[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d78eb8b6-86ed-f39a-63a1-38785ea92a50@intel.com>
Date: Thu, 2 Dec 2021 16:32:15 -0800
From: Dave Hansen <dave.hansen@...el.com>
To: Reinette Chatre <reinette.chatre@...el.com>,
dave.hansen@...ux.intel.com, jarkko@...nel.org, tglx@...utronix.de,
bp@...en8.de, luto@...nel.org, mingo@...hat.com,
linux-sgx@...r.kernel.org, x86@...nel.org
Cc: seanjc@...gle.com, kai.huang@...el.com, cathy.zhang@...el.com,
cedric.xing@...el.com, haitao.huang@...el.com,
mark.shanahan@...el.com, hpa@...or.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 10/25] x86/sgx: Support enclave page permission changes
On 12/1/21 11:23 AM, Reinette Chatre wrote:
> Whether enclave page permissions are restricted or extended it
> is necessary to ensure that the page table entries and enclave page
> permissions are in sync. Introduce a new ioctl,
These should be "ioctl()".
> SGX_IOC_PAGE_MODP, to support enclave page permission changes. Since
> the OS has no insight in how permissions may have been extended from
> within the enclave all page permission requests are treated as
> permission restrictions.
I'm trying to wrap my head around this a bit. If this is only for
restricting permissions, should we be reflecting that in the naming?
SGX_IOC_PAGE_RESTRICT_PERM, perhaps? Wouldn't that be more direct than
saying, "here's a permission change ioctl(), but it doesn't arbitrarily
change things, it treats all changes as restrictions"?
The pseudocode for EMODPR looks like this:
> (* Update EPCM permissions *)
> EPCM(DS:RCX).R := EPCM(DS:RCX).R & SCRATCH_SECINFO.FLAGS.R;
> EPCM(DS:RCX).W := EPCM(DS:RCX).W & SCRATCH_SECINFO.FLAGS.W;
> EPCM(DS:RCX).X := EPCM(DS:RCX).X & SCRATCH_SECINFO.FLAGS.X;
so it makes total sense that it can only restrict permissions since it's
effectively:
new_hw_perm = old_hw_perm & secinfo_perm;
...
> +/**
> + * struct sgx_page_modp - parameter structure for the %SGX_IOC_PAGE_MODP ioctl
> + * @offset: starting page offset (page aligned relative to enclave base
> + * address defined in SECS)
> + * @length: length of memory (multiple of the page size)
> + * @prot: new protection bits of pages in range described by @offset
> + * and @length
> + * @result: SGX result code of ENCLS[EMODPR] function
> + * @count: bytes successfully changed (multiple of page size)
> + */
> +struct sgx_page_modp {
> + __u64 offset;
> + __u64 length;
> + __u64 prot;
> + __u64 result;
> + __u64 count;
> +};
Could we make it more explicit that offset/length/prot are inputs and
result/count are output?
..
> + if (!params.length || params.length & (PAGE_SIZE - 1))
> + return -EINVAL;
I find these a bit easier to read if they're:
if (!params.length || !IS_ALIGNED(params.length, PAGE_SIZE))
...
> + if (params.offset + params.length - PAGE_SIZE >= encl->size)
> + return -EINVAL;
I hate boundary conditions. :) But, I think this would be simpler
written as:
if (params.offset + params.length > encl->size)
Please double-check me on that, though. I've gotten these kinds of
checks wrong more times than I care to admit.
Powered by blists - more mailing lists