_MEASURE flag. Only when the flag is *set*, data is measured.
Add seg->measure boolean flag to struct encl_segment. Only when the
flag is set, include the segment data to the signature (represented
by SIGSTRUCT architectural structure).
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
tools/testing/selftests/sgx/load.c | 6 +++++-
tools/testing/selftests/sgx/main.h | 1 +
tools/testing/selftests/sgx/sigstruct.c | 6 ++++--
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/sgx/load.c b/tools/testing/selftests/sgx/load.c
index 5605474aab73..f1be78984c50 100644
--- a/tools/testing/selftests/sgx/load.c
+++ b/tools/testing/selftests/sgx/load.c
@@ -111,7 +111,10 @@ static bool encl_ioc_add_pages(struct encl *encl, struct encl_segment *seg)
ioc.offset = seg->offset;
ioc.length = seg->size;
ioc.secinfo = (unsigned long)&secinfo;
- ioc.flags = SGX_PAGE_MEASURE;
+ if (seg->measure)
+ ioc.flags = SGX_PAGE_MEASURE;
+ else
+ ioc.flags = 0;
rc = ioctl(encl->fd, SGX_IOC_ENCLAVE_ADD_PAGES, &ioc);
if (rc < 0) {
@@ -230,6 +233,7 @@ bool encl_load(const char *path, struct encl *encl)
seg->offset = (phdr->p_offset & PAGE_MASK) - src_offset;
seg->size = (phdr->p_filesz + PAGE_SIZE - 1) & PAGE_MASK;
seg->src = encl->src + seg->offset;
+ seg->measure = true;
j++;
}
diff --git a/tools/testing/selftests/sgx/main.h b/tools/testing/selftests/sgx/main.h
index 452d11dc4889..aebc69e7cdc8 100644
--- a/tools/testing/selftests/sgx/main.h
+++ b/tools/testing/selftests/sgx/main.h
@@ -12,6 +12,7 @@ struct encl_segment {
size_t size;
unsigned int prot;
unsigned int flags;
+ bool measure;
};
struct encl {
diff --git a/tools/testing/selftests/sgx/sigstruct.c b/tools/testing/selftests/sgx/sigstruct.c
index 202a96fd81bf..50c5ab1aa6fa 100644
--- a/tools/testing/selftests/sgx/sigstruct.c
+++ b/tools/testing/selftests/sgx/sigstruct.c
@@ -296,8 +296,10 @@ static bool mrenclave_segment(EVP_MD_CTX *ctx, struct encl *encl,
if (!mrenclave_eadd(ctx, seg->offset + offset, seg->flags))
return false;
- if (!mrenclave_eextend(ctx, seg->offset + offset, seg->src + offset))
- return false;
+ if (seg->measure) {
+ if (!mrenclave_eextend(ctx, seg->offset + offset, seg->src + offset))
+ return false;
+ }
}
return true;
--
2.32.0
next prev parent reply other threads:[~2021-08-09 9:31 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-09 9:31 [PATCH v4 0/8] Add an oversubscription test Jarkko Sakkinen
2021-08-09 9:31 ` [PATCH v4 1/8] x86/sgx: Add /sys/kernel/debug/x86/sgx_total_mem Jarkko Sakkinen
2021-08-13 17:33 ` Shuah Khan
2021-08-16 21:30 ` Jarkko Sakkinen
2021-08-13 18:53 ` Shuah Khan
2021-08-09 9:31 ` [PATCH v4 2/8] selftests/sgx: Assign source for each segment Jarkko Sakkinen
2021-08-09 9:31 ` Jarkko Sakkinen [this message]
2021-08-09 9:31 ` [PATCH v4 4/8] selftests/sgx: Create a heap for the test enclave Jarkko Sakkinen
2021-08-09 9:31 ` [PATCH v4 5/8] selftests/sgx: Dump segments and /proc/self/maps only on failure Jarkko Sakkinen
2021-08-09 9:31 ` [PATCH v4 6/8] selftests/sgx: Encpsulate the test enclave creation Jarkko Sakkinen
2021-08-09 9:31 ` [PATCH v4 7/8] selftests/sgx: Move setup_test_encl() to each TEST_F() Jarkko Sakkinen
2021-08-09 9:31 ` [PATCH v4 8/8] selftests/sgx: Add a new kselftest: unclobbered_vdso_oversubscribed Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210809093127.76264-4-jarkko@kernel.org \
--to=jarkko@kernel.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=reinette.chatre@intel.com \
--cc=shuah@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox