From: Sean Christopherson <seanjc@google.com>
To: Kai Huang <kai.huang@intel.com>
Cc: Elena Reshetova <elena.reshetova@intel.com>,
Dave Hansen <dave.hansen@intel.com>,
"linux-sgx@vger.kernel.org" <linux-sgx@vger.kernel.org>,
Vincent R Scarlata <vincent.r.scarlata@intel.com>,
"x86@kernel.org" <x86@kernel.org>,
"jarkko@kernel.org" <jarkko@kernel.org>,
Vishal Annapurve <vannapurve@google.com>,
Chong Cai <chongc@google.com>,
Asit K Mallick <asit.k.mallick@intel.com>,
Erdem Aktas <erdemaktas@google.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"bondarn@google.com" <bondarn@google.com>,
"dionnaglaze@google.com" <dionnaglaze@google.com>,
Scott Raynor <scott.raynor@intel.com>
Subject: Re: [PATCH v3 2/2] x86/sgx: Implement EUPDATESVN and opportunistically call it during first EPC page alloc
Date: Tue, 22 Apr 2025 06:54:32 -0700 [thread overview]
Message-ID: <aAefmNVRFc3me6QQ@google.com> (raw)
In-Reply-To: <f5cb3c37589791b2004a100ca3ea3deb9e1ae708.camel@intel.com>
On Tue, Apr 22, 2025, Kai Huang wrote:
> On Fri, 2025-04-18 at 07:55 -0700, Sean Christopherson wrote:
> > On Tue, Apr 15, 2025, Elena Reshetova wrote:
> > That said, handling this deep in the bowels of EPC page allocation seems
> > unnecessary. The only way for there to be no active EPC pages is if there are
> > no enclaves. As above, virtual EPC usage is already all but guaranteed to hit
> > false positives, so I don't think there's anything gained by trying to update
> > the SVN based on EPC allocations.
> >
> > So rather than react to EPC allocations, why not hook sgx_open() and sgx_vepc_open()?
>
> The only thing I don't like about this is we need to hook both of them.
And having to maintain a separate counter.
> > It's the hypervisor's responsibility to enumerate SGX_CPUID_EUPDATESVN or not.
> > E.g. if the kernel is running in a "passthrough" type setup, it would be perfectly
> > fine to do EUPDATESVN from a guest kernel. EUPDATESVN could even be proxied,
> > e.g. by intercepting ECREATE to track EPC usage
>
> I am open to this HYPERVISOR check, because I don't think we currently support
> any kind of "passthrough" setup?
Who is "we"? KVM? From the SGX driver's perspective, it doesn't know on which
hypervisor it's running, or the intent of that hypervisor. I.e. whether or not
KVM or any other hypervisor supports something is irrelevant.
> And depending on what kinda of "passthrough" types, the things that the
> hypervisor traps can vary.
>
> Anyway, I agree it's not necessary to have this check, because currently it is
> not possible for a guest to see the EUPDATESVN in CPUID.
Why is that?
next prev parent reply other threads:[~2025-04-22 13:54 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-15 11:51 [PATCH v3 0/2] Enable automatic SVN updates for SGX enclaves Elena Reshetova
2025-04-15 11:51 ` [PATCH v3 1/2] x86/sgx: Use sgx_nr_used_pages for EPC page count instead of sgx_nr_free_pages Elena Reshetova
2025-04-16 10:33 ` Huang, Kai
2025-04-16 11:50 ` Reshetova, Elena
2025-04-16 18:50 ` Jarkko Sakkinen
2025-04-16 19:12 ` Jarkko Sakkinen
2025-04-15 11:51 ` [PATCH v3 2/2] x86/sgx: Implement EUPDATESVN and opportunistically call it during first EPC page alloc Elena Reshetova
2025-04-16 7:36 ` Huang, Kai
2025-04-16 12:06 ` Reshetova, Elena
2025-04-17 11:12 ` Huang, Kai
2025-04-18 14:18 ` Sean Christopherson
2025-04-22 6:58 ` Huang, Kai
2025-04-16 19:01 ` Jarkko Sakkinen
2025-04-18 14:55 ` Sean Christopherson
2025-04-22 7:23 ` Huang, Kai
2025-04-22 13:54 ` Sean Christopherson [this message]
2025-04-22 21:57 ` Huang, Kai
2025-04-24 8:34 ` Reshetova, Elena
2025-04-24 13:42 ` Sean Christopherson
2025-04-24 14:16 ` Reshetova, Elena
2025-04-24 17:19 ` Sean Christopherson
2025-04-25 6:52 ` Reshetova, Elena
2025-04-25 17:40 ` Sean Christopherson
2025-04-25 18:04 ` Dave Hansen
2025-04-25 19:29 ` Sean Christopherson
2025-04-25 20:11 ` Dave Hansen
2025-04-25 21:04 ` Sean Christopherson
2025-04-25 21:23 ` Dave Hansen
2025-04-25 21:58 ` Sean Christopherson
2025-04-25 22:07 ` Dave Hansen
2025-04-29 11:44 ` Reshetova, Elena
2025-04-29 14:46 ` Dave Hansen
2025-04-30 6:53 ` Reshetova, Elena
2025-04-30 15:16 ` Jarkko Sakkinen
2025-05-02 7:22 ` Reshetova, Elena
2025-05-02 8:56 ` Jarkko Sakkinen
2025-05-06 20:32 ` Nataliia Bondarevska
2025-04-28 6:25 ` Reshetova, Elena
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aAefmNVRFc3me6QQ@google.com \
--to=seanjc@google.com \
--cc=asit.k.mallick@intel.com \
--cc=bondarn@google.com \
--cc=chongc@google.com \
--cc=dave.hansen@intel.com \
--cc=dionnaglaze@google.com \
--cc=elena.reshetova@intel.com \
--cc=erdemaktas@google.com \
--cc=jarkko@kernel.org \
--cc=kai.huang@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=scott.raynor@intel.com \
--cc=vannapurve@google.com \
--cc=vincent.r.scarlata@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox