> On Apr 23, 2019, at 12:26 PM, Sean Christopherson <sean.j.christopherson@xxxxxxxxx> wrote:
>
>> On Mon, Apr 22, 2019 at 05:37:24PM -0700, Cedric Xing wrote:
>> The previous __vdso_sgx_enter_enclave() requires enclaves to preserve %rsp,
>> which prohibits enclaves from allocating and passing parameters for
>> untrusted function calls (aka. o-calls).
>>
>> This patch addresses the problem above by introducing a new ABI that preserves
>> %rbp instead of %rsp. Then __vdso_sgx_enter_enclave() can anchor its frame
>> using %rbp so that enclaves are allowed to allocate space on the untrusted
>> stack by decrementing %rsp. Please note that the stack space allocated in such
>> way will be part of __vdso_sgx_enter_enclave()'s frame so will be freed after
>> __vdso_sgx_enter_enclave() returns. Therefore, __vdso_sgx_enter_enclave() has
>> been changed to take a callback function as an optional parameter, which if
>> supplied, will be invoked upon enclave exits (both AEX (Asynchronous Enclave
>> eXit) and normal exits), with the value of %rsp left
>> off by the enclave as a parameter to the callback.
>>
>> Here's the summary of API/ABI changes in this patch. More details could be
>> found in arch/x86/entry/vdso/vsgx_enter_enclave.S.
>> * 'struct sgx_enclave_exception' is renamed to 'struct sgx_enclave_exinfo'
>>   because it is filled upon both AEX (i.e. exceptions) and normal enclave
>>   exits.
>> * __vdso_sgx_enter_enclave() anchors its frame using %rbp (instead of %rsp in
>>   the previous implementation).
>> * __vdso_sgx_enter_enclave() takes one more parameter - a callback function to
>>   be invoked upon enclave exits. This callback is optional, and if not
>>   supplied, will cause __vdso_sgx_enter_enclave() to return upon enclave exits
>>   (same behavior as previous implementation).
>> * The callback function is given as a parameter the value of %rsp at enclave
>>   exit to address data "pushed" by the enclave. A positive value returned by
>>   the callback will be treated as an ENCLU leaf for re-entering the enclave,
>>   while a zero or negative value will be passed through as the return
>>   value of __vdso_sgx_enter_enclave() to its caller. It's also safe to
>>   leave callback by longjmp() or by throwing a C++ exception.
>>
>> Signed-off-by: Cedric Xing <cedric.xing@xxxxxxxxx>
>> ---
>> arch/x86/entry/vdso/vsgx_enter_enclave.S | 156 ++++++++++++++---------
>> arch/x86/include/uapi/asm/sgx.h | 14 +-
>> 2 files changed, 100 insertions(+), 70 deletions(-)
>>
>> diff --git a/arch/x86/entry/vdso/vsgx_enter_enclave.S b/arch/x86/entry/vdso/vsgx_enter_enclave.S >> index fe0bf6671d6d..210f4366374a 100644 >> --- a/arch/x86/entry/vdso/vsgx_enter_enclave.S >> +++ b/arch/x86/entry/vdso/vsgx_enter_enclave.S >> @@ -14,88 +14,118 @@ >> .code64 >> .section .text, "ax" >> >> -#ifdef SGX_KERNEL_DOC
>
> This #ifdef and the pseudo-C code below has a functional purpose. From
> the original commit:
>
> Note, the C-like pseudocode describing the assembly routine is wrapped
> in a non-existent macro instead of in a comment to trick kernel-doc into
> auto-parsing the documentation and function prototype. This is a double
> win as the pseudocode is intended to aid kernel developers, not userland
> enclave developers.
>
> We don't need full pseudocode, but a C-like prototype is necessary to get
> the kernel-doc comment parsed correctly.

That should be explained in a comment :)

—Andy
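
Review bot: the removal of `#ifdef SGX_KERNEL_DOC` directly after `.section .text, "ax"` drops the guard that, per the original commit quoted in the reply, exists so kernel-doc auto-parses the documentation and function prototype. Even if the full pseudocode is dropped, keep a C-like prototype under that guard, and put a comment beside it stating that the macro is deliberately non-existent and is there only for kernel-doc, so the next cleanup does not remove it again.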