Hi-- On 4/21/20 11:41 AM, Andra Paraschiv wrote: > The Nitro Enclaves driver handles the enclave lifetime management. This > includes enclave creation, termination and setting up its resources such > as memory and CPU. > > An enclave runs alongside the VM that spawned it. It is abstracted as a > process running in the VM that launched it. The process interacts with > the NE driver, that exposes an ioctl interface for creating an enclave > and setting up its resources. > > Include the KVM API as part of the provided ioctl interface, with an > additional ENCLAVE_START ioctl command that triggers the enclave run. > > Signed-off-by: Alexandru Vasile <lexnv@xxxxxxxxxx> > Signed-off-by: Andra Paraschiv <andraprs@xxxxxxxxxx> > --- > include/linux/nitro_enclaves.h | 23 +++++++++++++ > include/uapi/linux/nitro_enclaves.h | 52 +++++++++++++++++++++++++++++ > 2 files changed, 75 insertions(+) > create mode 100644 include/linux/nitro_enclaves.h > create mode 100644 include/uapi/linux/nitro_enclaves.h > > diff --git a/include/uapi/linux/nitro_enclaves.h b/include/uapi/linux/nitro_enclaves.h > new file mode 100644 > index 000000000000..b90dfcf6253a > --- /dev/null > +++ b/include/uapi/linux/nitro_enclaves.h 
> @@ -0,0 +1,52 @@ > +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ > +/* > + * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. > + * > + * This program is free software; you can redistribute it and/or modify it > + * under the terms and conditions of the GNU General Public License, > + * version 2, as published by the Free Software Foundation. > + * > + * This program is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > + * GNU General Public License for more details. > + * > + * You should have received a copy of the GNU General Public License > + * along with this program; if not, see <http://www.gnu.org/licenses/>. > + */ > + > +#ifndef _UAPI_LINUX_NITRO_ENCLAVES_H_ > +#define _UAPI_LINUX_NITRO_ENCLAVES_H_ > + > +#include <linux/kvm.h> > +#include <linux/types.h> > + > +/* Nitro Enclaves (NE) Kernel Driver Interface */ > + > +/** > + * The command is used to trigger enclave start after the enclave resources, > + * such as memory and CPU, have been set. > + * > + * The enclave start metadata is an in / out data structure. It includes > + * provided info by the caller - enclave cid and flags - and returns the > + * slot uid and the cid (if input cid is 0). > + */ > +#define NE_ENCLAVE_START _IOWR('B', 0x1, struct enclave_start_metadata) Please document ioctl major ('B' in this case) and range used in Documentation/userspace-api/ioctl/ioctl-number.rst. > + > +/* Setup metadata necessary for enclave start. */ > +struct enclave_start_metadata { > + /* Flags for the enclave to start with (e.g. debug mode) (in). */ > + __u64 flags; > + > + /** > + * Context ID (CID) for the enclave vsock device. If 0 as input, the > + * CID is autogenerated by the hypervisor and returned back as output > + * by the driver (in/out). 
> + */ > + __u64 enclave_cid; > + > + /* Slot unique id mapped to the enclave to start (out). */ > + __u64 slot_uid; > +}; > + > +#endif /* _UAPI_LINUX_NITRO_ENCLAVES_H_ */ > thanks. -- ~Randy
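Review bot: the `flags` member of `struct enclave_start_metadata` is described only as "(e.g. debug mode) (in)", but this hunk defines no flag bit values, so user space has no named constant to pass and the driver has no defined set of accepted bits to validate against; please add the supported flag bits to this uapi header (for instance an `NE_ENCLAVE_DEBUG_MODE` define, name assumed) and have the `NE_ENCLAVE_START` handler reject any bit outside that set, otherwise unknown bits cannot later be given a meaning without changing behaviour for existing callers. Two smaller points on the same hunk: the `/** ... */` comments above `NE_ENCLAVE_START` and `enclave_cid` use the kernel-doc opener without kernel-doc layout (no `struct enclave_start_metadata -` line, no `@flags:`, `@enclave_cid:`, `@slot_uid:` member entries), so either convert them to proper kernel-doc or use plain `/* */`; and the struct name `enclave_start_metadata` in a uapi header carries no prefix, so an `ne_` prefix matching `NE_ENCLAVE_START` would avoid collisions with other headers. Lastly, nothing in the hunk uses a type from `<linux/kvm.h>` even though the commit message says the KVM API is included in the ioctl interface; either drop the include or show what depends on it.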