x86/sgx: Add helper to update SGX_LEPUBKEYHASHn MSRs

mainline inclusion from mainline-5.13 commit 73916b6a category: feature bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I5EZEK CVE: NA Intel-SIG: commit 73916b6a x86/sgx: Add helper to update SGX_LEPUBKEYHASHn MSRs. Backport for SGX virtualization support -------------------------------- Add a helper to update SGX_LEPUBKEYHASHn MSRs. SGX virtualization also needs to update those MSRs based on guest's "virtual" SGX_LEPUBKEYHASHn before EINIT from guest. Signed-off-by: N Kai Huang <kai.huang@intel.com> Signed-off-by: N Borislav Petkov <bp@suse.de> Acked-by: N Dave Hansen <dave.hansen@intel.com> Acked-by: N Jarkko Sakkinen <jarkko@kernel.org> Link: https://lkml.kernel.org/r/dfb7cd39d4dd62ea27703b64afdd8bccb579f623.1616136308.git.kai.huang@intel.comSigned-off-by: N Fan Du <fan.du@intel.com> Signed-off-by: N Zhiquan Li <zhiquan1.li@intel.com>

x86/sgx: Add helper to update SGX_LEPUBKEYHASHn MSRs
mainline inclusion from mainline-5.13 commit 73916b6a category: feature bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I5EZEK CVE: NA Intel-SIG: commit 73916b6a x86/sgx: Add helper to update SGX_LEPUBKEYHASHn MSRs. Backport for SGX virtualization support -------------------------------- Add a helper to update SGX_LEPUBKEYHASHn MSRs. SGX virtualization also needs to update those MSRs based on guest's "virtual" SGX_LEPUBKEYHASHn before EINIT from guest. Signed-off-by: N Kai Huang <kai.huang@intel.com> Signed-off-by: N Borislav Petkov <bp@suse.de> Acked-by: N Dave Hansen <dave.hansen@intel.com> Acked-by: N Jarkko Sakkinen <jarkko@kernel.org> Link: https://lkml.kernel.org/r/dfb7cd39d4dd62ea27703b64afdd8bccb579f623.1616136308.git.kai.huang@intel.comSigned-off-by: N Fan Du <fan.du@intel.com> Signed-off-by: N Zhiquan Li <zhiquan1.li@intel.com>
74ecbf21 · Kai Huang · Zhiquan Li · 42413c8a · 74ecbf21 · 74ecbf21
Showing with 20 addition and 3 deletion

arch/x86/kernel/cpu/sgx/ioctl.c arch/x86/kernel/cpu/sgx/ioctl.c +2 -3

arch/x86/kernel/cpu/sgx/main.c arch/x86/kernel/cpu/sgx/main.c +16 -0

arch/x86/kernel/cpu/sgx/sgx.h arch/x86/kernel/cpu/sgx/sgx.h +2 -0

未找到文件。
--- a/arch/x86/kernel/cpu/sgx/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -495,7 +495,7 @@ static int sgx_encl_init(struct sgx_encl *encl, struct sgx_sigstruct *sigstruct,
 			 void *token)
 {
 	u64 mrsigner[4];
-	int i, j, k;
+	int i, j;
 	void *addr;
 	int ret;
@@ -544,8 +544,7 @@ static int sgx_encl_init(struct sgx_encl *encl, struct sgx_sigstruct *sigstruct,
 			preempt_disable();
-			for (k = 0; k < 4; k++)
+			sgx_update_lepubkeyhash(mrsigner);
-				wrmsrl(MSR_IA32_SGXLEPUBKEYHASH0 + k, mrsigner[k]);
 			ret = __einit(sigstruct, token, addr);

--- a/arch/x86/kernel/cpu/sgx/main.c
+++ b/arch/x86/kernel/cpu/sgx/main.c
@@ -727,6 +727,22 @@ static bool __init sgx_page_cache_init(void)
 	return true;
 }
+/*
+ * Update the SGX_LEPUBKEYHASH MSRs to the values specified by caller.
+ * Bare-metal driver requires to update them to hash of enclave's signer
+ * before EINIT. KVM needs to update them to guest's virtual MSR values
+ * before doing EINIT from guest.
+ */
+void sgx_update_lepubkeyhash(u64 *lepubkeyhash)
+{
+	int i;
+	WARN_ON_ONCE(preemptible());
+	for (i = 0; i < 4; i++)
+		wrmsrl(MSR_IA32_SGXLEPUBKEYHASH0 + i, lepubkeyhash[i]);
+}
 static int __init sgx_init(void)
 {
 	int ret;

--- a/arch/x86/kernel/cpu/sgx/sgx.h
+++ b/arch/x86/kernel/cpu/sgx/sgx.h
@@ -93,4 +93,6 @@ static inline int __init sgx_vepc_init(void)
 }
 #endif
+void sgx_update_lepubkeyhash(u64 *lepubkeyhash);
 #endif /* _X86_SGX_H */