Re: [PATCH v30 04/20] x86/sgx: Add SGX microarchitectural data structures

From: Jarkko Sakkinen
Date: Fri May 22 2020 - 15:50:25 EST


On Fri, May 22, 2020 at 09:13:26AM -0700, Sean Christopherson wrote:
> On Fri, May 22, 2020 at 06:54:05PM +0300, Jarkko Sakkinen wrote:
> > On Wed, May 20, 2020 at 08:47:45PM +0200, Borislav Petkov wrote:
> > > On Fri, May 15, 2020 at 03:43:54AM +0300, Jarkko Sakkinen wrote:
> > > > +/**
> > > > + * struct sgx_sigstruct_header - defines author of the enclave
> > > > + * @header1: constant byte string
> > > > + * @vendor: must be either 0x0000 or 0x8086
> > >
> > > Out of pure curiosity: what is that about?
> > >
> > > Nothing in the patchset enforces this, so hw does? If so, why?
> > >
> > > Are those vendor IDs going to be assigned by someone or what's up?
> > >
> > > Thx.
> >
> > In SGX1 world 0x8086 was used to mark architectural enclaves and 0x0000
> > user run enclaves. In SGX2 world they are irrelevant.
>
> That's not accurate, the vendor is irrelevant in all SGX eras, e.g. enclaves
> signed by someone other than Intel can use 0x8086 on SGX1 hardware and even
> pre-LC hardware. 0x8086 is/was used as an _informal_ "this is an
> Intel-signed enclave", but in no way was it mandatory or reliable.
>
> > In order to retain compatiblity I'd add an explicit check to:
> >
> > 1. Allow vendor ID of 0x0000 or 0x8086.
> > 2. Reject other vendor ID's (-EINVAL).
>
> Unless we also check the reserved fields in sigstruct, I don't see the
> point. Even then, I don't understand what the kernel gains from enforcing
> anything with respect to sigstruct. Enforcing the SECS makes sense as we
> don't want to allow userspace to enable some unknown future feature. But
> sigstruct is purely for verification, we (Intel) have far bigger problems
> if Intel is enabling new behavior via sigstruct.
>
> That being said, I'm not dead set against sanity checking sigstruct, I just
> think it'd be a waste of cycles.

If other values except two are never going to be used it is more than a
legit point to validate this field.

It also the potential to use ~0x8086 bits to be defined later if ever
needed lets say for some kernel specific purpose.

/Jarkko