[RFC PATCH v3 0/4] x86: Add exception fixup for SGX ENCLU
From: Sean Christopherson
Date: Mon Dec 10 2018 - 18:22:00 EST
This is effectively v3 of the "x86: Add vDSO exception fixup for SGX"
series, but as you might of noticed, there are no vDSO changes here.
Andy's comment on Spectre/retpoline and Jethro's comment on making
the vDSO as barebones as possible got me wondering if we could let
userspace dynamically set the "return" target of the SGX vDSO function,
taking advantage of the fact that most (all?) SGX processes will have a
single entry point for all enclaves.
The initial idea was to make __vdso_sgx_enter_enclave() a barebones
"function" consisting of ENCLU and UD2. SGX would provide an IOCTL via
/dev/sgx that could be used to patch the UD2 in the current vDSO image
to a JMP rel32, with rel32 pointing at an address provided by the
user. Aside from the issues of rel32 in a 64-bit memory space,
patching the vDSO image added a lot of overhead just so that the kernel
could know the address of ENCLU.
At that point I realized it's a hell of a lot easier to simply provide
an IOCTL via /dev/sgx that allows userspace to register a per-process
ENCLU exception handler. At a high level, the basic idea is the same
as the vDSO approach: provide a hardcoded fixup handler for ENCLU and
attempt to fixup select unhandled exceptions that occurred in user code.
- No vDSO function.
- Minimal userspace changes.
- Smaller ABI, i.e. less bikeshedding (fingers crossed).
- Kernel doesn't prevent userspace from doing stupid things, e.g.
modifying the process' stack from within the enclave.
- Kernel can proactively enforce the ENCLU handler as the only
officialy supported ABI for enclave exception handling.
- Userspace can only register a single ENCLU handler per process.
- ABI is more esoteric than a standard function call.
This series is based on Jarkko's current master branch, which moves all
of the SGX code into arch/x86. The full code can be found here:
I have not actually tested this *exact* commit beyond compiling as I do
not know the health status of Jarkko's code. To test, I cherry-picked
the patches into an older stable version of the code. Git was able to
handle the file renaming.
- Replace the vDSO fixup with SGX specific fixup.
- Patches 2/4 and 3/4 are essentially identical, the only difference
being the name of the function that is called. The changelogs for
these patches still need a lot of attention.
Sean Christopherson (4):
x86/sgx: Add a per-mm ENCLU exception fixup handler
x86/fault: Attempt to fixup unhandled #PF on ENCLU before signaling
x86/traps: Attempt to fixup exceptions in vDSO before signaling
x86/sgx: Add an SGX IOCTL to register a per-mm ENCLU exception handler
arch/x86/include/asm/mmu.h | 4 ++++
arch/x86/include/asm/sgx.h | 13 +++++++++++++
arch/x86/include/uapi/asm/sgx.h | 23 ++++++++++++++++++-----
arch/x86/kernel/cpu/sgx/driver/encl.c | 6 ++++++
arch/x86/kernel/cpu/sgx/driver/ioctl.c | 20 ++++++++++++++++++++
arch/x86/kernel/cpu/sgx/main.c | 18 ++++++++++++++++++
arch/x86/kernel/traps.c | 15 +++++++++++++++
arch/x86/mm/fault.c | 7 +++++++
8 files changed, 101 insertions(+), 5 deletions(-)