| /linux/Documentation/arch/x86/ |
| H A D | sgx.rst | 18 These memory regions are called enclaves. An enclave can be only entered at a
20 at a time. While the enclave is loaded from a regular binary file by using
21 ENCLS functions, only the threads inside the enclave can access its memory. The
34 Enclave Page Cache
37 SGX utilizes an *Enclave Page Cache (EPC)* to store pages that are associated
38 with an enclave. It is contained in a BIOS-reserved region of physical memory.
40 the enclave during enclave construction with special, limited SGX instructions.
42 Only a CPU executing inside an enclave can directly access enclave memory.
43 However, a CPU executing inside an enclave may access normal memory outside the
44 enclave.
[all …]
|
| /linux/include/uapi/linux/ |
| H A D | nitro_enclaves.h | 17 * an enclave VM.
21 * enclave. Memory and vCPUs are set for the slot mapped to an enclave.
34 * * Enclave file descriptor - Enclave file descriptor used with
36 * regions, then start the enclave.
50 * NE_ADD_VCPU - The command is used to set a vCPU for an enclave. The vCPU can
54 * be associated with an enclave.
56 * then a CPU is chosen from the enclave CPU pool and returned via
58 * The ioctl can be invoked on the enclave fd, before an enclave
70 * that created the enclave.
77 * * NE_ERR_NOT_IN_INIT_STATE - The enclave is not in init state
[all …]
|
| /linux/Documentation/virt/ |
| H A D | ne_overview.rst | 16 application then runs in a separate VM than the primary VM, namely an enclave.
23 The resources that are allocated for the enclave, such as memory and CPUs, are
24 carved out of the primary VM. Each enclave is mapped to a process running in the
29 1. An enclave abstraction process - a user space process running in the primary
31 enclave VM (that's 2 below).
37 maps to an enclave start PCI command. The PCI device commands are then
42 2. The enclave itself - a VM running on the same host as the primary VM that
44 for the enclave VM. An enclave does not have persistent storage attached.
46 The memory regions carved out of the primary VM and given to an enclave need to
49 user space [2][3][7]. The memory size for an enclave needs to be at least
[all …]
|
| /linux/samples/nitro_enclaves/ |
| H A D | ne_ioctl_sample.c | 13 * Load the nitro_enclaves module, setting also the enclave CPU pool. The
14 * enclave CPUs need to be full cores from the same NUMA node. CPU 0 and its
16 * cannot be included in the enclave CPU pool.
44 * the enclave CPUs.
110 * NE_SLEEP_TIME - Amount of time in seconds for the process to keep the enclave alive.
115 * NE_DEFAULT_NR_VCPUS - Default number of vCPUs set for an enclave.
126 * an enclave.
131 * NE_IMAGE_LOAD_HEARTBEAT_CID - Vsock CID for enclave image loading heartbeat logic.
135 * NE_IMAGE_LOAD_HEARTBEAT_PORT - Vsock port for enclave image loading heartbeat logic.
139 * NE_IMAGE_LOAD_HEARTBEAT_VALUE - Heartbeat value for enclave image loading.
[all …]
|
| H A D | Makefile | 5 # Enclave lifetime management support for Nitro Enclaves (NE) - ioctl sample
|
| /linux/drivers/virt/nitro_enclaves/ |
| H A D | ne_misc_dev.h | 20 * struct ne_mem_region - Entry in the enclave user space memory regions list.
21 * @mem_region_list_entry: Entry in the list of enclave memory regions.
36 * struct ne_enclave - Per-enclave data used for enclave lifetime management.
41 * the enclave process via the poll function.
46 * @mem_regions_list: Enclave user space memory regions list.
47 * @mem_size: Enclave memory size.
48 * @mm : Enclave process abstraction mm data struct.
49 * @nr_mem_regions: Number of memory regions associated with the enclave.
54 * @nr_vcpus: Number of vcpus associated with the enclave.
55 * @numa_node: NUMA node of the enclave memory and CPUs.
[all …]
|
| H A D | ne_misc_dev.c | 7 * DOC: Enclave lifetime management driver for Nitro Enclaves (NE).
43 * NE_EIF_LOAD_OFFSET - The offset where to copy the Enclave Image Format (EIF)
44 * image in enclave memory.
49 * NE_MIN_ENCLAVE_MEM_SIZE - The minimum memory size an enclave can be launched
55 * NE_MIN_MEM_REGION_SIZE - The minimum size of an enclave memory region.
107 * enclave(s). The cpumasks from the array, indexed
110 * enclave(s). The full CPU cores are part of the
140 * ne_check_enclaves_created() - Verify if at least one enclave has been created.
145 * * True if at least one enclave is created.
332 * CPUs that are given to enclave(s) should not be considered online in ne_setup_cpu_pool()
[all …]
|
| H A D | ne_pci_dev.h | 106 * NE_VEC_EVENT - MSI-X vector used for out-of-band events e.g. enclave crash.
113 * @ENCLAVE_START: Start an enclave, after setting its resources.
114 * @ENCLAVE_GET_SLOT: Get the slot uid of an enclave.
115 * @ENCLAVE_STOP: Terminate an enclave.
116 * @SLOT_ALLOC : Allocate a slot for an enclave.
117 * @SLOT_FREE: Free the slot allocated for an enclave
118 * @SLOT_ADD_MEM: Add a memory region to an enclave slot.
119 * @SLOT_ADD_VCPU: Add a vCPU to an enclave slot.
148 * @slot_uid: Slot unique id mapped to the enclave to start.
149 * @enclave_cid: Context ID (CID) for the enclave vsock device.
[all …]
|
| H A D | ne_pci_dev.c | 181 * request sent to the PCI device for enclave lifetime
210 * one enclave is changing state without client interaction.
228 * PCI device and determine for which enclave(s) the out-of-band event in ne_event_work_handler()
249 /* Notify enclave process that the enclave state changed. */ in ne_event_work_handler()
342 * This IRQ gets triggered every time any enclave's state changes. Its in ne_setup_msix()
|
| H A D | Makefile | 5 # Enclave lifetime management support for Nitro Enclaves (NE).
|
| H A D | Kconfig | 12 This driver consists of support for enclave lifetime management
|
| /linux/arch/x86/include/asm/ |
| H A D | sgx.h | 72 * %SGX_INVALID_EINITTOKEN: EINITTOKEN is invalid and enclave signer's
94 * Save State Area (SSA) is a stack inside the enclave used to store processor
109 * %SGX_ATTR_INIT: Enclave can be entered (is initialized).
111 * %SGX_ATTR_MODE64BIT: Tell that this a 64-bit enclave.
117 * EINIT as an authorization to run an enclave.
150 * struct sgx_secs - SGX Enclave Control Structure (SECS)
155 * @attributes: attributes for enclave
157 * @mrenclave: SHA256-hash of the enclave contents
164 * SGX Enclave Control Structure (SECS) is a special enclave page that is not
166 * range and other global attributes for the enclave and it is the first EPC
[all …]
|
| /linux/tools/testing/selftests/sgx/ |
| H A D | main.c | 31 * about an enclave page. &enum sgx_secinfo_page_state specifies the
134 * Return the offset in the enclave where the TCS segment can be found.
152 * Return the offset in the enclave where the data segment can be found.
170 FIXTURE(enclave) { in FIXTURE() argument
188 TH_LOG("Failed to load the test enclave."); in setup_test_encl()
199 * An enclave consumer only must do this. in setup_test_encl()
246 TH_LOG("Failed to initialize the test enclave."); in setup_test_encl()
253 FIXTURE_SETUP(enclave) in FIXTURE_SETUP() argument
257 FIXTURE_TEARDOWN(enclave) in FIXTURE_TEARDOWN() argument
282 TEST_F(enclave, unclobbered_vdso) in TEST_F() argument
[all …]
|
| H A D | test_encl_bootstrap.S | 44 # inside the enclave for TCS #1 and one page into the enclave for
62 # NOTE: as the selftest enclave is *not* intended for production,
|
| H A D | test_encl.c | 126 * Symbol placed at the start of the enclave image by the linker script.
129 * addressing as __encl_base(%rip), so we can get the actual enclave base
155 * The enclave base address needs to be added, as this call site in encl_body()
|
| H A D | load.c | 53 perror("enclave executable open()"); in encl_map_bin()
59 perror("enclave executable stat()"); in encl_map_bin()
65 perror("enclave executable mmap()"); in encl_map_bin()
134 * Parse the enclave code's symbol table to locate and return address of
|
| /linux/arch/x86/include/uapi/asm/ |
| H A D | sgx.h | 88 * @offset: starting page offset (page aligned relative to enclave base
107 * @offset: starting page offset (page aligned relative to enclave base
124 * @offset: starting page offset (page aligned relative to enclave base
130 * enclave if the system supports SGX2. First, the %SGX_IOC_ENCLAVE_MODIFY_TYPES
132 * succeeds ENCLU[EACCEPT] should be run from within the enclave and then
148 * The register parameters contain the snapshot of their values at enclave
162 * @tcs: TCS used to enter the enclave
189 * a vDSO function to enter an SGX enclave.
201 * state in accordance with the x86-64 ABI is the responsibility of the enclave
203 * code without careful consideration by both the enclave and its runtime.
[all …]
|
| /linux/arch/x86/kernel/cpu/sgx/ |
| H A D | ioctl.c | 145 * @encl: An enclave pointer.
148 * Allocate kernel data structures for the enclave and invoke ECREATE.
320 * the enclave will be destroyed in response to EEXTEND failure. in sgx_encl_add_page()
355 * an enclave.
378 * @encl: an enclave pointer
381 * Add one or more pages to an uninitialized enclave, and optionally extend the
399 * The function deinitializes kernel data structures for enclave and returns
402 * - Enclave Page Cache (EPC), the physical memory holding enclaves, has
485 * the mask for enforcement in sigstruct. For example an enclave could in sgx_encl_init()
560 * @encl: an enclave pointer
[all …]
|
| H A D | encls.h | 139 /* Initialize an EPC page into an SGX Enclave Control Structure (SECS) page. */
145 /* Hash a 256 byte region of an enclave page to SECS:MRENCLAVE. */
152 * Associate an EPC page to an enclave either as a REG or TCS page
160 /* Finalize enclave build, initialize enclave for user code execution. */
166 /* Disassociate EPC page from its enclave and mark it as unused. */
172 /* Copy data to an EPC page belonging to a debug enclave. */
178 /* Copy data from an EPC page belonging to a debug enclave. */
197 /* Make EPC page inaccessible to enclave, ready to be written to memory. */
230 /* Zero a page of EPC memory and add it to an initialized enclave. */
|
| H A D | main.c | 194 * has reset the count for threads inside the enclave by using ETRACK, and
230 * enclave. Note, it's imperative that the cpu in sgx_encl_ewb()
232 * miss cpus that entered the enclave between in sgx_encl_ewb()
287 * reclaim them to the enclave's private shmem files. Skip the pages, which have
387 * sgx_reclaim_direct() should be called (without enclave's mutex held)
695 * the task. Hardware has already exited the SGX enclave and in arch_memory_failure()
696 * will not allow re-entry to an enclave that has a memory in arch_memory_failure()
698 * enclave is broken. in arch_memory_failure()
866 * Bare-metal driver requires to update them to hash of enclave's signer
893 * @allowed_attributes: Pointer to allowed enclave attributes
[all …]
|
| H A D | driver.c | 51 * entries for processes, which have closed the enclave file but have in sgx_release()
68 /* The enclave is no longer mapped by any mm. */ in sgx_release()
|
| H A D | virt.c | 3 * Device driver to expose SGX enclave memory to KVM guests.
140 * logical processor is still running in the enclave in guest, in sgx_vepc_free_page()
170 * while one or more CPUs is running the enclave. Only in sgx_vepc_remove_all()
|
| /linux/Documentation/firmware-guide/acpi/apei/ |
| H A D | einj.rst | 257 address. But the h/w prevents any software outside of an SGX enclave
258 from accessing enclave pages (even BIOS SMM mode).
261 1) Determine physical address of enclave page
264 3) Enter the enclave
|
| /linux/tools/arch/x86/kcpuid/ |
| H A D | cpuid.csv | 415 0x12, 0, ebx, 0, miscselect_exinfo , SSA.MISC frame: reporting #PF and #GP exceptions inside enclave supported
416 0x12, 0, ebx, 1, miscselect_cpinfo , SSA.MISC frame: reporting #CP exceptions inside enclave supported
417 0x12, 0, edx, 7:0, max_enclave_sz_not64 , Maximum enclave size in non-64-bit mode (log2)
418 0x12, 0, edx, 15:8, max_enclave_sz_64 , Maximum enclave size in 64-bit mode (log2)
419 0x12, 1, eax, 0, secs_attr_init , ATTRIBUTES.INIT supported (enclave initialized by EINIT)
420 0x12, 1, eax, 1, secs_attr_debug , ATTRIBUTES.DEBUG supported (enclave permits debugger read/write)
421 0x12, 1, eax, 2, secs_attr_mode64bit , ATTRIBUTES.MODE64BIT supported (enclave runs in 64-bit mode)
426 0x12, 1, eax, 10, secs_attr_aexnotify , ATTRIBUTES.AEXNOTIFY supported (enclave threads may get AEX notifications
427 0x12, 1, ecx, 0, xfrm_x87 , Enclave XFRM.X87 (bit 0) supported
428 0x12, 1, ecx, 1, xfrm_sse , Enclave XFR
[all...] |
| /linux/Documentation/admin-guide/hw-vuln/ |
| H A D | special-register-buffer-data-sampling.rst | 92 enclaves (including execution of RDRAND or RDSEED inside an enclave, as well
104 enclave on that logical processor. Opting out of the mitigation for a
108 Note that inside of an Intel SGX enclave, the mitigation is applied regardless
|