On 2/26/21 4:15 AM, Kai Huang wrote: > From: Sean Christopherson <sean.j.christopherson@xxxxxxxxx> > > And extract sgx_set_attribute() out of sgx_ioc_enclave_provision() and > export it as symbol for KVM to use. > > Provisioning key is sensitive. SGX driver only allows to create enclave > which can access provisioning key when enclave creator has permission to > open /dev/sgx_provision. It should apply to VM as well, as provisioning > key is platform specific, thus unrestricted VM can also potentially > compromise provisioning key. > > Move provisioning device creation out of sgx_drv_init() to sgx_init() as > preparation for adding SGX virtualization support, so that even SGX > driver is not enabled due to flexible launch control is not available, > SGX virtualization can still be enabled, and use it to restrict VM's > capability of being able to access provisioning key. > > Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx> > Reviewed-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx> > Signed-off-by: Kai Huang <kai.huang@xxxxxxxxx> Acked-by: Dave Hansen <dave.hansen@xxxxxxxxx>
