From: Sean Christopherson <seanjc@google.com>
To: Elena Reshetova <elena.reshetova@intel.com>
Cc: "jarkko@kernel.org" <jarkko@kernel.org>,
Kai Huang <kai.huang@intel.com>,
Dave Hansen <dave.hansen@intel.com>,
"linux-sgx@vger.kernel.org" <linux-sgx@vger.kernel.org>,
Vincent Scarlata <vincent.r.scarlata@intel.com>,
"x86@kernel.org" <x86@kernel.org>,
Vishal Annapurve <vannapurve@google.com>,
Chong Cai <chongc@google.com>,
Asit K Mallick <asit.k.mallick@intel.com>,
Erdem Aktas <erdemaktas@google.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"bondarn@google.com" <bondarn@google.com>,
"dionnaglaze@google.com" <dionnaglaze@google.com>,
Scott Raynor <scott.raynor@intel.com>
Subject: Re: [PATCH v3 2/2] x86/sgx: Implement EUPDATESVN and opportunistically call it during first EPC page alloc
Date: Fri, 25 Apr 2025 10:40:39 -0700 [thread overview]
Message-ID: <aAutUaQvgEliXPUs@google.com> (raw)
In-Reply-To: <DM8PR11MB5750AB0E790096AFF9AFD3AFE7842@DM8PR11MB5750.namprd11.prod.outlook.com>
On Fri, Apr 25, 2025, Elena Reshetova wrote:
> > On Thu, Apr 24, 2025, Elena Reshetova wrote:
> > Userspace generally won't care about a 10us delay when destroying a
> > process, but a 10us delay to launch an enclave could be quite problematic,
> > e.g. in the TDX use case where enclaves may be launched on-demand in
> > response to a guest attestation request.
>
> Ok, but in this case, you are hooking both: create and release.
> I guess your line of thinking is that in most of the cases it will be handled by
> a release flow when destroying enclaves, but in cases we happen to need
> to update a machine which doesn’t have a single enclave yet, the create flow
> will be used. The problem is that if you look at the instruction definition,
> we won't save too much when executing this in release flow (Kai I think already pointed
> this out):
>
> IF (Other instruction is accessing EPC) THEN
> RFLAGS.ZF := 1
> RAX := SGX_LOCKFAIL;
> GOTO ERROR_EXIT;
> FI
> (* Verify EPC is ready *)
> IF (the EPC contains any valid pages) THEN
> RFLAGS.ZF := 1;
> RAX := SGX_EPC_NOT_READY;
> GOTO ERROR_EXIT;
> FI
> (* Refresh paging key *)
> IF (NOT RDSEED(&TMP_KEY, 16)) THEN
> RFLAGS.ZF := 1;
> RAX := SGX_INSUFFICIENT_ENTROPY;
> GOTO ERROR_EXIT;
> FI
> (* Commit *)
> CR_BASE_KEY := TMP_KEY;
> TMP_CPUSVN := CR_CPUSVN;
> (* Update CPUSVN to current minimum patch even if locked *)
> (* Determine if info status is needed *)
>
> ----------------------------
> All above would be done anyhow on create even if we successfully
> executed it on release previously (( And then finally we go into:
Ah, so the slow part happens no matter what.
> IF (TMP_CPUSVN = CR_CPUSVN) THEN
> RFLAGS.CF := 1;
> RAX := SGX_NO_UPDATE;
> FI
> ERROR_EXIT:
>
> >
> > If the update time is tiny, then I agree that hooking release would probably do
> > more harm than good.
>
> So, it is not that the time is tiny, it is like we will do it twice,
> unnecessary and potentially quite long in both cases (taking RDSEED step into
> account).
>
> The reason why the instruction is defined this way is that it was not
> intended originally to be inserted into some existing SGX flows, but was
> envisioned to be standalone cmd for the host orchestrator to execute once it
> thinks system is ready.
So then why on earth is the kernel implementing automatic updates? I read back
through most of the cover letters, and IIUC, we went straight from "destroy all
enclaves and force an update" to "blindly try to do EUPDATESVN every time the
number of enclaves goes from 0=>1". Those are essentially the two most extreme
options.
Even worse, rejecting enclave creation on EUPDATESVN failure represents an ABI
change, i.e. could break existing setups.
Why not simply add an ioctl() or sysfs knob to let userspace trigger EUPDATESVN?
If there are pages in the EPC, return -EBUSY. That would give userspace full
control of the update policy, and would allow for a super simple implementation
in the kernel. Userspace should darn well know when it's an appropriate time to
do an SVN update, e.g. after userspace has initiated a ucode update, periodically
if it wants to, after the last TDX VM is destroyed, etc.
Assuming TDX module updates are coming down the pipe, with my KVM maintainer hat
on, that is exactly how I will "request" the module be updated. Userspace initiates
the update and is therefore responsible for knowing when to do (or not do) an update.
The kernel's job is purely to do the actual update and ensure correctness/safety,
e.g. reject the module update if there are active TDX VMs.
That is also how SEV firmware updates are being implemented. Userspace is
responsible for stopping any VM types that aren't compatible with conccurent
updates.
I see no reason to do something different for SGX.
next prev parent reply other threads:[~2025-04-25 17:40 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-15 11:51 [PATCH v3 0/2] Enable automatic SVN updates for SGX enclaves Elena Reshetova
2025-04-15 11:51 ` [PATCH v3 1/2] x86/sgx: Use sgx_nr_used_pages for EPC page count instead of sgx_nr_free_pages Elena Reshetova
2025-04-16 10:33 ` Huang, Kai
2025-04-16 11:50 ` Reshetova, Elena
2025-04-16 18:50 ` Jarkko Sakkinen
2025-04-16 19:12 ` Jarkko Sakkinen
2025-04-15 11:51 ` [PATCH v3 2/2] x86/sgx: Implement EUPDATESVN and opportunistically call it during first EPC page alloc Elena Reshetova
2025-04-16 7:36 ` Huang, Kai
2025-04-16 12:06 ` Reshetova, Elena
2025-04-17 11:12 ` Huang, Kai
2025-04-18 14:18 ` Sean Christopherson
2025-04-22 6:58 ` Huang, Kai
2025-04-16 19:01 ` Jarkko Sakkinen
2025-04-18 14:55 ` Sean Christopherson
2025-04-22 7:23 ` Huang, Kai
2025-04-22 13:54 ` Sean Christopherson
2025-04-22 21:57 ` Huang, Kai
2025-04-24 8:34 ` Reshetova, Elena
2025-04-24 13:42 ` Sean Christopherson
2025-04-24 14:16 ` Reshetova, Elena
2025-04-24 17:19 ` Sean Christopherson
2025-04-25 6:52 ` Reshetova, Elena
2025-04-25 17:40 ` Sean Christopherson [this message]
2025-04-25 18:04 ` Dave Hansen
2025-04-25 19:29 ` Sean Christopherson
2025-04-25 20:11 ` Dave Hansen
2025-04-25 21:04 ` Sean Christopherson
2025-04-25 21:23 ` Dave Hansen
2025-04-25 21:58 ` Sean Christopherson
2025-04-25 22:07 ` Dave Hansen
2025-04-29 11:44 ` Reshetova, Elena
2025-04-29 14:46 ` Dave Hansen
2025-04-30 6:53 ` Reshetova, Elena
2025-04-30 15:16 ` Jarkko Sakkinen
2025-05-02 7:22 ` Reshetova, Elena
2025-05-02 8:56 ` Jarkko Sakkinen
2025-05-06 20:32 ` Nataliia Bondarevska
2025-04-28 6:25 ` Reshetova, Elena
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aAutUaQvgEliXPUs@google.com \
--to=seanjc@google.com \
--cc=asit.k.mallick@intel.com \
--cc=bondarn@google.com \
--cc=chongc@google.com \
--cc=dave.hansen@intel.com \
--cc=dionnaglaze@google.com \
--cc=elena.reshetova@intel.com \
--cc=erdemaktas@google.com \
--cc=jarkko@kernel.org \
--cc=kai.huang@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=scott.raynor@intel.com \
--cc=vannapurve@google.com \
--cc=vincent.r.scarlata@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox