Re: [PATCH v4 01/18] nitro_enclaves: Add ioctl interface definition

From: Paraschiv, Andra-Irina
Date: Wed Jun 24 2020 - 10:03:54 EST



On 23/06/2020 11:56, Stefan Hajnoczi wrote:
On Mon, Jun 22, 2020 at 11:03:12PM +0300, Andra Paraschiv wrote:
diff --git a/include/uapi/linux/nitro_enclaves.h b/include/uapi/linux/nitro_enclaves.h
new file mode 100644
index 000000000000..3270eb939a97
--- /dev/null
+++ b/include/uapi/linux/nitro_enclaves.h
@@ -0,0 +1,137 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/*
+ * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ */
+
+#ifndef _UAPI_LINUX_NITRO_ENCLAVES_H_
+#define _UAPI_LINUX_NITRO_ENCLAVES_H_
+
+#include <linux/types.h>
+
+/* Nitro Enclaves (NE) Kernel Driver Interface */
+
+#define NE_API_VERSION (1)
+
+/**
+ * The command is used to get the version of the NE API. This way the user space
+ * processes can be aware of the feature sets provided by the NE kernel driver.
+ *
+ * The NE API version is returned as result of this ioctl call.
+ */
+#define NE_GET_API_VERSION _IO(0xAE, 0x20)
+
+/**
+ * The command is used to create a slot that is associated with an enclave VM.
+ *
+ * The generated unique slot id is a read parameter of this command. An enclave
+ * file descriptor is returned as result of this ioctl call. The enclave fd can
+ * be further used with ioctl calls to set vCPUs and memory regions, then start
+ * the enclave.
+ */
+#define NE_CREATE_VM _IOR(0xAE, 0x21, __u64)
Information that would be useful for the ioctls:

1. Which fd the ioctl must be invoked on (/dev/nitro-enclaves, enclave fd, vCPU fd)

2. Errnos and their meanings

3. Which state(s) the ioctls may be invoked in (e.g. enclave created/started/etc)

I'll include this info in v5. Indeed, that's useful for the user space tooling that interacts with the kernel driver, in addition to the code review itself and future refs, to understand how it works.


+/* User memory region flags */
+
+/* Memory region for enclave general usage. */
+#define NE_DEFAULT_MEMORY_REGION (0x00)
+
+/* Memory region to be set for an enclave (write). */
+struct ne_user_memory_region {
+ /**
+ * Flags to determine the usage for the memory region (write).
+ */
+ __u64 flags;
Where is the write flag defined?

I guess it's supposed to be:

#define NE_USER_MEMORY_REGION_FLAG_WRITE (0x01)

For now, the flags field is included in the NE ioctl interface for extensions, it is not part of the NE PCI device interface yet.

The enclave image is copied into enclave memory before the enclave memory is carved out of the primary / parent VM. After carving it out (when the command request to add memory is sent to the PCI device and it is successfully completed), there will be faults if the enclave memory is written from the primary / parent VM.

Ah, and just as a note, that "read" / "write" in parentheses means that a certain data structure / field is read / written by user space. I updated to use "in" / "out" instead of "read" / "write" in v5.

Thank you.

Andra




Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in Romania. Registration number J22/2621/2005.