Re: [PATCH v35 23/24] docs: x86/sgx: Document SGX micro architecture and kernel internals

From: Matthew Wilcox
Date: Tue Jul 07 2020 - 00:06:21 EST


On Tue, Jul 07, 2020 at 06:37:46AM +0300, Jarkko Sakkinen wrote:
> +*Software Guard eXtensions (SGX)* is a set of instructions that enable ring-3
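Review bot: "ring-3" is Intel's term for the least-privileged protection ring, i.e. user mode, and since the target readers of this document are kernel developers who may not have that mapping memorised, the first sentence would be clearer as "enable ring-3 (user-mode) applications to set aside ...".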

I can never remember which way up intel numbers their rings.
Is that user mode or kernel mode?

> +applications to set aside private regions of code and data. These regions are
> +called enclaves. An enclave can be entered to a fixed set of entry points. Only
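Review bot: "An enclave can be entered to a fixed set of entry points" reads wrongly; the intended meaning is that it can only be entered through a fixed set of entry points, so "entered through" (or "entered only at") is the phrasing to use. The same construction recurs in the Enclave Page Cache section below, so both occurrences should be fixed.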

entered through?

> +a CPU running inside the enclave can access its code and data.
> +
> +The support can be determined by
> +
> + ``grep sgx /proc/cpuinfo``
> +
> +Enclave Page Cache
> +==================
> +
> +SGX utilizes an *Enclave Page Cache (EPC)* to store pages that are associated
> +with an enclave. It is contained in a BIOS reserved region of physical memory.
> +Unlike pages used for regular memory, pages can only be accessed outside the
> +enclave for different purposes with the instructions **ENCLS**, **ENCLV** and
> +**ENCLU**.
> +
> +Direct memory accesses to an enclave can be only done by a CPU executing inside
> +the enclave. An enclave can be entered with **ENCLU[EENTER]** to a fixed set of
> +entry points. However, a CPU executing inside the enclave can do outside memory
> +accesses.
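Review bot: the sentence "Unlike pages used for regular memory, pages can only be accessed outside the enclave for different purposes with the instructions **ENCLS**, **ENCLV** and **ENCLU**" does not say what the section needs it to say: from outside the enclave EPC pages cannot be read or written at all, they can only be manipulated through leaf functions of those instructions, so something like "Outside the enclave, EPC pages cannot be accessed directly; they can only be managed through the **ENCLS**, **ENCLV** and **ENCLU** leaf functions" is clearer. The following paragraph then repeats the entry-point statement already made in the introduction; the only new information in it is that code executing inside the enclave may also access memory outside the enclave, so keep that sentence and drop the rest. Minor: "can be only done" should be "can only be done".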

This is rather tortured. I think what you're trying to say here is:

Only a CPU executing inside an enclave can access memory belonging to the
enclave. The CPU may access memory outside the enclave as long as it does
not attempt to access memory which is inside a different enclave.

> +Enclave Page Cache Map
> +----------------------
> +
> +The processor tracks EPC pages via the *Enclave Page Cache Map (EPCM)*. EPCM
> +contains an entry for each EPC page, which describes the owning enclave, access
> +rights and page type among the other things.
> +
> +The permissions from EPCM is consulted if and only if walking the kernel page
> +tables succeeds. The total permissions are thus a conjunction between page table
> +and EPCM permissions.
> +
> +For all intents and purposes the SGX architecture allows the processor to
> +invalidate all EPCM entries at will, i.e. requires that software be prepared to
> +handle an EPCM fault at any time. The contents of EPC are encrypted with an
> +ephemeral key, which is lost on power transitions.
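Review bot: grammar in the EPCM paragraphs: "The permissions from EPCM is consulted" should be "The permissions from the EPCM are consulted", "a conjunction between page table and EPCM permissions" should be "the conjunction of the page table and EPCM permissions", and "among the other things" should be "among other things". More substantively, the last paragraph says the processor may invalidate all EPCM entries "at will" but never says on which events this actually happens, and "power transitions" does not name the sleep states meant; a kernel developer deciding where EPCM faults must be handled needs both stated explicitly.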

The SGX architecture allows the processor to invalidate any EPCM entry
at any time. Software must be prepared to handle the resulting EPCM fault.
The contents of EPC are encrypted with an ephemeral key, which is lost on
power transitions.

(can you be a bit more specific about power transitions? do you mean
suspend/resume? hibernate/wake? poweroff/poweron? what about reset?
surely you don't mean S1? or do you?)