Re: [PATCH v33 11/21] x86/sgx: Linux Enclave Driver
From: Borislav Petkov <bp@alien8.de>
Date: 2020-06-25 18:53:39
On Thu, Jun 18, 2020 at 01:08:33AM +0300, Jarkko Sakkinen wrote:
> Subject: Re: [PATCH v33 11/21] x86/sgx: Linux Enclave Driver
                                          ^ Add

> Intel Software Guard eXtensions (SGX) is a set of CPU instructions that can be used by applications to set aside private regions of code and data. The code outside the SGX hosted software entity is disallowed to access the memory inside the enclave enforced by the CPU. We call these entities as enclaves.

s/as //

> This commit implements a driver that provides an ioctl API to construct

s/This commit implements/Implement/

> and run enclaves. Enclaves are constructed from pages residing in reserved physical memory areas. The contents of these pages can only be accessed when they are mapped as part of an enclave, by a hardware thread running inside the enclave. The starting state of an enclave consists of a fixed measured set of pages that are copied to the EPC during the construction process by using ENCLS leaf functions and Software Enclave Control Structure (SECS) that defines the enclave properties. Enclave are constructed by using ENCLS leaf functions ECREATE, EADD and

Enclaves

> EINIT. ECREATE initializes SECS, EADD copies pages from system memory to the EPC and EINIT check a given signed measurement and moves the enclave

checks

> into a state ready for execution. An initialized enclave can only be accessed through special Thread Control Structure (TCS) pages by using ENCLU (ring-3 only) leaf EENTER. This leaf function converts a thread into enclave mode and continues the execution in the offset defined by the TCS provided to EENTER. An enclave is exited through syscall, exception, interrupts or by explicitly calling another ENCLU leaf EEXIT. The permissions, which enclave page is added will set the limit for maximum permissions that can be set for mmap() and mprotect().

I can't parse that sentence.

> This will effectively allow to build different security schemes between producers and consumers of enclaves. Later on we can increase granularity with LSM hooks for page addition (i.e. for producers) and mapping of the enclave (i.e. for consumers)

Other than that, nice explanation. I like that in a commit message.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
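As an added illustration, not code from the patch or from either mail: a user-space C model of the enclave lifecycle and permission rule the quoted commit message describes, with ECREATE, EADD and EINIT ordered as state transitions and each page's add-time permissions capping what mmap() or mprotect() may request over a range of pages. The types, function names, 8-page table and 4 KiB page size are constructed for the model and are not the driver's own.

```c
#include <stddef.h>

/* Constructed model, not the driver's types: permission bits like
 * PROT_READ/WRITE/EXEC, 4 KiB pages, a fixed-size page table. */
enum { EPC_R = 1, EPC_W = 2, EPC_X = 4, EPC_MAX_PAGES = 8 };
#define EPC_PAGE_SIZE 0x1000ul
enum encl_state { ENCL_NONE, ENCL_CREATED, ENCL_INITIALIZED };
struct epc_page { unsigned long offset; unsigned int max_perm; };
struct enclave { enum encl_state state; size_t nr_pages; struct epc_page pages[EPC_MAX_PAGES]; };

/* ECREATE: set up the SECS; the enclave exists but holds no pages yet. */
int encl_create(struct enclave *e)
{
	if (e->state != ENCL_NONE) return -1;
	e->state = ENCL_CREATED;
	e->nr_pages = 0;
	return 0;
}
/* EADD: bring a page in. Its permissions are fixed here and cap every later
 * mmap()/mprotect() of that offset. Only legal between ECREATE and EINIT. */
int encl_add_page(struct enclave *e, unsigned long offset, unsigned int max_perm)
{
	if (e->state != ENCL_CREATED || e->nr_pages >= EPC_MAX_PAGES)
		return -1;
	e->pages[e->nr_pages].offset = offset;
	e->pages[e->nr_pages].max_perm = max_perm & (EPC_R | EPC_W | EPC_X);
	e->nr_pages++;
	return 0;
}
/* EINIT: the measured page set is now fixed; no further EADD is accepted. */
int encl_init(struct enclave *e)
{
	if (e->state != ENCL_CREATED) return -1;
	e->state = ENCL_INITIALIZED;
	return 0;
}
/* mmap()/mprotect() check: every page in [start, end) must have been added
 * and must allow each requested bit; one bad page rejects the whole VMA. */
int encl_may_map(const struct enclave *e, unsigned long start, unsigned long end, unsigned int prot)
{
	for (unsigned long off = start; off < end; off += EPC_PAGE_SIZE) {
		const struct epc_page *p = NULL;
		for (size_t i = 0; i < e->nr_pages; i++)
			if (e->pages[i].offset == off)
				p = &e->pages[i];
		if (!p || (prot & ~p->max_perm))
			return -1;
	}
	return 0;
}
```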