Re: RFC: userspace exception fixups

Sean Christopherson <sean.j.christopherson@xxxxxxxxx> · Fri, 2 Nov 2018 15:04:37 -0700

On Fri, Nov 02, 2018 at 08:02:23PM +0100, Jann Horn wrote:
> On Fri, Nov 2, 2018 at 7:27 PM Sean Christopherson
> <sean.j.christopherson@xxxxxxxxx> wrote:
> > On Fri, Nov 02, 2018 at 10:48:38AM -0700, Andy Lutomirski wrote:
> > > This whole mechanism seems very complicated, and it's not clear
> > > exactly what behavior user code wants.
> >
> > No argument there.  That's why I like the approach of dumping the
> > exception to userspace without trying to do anything intelligent in
> > the kernel.  Userspace can then do whatever it wants AND we don't
> > have to worry about mucking with stacks.
> >
> > One of the hiccups with the VDSO approach is that the enclave may
> > want to use the untrusted stack, i.e. the stack that has the VDSO's
> > stack frame.  For example, Intel's SDK uses the untrusted stack to
> > pass parameters for EEXIT, which means an AEX might occur with what
> > is effectively a bad stack from the VDSO's perspective.
> 
> What exactly does "uses the untrusted stack to pass parameters for
> EEXIT" mean? I guess you're saying that the enclave is writing to
> RSP+[0...some_positive_offset], and the written data needs to be
> visible to the code outside the enclave afterwards?

As is, they actually do it the other way around, i.e. negative offsets
relative to the untrusted %RSP.  Going into the enclave there is no
reserved space on the stack.  The SDK uses EEXIT like a function call,
i.e. pushing parameters on the stack and making an call outside of the
enclave, hence the name out-call.  This allows the SDK to handle any
reasonable out-call without a priori knowledge of the application's
maximum out-call "size".

Rough outline of what happens in a non-faulting case.

1: Userspace executes EENTER
        --------------------
        | userspace stack  | 
        -------------------- <-- %RSP at EENTER

2: Enclave does EEXIT to invoke out-call function

        --------------------
        | userspace stack  | 
        -------------------- <-- %RSP at EENTER
        | out-call func ID |
        | param1           |
        | ...              |
        | paramN           |
        -------------------- <-- %RSP at EEXIT

3: Userspace re-EENTERs enclave after handling EEXIT request

        --------------------
        | userspace stack  | 
        -------------------- <-- %RSP at original EENTER
        | out-call func ID |
        | param1           |
        | ...              |
        | paramN           |
        -------------------- <-- %RSP at post-EEXIT EENTER

4: Enclave cleans up the stack

        --------------------
        | userspace stack  | 
        -------------------- <-- %RSP back at original EENTER

In the faulting case, an AEX can occur while the enclave is pushing
parameters onto the stack for EEXIT.

1: Userspace executes EENTER
        --------------------
        | userspace stack  | 
        -------------------- <-- %RSP at EENTER

2: AEX occurs during enclave prep for EEXIT

        --------------------
        | userspace stack  | 
        -------------------- <-- %RSP at EENTER
        | out-call func ID |
        | param1           |
        | ...              | 
        -------------------- <-- %RSP at AEX

3: Userspace re-EENTERs enclave to invoke enclave fault handler

        --------------------
        | userspace stack  | 
        -------------------- <-- %RSP at original EENTER
        | out-call func ID |
        | param1           |
        | ...              | 
        -------------------- <-- %RSP at AEX
        | userspace stack  |
        -------------------- <-- %RSP at EENTER to fault handler

4: Enclave handles the fault, EEXITs back to userspace

        --------------------
        | userspace stack  | 
        -------------------- <-- %RSP at original EENTER
        | out-call func ID |
        | param1           |
        | ...              | 
        -------------------- <-- %RSP at AEX
        | userspace stack  |
        -------------------- <-- %RSP at EEXIT from fault handler

5: Userspace pops its stack and ERESUMEs back to the enclave
        --------------------
        | userspace stack  | 
        -------------------- <-- %RSP at original EENTER
        | out-call func ID |
        | param1           |
        | ...              | 
        -------------------- <-- %RSP at ERESUME

6: Enclave finishes its EEXIT to invoke out-call function

        --------------------
        | userspace stuff  | 
        -------------------- <-- %RSP at original EENTER
        | out-call func ID |
        | param1           |
        | ...              |
        | paramN           |
        -------------------- <-- %RSP at EEXIT 

> In other words, the vDSO helper would have to not touch the stack
> pointer (only using the 128-byte redzone to store spilled data, at
> least across the enclave entry), and return by decrementing the stack
> pointer by 8 immediately before returning (storing the return pointer
> in the redzone)?
> 
> So you'd call the vDSO helper with a normal "call
> vdso_helper_address", then the vDSO helper does "add rsp, 8", then the
> vDSO helper does its magic, and then it returns with "sub rsp, 8" and
> "ret"? That way you don't touch anything on the high-address side of
> RSP while still avoiding running into CET problems. (I'm assuming that
> you can use CET in a process that is hosting SGX enclaves?)