[PAL/Linux-SGX] Add AEX-Notify enabling code #2034

Open
wants to merge 1 commit into
base: dimakuv/aex-notify-part2

@dimakuv dimakuv (Contributor) commented Oct 15, 2024

Description of the changes

Part 3 in AEX-Notify series.

This is a preparatory PR for AEX-Notify support. This PR:

  • Introduces the sgx.experimental_enable_aex_notify manifest option.
  • Adds architectural flags/bits for SECS, TCS, SSA data structures.
  • Adds a Gramine startup check whether AEX-Notify hardware feature is supported by the platform.
  • Adds dynamic enablement/disablement of AEX-Notify feature per enclave thread (enable on thread creation, disable on thread termination).

See also related PRs and discussions:

How to test this PR?

CI is enough to test that old flows are not broken.

Testing new manifest option sgx.experimental_enable_aex_notify manually:

  • Add sgx.experimental_enable_aex_notify = true to HelloWorld CI example
  • Test on different platforms

Platform with no AEX-Notify hardware feature

gramine/CI-Examples/helloworld$ gramine-sgx helloworld

Gramine is starting. Parsing TOML manifest file, this may take some time...
error: AEX-Notify hardware feature is not supported.
error: Cannot enable AEX-Notify on this platform (hardware doesn't support it)
error: Parsing manifest failed
error: load_enclave() failed with error: Invalid argument (EINVAL)

Platform with AEX-Notify hardware feature but old Linux

(Linux kernel received AEX-Notify support in v6.2. Below I'm testing with Linux v5.15.)

gramine/CI-Examples/helloworld$ gramine-sgx helloworld

Gramine is starting. Parsing TOML manifest file, this may take some time...
error: Enclave initialization IOCTL failed: Permission denied (EACCES)
error: Initializing enclave failed: Permission denied (EACCES)
error: load_enclave() failed with error: Permission denied (EACCES)

If you wonder why Linux v5.15 enclave init fails with EACCES, check these sources:

And compare with Linux v6.2:

Platform with AEX-Notify hardware feature and new Linux

No changes from the master branch, as AEX-Notify is detected and on-enclave-startup enabled, but not dynamically enabled for enclave threads (see the #ifdef in the code).

gramine/CI-Examples/helloworld$ gramine-sgx helloworld

Gramine is starting. Parsing TOML manifest file, this may take some time...
...
Hello, world
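
The three outcomes in the test notes above can be predicted before launching Gramine. The preflight check below is an added example, not code from this PR or from Gramine: the CPUID bit positions are assumptions taken from the Intel SDM's description of the SGX leaf (12H), the kernel threshold is the v6.2 statement above, and all function names are hypothetical.

```c
/* Added example (not Gramine code): preflight for sgx.experimental_enable_aex_notify. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Assumed bit positions, per the Intel SDM description of CPUID leaf 12H. */
#define EDECCSSA_BIT       (1u << 11) /* subleaf 0 EAX: ENCLU[EDECCSSA] available */
#define ATTR_AEXNOTIFY_BIT (1u << 10) /* subleaf 1 EAX: ATTRIBUTES.AEXNOTIFY settable */

enum outcome { HW_UNSUPPORTED, KERNEL_TOO_OLD, READY };
static int hw_has_aex_notify(unsigned sub0_eax, unsigned sub1_eax) {
    return (sub0_eax & EDECCSSA_BIT) && (sub1_eax & ATTR_AEXNOTIFY_BIT);
}

/* The page states that Linux received AEX-Notify support in v6.2. */
static int kernel_has_aex_notify(const char* release) {
    char* end;
    long major = strtol(release, &end, 10);
    if (end == release || *end != '.')
        return 0; /* unparsable release string: treat as unsupported */
    long minor = strtol(end + 1, NULL, 10);
    return major > 6 || (major == 6 && minor >= 2);
}

static enum outcome classify(unsigned sub0_eax, unsigned sub1_eax, const char* release) {
    if (!hw_has_aex_notify(sub0_eax, sub1_eax))
        return HW_UNSUPPORTED; /* Gramine fails manifest parsing with EINVAL */
    if (!kernel_has_aex_notify(release))
        return KERNEL_TOO_OLD; /* enclave init ioctl fails with EACCES */
    return READY;
}

int main(void) {
    unsigned a0 = 0, a1 = 0;
    struct utsname u;
#if defined(__x86_64__) || defined(__i386__)
    unsigned b, c, d; /* unused output registers */
    __get_cpuid_count(0x12, 0, &a0, &b, &c, &d);
    __get_cpuid_count(0x12, 1, &a1, &b, &c, &d);
#endif
    if (uname(&u) != 0) return 2;
    static const char* msg[] = {"hardware lacks AEX-Notify", "kernel older than v6.2", "ready"};
    enum outcome o = classify(a0, a1, u.release);
    printf("%s (kernel %s)\n", msg[o], u.release);
    return o == READY ? 0 : 1;
}
```

Distribution kernels may backport the feature, so the version comparison is a heuristic rather than a guarantee.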


This is a preparatory commit for AEX-Notify support. This commit:
- Introduces the `sgx.experimental_enable_aex_notify` manifest option.
- Adds architectural flags/bits for SECS, TCS, SSA data structures.
- Adds a Gramine startup check whether AEX-Notify hardware feature is
  supported by the platform.
- Adds dynamic enablement/disablement of AEX-Notify feature per enclave
  thread (enable on thread creation, disable on thread termination).
  Currently per-thread enablement is commented out, as otherwise Gramine
  would segfault (as in-enclave code doesn't yet implement AEX-Notify).

Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
@dimakuv dimakuv (Contributor, Author) left a comment

Reviewable status: 0 of 14 files reviewed, 1 unresolved discussion, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel)


pal/src/host/linux-sgx/pal_exception.c line 39 at r1 (raw file):

     *        in-enclave runtime doesn't yet implement AEX-Notify flows.
     */
    GET_ENCLAVE_TCB(gpr)->aexnotify = 1U;

Need to add an explanatory comment that AEX-Notify is enabled only for SSA[0] (regular context), and is always disabled for SSA[1] (stage-1 signal handling context).

The disablement of AEX-Notify for SSA[1] is implicit (that particular bit in the SSA's GPR region is by default zero), so we need to at least add a comment explaining this.

And this disablement is important for the stage-1 signal handling flows, which happen in enclave_entry.S. So for future developers, need to add such a comment.
