subject:"\[Xen\-devel\] \[PATCH 02\/15\] xen\: vmx\: detect ENCLS VMEXIT"

Re: [Xen-devel] [PATCH 02/15] xen: vmx: detect ENCLS VMEXIT

2017-07-12 Thread Huang, Kai




On 7/13/2017 6:54 AM, Jan Beulich wrote:

Andrew Cooper  07/12/17 1:12 PM >>>

On 09/07/17 10:09, Kai Huang wrote:

If ENCLS VMEXIT is not present then we cannot support SGX virtualization.
This patch detects presence of ENCLS VMEXIT. A Xen boot boolean parameter
'sgx' is also added to manually enable/disable SGX.

Signed-off-by: Kai Huang 


At a minimum, you also need to modify calculate_hvm_max_policy() to hide
SGX if we don't have ENCLS intercept support.


Actually IMO this is not needed, as I added an __initcall(sgx_init) (see 
patch 0003), where I will call setup_clear_cpu_cap(X86_FEATURE_SGX) if 
for any reason boot_sgx_cpuidata (which contains common SGX cpuid info 
shared by all cores) doesn't have valid SGX info. if ENCLS VMEXIT is not 
present, then detect_sgx won't be called for any core so that 
X86_FEATURE_SGX will be cleared in boot_cpu_data. As init_guest_cpuid is 
called after all __initcalls are called, so if ENCLS VMEXIT is not 
present, or sgx is disabled via boot parameter, then even for 
host_policy, it won't have SGX.


Of course if we changed the implementation of __initcall(sgx_init), we 
probably need to explicitly clear SGX here. Anyway clearing SGX here 
doesn't have any harm, so I am completely fine to do it if you think it 
is necessary.




Additionally I think the command line option should default to off initially
and it needs an entry in the command line option doc.


Sure. I'll change default to 0 and change the doc as well.

Thanks,
-Kai


Jan


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel



___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH 02/15] xen: vmx: detect ENCLS VMEXIT

2017-07-12 Thread Jan Beulich

>>> Andrew Cooper  07/12/17 1:12 PM >>>
>On 09/07/17 10:09, Kai Huang wrote:
>> If ENCLS VMEXIT is not present then we cannot support SGX virtualization.
>> This patch detects presence of ENCLS VMEXIT. A Xen boot boolean parameter
>> 'sgx' is also added to manually enable/disable SGX.
>>
>> Signed-off-by: Kai Huang 
>
>At a minimum, you also need to modify calculate_hvm_max_policy() to hide 
>SGX if we don't have ENCLS intercept support.

Additionally I think the command line option should default to off initially
and it needs an entry in the command line option doc.

Jan


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH 02/15] xen: vmx: detect ENCLS VMEXIT

2017-07-12 Thread Andrew Cooper


On 09/07/17 10:09, Kai Huang wrote:

If ENCLS VMEXIT is not present then we cannot support SGX virtualization.
This patch detects presence of ENCLS VMEXIT. A Xen boot boolean parameter
'sgx' is also added to manually enable/disable SGX.

Signed-off-by: Kai Huang 


At a minimum, you also need to modify calculate_hvm_max_policy() to hide 
SGX if we don't have ENCLS intercept support.


~Andrew

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[Xen-devel] [PATCH 02/15] xen: vmx: detect ENCLS VMEXIT

2017-07-09 Thread Kai Huang

If ENCLS VMEXIT is not present then we cannot support SGX virtualization.
This patch detects presence of ENCLS VMEXIT. A Xen boot boolean parameter
'sgx' is also added to manually enable/disable SGX.

Signed-off-by: Kai Huang 
---
 xen/arch/x86/hvm/vmx/vmcs.c| 17 +
 xen/include/asm-x86/hvm/vmx/vmcs.h |  3 +++
 2 files changed, 20 insertions(+)

diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
index 8103b20d29..ae7e6f9321 100644
--- a/xen/arch/x86/hvm/vmx/vmcs.c
+++ b/xen/arch/x86/hvm/vmx/vmcs.c
@@ -98,6 +98,9 @@ static void __init parse_ept_param(char *s)
 }
 custom_param("ept", parse_ept_param);
 
+static bool_t __read_mostly opt_sgx_enabled = 1;
+boolean_param("sgx", opt_sgx_enabled);
+
 /* Dynamic (run-time adjusted) execution control flags. */
 u32 vmx_pin_based_exec_control __read_mostly;
 u32 vmx_cpu_based_exec_control __read_mostly;
@@ -138,6 +141,7 @@ static void __init vmx_display_features(void)
 P(cpu_has_vmx_virt_exceptions, "Virtualisation Exceptions");
 P(cpu_has_vmx_pml, "Page Modification Logging");
 P(cpu_has_vmx_tsc_scaling, "TSC Scaling");
+P(cpu_has_vmx_encls, "SGX ENCLS Exiting");
 #undef P
 
 if ( !printed )
@@ -243,6 +247,8 @@ static int vmx_init_vmcs_config(void)
 opt |= SECONDARY_EXEC_UNRESTRICTED_GUEST;
 if ( opt_pml_enabled )
 opt |= SECONDARY_EXEC_ENABLE_PML;
+if ( opt_sgx_enabled )
+opt |= SECONDARY_EXEC_ENABLE_ENCLS;
 
 /*
  * "APIC Register Virtualization" and "Virtual Interrupt Delivery"
@@ -336,6 +342,14 @@ static int vmx_init_vmcs_config(void)
 _vmx_secondary_exec_control &= ~ SECONDARY_EXEC_PAUSE_LOOP_EXITING;
 }
 
+/*
+ * Turn off SGX if ENCLS VMEXIT is not present. Actually on real machine,
+ * if SGX CPUID is present (CPUID.0x7.0x0:EBX.SGX = 1), then ENCLS VMEXIT
+ * will always be present. We do the check anyway here.
+ */
+if ( !(_vmx_secondary_exec_control & SECONDARY_EXEC_ENABLE_ENCLS) )
+opt_sgx_enabled = 0;
+
 min = VM_EXIT_ACK_INTR_ON_EXIT;
 opt = VM_EXIT_SAVE_GUEST_PAT | VM_EXIT_LOAD_HOST_PAT |
   VM_EXIT_CLEAR_BNDCFGS;
@@ -1146,6 +1160,9 @@ static int construct_vmcs(struct vcpu *v)
 /* Disable PML anyway here as it will only be enabled in log dirty mode */
 v->arch.hvm_vmx.secondary_exec_control &= ~SECONDARY_EXEC_ENABLE_PML;
 
+/* Disable ENCLS VMEXIT. It will only be turned on when needed. */
+v->arch.hvm_vmx.secondary_exec_control &= ~SECONDARY_EXEC_ENABLE_ENCLS;
+
 /* Host data selectors. */
 __vmwrite(HOST_SS_SELECTOR, __HYPERVISOR_DS);
 __vmwrite(HOST_DS_SELECTOR, __HYPERVISOR_DS);
diff --git a/xen/include/asm-x86/hvm/vmx/vmcs.h 
b/xen/include/asm-x86/hvm/vmx/vmcs.h
index e3cdfdf576..889091da42 100644
--- a/xen/include/asm-x86/hvm/vmx/vmcs.h
+++ b/xen/include/asm-x86/hvm/vmx/vmcs.h
@@ -232,6 +232,7 @@ extern u32 vmx_vmentry_control;
 #define SECONDARY_EXEC_ENABLE_INVPCID   0x1000
 #define SECONDARY_EXEC_ENABLE_VM_FUNCTIONS  0x2000
 #define SECONDARY_EXEC_ENABLE_VMCS_SHADOWING0x4000
+#define SECONDARY_EXEC_ENABLE_ENCLS 0x8000
 #define SECONDARY_EXEC_ENABLE_PML   0x0002
 #define SECONDARY_EXEC_ENABLE_VIRT_EXCEPTIONS   0x0004
 #define SECONDARY_EXEC_XSAVES   0x0010
@@ -312,6 +313,8 @@ extern u64 vmx_ept_vpid_cap;
 (vmx_secondary_exec_control & SECONDARY_EXEC_XSAVES)
 #define cpu_has_vmx_tsc_scaling \
 (vmx_secondary_exec_control & SECONDARY_EXEC_TSC_SCALING)
+#define cpu_has_vmx_encls \
+(vmx_secondary_exec_control & SECONDARY_EXEC_ENABLE_ENCLS)
 
 #define VMCS_RID_TYPE_MASK  0x8000
 
-- 
2.11.0


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH 02/15] xen: vmx: detect ENCLS VMEXIT

Re: [Xen-devel] [PATCH 02/15] xen: vmx: detect ENCLS VMEXIT

Re: [Xen-devel] [PATCH 02/15] xen: vmx: detect ENCLS VMEXIT

[Xen-devel] [PATCH 02/15] xen: vmx: detect ENCLS VMEXIT

4 matches

Site Navigation

Mail list logo

Footer information