    x86/sgx: Wipe out EREMOVE from sgx_free_epc_page() · b0c7459b
    Kai Huang authored
    EREMOVE takes a page and removes any association between that page and
    an enclave. It must be run on a page before it can be added into another
    enclave. Currently, EREMOVE is run as part of pages being freed into the
    SGX page allocator. It is not expected to fail, as it would indicate a
    use-after-free of EPC pages. Rather than add the page back to the pool
    of available EPC pages, the kernel intentionally leaks the page to avoid
    additional errors in the future.
    
    However, KVM does not track how guest pages are used, which means that
    SGX virtualization use of EREMOVE might fail. Specifically, it is
    legitimate that EREMOVE returns SGX_CHILD_PRESENT for EPC assigned to a
    KVM guest, because KVM/kernel doesn't track SECS pages.
    
    To allow SGX/KVM to introduce a more permissive EREMOVE helper and
    to let the SGX virtualization code use the allocator directly, break
    out the EREMOVE call from the SGX page allocator. Rename the original
    sgx_free_epc_page() to sgx_encl_free_epc_page(), indicating that
    it is used to free an EPC page assigned to a host enclave. Replace
    sgx_free_epc_page() with sgx_encl_free_epc_page() in all call sites so
    there's no functional change.
    
    At the same time, improve the error message when EREMOVE fails, and
    add documentation to explain to the user what that failure means and
    to suggest to the user what to do when this bug happens in the case it
    happens.
    
     [ bp: Massage commit message, fix typos and sanitize text, simplify. ]
    Signed-off-by: Kai Huang <kai.huang@intel.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
    Link: https://lkml.kernel.org/r/20210325093057.122834-1-kai.huang@intel.com