[5.15-velinux] Intel: backport KVM Fix for Clearing SGX EDECCSSA to 5.15
This PR includes incremental backporting patches which mainly cover some SGX bug fixes which are missing in VeLinux.
About the patches
The total patch number is 4:
5f4d1fd5b5d3 selftests/sgx: Ignore OpenSSL 3.0 deprecated functions warning
ee56a283988d x86/sgx: Improve comments for sgx_encl_lookup/alloc_backing()
370839c241f7 x86/sgx: Allow enclaves to use Asynchrounous Exit Notification
7efb4d8a392a KVM: VMX: Also clear SGX EDECCSSA in KVM CPU caps when SGX is disabled
Tests
- Build successfully for each commit
- Kernel selftest - SGX: PASSED
cd tools/testing/selftests/sgx/
make
./test_sgx
- Kernel selftest - SGX in VM: PASSED
- Function test
Step 1. Original SGX EDECCSSA status in guest
[root@guest ~]# cpuid -1 -l 0x12
CPU:
Software Guard Extensions (SGX) capability (0x12/0):
SGX1 supported = true
SGX2 supported = true
SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false
SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
SGX ENCLU EVERIFYREPORT2 = false
SGX ENCLS EUPDATESVN = false
SGX ENCLU EDECCSSA = true
MISCSELECT.EXINFO supported: #PF & #GP = true
MISCSELECT.CPINFO supported: #CP = false
MaxEnclaveSize_Not64 (log2) = 0x1f (31)
MaxEnclaveSize_64 (log2) = 0x38 (56)
Step 2. Disable SGX in guest
root@KVM-host:~# rmmod kvm_intel
root@KVM-host:~# modprobe kvm_intel sgx=0
Step 3. The SGX EDECCSSA capability is cleared in KVM, then its status becomes false
[root@guest ~]# cpuid -1 -l 0x12
CPU:
Software Guard Extensions (SGX) capability (0x12/0):
SGX1 supported = false
SGX2 supported = false
SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false
SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
SGX ENCLU EVERIFYREPORT2 = false
SGX ENCLS EUPDATESVN = false
SGX ENCLU EDECCSSA = false
MISCSELECT.EXINFO supported: #PF & #GP = false
MISCSELECT.CPINFO supported: #CP = false
MaxEnclaveSize_Not64 (log2) = 0x0 (0)
MaxEnclaveSize_64 (log2) = 0x0 (0)
[root@TDX-guest ~]#
Known issue: None
Default config change: None
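The Step 1 / Step 3 comparison in the function test can be scripted. The following is an added example, not part of the PR or the kernel tree: it parses `cpuid -1 -l 0x12` text and flags a guest that still advertises EDECCSSA while SGX1 is reported as unsupported. The function names and both sample dumps are constructed for illustration; the field labels are the ones shown in the output above.

```shell
#!/bin/sh
# Added example: consistency check on a guest's CPUID leaf 0x12 dump.

# sgx_field TEXT LABEL: print the value ("true"/"false") of the line
# whose label, i.e. the text left of '=', equals LABEL after trimming.
sgx_field() {
    printf '%s\n' "$1" | awk -F'=' -v label="$2" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == label { val = $2; gsub(/[ \t]/, "", val); print val; exit }'
}

# check_edeccssa TEXT: return 0 if consistent, 1 if EDECCSSA is still
# advertised although SGX1 is false, 2 if either field is missing.
check_edeccssa() {
    sgx1=$(sgx_field "$1" "SGX1 supported")
    edec=$(sgx_field "$1" "SGX ENCLU EDECCSSA")
    [ -n "$sgx1" ] && [ -n "$edec" ] || return 2
    if [ "$sgx1" = "false" ] && [ "$edec" = "true" ]; then
        return 1
    fi
    return 0
}

# Constructed sample: abbreviated form of the Step 3 output (SGX disabled).
SAMPLE_FIXED='CPU:
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                         = false
      SGX2 supported                         = false
      SGX ENCLU EDECCSSA                     = false'

# Constructed sample: SGX disabled but EDECCSSA left set, the state the
# backported KVM patch is meant to prevent.
SAMPLE_STALE='CPU:
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                         = false
      SGX2 supported                         = false
      SGX ENCLU EDECCSSA                     = true'

for name in FIXED STALE; do
    [ "$name" = FIXED ] && dump=$SAMPLE_FIXED || dump=$SAMPLE_STALE
    if check_edeccssa "$dump"; then
        echo "$name: consistent"
    else
        echo "$name: EDECCSSA advertised while SGX1 is false"
    fi
done
```

In a guest with the `cpuid` tool installed, the live check is `check_edeccssa "$(cpuid -1 -l 0x12)"`.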
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 3 committers have signed the CLA.
:x: kaccardi
:x: kaihuang
:x: hansendc
You have signed the CLA already but the status is still pending? Let us recheck it.
Will re-submit to avoid CLA check.