Re: [PATCH v4] sgx.7: New page with overview of Software Guard eXtensions (SGX)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

Is there any feedback for this version?

/Jarkko

On Mon, Mar 01, 2021 at 11:23:44PM +0200, Jarkko Sakkinen wrote:
> Signed-off-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
> ---
> v4:
> * Did a heavy edit trying to streamline the story a bit and focus on
>   stuff important to the user (e.g. lighten up x86 details).
> v3:
> * Overhaul based on Michael's comments. Most likely needs to be refined
>   in various places but this is at least a small step forward for sure.
> v2:
> * Fixed the semantic newlines convention and various style errors etc.
>   that were reported by Alenjandro and Michael.
> * SGX was merged to v5.
>  man7/sgx.7 | 196 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 196 insertions(+)
>  create mode 100644 man7/sgx.7
> 
> diff --git a/man7/sgx.7 b/man7/sgx.7
> new file mode 100644
> index 000000000..c0b67020e
> --- /dev/null
> +++ b/man7/sgx.7
> @@ -0,0 +1,196 @@
> +.\" Copyright (C) 2021 Intel Corporation
> +.\"
> +.\" %%%LICENSE_START(VERBATIM)
> +.\" Permission is granted to make and distribute verbatim copies of this
> +.\" manual provided the copyright notice and this permission notice are
> +.\" preserved on all copies.
> +.\"
> +.\" Permission is granted to copy and distribute modified versions of this
> +.\" manual under the conditions for verbatim copying, provided that the
> +.\" entire resulting derived work is distributed under the terms of a
> +.\" permission notice identical to this one.
> +.\"
> +.\" Since the Linux kernel and libraries are constantly changing, this
> +.\" manual page may be incorrect or out-of-date.  The author(s) assume no
> +.\" responsibility for errors or omissions, or for damages resulting from
> +.\" the use of the information contained herein.  The author(s) may not
> +.\" have taken the same level of care in the production of this manual,
> +.\" which is licensed free of charge, as they might when working
> +.\" professionally.
> +.\"
> +.\" Formatted or processed versions of this manual, if unaccompanied by
> +.\" the source, must acknowledge the copyright and authors of this work.
> +.\" %%%LICENSE_END
> +.\"
> +.TH SGX 7 2021\-02\-02 "Linux" "Linux Programmer's Manual"
> +.PP
> +sgx - overview of Software Guard eXtensions
> +.SH DESCRIPTION
> +.PP
> +Intel Software Guard eXtensions (SGX) allow applications to set
> +aside private memory regions of code and data.
> +These memory regions are called enclaves.
> +.PP
> +SGX must be enabled in BIOS.
> +If SGX appears to be unsupported on a system having hardware support,
> +ensure that SGX is enabled in the BIOS.
> +If a BIOS presents a choice between \(dqEnabled\(dq and \(dqSoftware
> +Enabled\(dq modes for SGX,
> +choose \(dqEnabled\(dq.
> +.PP
> +SGX is available only if the kernel was configured and built with the
> +.B CONFIG_X86_SGX
> +option.
> +You can determine whether the hardware supports SGX by checking
> +whether "sgx" appears in the
> +.I flags
> +field in
> +.IR /proc/cpuinfo .
> +.SS Overview
> +.PP
> +An enclave is a region of address space,
> +mapping pages from Enclave Page Cache (EPC),
> +which consists of sections of non-addressable system memory.
> +They are constructed with sub-functions of the privileged (ring-0) ENCLS x86
> +instruction,
> +and interacted with sub-functions of the unprivileged (ring-3) ENCLU x86
> +instruction.
> +Any other type of memory access gets asserted by the CPU.
> +Enclaves are represented to the user space as memory-mapped files,
> +shareable by multiple processes.
> +.PP
> +An EPC page can be initialized with ENCLS sub-functions to any of the
> +following types:
> +.TP
> +SECS
> +SGX Enclave Control Structure (SECS) contains the enclave global properties
> +such as the base address,
> +size and SHA256 checksum of its contents.
> +.TP
> +REG
> +Regular (REG) pages are code and data pages of the enclave.
> +They are mapped to the enclave address space.
> +.TP
> +TCS
> +Thread Control Structure (TCS) pages describe the entry points to an enclave with
> +an offset from the base address.
> +They are mapped to the enclave address space.
> +ENCLU provides EENTER and ERESUME sub-functions,
> +which take the address of a TCS page,
> +and jump executing inside an enclave from the given offset.
> +.PP
> +An enclave can be entered only at a fixed set of entry points,
> +each defined by a TCS,
> +by invoking EENTER and ERESUME.
> +Any other type of memory access is strictly prohibited by the CPU.
> +.PP
> +A thread inside an enclave can read and write memory inside and outside the
> +enclave,
> +but any action causing execution outside the enclave is asserted by the CPU
> +with an exception,
> +and ultimately exit from the enclave.
> +A thread can cleanly exit from the enclave with EEXIT sub-function of the ENCLU,
> +to a given address outside the enclave.
> +.PP
> +Although carved out of normal DRAM,
> +enclave memory is marked in the system memory map as reserved and is not
> +managed by the Linux memory manager.
> +There may be several enclave regions spread across the system.
> +Each contiguous region is called an Enclave Page Cache (EPC) section.
> +The pages belonging to the EPC sections are encrypted when they leave the
> +Last Level Cache (LLC).
> +.SS Construction
> +.PP
> +An enclave's life-cycle starts by opening
> +.I /dev/sgx_enclave,
> +and ends when all the file descriptors have been closed.
> +After opening the enclave,
> +its contents must be populated with the
> +.BR ioctl (2)
> +interface provided by
> +.IR <asm/sgx.h> .
> +.PP
> +The are rudimentarily the steps to construct an enclave:
> +.IP 1.
> +Invoke
> +.B SGX_IOC_ENCLAVE_CREATE,
> +which takes in data for the SECS,
> +and initializes an EPC page for it.
> +SECS is used by various ENCLS sub-functions to modify the enclave state.
> +It is kept internally by the kernel,
> +and is never made available to the user space.
> +.IP 2.
> +Populate regular and TCS pages to the enclave,
> +by invoking
> +.B SGX_IOC_ENCLAVE_ADD_PAGES.
> +.IP 3.
> +Invoke
> +.B SGX_IOC_ENCLAVE_INIT,
> +which makes the enclave executable.
> +After this new pages can no longer be added.
> +.SS Access rights
> +The state of each EPC page is stored to a structure called the
> +.I Enclave Page Cache Map (EPCM),
> +which takes a portion of the EPC.
> +The state consists of page type and access rights,
> +among the other things.
> +When a page is accessed by a CPU,
> +the EPCM permissions are enforced,
> +in addition to the
> +.BR mmap(2)
> +permissions.
> +EPCM permissions are defined when invoking
> +.B SGX_IOC_ENCLAVE_ADD_PAGES,
> +by setting them to the
> +.B flags
> +field of
> +.B struct enclave_add_pages.
> +.PP
> +A memory access to an unitialized EPC page causes EPCM fault,
> +with a new SGX bit set in the error code.
> +A new power cycle invalidates the whole EPCM,
> +making all EPC pages unitialized.
> +E.g. if the system goes to sleep,
> +and then wakes up,
> +all the data is gone.
> +Thus, a user space run-time must be prepared to handle this exception,
> +at any point of time.
> +.PP
> +When the pages are mapped to memory via
> +.BR mmap (2)
> +or
> +.BR mprotect (2),
> +the EPCM permissions are compared against the declared permissions.
> +If the declared permissions have bits set that are not part of the EPCM
> +permissions,
> +the operation fails with the error
> +.B EACCES.
> +.SS Exception handling
> +These are the exceptions triggered by an enclave:
> +.IP
> +Undefined instruction (#UD) exception is triggered when executing inside an enclave,
> +for any instruction that may cause VMEXIT,
> +I/O instruction, 
> +or a change in CPU privilege levels.
> +.IP
> +Page fault (#PF) with a new SGX bit set,
> +also known as EPCM fault,
> +is triggered,
> +when accessing unitialized EPC page,
> +or when the memory access surpasses the EPCM permissions.
> +.PP
> +In order to assist the run-time,
> +the kernel provides a vDSO entry point,
> +.BR vsgx_enter_enclave,
> +which wraps the code required the enter the enclave.
> +When an exception occurs,
> +the vDSO populates
> +.B struct sgx_enclave_run 
> +with the exception data,
> +and returns to the caller.
> +.SH VERSIONS
> +The SGX feature was added in Linux 5.11.
> +.SH SEE ALSO
> +.BR ioctl (2),
> +.BR mmap() (2),
> +.BR mprotect (2)
> -- 
> 2.30.1
> 



[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux