Re: [PATCH -v3] x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled

From: Huang, Kai
Date: Mon Mar 10 2025 - 06:56:34 EST

Next message: Mark Rutland: "Re: [PATCH V2] arm64/mm: Create level specific section mappings in map_range()"
Previous message: John Garry: "Re: [PATCH v4 11/12] xfs: Update atomic write max size"
In reply to: Ingo Molnar: "[PATCH -v3] x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled"
Next in thread: tip-bot2 for Vladis Dronov: "[tip: x86/urgent] x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2025-03-10 at 09:42 +0100, Ingo Molnar wrote:
> * Huang, Kai <kai.huang@xxxxxxxxx> wrote:
>
> > On Sun, 2025-03-09 at 18:22 +0100, Vladis Dronov wrote:
> > > A kernel requires X86_FEATURE_SGX_LC to be able to create SGX enclaves.
> >
> > The kernel requires ...
> >
> > > There is quite a number of hardware which has X86_FEATURE_SGX but not
> > > X86_FEATURE_SGX_LC. A kernel running on such a hardware does not create
> > > /dev/sgx_enclave file silently. Explicitly warn if X86_FEATURE_SGX_LC
> > > is not enabled to properly nofity a user about this condition.
> > ^
> > notify
> >
> > And I don't think "notify" is correct because the reality is the
> > kernel only prints some error message so that the user can check and
> > see when it wants.
> >
> > How about:
> >
> > Explicitly print error message if X86_FEATURE_SGX_LC is not present
> > so that the users can be aware of this condition which results in SGX
> > driver being disabled.
> >
> > >
> > > The X86_FEATURE_SGX_LC is a CPU feature that enables LE hash MSRs to be
> > > writable when running native enclaves, i.e. using a custom root key rather
> > > than the Intel proprietary key for enclave signing.
> >
> > Using "root key" can be controversial. Let's just say "key" instead.
> >
> > And the X86_FEATURE_SGX_LC feature itself doesn't automatically enable LE MSRs
> > to be writable. We still need to opt-in in the 'feature control' MSR.
>
> Why would it be controversial?

If we are talking out from key derivation's perspective, I think the "root key"
refers to something that sits at the bottom of the key hierarchy and is involved
in the key derivation of other keys.

If we are talking about asymmetric key signing and verification, then I think
the "root key" means the private key of the last level of the certificate-chain.

Here the key used to sign the enclave fits neither of above:

It's not the root of any certificate chain. The MRSIGNER (the hash of the
enclave signing key) is not involved in all SGX key derivations either (e.g.,
the derivation of REPORT_KEY doesn't use it, and the SEAL_KEY can choose to not
use it).

>
> > How about:
> >
> > The X86_FEATURE_SGX_LC, a.k.a. SGX Launch Control, is a CPU feature
> > that enables LE (Launch Enclave) hash MSRs to be writable (with
> > additional opt-in required in the 'feature control' MSR) when running
> > enclaves, i.e., using a custom key rather than the Intel proprietary
> > key for enclave signing.
>
>
> > > Signed-off-by: Vladis Dronov <vdronov@xxxxxxxxxx>
> >
> > I think this message will be useful for someone who knows SGX in
> > general but doesn't know that Linux SGX driver requires the LE MSRs
> > to be writable, thus requires the CPU supports SGX_LC feature bit.
> >
> > With the above addressed, feel free to add:
> >
> > Acked-by: Kai Huang <kai.huang@xxxxxxxxx>
>
> Thanks, I've edited the changelog to be a bit clearer.
>
> I also added an error message when the driver fails to register, and
> made all 3 failure error messages consistent and refer back to the
> /dev/sgx_enclave device node name.
>
> I also included part of this commit message note:
>
> > > an out-of-commit-message note:
> > >
> > > I've hit this issue myself and have spent some time researching where is
> > > my /dev/sgx_enclave file on an SGX-enabled hardware, so this is a bit
> > > personal.
> > >
> > > Links related:
> > > https://github.com/intel/linux-sgx/issues/837
> > > https://patchwork.kernel.org/project/platform-driver-x86/patch/20180827185507.17087-3-jarkko.sakkinen@xxxxxxxxxxxxxxx/
>
> Because this experience reflects arguably poor usability: people see
> 'SGX' in their /proc/cpuinfo file, think that their hardware is 'SGX
> enabled' and are wondering why the hell the /dev/sgx_enclave device
> node is not created, right?

Yes I believe so.

>
> I also Cc:-ed more SGX people.
>
> See the full -v3 patch below.
>
> Is the device node misnamed, should it be /dev/sgx_lc_enclave?
>

No. Form SGX hardware's perspective, LC (Launch Control) is a control mechanism
to allow running 3rd party's Launch Enclave (LE), which is a special enclave
used to control running other enclaves.

Linux SGX driver doesn't distinguish whether the enclave is LE or not, it just
treat all enclaves the same. So the name should be /dev/sgx_enclave.

> Should
> we hide the SGX feature bit from cpuinfo when SGX_LC is not present, so
> that people don't go on a wild goose chase?

No. KVM SGX virtualization can still work without the SGX_LC flag (only SGX flag
is needed).

Next message: Mark Rutland: "Re: [PATCH V2] arm64/mm: Create level specific section mappings in map_range()"
Previous message: John Garry: "Re: [PATCH v4 11/12] xfs: Update atomic write max size"
In reply to: Ingo Molnar: "[PATCH -v3] x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled"
Next in thread: tip-bot2 for Vladis Dronov: "[tip: x86/urgent] x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]