Re: [PATCH v29 00/20] Intel SGX foundations

From: Jarkko Sakkinen
Date: Wed May 13 2020 - 19:09:36 EST


On Wed, 2020-05-06 at 09:39 -0700, Jordan Hand wrote:
> On 4/21/20 2:52 PM, Jarkko Sakkinen wrote:
> > Intel(R) SGX is a set of CPU instructions that can be used by applications
> > to set aside private regions of code and data. The code outside the enclave
> > is disallowed to access the memory inside the enclave by the CPU access
> > control.
> >
> > There is a new hardware unit in the processor called Memory Encryption
> > Engine (MEE) starting from the Skylake microacrhitecture. BIOS can define
> > one or many MEE regions that can hold enclave data by configuring them with
> > PRMRR registers.
> >
> > The MEE automatically encrypts the data leaving the processor package to
> > the MEE regions. The data is encrypted using a random key whose life-time
> > is exactly one power cycle.
> >
> > The current implementation requires that the firmware sets
> > IA32_SGXLEPUBKEYHASH* MSRs as writable so that ultimately the kernel can
> > decide what enclaves it wants run. The implementation does not create
> > any bottlenecks to support read-only MSRs later on.
> >
> > You can tell if your CPU supports SGX by looking into /proc/cpuinfo:
> >
> > cat /proc/cpuinfo | grep sgx
> >
> > v29:
> > * The selftest has been moved to selftests/sgx. Because SGX is an execution
> > environment of its own, it really isn't a great fit with more "standard"
> > x86 tests.
> >
> > The RSA key is now generated on fly and the whole signing process has
> > been made as part of the enclave loader instead of signing the enclave
> > during the compilation time.
> >
> > Finally, the enclave loader loads now the test enclave directly from its
> > ELF file, which means that ELF file does not need to be coverted as raw
> > binary during the build process.
> > * Version the mm_list instead of using on synchronize_mm() when adding new
> > entries. We hold the write lock for the mm_struct, and dup_mm() can thus
> > deadlock with the page reclaimer, which could hold the lock for the old
> > mm_struct.
> > * Disallow mmap(PROT_NONE) from /dev/sgx. Any mapping (e.g. anonymous) can
> > be used to reserve the address range. Now /dev/sgx supports only opaque
> > mappings to the (initialized) enclave data.
> > * Make the vDSO callable directly from C by preserving RBX and taking leaf
> > from RCX.
> >
>
> Tested with the Open Enclave SDK on top of Intel PSW. Specifically built
> the Intel PSW with changes to support /dev/sgx mapping[1] new in v29.
>
> Tested-by: Jordan Hand <jorhand@xxxxxxxxxxxxxxxxxxx>
>
> [1] https://github.com/intel/linux-sgx/pull/530

Thank you!

/Jarkko