On Mon, Mar 16, 2020 at 8:18 PM Xing, Cedric <cedric.xing@xxxxxxxxx> wrote:What if the enclave cannot proceed due to an unhandled exception so the execution has to get back to the C caller of the vDSO API?
On 3/16/2020 4:59 PM, Sean Christopherson wrote:
On Mon, Mar 16, 2020 at 04:50:26PM -0700, Xing, Cedric wrote:Not exactly.
On 3/16/2020 3:53 PM, Sean Christopherson wrote:
On Mon, Mar 16, 2020 at 11:38:24PM +0200, Jarkko Sakkinen wrote:The design of this vDSO API was NOT to minimize wrapping, but to allow
My suggestions explicitly maintained robustness, and in fact increased
it. If you think we've lost capability, please speak with specificity
rather than in vague generalities. Under my suggestions we can:
1. call the vDSO from C
2. pass context to the handler
3. have additional stack manipulation options in the handler
The cost for this is a net 2 additional instructions. No existing
capability is lost.
My vague generality in this case is just that the whole design
approach so far has been to minimize the amount of wrapping to
EENTER.
Yes and no. If we wanted to minimize the amount of wrapping around the
vDSO's ENCLU then we wouldn't have the exit handler shenanigans in the
first place. The whole process has been about balancing the wants of each
use case against the overall quality of the API and code.
maximal flexibility. More specifically, we strove not to restrict how info
was exchanged between the enclave and its host process. After all, calling
convention is compiler specific - i.e. the enclave could be built by a
different compiler (e.g. MSVC) that doesn't share the same list of CSRs as
the host process. Therefore, the API has been implemented to pass through
virtually all registers except those used by EENTER itself. Similarly, all
registers are passed back from enclave to the caller (or the exit handler)
except those used by EEXIT. %rbp is an exception because the vDSO API has to
anchor the stack, using either %rsp or %rbp. We picked %rbp to allow the
enclave to allocate space on the stack.
And unless I'm missing something, using %rcx to pass @leaf would still
satisfy the above, correct? Ditto for saving/restoring %rbx.
I.e. a runtime that's designed to work with enclave's using a different
calling convention wouldn't be able to take advantage of being able to call
the vDSO from C, but neither would it take on any meaningful burden.
If called directly from C code, the caller would expect CSRs to be
preserved.
Correct. This requires collaboration between the caller of the vDSO
and the enclave.
Then who should preserve CSRs?
The enclave.
It can't be the enclave
because it may not follow the same calling convention.
This is incorrect. You are presuming there is not tight integration
between the caller of the vDSO and the enclave. In my case, the
integration is total and complete. We have working code today that
does this.
Moreover, the
enclave may run into an exception, in which case it doesn't have the
ability to restore CSRs.
There are two solutions to this:
1. Write the handler in assembly and don't return to C on AEX.
2. The caller can simply preserve the registers. Nothing stops that.
We have implemented #1.