Re: [PATCH v33 15/21] x86/vdso: Add support for exception fixup in vDSO functions
From: Sean Christopherson
Date: Tue Jun 30 2020 - 10:55:47 EST
On Tue, Jun 30, 2020 at 10:41:28AM +0200, Borislav Petkov wrote:
> On Mon, Jun 29, 2020 at 11:00:55PM -0700, Sean Christopherson wrote:
> > E.g. the vDSO function should get the fixup even if userspace screws
> > up mmap() and invokes __vdso_sgx_enter_enclave() without being tagged
> > an SGX task.
>
> I sincerely hope you don't mean this seriously.
>
> Please add a member to task_struct which denotes that a task is an
> sgx task, test that member where needed and forget real quickly about
> running *any* *fixup* for unrelated tasks.
But IMO they're not unrelated if they end up in __vdso_sgx_enter_enclave().
Getting to the point where __vdso_sgx_enter_enclave() actually attempts
ENCLU (the single fixup entry) requires a very deliberate attempt to run an
enclave. Not to mention the fixup doesn't squash the fault, it simply
morphs what would be a signal into a synchronous error.
And I don't see how to sanely track this in task_struct. As stated before,
the only foolproof way to identify an SGX task is by tracking whether it
has a VMA backed by /dev/sgx/enclave, i.e. the flag would probably need to
reside in mm_struct. Keying off opening /dev/sgx/enclave isn't viable as
enclaves can be handed off via SCM_RIGHTS or fork().
Putting a flag in mm_struct is doable, but it would need to be sticky to
keep things sane, e.g. clearing the flag on unmapping the enclave would
require refcounting VMAs and hooking vm_ops->close. The refcounting is
painful (we had it for several years) and ->close prevents merging VMAs,
which IMO is far worse than unconditionally morphing fault-based signals
that originate in __vdso_sgx_enter_enclave(). And assuming we don't do the
whole ->close thing, we'd end up with MADV_DONTFORK -> fork() having
divergent behavior for mm_structs without /dev/sgx/enclave VMAs, i.e. the
child of MADV_DONTFORK -> fork() case would not be tagged SGX (unless we
intentionally do the "wrong" thing and propagate the flag), whereas the
munmap() case would result in a SGX-tagged mm_struct with no
/dev/sgx/enclave VMAs.