[PAL/Linux-SGX] AEX-Notify 3/5: Add AEX-Notify enabling code #2034
Conversation
dimakuv
force-pushed
the
dimakuv/aex-notify-part3
branch
2 times, most recently
from
7215e29
to
1f34f81
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 14 files reviewed, 1 unresolved discussion, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel)
pal/src/host/linux-sgx/pal_exception.c line 39 at r1 (raw file):
* in-enclave runtime doesn't yet implement AEX-Notify flows. */ GET_ENCLAVE_TCB(gpr)->aexnotify = 1U;
Need to add an explanatory comment that AEX-Notify is enabled only for SSA[0] (regular context), and is always disabled for SSA[1] (stage-1 signal handling context).
The disablement of AEX-Notify for SSA[1] is implicit (that particular bit in the SSA's GPR region is by default zero), so we need to at least add a comment explaining this.
And this disablement is important for the stage-1 signal handling flows, which happen in enclave_entry.S. So for future developers, need to add such a comment.
This is a preparatory commit for AEX-Notify support. This commit: - Introduces the `sgx.experimental_enable_aex_notify` manifest option. - Adds architectural flags/bits for SECS, TCS, SSA data structures. - Adds a Gramine startup check whether AEX-Notify hardware feature is supported by the platform. - Adds dynamic enablement/disablement of AEX-Notify feature per enclave thread (enable on thread creation, disable on thread termination). Currently per-thread enablement is commented out, as otherwise Gramine would segfault (as in-enclave code doesn't yet implement AEX-Notify). Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii@intel.com>
dimakuv
force-pushed
the
dimakuv/aex-notify-part2
branch
from
bca2d41
to
438a1bb
Compare
dimakuv
changed the title
dimakuv
force-pushed
the
dimakuv/aex-notify-part3
branch
from
1f34f81
to
ec264ec
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 14 files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel)
a discussion (no related file):
Must be applied on top of #2032. Blocking.
pal/src/host/linux-sgx/pal_exception.c line 39 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Need to add an explanatory comment that AEX-Notify is enabled only for SSA[0] (regular context), and is always disabled for SSA[1] (stage-1 signal handling context).
The disablement of AEX-Notify for SSA[1] is implicit (that particular bit in the SSA's GPR region is by default zero), so we need to at least add a comment explaining this.
And this disablement is important for the stage-1 signal handling flows, which happen in
enclave_entry.S. So for future developers, need to add such a comment.
Done
Description of the changes
Part 3 in AEX-Notify series.
This is a preparatory PR for AEX-Notify support. This PR:
sgx.experimental_enable_aex_notifymanifest option.See also related PRs and discussions:
How to test this PR?
CI is enough to test that old flows are not broken.
Testing new manifest option
sgx.experimental_enable_aex_notifymanually:sgx.experimental_enable_aex_notify = trueto HelloWorld CI examplePlatform with no AEX-Notify hardware feature
Platform with AEX-Notify hardware feature but old Linux
(Linux kernel received AEX-Notify support in v6.2. Below I'm testing with Linux v5.15.)
If you wonder why Linux v5.15 enclave init fails with EACCES, check these sources:
And compare with Linux v6.2:
Platform with AEX-Notify hardware feature and new Linux
No changes from the master branch, as AEX-Notify is detected and on-enclave-startup enabled, but not dynamically enabled for enclave threads (see the
#ifdefin the code).This change is