Message-Id: <20181210232141.5425-1-sean.j.christopherson@intel.com>
Date:   Mon, 10 Dec 2018 15:21:37 -0800
From:   Sean Christopherson <sean.j.christopherson@...el.com>
To:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        x86@...nel.org, Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
        Sean Christopherson <sean.j.christopherson@...el.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Andy Lutomirski <luto@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>
Cc:     "H. Peter Anvin" <hpa@...or.com>, linux-kernel@...r.kernel.org,
        linux-sgx@...r.kernel.org, Andy Lutomirski <luto@...capital.net>,
        Josh Triplett <josh@...htriplett.org>,
        Haitao Huang <haitao.huang@...ux.intel.com>,
        Jethro Beekman <jethro@...tanix.com>,
        "Dr . Greg Wettstein" <greg@...ellic.com>
Subject: [RFC PATCH v3 0/4] x86: Add exception fixup for SGX ENCLU

This is effectively v3 of the "x86: Add vDSO exception fixup for SGX"
series, but as you might have noticed, there are no vDSO changes here.

Andy's comment on Spectre/retpoline[1] and Jethro's comment on making
the vDSO as barebones as possible[2] got me wondering if we could let
userspace dynamically set the "return" target of the SGX vDSO function,
taking advantage of the fact that most (all?) SGX processes will have a
single entry point for all enclaves.

The initial idea was to make __vdso_sgx_enter_enclave() a barebones
"function" consisting of ENCLU and UD2.  SGX would provide an IOCTL via
/dev/sgx that could be used to patch the UD2 in the current vDSO image
to a JMP rel32, with rel32 pointing at an address provided by the
user.  Aside from the issues of rel32 in a 64-bit memory space,
patching the vDSO image added a lot of overhead just so that the kernel
could know the address of ENCLU.

At that point I realized it's a hell of a lot easier to simply provide
an IOCTL via /dev/sgx that allows userspace to register a per-process
ENCLU exception handler.  At a high level, the basic idea is the same
as the vDSO approach: provide a hardcoded fixup handler for ENCLU and
attempt to fixup select unhandled exceptions that occurred in user code.

Pros:
  - No vDSO function.
  - Minimal userspace changes.
  - Smaller ABI, i.e. less bikeshedding (fingers crossed).
  - Kernel doesn't prevent userspace from doing stupid things, e.g.
    modifying the process' stack from within the enclave.
  - Kernel can proactively enforce the ENCLU handler as the only
    officially supported ABI for enclave exception handling.

Cons:
  - Userspace can only register a single ENCLU handler per process.
  - ABI is more esoteric than a standard function call.


This series is based on Jarkko's current master branch, which moves all
of the SGX code into arch/x86.  The full code can be found here:

https://github.com/sean-jc/linux/tree/2538adcece15447b988d93bf677af48073c7d219

I have not actually tested this *exact* commit beyond compiling as I do
not know the health status of Jarkko's code.  To test, I cherry-picked
the patches into an older stable version of the code.  Git was able to
handle the file renaming.

v1: https://lkml.kernel.org/r/20181205232012.28920-1-sean.j.christopherson@intel.com
v2: https://lkml.kernel.org/r/20181206221922.31012-1-sean.j.christopherson@intel.com
v3:
  - Replace the vDSO fixup with SGX specific fixup.
  - Patches 2/4 and 3/4 are essentially identical, the only difference
    being the name of the function that is called.  The changelogs for
    these patches still need a lot of attention.

[1] https://lkml.kernel.org/r/CALCETrVBR+2HjTqX=W4r9GOq69Xg36v4gmCKqK0wUjzAqBJnrw@mail.gmail.com
[2] https://lkml.kernel.org/r/f595c046-682c-0d4a-ce68-44d4634cedf2@fortanix.com

Sean Christopherson (4):
  x86/sgx: Add a per-mm ENCLU exception fixup handler
  x86/fault: Attempt to fixup unhandled #PF on ENCLU before signaling
  x86/traps: Attempt to fixup exceptions in vDSO before signaling
  x86/sgx: Add an SGX IOCTL to register a per-mm ENCLU exception handler

 arch/x86/include/asm/mmu.h             |  4 ++++
 arch/x86/include/asm/sgx.h             | 13 +++++++++++++
 arch/x86/include/uapi/asm/sgx.h        | 23 ++++++++++++++++++-----
 arch/x86/kernel/cpu/sgx/driver/encl.c  |  6 ++++++
 arch/x86/kernel/cpu/sgx/driver/ioctl.c | 20 ++++++++++++++++++++
 arch/x86/kernel/cpu/sgx/main.c         | 18 ++++++++++++++++++
 arch/x86/kernel/traps.c                | 15 +++++++++++++++
 arch/x86/mm/fault.c                    |  7 +++++++
 8 files changed, 101 insertions(+), 5 deletions(-)

-- 
2.19.2
