[PATCH v2 0/2] Enable automatic SVN updates for SGX enclaves
From: Elena Reshetova
Date: Fri Mar 28 2025 - 08:59:32 EST
Changes since v1 following review by Jarkko:
- first and second patch are squashed together and a better
explanation of the change is added into the commit message
- third and fourth patch are also combined for better understanding
of error code purposes used in 4th patch
- implementation of sgx_updatesvn adjusted following Jarkko's
suggestions
- minor fixes in both commit messages and code from the review
- dropping co-developed-by tag since the code now differs enough
from the original submission. However, the reference where the
original code came from and credits to original author is kept
Background
----------
In case an SGX vulnerability is discovered and TCB recovery
for SGX is triggered, Intel specifies a process that must be
followed for a given vulnerability. Steps to mitigate can vary
based on vulnerability type, affected components, etc.
In some cases, a vulnerability can be mitigated via a runtime
recovery flow by shutting down all running SGX enclaves,
clearing enclave page cache (EPC), applying a microcode patch
that does not require a reboot (via late microcode loading) and
restarting all SGX enclaves.
Problem statement
-------------------------
Even when the above-described runtime recovery flow to mitigate the
SGX vulnerability is followed, the SGX attestation evidence will
still reflect the security SVN version being equal to the previous
state of security SVN (containing vulnerability) that created
and managed the enclave until the runtime recovery event. This
limitation currently can be only overcome via a platform reboot,
which negates all the benefits from the rebootless late microcode
loading and not required in this case for functional or security
purposes.
Proposed solution
-----------------
SGX architecture introduced a new instruction called EUPDATESVN [1]
to Ice Lake. It allows updating security SVN version, given that EPC
is completely empty. The latter is required for security reasons
in order to reason that enclave security posture is as secure as the
security SVN version of the TCB that created it.
This series enables opportunistic execution of EUPDATESVN upon first
EPC page allocation for a first enclave to be run on the platform.
This series is partly based on the previous work done by Cathy Zhang
[2], which attempted to enable forceful destruction of all SGX
enclaves and execution of EUPDATESVN upon successful application of
any microcode patch. This approach is determined as being too
intrusive for the running SGX enclaves, especially taking into account
that it would be performed upon *every* microcode patch application
regardless if it changes the security SVN version or not (change to the
security SVN version is a rare event).
Testing
-------
Tested on EMR machine using kernel-6.14.0_rc7 & sgx selftests.
If Google folks in CC can test on their side, it would be greatly appreciated.
References
----------
[1] https://cdrdv2.intel.com/v1/dl/getContent/648682?explicitVersion=true
[2] https://lore.kernel.org/all/20220520103904.1216-1-cathy.zhang@xxxxxxxxx/
Elena Reshetova (2):
x86/sgx: Use sgx_nr_used_pages for EPC page count instead of
sgx_nr_free_pages
x86/sgx: Implement EUPDATESVN and opportunistically call it during
first EPC page alloc
arch/x86/include/asm/sgx.h | 41 +++++++++++-------
arch/x86/kernel/cpu/sgx/encls.h | 6 +++
arch/x86/kernel/cpu/sgx/main.c | 76 ++++++++++++++++++++++++++++++---
arch/x86/kernel/cpu/sgx/sgx.h | 1 +
4 files changed, 104 insertions(+), 20 deletions(-)
--
2.45.2