Unverified commit 16046abd, authored by openeuler-ci-bot, committed by Gitee

!158 Intel SPR: SGX: Backport SGX EDMM support

Merge Pull Request from: @zhiquan1-li 
 
**Content:**
This PR includes incremental backporting patches which mainly cover [SGX EDMM](https://lore.kernel.org/linux-sgx/239f0f5692d9c00f3c9e0d5d58cd77d2e5ba5eb4.camel@kernel.org/T/#m5f94561a7fef3f33e9922a41f45e5dcf88ad9880) (Enclave Dynamic
Memory Management) support and its dependencies, as well as subsequent fixes until upstream v6.0.

The total number of patches is 54. It includes:
- SGX EDMM support (commit 22~52)
  [[PATCH V5 00/31] x86/sgx and selftests/sgx: Support SGX2](https://lore.kernel.org/linux-sgx/239f0f5692d9c00f3c9e0d5d58cd77d2e5ba5eb4.camel@kernel.org/T/#m5f94561a7fef3f33e9922a41f45e5dcf88ad9880)
- Its dependencies (commit 1~21)
- Subsequent bug fix until upstream v6.0 (commit 53~54)

**Intel-kernel issue:**
https://gitee.com/openeuler/intel-kernel/issues/I5USAM

**Test:**
1. Build successfully for each commit
2. Kernel selftest - SGX: PASSED
   (this patchset includes dedicated test cases against EDMM)
   ```sh
   cd tools/testing/selftests/sgx/
   make
   ./test_sgx
   ```
3. SGX internal stress test: No new failure

**Known issue:**
None

**Default config change:**
None 
 
Link:https://gitee.com/openeuler/kernel/pulls/158

 
Reviewed-by: Jun Tian <jun.j.tian@intel.com>
Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
parents 96921e00 68203083
+6 −0
@@ -176,3 +176,9 @@ Contact: Keith Busch <keith.busch@intel.com>
Description:
		The cache write policy: 0 for write-back, 1 for write-through,
		other or unknown.

What:		/sys/devices/system/node/nodeX/x86/sgx_total_bytes
Date:		November 2021
Contact:	Jarkko Sakkinen <jarkko@kernel.org>
Description:
		The total amount of SGX physical memory in bytes.
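Review bot: The Description of the new sgx_total_bytes entry does not say that the value is per NUMA node, although the attribute sits under nodeX/x86/. Suggest wording such as "The total amount of SGX physical memory in bytes on this node", and state under which condition the x86/ directory exists, so that tools reading it know how to treat a missing file.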
+22 −7
@@ -10,7 +10,7 @@ Overview
Software Guard eXtensions (SGX) hardware enables for user space applications
to set aside private memory regions of code and data:

* Privileged (ring-0) ENCLS functions orchestrate the construction of the.
* Privileged (ring-0) ENCLS functions orchestrate the construction of the
  regions.
* Unprivileged (ring-3) ENCLU functions allow an application to enter and
  execute inside the regions.
@@ -91,7 +91,7 @@ In addition to the traditional compiler and linker build process, SGX has a
separate enclave “build” process.  Enclaves must be built before they can be
executed (entered). The first step in building an enclave is opening the
**/dev/sgx_enclave** device.  Since enclave memory is protected from direct
access, special privileged instructions are Then used to copy data into enclave
access, special privileged instructions are then used to copy data into enclave
pages and establish enclave page permissions.

.. kernel-doc:: arch/x86/kernel/cpu/sgx/ioctl.c
@@ -100,6 +100,21 @@ pages and establish enclave page permissions.
               sgx_ioc_enclave_init
               sgx_ioc_enclave_provision

Enclave runtime management
--------------------------

Systems supporting SGX2 additionally support changes to initialized
enclaves: modifying enclave page permissions and type, and dynamically
adding and removing of enclave pages. When an enclave accesses an address
within its address range that does not have a backing page then a new
regular page will be dynamically added to the enclave. The enclave is
still required to run EACCEPT on the new page before it can be used.

.. kernel-doc:: arch/x86/kernel/cpu/sgx/ioctl.c
   :functions: sgx_ioc_enclave_restrict_permissions
               sgx_ioc_enclave_modify_types
               sgx_ioc_enclave_remove_pages

Enclave vDSO
------------

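Review bot: The new "Enclave runtime management" paragraph describes only the fault-driven page add and its EACCEPT requirement, while the kernel-doc directive under it pulls in sgx_ioc_enclave_restrict_permissions, sgx_ioc_enclave_modify_types and sgx_ioc_enclave_remove_pages with no prose tying them to "modifying enclave page permissions and type" or to page removal. Add a sentence per ioctl saying when user space calls it and what the enclave has to do afterwards. Also, "adding and removing of enclave pages" should read "adding and removing enclave pages".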
@@ -126,13 +141,13 @@ the need to juggle signal handlers.
ksgxd
=====

SGX support includes a kernel thread called *ksgxwapd*.
SGX support includes a kernel thread called *ksgxd*.

EPC sanitization
----------------

ksgxd is started when SGX initializes.  Enclave memory is typically ready
For use when the processor powers on or resets.  However, if SGX has been in
for use when the processor powers on or resets.  However, if SGX has been in
use since the reset, enclave pages may be in an inconsistent state.  This might
occur after a crash and kexec() cycle, for instance.  At boot, ksgxd
reinitializes all enclave pages so that they can be allocated and re-used.
@@ -147,7 +162,7 @@ Page reclaimer

Similar to the core kswapd, ksgxd, is responsible for managing the
overcommitment of enclave memory.  If the system runs out of enclave memory,
*ksgxwapd* “swaps” enclave memory to normal memory.
*ksgxd* “swaps” enclave memory to normal memory.

Launch Control
==============
@@ -156,7 +171,7 @@ SGX provides a launch control mechanism. After all enclave pages have been
copied, kernel executes EINIT function, which initializes the enclave. Only after
this the CPU can execute inside the enclave.

ENIT function takes an RSA-3072 signature of the enclave measurement.  The function
EINIT function takes an RSA-3072 signature of the enclave measurement.  The function
checks that the measurement is correct and signature is signed with the key
hashed to the four **IA32_SGXLEPUBKEYHASH{0, 1, 2, 3}** MSRs representing the
SHA256 of a public key.
@@ -184,7 +199,7 @@ CPUs starting from Icelake use Total Memory Encryption (TME) in the place of
MEE. TME-based SGX implementations do not have an integrity Merkle tree, which
means integrity and replay-attacks are not mitigated.  B, it includes
additional changes to prevent cipher text from being returned and SW memory
aliases from being Created.
aliases from being created.

DMA to enclave memory is blocked by range registers on both MEE and TME systems
(SDM section 41.10).
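Review bot: The context line two above the corrected "aliases from being created." still reads "are not mitigated.  B, it includes", where "B," looks like a truncated word. Since this hunk is a typo pass over the same sentence, fix it here too. This is the paragraph that states what TME-based SGX does and does not protect against, so it should read unambiguously.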
+4 −0
@@ -1119,6 +1119,10 @@ config ARCH_SPLIT_ARG64
	   If a 32-bit architecture requires 64-bit arguments to be split into
	   pairs of 32-bit arguments, select this option.

# Select, if arch has a named attribute group bound to NUMA device nodes.
config HAVE_ARCH_NODE_DEV_GROUP
	bool

source "kernel/gcov/Kconfig"

source "scripts/gcc-plugins/Kconfig"
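Review bot: HAVE_ARCH_NODE_DEV_GROUP is introduced with only the one-line comment "Select, if arch has a named attribute group bound to NUMA device nodes." and no indication of what an architecture must provide when it selects the symbol. Extend the comment to name the attribute group object the node device code expects from the arch, so the contract is visible at the definition rather than only in the code that consumes it.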
+1 −0
@@ -250,6 +250,7 @@ config X86
	select HAVE_ARCH_KCSAN			if X86_64
	select X86_FEATURE_NAMES		if PROC_FS
	select PROC_PID_ARCH_STATUS		if PROC_FS
	select HAVE_ARCH_NODE_DEV_GROUP		if X86_SGX
	imply IMA_SECURE_AND_OR_TRUSTED_BOOT    if EFI

config INSTRUCTION_DECODER
+8 −0
@@ -47,17 +47,22 @@ enum sgx_encls_function {

/**
 * enum sgx_return_code - The return code type for ENCLS, ENCLU and ENCLV
 * %SGX_EPC_PAGE_CONFLICT:	Page is being written by other ENCLS function.
 * %SGX_NOT_TRACKED:		Previous ETRACK's shootdown sequence has not
 *				been completed yet.
 * %SGX_CHILD_PRESENT		SECS has child pages present in the EPC.
 * %SGX_INVALID_EINITTOKEN:	EINITTOKEN is invalid and enclave signer's
 *				public key does not match IA32_SGXLEPUBKEYHASH.
 * %SGX_PAGE_NOT_MODIFIABLE:	The EPC page cannot be modified because it
 *				is in the PENDING or MODIFIED state.
 * %SGX_UNMASKED_EVENT:		An unmasked event, e.g. INTR, was received
 */
enum sgx_return_code {
	SGX_EPC_PAGE_CONFLICT		= 7,
	SGX_NOT_TRACKED			= 11,
	SGX_CHILD_PRESENT		= 13,
	SGX_INVALID_EINITTOKEN		= 16,
	SGX_PAGE_NOT_MODIFIABLE		= 20,
	SGX_UNMASKED_EVENT		= 128,
};

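Review bot: In the kernel-doc block for enum sgx_return_code, the %SGX_CHILD_PRESENT line has no colon after the name, unlike the other entries in the same comment. Since this hunk edits that block, add the colon so all entries are consistent. The last entry, %SGX_UNMASKED_EVENT, also lacks the closing period that the other descriptions carry.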
@@ -216,6 +221,9 @@ struct sgx_pageinfo {
 * %SGX_PAGE_TYPE_REG:	a regular page
 * %SGX_PAGE_TYPE_VA:	a VA page
 * %SGX_PAGE_TYPE_TRIM:	a page in trimmed state
 *
 * Make sure when making changes to this enum that its values can still fit
 * in the bitfield within &struct sgx_encl_page
 */
enum sgx_page_type {
	SGX_PAGE_TYPE_SECS,
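Review bot: The comment added above enum sgx_page_type asks future editors to keep the values within the bitfield in struct sgx_encl_page, but nothing enforces it. State the bitfield width in the comment, or better, add a compile-time assertion (BUILD_BUG_ON) next to the bitfield, so that a page type that no longer fits fails the build instead of being silently truncated. The comment's final sentence is also missing its period.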