Changes in Makefile

540745dd - x86/sgx: Introduce virtual EPC for use by KVM guests

Fri, 19 Mar 2021 07:22:21 +0000

x86/sgx: Introduce virtual EPC for use by KVM guestsAdd a misc device /dev/sgx_vepc to allow userspace to allocate "raw"Enclave Page Cache (EPC) without an associated enclave. The intendedand only known use case for raw EPC allocation is to expose EPC to aKVM guest, hence the 'vepc' moniker, virt.{c,h} files and X86_SGX_KVMKconfig.The SGX driver uses the misc device /dev/sgx_enclave to supportuserspace in creating an enclave. Each file descriptor returned fromopening /dev/sgx_enclave represents an enclave. Unlike the SGX driver,KVM doesn't control how the guest uses the EPC, therefore EPC allocatedto a KVM guest is not associated with an enclave, and /dev/sgx_enclaveis not suitable for allocating EPC for a KVM guest.Having separate device nodes for the SGX driver and KVM virtual EPC alsoallows separate permission control for running host SGX enclaves and KVMSGX guests.To use /dev/sgx_vepc to allocate a virtual EPC instance with particularsize, the hypervisor opens /dev/sgx_vepc, and uses mmap() with theintended size to get an address range of virtual EPC. Then it may usethe address range to create one KVM memory slot as virtual EPC fora guest.Implement the "raw" EPC allocation in the x86 core-SGX subsystem via/dev/sgx_vepc rather than in KVM. Doing so has two major advantages: - Does not require changes to KVM's uAPI, e.g. EPC gets handled as just another memory backend for guests. - EPC management is wholly contained in the SGX subsystem, e.g. SGX does not have to export any symbols, changes to reclaim flows don't need to be routed through KVM, SGX's dirty laundry doesn't have to get aired out for the world to see, and so on and so forth.The virtual EPC pages allocated to guests are currently not reclaimable.Reclaiming an EPC page used by enclave requires a special reclaimmechanism separate from normal page reclaim, and that mechanism is notsupported for virutal EPC pages. Due to the complications of handlingreclaim conflicts between guest and host, reclaiming virtual EPC pagesis significantly more complex than basic support for SGX virtualization. [ bp: - Massage commit message and comments - use cpu_feature_enabled() - vertically align struct members init - massage Virtual EPC clarification text - move Kconfig prompt to Virtualization ]Signed-off-by: Sean Christopherson Co-developed-by: Kai Huang Signed-off-by: Kai Huang Signed-off-by: Borislav Petkov Acked-by: Dave Hansen Acked-by: Jarkko Sakkinen Link: https://lkml.kernel.org/r/0c38ced8c8e5a69872db4d6a1c0dabd01e07cad7.1616136308.git.kai.huang@intel.com List of files: /linux-6.15/arch/x86/kernel/cpu/sgx/Makefile

888d2491 - x86/sgx: Add SGX_IOC_ENCLAVE_CREATE

Thu, 12 Nov 2020 22:01:23 +0000

x86/sgx: Add SGX_IOC_ENCLAVE_CREATEAdd an ioctl() that performs the ECREATE function of the ENCLSinstruction, which creates an SGX Enclave Control Structure (SECS).Although the SECS is an in-memory data structure, it is present inenclave memory and is not directly accessible by software.Co-developed-by: Sean Christopherson Signed-off-by: Sean Christopherson Signed-off-by: Jarkko Sakkinen Signed-off-by: Borislav Petkov Tested-by: Jethro Beekman Link: https://lkml.kernel.org/r/20201112220135.165028-13-jarkko@kernel.org List of files: /linux-6.15/arch/x86/kernel/cpu/sgx/Makefile

3fe0778e - x86/sgx: Add an SGX misc driver interface

Thu, 12 Nov 2020 22:01:22 +0000

x86/sgx: Add an SGX misc driver interfaceIntel(R) SGX is a new hardware functionality that can be used byapplications to set aside private regions of code and data calledenclaves. New hardware protects enclave code and data from outsideaccess and modification.Add a driver that presents a device file and ioctl API to build andmanage enclaves. [ bp: Small touchups, remove unused encl variable in sgx_encl_find() as Reported-by: kernel test robot ]Signed-off-by: Jarkko Sakkinen Co-developed-by: Sean Christopherson Signed-off-by: Sean Christopherson Signed-off-by: Borislav Petkov Tested-by: Jethro Beekman Link: https://lkml.kernel.org/r/20201112220135.165028-12-jarkko@kernel.org List of files: /linux-6.15/arch/x86/kernel/cpu/sgx/Makefile

e7e05452 - x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections

Thu, 12 Nov 2020 22:01:16 +0000

x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sectionsAlthough carved out of normal DRAM, enclave memory is marked in thesystem memory map as reserved and is not managed by the core mm. Theremay be several regions spread across the system. Each contiguous regionis called an Enclave Page Cache (EPC) section. EPC sections areenumerated via CPUIDEnclave pages can only be accessed when they are mapped as part of anenclave, by a hardware thread running inside the enclave.Parse CPUID data, create metadata for EPC pages and populate a simpleEPC page allocator. Although much smaller, ‘struct sgx_epc_page’metadata is the SGX analog of the core mm ‘struct page’.Similar to how the core mm’s page->flags encode zone and NUMAinformation, embed the EPC section index to the first eight bits ofsgx_epc_page->desc. This allows a quick reverse lookup from EPC page toEPC section. Existing client hardware supports only a single section,while upcoming server hardware will support at most eight sections.Thus, eight bits should be enough for long term needs.Signed-off-by: Sean Christopherson Co-developed-by: Serge Ayoun Signed-off-by: Serge Ayoun Co-developed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Borislav Petkov Acked-by: Jethro Beekman Link: https://lkml.kernel.org/r/20201112220135.165028-6-jarkko@kernel.org List of files: /linux-6.15/arch/x86/kernel/cpu/sgx/Makefile