sgx upstreaming story
play

SGX Upstreaming Story Linux Plumbers Conference 2019 Jarkko Sakkinen - PowerPoint PPT Presentation

Jan 07, 2023 •545 likes •707 views

SGX Upstreaming Story Linux Plumbers Conference 2019 Jarkko Sakkinen < jarkko.sakkinen@linux.intel.com > First, a little bit of history Skylake 2015 First attempt 2016/04/25: Only Intel blessed enclaves :(

  1. SGX Upstreaming Story Linux Plumbers Conference 2019 Jarkko Sakkinen < jarkko.sakkinen@linux.intel.com >

  2. First, a little bit of history Skylake 2015 First attempt 2016/04/25: Only Intel blessed enclaves :( https://lwn.net/Articles/686808/ At LPC 2016 first plans for flexible launch control. In September 2017 new series was started. In December Geminilake launchedx. https://lwn.net/Articles/786487/ Latest version is v22.

  3. Enclaves Reserved address space. Memory is committed from a reserved memory area called Enclave Page Cache (EPC). Predefined entry points (ring-3). CPU asserted access. Memory encryption (outside LLC). Local and remote attestation.

  4. The kernel assets Sources arch/x86/kernel/cpu/sgx tools/testing/selftests/x86/sgx Devices /dev/sgx/enclave SGX IOC ENCLAVE CREATE SGX IOC ENCLAVE ADD PAGE SGX IOC ENCLAVE INIT SGX IOC ENCLAVE SET ATTRIBUTE /dev/sgx/provision Community linux-sgx@vger.kernel.org https://github.com/jsakkine-intel/linux-sgx.git

  5. The kernel assets: arch/x86/kernel/cpu/sgx $ wc -l arch/x86/kernel/cpu/sgx/* 423 arch/x86/kernel/cpu/sgx/arch.h 275 arch/x86/kernel/cpu/sgx/driver.c 34 arch/x86/kernel/cpu/sgx/driver.h 718 arch/x86/kernel/cpu/sgx/encl.c 133 arch/x86/kernel/cpu/sgx/encl.h 56 arch/x86/kernel/cpu/sgx/encls.c 263 arch/x86/kernel/cpu/sgx/encls.h 721 arch/x86/kernel/cpu/sgx/ioctl.c 311 arch/x86/kernel/cpu/sgx/main.c 5 arch/x86/kernel/cpu/sgx/Makefile 472 arch/x86/kernel/cpu/sgx/reclaim.c 89 arch/x86/kernel/cpu/sgx/sgx.h 3500 total

  6. The kernel assets: tools/testing/selftests/x86/sgx $ wc -l tools/testing/selftests/x86/sgx/* 39 tools/testing/selftests/x86/sgx/defines.h 94 tools/testing/selftests/x86/sgx/encl bootstrap.S 20 tools/testing/selftests/x86/sgx/encl.c 34 tools/testing/selftests/x86/sgx/encl.lds 371 tools/testing/selftests/x86/sgx/main.c 47 tools/testing/selftests/x86/sgx/Makefile 49 tools/testing/selftests/x86/sgx/sgx call.S 493 tools/testing/selftests/x86/sgx/sgxsign.c 39 tools/testing/selftests/x86/sgx/signing key.pem 1186 total

  7. A short breakdown Constructing enclaves (/dev/sgx/enclave) Executing enclaves Overcommitment Access control (e.g. DAC, SELinux, AppArmor) Provisioning (/dev/sgx/provision)

  8. Constructing enclaves /dev/sgx/enclave mmap() with PROT NONE . SGX IOC ENCLAVE CREATE (secs) SGX Enclave Control Structure (SECS) SGX IOC ENCLAVE ADD PAGE (addr, page, secinfo, mrmask) SGX IOC ENCLAVE INIT (sigstruct) mprotect() (capped by EADD) vma- > may protect()

  9. Constructing enclaves: ENCLS[EINIT] IA32 SGXLEPUBKEYHASH { 0, 1, 2, 3 } MSRs FEATURE CONTROL SGX LE WR Locked MSRs: requires a Launch Enclave. Tokens generated by the LE and passed to EINIT. Linux runs enclaves only with unlocked MSRs.

  10. Executing enclaves ENCLU[EENTER] (rbx=TCS, rcx=AEP/rip successor) Thread Control Structure (TCS) Asynchronous Exit Point (AEP) Exit to Asychronous Exit Point (AEP). ENCLU[ERESUME] (rbx=TCS, rcx=AEP) ENCLU[EEXIT] (rbx=outside address, rcx=AEP)

  11. Executing enclaves: TCS .section ".tcs", "a" .balign 4096 .fill 1, 8, 0 # STATE (set by CPU) .fill 1, 8, 0 # FLAGS .quad encl ssa # OSSA .fill 1, 4, 0 # CSSA (set by CPU) .fill 1, 4, 1 # NSSA .quad encl entry # OENTRY .fill 1, 8, 0 # AEP (set by EENTER/RESUME) .fill 1, 8, 0 # OFSBASE .fill 1, 8, 0 # OGSBASE .fill 1, 4, 0xFFFFFFFF # FSLIMIT (32-bit) .fill 1, 4, 0xFFFFFFFF # GSLIMIT (32-bit) .fill 4024, 1, 0 # Reserved

  12. Executing enclaves: vdso sgx enter enclave Enclaves generate exceptions as part of their normal operation. Permisson conflict: #PF with PF SGX Illegal instructions: #UD https://software.intel.com/en-us/node/703005 vdso sgx enter enclave Exception: di=exception (e.g. #PF), si=error (e.g. PF SGX), rdx=addr

  13. Access control: DAC /dev/sgx/enclave permissions control who can build enclaves. The build process also caps mmap() and mprotect(). /dev/sgx/provision permissions control who can grant access to provision an enclave. Enclaves always need an outside delegate for syscalls. They can read and write process memory but cannot affect outside system. The end game is that there needs to be a process that is able to change writable pages executable pages unconditionally.

  14. Access control: LSM hooks security enclave load(vma, prot) : Allow LSM intervene when a a page is loaded into enclave. Prevent loading a non-executable file. Deny WX from unprivileged process (as defined by the LSM). security enclave map(vma, prot) : Allow LSM intervene mmap() or mprotect() of an enclave. Deny WX.

  15. Access control: LSM hooks That’s all folks, thank you.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Multipath TCP Upstreaming Mat Martineau (Intel) and Matthieu Baerts (Tessares) Plan

Multipath TCP Upstreaming Mat Martineau (Intel) and Matthieu Baerts (Tessares) Plan

Multipath TCP Upstreaming Mat Martineau (Intel) and Matthieu Baerts (Tessares) Plan Multipath TCP Overview First Patch Set Upstreaming Roadmap Advanced Features Roadmap Conclusion and links 2 What is MPTCP? 3 Multipath

1.36k views • 68 slides
ELC 2017 War Story: Using Zephyr to Develop a Wearable Device Neil Armstrong &amp; Fabien Parent

ELC 2017 War Story: Using Zephyr to Develop a Wearable Device Neil Armstrong &amp; Fabien Parent

ELC 2017 War Story: Using Zephyr to Develop a Wearable Device Neil Armstrong &amp; Fabien Parent Agenda Based on a true story Many choices, why Zephyr? Zephyr in a nutshell Porting &amp; upstreaming a new platform

356 views • 35 slides
1 QC STORY -32 QC STORY -32 QC STORY -32 QC Story-1 QC Story-1 QC Story-1 Awards and

1 QC STORY -32 QC STORY -32 QC STORY -32 QC Story-1 QC Story-1 QC Story-1 Awards and

QC STORY -32 QC STORY -32 QC STORY -32 Shop Floor view QC Story-1 QC Story-1 FACTORY OVERVIEW QC Story-1 On Behalf of Susira Industries Ltd., Chennai. We Welcome the Delegates for the QCI DL SHAH NATIONAL AWARDS ON ECONOMICS OF

976 views • 13 slides
REXOTICA Your story matters Opportunity Each product has a function and a story and we

REXOTICA Your story matters Opportunity Each product has a function and a story and we

REXOTICA Your story matters Opportunity Each product has a function and a story and we believe it is all about your story A perfect gift What we do We make specially designed jewelry that embodies your personal story in a resin A

320 views • 11 slides
THE STORY OF REDEMPTION SACRED SPACE SUMMER OF LEARNING UNFOLDING HIS STORY The main story that

THE STORY OF REDEMPTION SACRED SPACE SUMMER OF LEARNING UNFOLDING HIS STORY The main story that

THE STORY OF REDEMPTION SACRED SPACE SUMMER OF LEARNING UNFOLDING HIS STORY The main story that God is telling in the Bible is his Redemptive History. We will see this story unfold as we look at his Divine Covenants, His Kingdom, and His

773 views • 50 slides
B R P D T H D E V E L O P M E N T 841-847 St. Nicholas Ave New York, New York 10031 ND June

B R P D T H D E V E L O P M E N T 841-847 St. Nicholas Ave New York, New York 10031 ND June

COLOR LEGEND FOR BLOCK PLAN 3 STORY 4 STORY 5 STORY 6 STORY 7 STORY B R P D T H D E V E L O P M E N T 841-847 St. Nicholas Ave New York, New York 10031 ND June 27th, 2017 N Architecture P.C. SLM 825 East Gate Blvd Garden City, NY

550 views • 24 slides
The Moral of the Story The Moral of the Story Creating a brand story that builds relationships

The Moral of the Story The Moral of the Story Creating a brand story that builds relationships

The Moral of the Story The Moral of the Story Creating a brand story that builds relationships with people Jeff Freedman CEO, Small Army jfreedman@smallarmy,net @smallarmyjeff 617-450-0000 Jeff Freedman, Moral of the story Page 2 Every

393 views • 21 slides
GLR Week July 25, 2018 Familys Story Familys Story Familys Story It's so hard to hear

GLR Week July 25, 2018 Familys Story Familys Story Familys Story It's so hard to hear

GLR Week July 25, 2018 Familys Story Familys Story Familys Story It's so hard to hear your baby cry. Try some of these tips to comfort your child: holding, stroking, talking, and more: http://bit.ly/2BEKpgj Parents &amp; Caregivers

607 views • 14 slides
A Bri A Brief ef Hi Hist story ory A Br A Brief ief Hi Hist story ory A Bri A Brief

A Bri A Brief ef Hi Hist story ory A Br A Brief ief Hi Hist story ory A Bri A Brief

A Bri A Brief ef Hi Hist story ory A Br A Brief ief Hi Hist story ory A Bri A Brief ef Hi Hist story ory A Brief A Bri ef Hi Hist story ory of Council of Cou ncil Ta Tax x of of Co Coun uncil cil Ta Tax x of Co

775 views • 35 slides
The Story so Far.... t = +380,000 years 1964 The Story so Far.... t = +600 million years 1964

The Story so Far.... t = +380,000 years 1964 The Story so Far.... t = +600 million years 1964

The Story so Far.... t = +380,000 years 1964 The Story so Far.... t = +600 million years 1964 Galaxy Detected! ? udfy-38135539 z=8.6 WMAP The Story so Far.... t = ~1 billion years 1964 Large Scale Structure ? WMAP The Story so

596 views • 27 slides
Study 21 Presentation The Story also talks about five movements that take part in Gods Story:

Study 21 Presentation The Story also talks about five movements that take part in Gods Story:

Study 21 Presentation The Story also talks about five movements that take part in Gods Story: Movement 1: The Story of the Garden (Genesis 1-11) Movement 2: The Story of Israel (Genesis 12 Malachi) Movement 3: The Story of Jesus (Matthew

307 views • 3 slides
Study 25 Presentation The Story also talks about five movements that take part in Gods Story:

Study 25 Presentation The Story also talks about five movements that take part in Gods Story:

Study 25 Presentation The Story also talks about five movements that take part in Gods Story: Movement 1: The Story of the Garden (Genesis 1-11) Movement 2: The Story of Israel (Genesis 12 Malachi) Movement 3: The Story of Jesus (Matthew

327 views • 5 slides
Study 8 Presentation The Story also talks about five movements that take part in Gods Story:

Study 8 Presentation The Story also talks about five movements that take part in Gods Story:

Study 8 Presentation The Story also talks about five movements that take part in Gods Story: Movement 1: The Story of the Garden (Genesis 1-11) Movement 2: The Story of Israel (Genesis 12 Malachi) Movement 3: The Story of Jesus (Matthew

306 views • 5 slides
Study 16 Presentation The Story also talks about five movements that take part in Gods Story:

Study 16 Presentation The Story also talks about five movements that take part in Gods Story:

Study 16 Presentation The Story also talks about five movements that take part in Gods Story: Movement 1: The Story of the Garden (Genesis 1-11) Movement 2: The Story of Israel (Genesis 12 Malachi) Movement 3: The Story of Jesus (Matthew

355 views • 3 slides
Future Software Resources Ltd Story Story!!!! When was the last time you paused and took an

Future Software Resources Ltd Story Story!!!! When was the last time you paused and took an

Future Software Resources Ltd Story Story!!!! When was the last time you paused and took an advert seriously? Can you remember why? The average African is wired to respond to stories, remember Tales by Moonlight. Your brand story is a

344 views • 22 slides
The Whole Bible Story Ch rjsu ian Storyte lm ing Conference 2018 The Whole Story By Other Names

The Whole Bible Story Ch rjsu ian Storyte lm ing Conference 2018 The Whole Story By Other Names

The Whole Bible Story Ch rjsu ian Storyte lm ing Conference 2018 The Whole Story By Other Names arching Narrative Over- D i v i n Meta e D r a m a Tale God - Story Sacred a m a r d o e Story h T Narrative Grand

826 views • 46 slides
SVD slow control progress Szymon Bacher Institute of Nuclear Physics, Polish Academy of Science,

SVD slow control progress Szymon Bacher Institute of Nuclear Physics, Polish Academy of Science,

SVD slow control progress Szymon Bacher Institute of Nuclear Physics, Polish Academy of Science, Krakw, Poland University of Science and Technology, Krakw, Poland Personal change Juan is about to leave SVD Slow control soon, I have

411 views • 18 slides
Hall D Fast Feedback Trent Allison Ops StayTreat 2015 Hall D FFB Overview Correctors BPM

Hall D Fast Feedback Trent Allison Ops StayTreat 2015 Hall D FFB Overview Correctors BPM

Hall D Fast Feedback Trent Allison Ops StayTreat 2015 Hall D FFB Overview Correctors BPM Correctors BPM X Y X Y V H V H Control Algorithm Data from 2 BPMs used to control 2 sets of correctors Locking position at 1 point does

612 views • 18 slides
State Notation Language and the Sequencer Andrew Johnson APS Engineering Support Division

State Notation Language and the Sequencer Andrew Johnson APS Engineering Support Division

State Notation Language and the Sequencer Andrew Johnson APS Engineering Support Division October 18th, 2006 SNS EPICS Training Outline What is State Notation Language (SNL) Where it fits in the EPICS toolkit Components of a state

549 views • 38 slides
Annual Report 27 APRIL 2020 Purposes of the 2019 Annual Report SUMMARIZE FINDINGS SOURCE OF

Annual Report 27 APRIL 2020 Purposes of the 2019 Annual Report SUMMARIZE FINDINGS SOURCE OF

2019 IOC Annual Report 27 APRIL 2020 Purposes of the 2019 Annual Report SUMMARIZE FINDINGS SOURCE OF PUBLIC SUMMARIZE PROJECTS OF THE 2019 AUDIT INFORMATION ABOUT FUNDED WITH SURTAX PURPOSE OF SURTAX DOLLARS IN YEAR 1 Feedback Provided

430 views • 12 slides
image motion 2 Tues. Feb. 6, 2018 1 Overview of Today Abstract computational problem: how to

image motion 2 Tues. Feb. 6, 2018 1 Overview of Today Abstract computational problem: how to

COMP 546 Lecture 8 image motion 2 Tues. Feb. 6, 2018 1 Overview of Today Abstract computational problem: how to estimate the local image velocity ? Solution based on V1 motion detectors 2 Intensity changes in XY

710 views • 33 slides
Internationalisation at Home good ideas and curriculum innovation IAH Symposium Brisbane,

Internationalisation at Home good ideas and curriculum innovation IAH Symposium Brisbane,

Internationalisation at Home good ideas and curriculum innovation IAH Symposium Brisbane, Australia 26 October 2012 Associate Professor Betty Leask Australian National Teaching Fellow University of South Australia AUSTRALIA

554 views • 22 slides
Inverse Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Todays

Inverse Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Todays

Inverse Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Todays Lecture 1. So far: manually design reward function to define a task 2. What if we want to learn the reward function from observing an expert, and

650 views • 33 slides
Mission Thread Market (MTM): A Faster, Cheaper, Better Path to Netcentricity (A JITC - W2GOG

Mission Thread Market (MTM): A Faster, Cheaper, Better Path to Netcentricity (A JITC - W2GOG

World Wide Consortium for the Grid (W2COG) Institute: Assured Value-of-Information-Service (V oIS) across a networked enterprise Better networked capability - faster, and cheaper - through adaptive collaborative, value-focused, architecture,

452 views • 17 slides

More recommend