This repository has been archived by the owner on Jan 20, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 261
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
sync with upstreamed SGX driver in Linux Kernel 5.11
- Loading branch information
Showing
2 changed files
with
33 additions
and
15 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,8 @@ | ||
| Introduction to SGX | ||
| =================== | ||
|
|
||
| .. highlight:: sh | ||
|
|
||
| Graphene project uses :term:`SGX` to securely run software. SGX is | ||
| a |~| complicated topic, which may be hard to learn, because the documentation | ||
| is scattered through official/reference documentation, blogposts and academic | ||
|
|
@@ -80,7 +82,7 @@ Installation Instructions | |
| Linux kernel drivers | ||
| ^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
| For historical reasons, there are three SGX drivers currently (March 2020): | ||
| For historical reasons, there are three SGX drivers currently (January 2021): | ||
|
|
||
| - https://github.com/intel/linux-sgx-driver -- old one, does not support DCAP, | ||
| deprecated | ||
|
|
@@ -90,13 +92,21 @@ For historical reasons, there are three SGX drivers currently (March 2020): | |
| old EPID remote-attestation technique) and the new DCAP (with new ECDSA and | ||
| more "normal" PKI infrastructure). | ||
|
|
||
| - Upstreaming in-kernel SGX driver (see LKML patches) -- will be upstreamed one | ||
| day, supports both non-DCAP and DCAP. The DCAP driver closely matches this | ||
| upstreaming version. | ||
|
|
||
| The in-tree driver will not be a |~| module | ||
| (https://lore.kernel.org/linux-sgx/[email protected]/), | ||
| so "installation instructions" will likely be minimal. | ||
| - SGX support was upstreamed to the Linux mainline starting from 5.11. | ||
| It currently supports only DCAP attestation. The driver is accessible through | ||
| /dev/sgx_enclave and /dev/sgx_provision. | ||
|
|
||
| The following udev rules are recommended for users to access the SGX node:: | ||
|
|
||
| groupadd -r sgx | ||
| gpasswd -a USERNAME sgx | ||
| groupadd -r sgx_prv | ||
| gpasswd -a USERNAME sgx_prv | ||
| cat > /etc/udev/rules.d/65-graphene-sgx.rules << EOF | ||
| SUBSYSTEM=="misc",KERNEL=="sgx_enclave",MODE="0660",GROUP="sgx" | ||
| SUBSYSTEM=="misc",KERNEL=="sgx_provision",MODE="0660",GROUP="sgx_prv" | ||
| EOF | ||
| udevadm trigger | ||
|
|
||
| Also it will not require :term:`IAS` and kernel maintainers consider | ||
| non-writable :term:`FLC` MSRs as non-functional SGX: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,21 +5,26 @@ | |
| import sys | ||
|
|
||
| DRIVER_VERSIONS = { | ||
| 'sgx_user.h': '/dev/isgx', | ||
| 'include/uapi/asm/sgx_oot.h': '/dev/sgx/enclave', | ||
| 'sgx_in_kernel.h': '/dev/sgx/enclave', | ||
| 'sgx_user.h': '/dev/isgx', # For Non-DCAP, older versions of legacy OOT SGX driver | ||
| 'include/uapi/asm/sgx_oot.h': '/dev/sgx/enclave', # For DCAP driver 1.6+, but below 1.10 | ||
| 'include/sgx_user.h': '/dev/sgx/enclave', # For DCAP driver 1.10+ | ||
| 'include/uapi/asm/sgx.h': '/dev/sgx_enclave', # For upstreamed in-kernel SGX driver, kernel version 5.11+ | ||
| 'sgx_in_kernel.h': '/dev/sgx/enclave', # By default, using sgx_in_kernel.h in current dir of this script | ||
| } | ||
|
|
||
| def find_intel_sgx_driver(isgx_driver_path): | ||
| ''' | ||
| Graphene only needs one header from the Intel SGX Driver: | ||
| - sgx_user.h for non-DCAP, older version of the driver | ||
| (https://github.com/intel/linux-sgx-driver) | ||
| - include/uapi/asm/sgx_oot.h for DCAP 1.6+ version of the driver | ||
| - include/uapi/asm/sgx_oot.h for DCAP 1.6+ version but below 1.10 of the driver | ||
| (https://github.com/intel/SGXDataCenterAttestationPrimitives) | ||
| - include/sgx_user.h for DCAP 1.10+ version of the driver | ||
| (https://github.com/intel/SGXDataCenterAttestationPrimitives) | ||
| - include/uapi/asm/sgx.h for upstreamed SGX in-kernel driver from mainline kernel version 5.11 | ||
| (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git) | ||
| - default sgx_in_kernel.h for in-kernel 32+ version of the driver | ||
| (https://lore.kernel.org/linux-sgx/[email protected]) | ||
| This function returns the required header from the SGX driver. | ||
| ''' | ||
| for header_path, dev_path in DRIVER_VERSIONS.items(): | ||
|
|
@@ -50,7 +55,10 @@ def main(): | |
| except KeyError: | ||
| print( | ||
| 'ISGX_DRIVER_PATH environment variable is undefined. You can define\n' | ||
| 'ISGX_DRIVER_PATH="" to use the default in-kernel driver\'s C header.', | ||
| 'ISGX_DRIVER_PATH="" to use the in-kernel driver\'s C header from version\n' | ||
| '32 (bundled with Graphene but NOT upstreamed). For upstreamed\n' | ||
| 'in-kernel driver (if you are using Linux kernel 5.11+), define\n' | ||
| 'ISGX_DRIVER_PATH="/usr/src/linux-headers-$(uname -r)/arch/x86"\n', | ||
| file=sys.stderr) | ||
| sys.exit(1) | ||
|
|
||
|
|
@@ -66,7 +74,7 @@ def main(): | |
| sys.stdout.write(template.safe_substitute( | ||
| DRIVER_SGX_H=header_path, | ||
| ISGX_FILE=dev_path, | ||
| DEFINE_DCAP=('#define SGX_DCAP 1' if dev_path == '/dev/sgx/enclave' else '') | ||
| DEFINE_DCAP=('#define SGX_DCAP 1' if dev_path != '/dev/isgx' else '') | ||
| )) | ||
|
|
||
|
|
||
|
|
||