1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* Copyright(c) 2016-20 Intel Corporation. */ |
3 | |
4 | #include <asm/mman.h> |
5 | #include <asm/sgx.h> |
6 | #include <linux/mman.h> |
7 | #include <linux/delay.h> |
8 | #include <linux/file.h> |
9 | #include <linux/hashtable.h> |
10 | #include <linux/highmem.h> |
11 | #include <linux/ratelimit.h> |
12 | #include <linux/sched/signal.h> |
13 | #include <linux/shmem_fs.h> |
14 | #include <linux/slab.h> |
15 | #include <linux/suspend.h> |
16 | #include "driver.h" |
17 | #include "encl.h" |
18 | #include "encls.h" |
19 | |
20 | struct sgx_va_page *sgx_encl_grow(struct sgx_encl *encl, bool reclaim) |
21 | { |
22 | struct sgx_va_page *va_page = NULL; |
23 | void *err; |
24 | |
25 | BUILD_BUG_ON(SGX_VA_SLOT_COUNT != |
26 | (SGX_ENCL_PAGE_VA_OFFSET_MASK >> 3) + 1); |
27 | |
28 | if (!(encl->page_cnt % SGX_VA_SLOT_COUNT)) { |
29 | va_page = kzalloc(size: sizeof(*va_page), GFP_KERNEL); |
30 | if (!va_page) |
31 | return ERR_PTR(error: -ENOMEM); |
32 | |
33 | va_page->epc_page = sgx_alloc_va_page(reclaim); |
34 | if (IS_ERR(ptr: va_page->epc_page)) { |
35 | err = ERR_CAST(ptr: va_page->epc_page); |
36 | kfree(objp: va_page); |
37 | return err; |
38 | } |
39 | |
40 | WARN_ON_ONCE(encl->page_cnt % SGX_VA_SLOT_COUNT); |
41 | } |
42 | encl->page_cnt++; |
43 | return va_page; |
44 | } |
45 | |
46 | void sgx_encl_shrink(struct sgx_encl *encl, struct sgx_va_page *va_page) |
47 | { |
48 | encl->page_cnt--; |
49 | |
50 | if (va_page) { |
51 | sgx_encl_free_epc_page(page: va_page->epc_page); |
52 | list_del(entry: &va_page->list); |
53 | kfree(objp: va_page); |
54 | } |
55 | } |
56 | |
57 | static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs) |
58 | { |
59 | struct sgx_epc_page *secs_epc; |
60 | struct sgx_va_page *va_page; |
61 | struct sgx_pageinfo pginfo; |
62 | struct sgx_secinfo secinfo; |
63 | unsigned long encl_size; |
64 | struct file *backing; |
65 | long ret; |
66 | |
67 | va_page = sgx_encl_grow(encl, reclaim: true); |
68 | if (IS_ERR(ptr: va_page)) |
69 | return PTR_ERR(ptr: va_page); |
70 | else if (va_page) |
71 | list_add(new: &va_page->list, head: &encl->va_pages); |
72 | /* else the tail page of the VA page list had free slots. */ |
73 | |
74 | /* The extra page goes to SECS. */ |
75 | encl_size = secs->size + PAGE_SIZE; |
76 | |
77 | backing = shmem_file_setup(name: "SGX backing" , size: encl_size + (encl_size >> 5), |
78 | VM_NORESERVE); |
79 | if (IS_ERR(ptr: backing)) { |
80 | ret = PTR_ERR(ptr: backing); |
81 | goto err_out_shrink; |
82 | } |
83 | |
84 | encl->backing = backing; |
85 | |
86 | secs_epc = sgx_alloc_epc_page(owner: &encl->secs, reclaim: true); |
87 | if (IS_ERR(ptr: secs_epc)) { |
88 | ret = PTR_ERR(ptr: secs_epc); |
89 | goto err_out_backing; |
90 | } |
91 | |
92 | encl->secs.epc_page = secs_epc; |
93 | |
94 | pginfo.addr = 0; |
95 | pginfo.contents = (unsigned long)secs; |
96 | pginfo.metadata = (unsigned long)&secinfo; |
97 | pginfo.secs = 0; |
98 | memset(&secinfo, 0, sizeof(secinfo)); |
99 | |
100 | ret = __ecreate(pginfo: (void *)&pginfo, secs: sgx_get_epc_virt_addr(page: secs_epc)); |
101 | if (ret) { |
102 | ret = -EIO; |
103 | goto err_out; |
104 | } |
105 | |
106 | if (secs->attributes & SGX_ATTR_DEBUG) |
107 | set_bit(nr: SGX_ENCL_DEBUG, addr: &encl->flags); |
108 | |
109 | encl->secs.encl = encl; |
110 | encl->secs.type = SGX_PAGE_TYPE_SECS; |
111 | encl->base = secs->base; |
112 | encl->size = secs->size; |
113 | encl->attributes = secs->attributes; |
114 | encl->attributes_mask = SGX_ATTR_UNPRIV_MASK; |
115 | |
116 | /* Set only after completion, as encl->lock has not been taken. */ |
117 | set_bit(nr: SGX_ENCL_CREATED, addr: &encl->flags); |
118 | |
119 | return 0; |
120 | |
121 | err_out: |
122 | sgx_encl_free_epc_page(page: encl->secs.epc_page); |
123 | encl->secs.epc_page = NULL; |
124 | |
125 | err_out_backing: |
126 | fput(encl->backing); |
127 | encl->backing = NULL; |
128 | |
129 | err_out_shrink: |
130 | sgx_encl_shrink(encl, va_page); |
131 | |
132 | return ret; |
133 | } |
134 | |
135 | /** |
136 | * sgx_ioc_enclave_create() - handler for %SGX_IOC_ENCLAVE_CREATE |
137 | * @encl: An enclave pointer. |
138 | * @arg: The ioctl argument. |
139 | * |
140 | * Allocate kernel data structures for the enclave and invoke ECREATE. |
141 | * |
142 | * Return: |
143 | * - 0: Success. |
144 | * - -EIO: ECREATE failed. |
145 | * - -errno: POSIX error. |
146 | */ |
147 | static long sgx_ioc_enclave_create(struct sgx_encl *encl, void __user *arg) |
148 | { |
149 | struct sgx_enclave_create create_arg; |
150 | void *secs; |
151 | int ret; |
152 | |
153 | if (test_bit(SGX_ENCL_CREATED, &encl->flags)) |
154 | return -EINVAL; |
155 | |
156 | if (copy_from_user(to: &create_arg, from: arg, n: sizeof(create_arg))) |
157 | return -EFAULT; |
158 | |
159 | secs = kmalloc(PAGE_SIZE, GFP_KERNEL); |
160 | if (!secs) |
161 | return -ENOMEM; |
162 | |
163 | if (copy_from_user(to: secs, from: (void __user *)create_arg.src, PAGE_SIZE)) |
164 | ret = -EFAULT; |
165 | else |
166 | ret = sgx_encl_create(encl, secs); |
167 | |
168 | kfree(objp: secs); |
169 | return ret; |
170 | } |
171 | |
172 | static int sgx_validate_secinfo(struct sgx_secinfo *secinfo) |
173 | { |
174 | u64 perm = secinfo->flags & SGX_SECINFO_PERMISSION_MASK; |
175 | u64 pt = secinfo->flags & SGX_SECINFO_PAGE_TYPE_MASK; |
176 | |
177 | if (pt != SGX_SECINFO_REG && pt != SGX_SECINFO_TCS) |
178 | return -EINVAL; |
179 | |
180 | if ((perm & SGX_SECINFO_W) && !(perm & SGX_SECINFO_R)) |
181 | return -EINVAL; |
182 | |
183 | /* |
184 | * CPU will silently overwrite the permissions as zero, which means |
185 | * that we need to validate it ourselves. |
186 | */ |
187 | if (pt == SGX_SECINFO_TCS && perm) |
188 | return -EINVAL; |
189 | |
190 | if (secinfo->flags & SGX_SECINFO_RESERVED_MASK) |
191 | return -EINVAL; |
192 | |
193 | if (memchr_inv(p: secinfo->reserved, c: 0, size: sizeof(secinfo->reserved))) |
194 | return -EINVAL; |
195 | |
196 | return 0; |
197 | } |
198 | |
199 | static int __sgx_encl_add_page(struct sgx_encl *encl, |
200 | struct sgx_encl_page *encl_page, |
201 | struct sgx_epc_page *epc_page, |
202 | struct sgx_secinfo *secinfo, unsigned long src) |
203 | { |
204 | struct sgx_pageinfo pginfo; |
205 | struct vm_area_struct *vma; |
206 | struct page *src_page; |
207 | int ret; |
208 | |
209 | /* Deny noexec. */ |
210 | vma = find_vma(current->mm, addr: src); |
211 | if (!vma) |
212 | return -EFAULT; |
213 | |
214 | if (!(vma->vm_flags & VM_MAYEXEC)) |
215 | return -EACCES; |
216 | |
217 | ret = get_user_pages(start: src, nr_pages: 1, gup_flags: 0, pages: &src_page); |
218 | if (ret < 1) |
219 | return -EFAULT; |
220 | |
221 | pginfo.secs = (unsigned long)sgx_get_epc_virt_addr(page: encl->secs.epc_page); |
222 | pginfo.addr = encl_page->desc & PAGE_MASK; |
223 | pginfo.metadata = (unsigned long)secinfo; |
224 | pginfo.contents = (unsigned long)kmap_local_page(page: src_page); |
225 | |
226 | ret = __eadd(pginfo: &pginfo, addr: sgx_get_epc_virt_addr(page: epc_page)); |
227 | |
228 | kunmap_local((void *)pginfo.contents); |
229 | put_page(page: src_page); |
230 | |
231 | return ret ? -EIO : 0; |
232 | } |
233 | |
234 | /* |
235 | * If the caller requires measurement of the page as a proof for the content, |
236 | * use EEXTEND to add a measurement for 256 bytes of the page. Repeat this |
237 | * operation until the entire page is measured." |
238 | */ |
239 | static int __sgx_encl_extend(struct sgx_encl *encl, |
240 | struct sgx_epc_page *epc_page) |
241 | { |
242 | unsigned long offset; |
243 | int ret; |
244 | |
245 | for (offset = 0; offset < PAGE_SIZE; offset += SGX_EEXTEND_BLOCK_SIZE) { |
246 | ret = __eextend(secs: sgx_get_epc_virt_addr(page: encl->secs.epc_page), |
247 | addr: sgx_get_epc_virt_addr(page: epc_page) + offset); |
248 | if (ret) { |
249 | if (encls_failed(ret)) |
250 | ENCLS_WARN(ret, "EEXTEND" ); |
251 | |
252 | return -EIO; |
253 | } |
254 | } |
255 | |
256 | return 0; |
257 | } |
258 | |
259 | static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long src, |
260 | unsigned long offset, struct sgx_secinfo *secinfo, |
261 | unsigned long flags) |
262 | { |
263 | struct sgx_encl_page *encl_page; |
264 | struct sgx_epc_page *epc_page; |
265 | struct sgx_va_page *va_page; |
266 | int ret; |
267 | |
268 | encl_page = sgx_encl_page_alloc(encl, offset, secinfo_flags: secinfo->flags); |
269 | if (IS_ERR(ptr: encl_page)) |
270 | return PTR_ERR(ptr: encl_page); |
271 | |
272 | epc_page = sgx_alloc_epc_page(owner: encl_page, reclaim: true); |
273 | if (IS_ERR(ptr: epc_page)) { |
274 | kfree(objp: encl_page); |
275 | return PTR_ERR(ptr: epc_page); |
276 | } |
277 | |
278 | va_page = sgx_encl_grow(encl, reclaim: true); |
279 | if (IS_ERR(ptr: va_page)) { |
280 | ret = PTR_ERR(ptr: va_page); |
281 | goto err_out_free; |
282 | } |
283 | |
284 | mmap_read_lock(current->mm); |
285 | mutex_lock(&encl->lock); |
286 | |
287 | /* |
288 | * Adding to encl->va_pages must be done under encl->lock. Ditto for |
289 | * deleting (via sgx_encl_shrink()) in the error path. |
290 | */ |
291 | if (va_page) |
292 | list_add(new: &va_page->list, head: &encl->va_pages); |
293 | |
294 | /* |
295 | * Insert prior to EADD in case of OOM. EADD modifies MRENCLAVE, i.e. |
296 | * can't be gracefully unwound, while failure on EADD/EXTEND is limited |
297 | * to userspace errors (or kernel/hardware bugs). |
298 | */ |
299 | ret = xa_insert(xa: &encl->page_array, PFN_DOWN(encl_page->desc), |
300 | entry: encl_page, GFP_KERNEL); |
301 | if (ret) |
302 | goto err_out_unlock; |
303 | |
304 | ret = __sgx_encl_add_page(encl, encl_page, epc_page, secinfo, |
305 | src); |
306 | if (ret) |
307 | goto err_out; |
308 | |
309 | /* |
310 | * Complete the "add" before doing the "extend" so that the "add" |
311 | * isn't in a half-baked state in the extremely unlikely scenario |
312 | * the enclave will be destroyed in response to EEXTEND failure. |
313 | */ |
314 | encl_page->encl = encl; |
315 | encl_page->epc_page = epc_page; |
316 | encl_page->type = (secinfo->flags & SGX_SECINFO_PAGE_TYPE_MASK) >> 8; |
317 | encl->secs_child_cnt++; |
318 | |
319 | if (flags & SGX_PAGE_MEASURE) { |
320 | ret = __sgx_encl_extend(encl, epc_page); |
321 | if (ret) |
322 | goto err_out; |
323 | } |
324 | |
325 | sgx_mark_page_reclaimable(page: encl_page->epc_page); |
326 | mutex_unlock(lock: &encl->lock); |
327 | mmap_read_unlock(current->mm); |
328 | return ret; |
329 | |
330 | err_out: |
331 | xa_erase(&encl->page_array, PFN_DOWN(encl_page->desc)); |
332 | |
333 | err_out_unlock: |
334 | sgx_encl_shrink(encl, va_page); |
335 | mutex_unlock(lock: &encl->lock); |
336 | mmap_read_unlock(current->mm); |
337 | |
338 | err_out_free: |
339 | sgx_encl_free_epc_page(page: epc_page); |
340 | kfree(objp: encl_page); |
341 | |
342 | return ret; |
343 | } |
344 | |
345 | /* |
346 | * Ensure user provided offset and length values are valid for |
347 | * an enclave. |
348 | */ |
349 | static int sgx_validate_offset_length(struct sgx_encl *encl, |
350 | unsigned long offset, |
351 | unsigned long length) |
352 | { |
353 | if (!IS_ALIGNED(offset, PAGE_SIZE)) |
354 | return -EINVAL; |
355 | |
356 | if (!length || !IS_ALIGNED(length, PAGE_SIZE)) |
357 | return -EINVAL; |
358 | |
359 | if (offset + length < offset) |
360 | return -EINVAL; |
361 | |
362 | if (offset + length - PAGE_SIZE >= encl->size) |
363 | return -EINVAL; |
364 | |
365 | return 0; |
366 | } |
367 | |
368 | /** |
369 | * sgx_ioc_enclave_add_pages() - The handler for %SGX_IOC_ENCLAVE_ADD_PAGES |
370 | * @encl: an enclave pointer |
371 | * @arg: a user pointer to a struct sgx_enclave_add_pages instance |
372 | * |
373 | * Add one or more pages to an uninitialized enclave, and optionally extend the |
374 | * measurement with the contents of the page. The SECINFO and measurement mask |
375 | * are applied to all pages. |
376 | * |
377 | * A SECINFO for a TCS is required to always contain zero permissions because |
378 | * CPU silently zeros them. Allowing anything else would cause a mismatch in |
379 | * the measurement. |
380 | * |
381 | * mmap()'s protection bits are capped by the page permissions. For each page |
382 | * address, the maximum protection bits are computed with the following |
383 | * heuristics: |
384 | * |
385 | * 1. A regular page: PROT_R, PROT_W and PROT_X match the SECINFO permissions. |
386 | * 2. A TCS page: PROT_R | PROT_W. |
387 | * |
388 | * mmap() is not allowed to surpass the minimum of the maximum protection bits |
389 | * within the given address range. |
390 | * |
391 | * The function deinitializes kernel data structures for enclave and returns |
392 | * -EIO in any of the following conditions: |
393 | * |
394 | * - Enclave Page Cache (EPC), the physical memory holding enclaves, has |
395 | * been invalidated. This will cause EADD and EEXTEND to fail. |
396 | * - If the source address is corrupted somehow when executing EADD. |
397 | * |
398 | * Return: |
399 | * - 0: Success. |
400 | * - -EACCES: The source page is located in a noexec partition. |
401 | * - -ENOMEM: Out of EPC pages. |
402 | * - -EINTR: The call was interrupted before data was processed. |
403 | * - -EIO: Either EADD or EEXTEND failed because invalid source address |
404 | * or power cycle. |
405 | * - -errno: POSIX error. |
406 | */ |
407 | static long sgx_ioc_enclave_add_pages(struct sgx_encl *encl, void __user *arg) |
408 | { |
409 | struct sgx_enclave_add_pages add_arg; |
410 | struct sgx_secinfo secinfo; |
411 | unsigned long c; |
412 | int ret; |
413 | |
414 | if (!test_bit(SGX_ENCL_CREATED, &encl->flags) || |
415 | test_bit(SGX_ENCL_INITIALIZED, &encl->flags)) |
416 | return -EINVAL; |
417 | |
418 | if (copy_from_user(to: &add_arg, from: arg, n: sizeof(add_arg))) |
419 | return -EFAULT; |
420 | |
421 | if (!IS_ALIGNED(add_arg.src, PAGE_SIZE)) |
422 | return -EINVAL; |
423 | |
424 | if (sgx_validate_offset_length(encl, offset: add_arg.offset, length: add_arg.length)) |
425 | return -EINVAL; |
426 | |
427 | if (copy_from_user(to: &secinfo, from: (void __user *)add_arg.secinfo, |
428 | n: sizeof(secinfo))) |
429 | return -EFAULT; |
430 | |
431 | if (sgx_validate_secinfo(secinfo: &secinfo)) |
432 | return -EINVAL; |
433 | |
434 | for (c = 0 ; c < add_arg.length; c += PAGE_SIZE) { |
435 | if (signal_pending(current)) { |
436 | if (!c) |
437 | ret = -ERESTARTSYS; |
438 | |
439 | break; |
440 | } |
441 | |
442 | if (need_resched()) |
443 | cond_resched(); |
444 | |
445 | ret = sgx_encl_add_page(encl, src: add_arg.src + c, offset: add_arg.offset + c, |
446 | secinfo: &secinfo, flags: add_arg.flags); |
447 | if (ret) |
448 | break; |
449 | } |
450 | |
451 | add_arg.count = c; |
452 | |
453 | if (copy_to_user(to: arg, from: &add_arg, n: sizeof(add_arg))) |
454 | return -EFAULT; |
455 | |
456 | return ret; |
457 | } |
458 | |
459 | static int __sgx_get_key_hash(struct crypto_shash *tfm, const void *modulus, |
460 | void *hash) |
461 | { |
462 | SHASH_DESC_ON_STACK(shash, tfm); |
463 | |
464 | shash->tfm = tfm; |
465 | |
466 | return crypto_shash_digest(desc: shash, data: modulus, SGX_MODULUS_SIZE, out: hash); |
467 | } |
468 | |
469 | static int sgx_get_key_hash(const void *modulus, void *hash) |
470 | { |
471 | struct crypto_shash *tfm; |
472 | int ret; |
473 | |
474 | tfm = crypto_alloc_shash(alg_name: "sha256" , type: 0, CRYPTO_ALG_ASYNC); |
475 | if (IS_ERR(ptr: tfm)) |
476 | return PTR_ERR(ptr: tfm); |
477 | |
478 | ret = __sgx_get_key_hash(tfm, modulus, hash); |
479 | |
480 | crypto_free_shash(tfm); |
481 | return ret; |
482 | } |
483 | |
484 | static int sgx_encl_init(struct sgx_encl *encl, struct sgx_sigstruct *sigstruct, |
485 | void *token) |
486 | { |
487 | u64 mrsigner[4]; |
488 | int i, j; |
489 | void *addr; |
490 | int ret; |
491 | |
492 | /* |
493 | * Deny initializing enclaves with attributes (namely provisioning) |
494 | * that have not been explicitly allowed. |
495 | */ |
496 | if (encl->attributes & ~encl->attributes_mask) |
497 | return -EACCES; |
498 | |
499 | /* |
500 | * Attributes should not be enforced *only* against what's available on |
501 | * platform (done in sgx_encl_create) but checked and enforced against |
502 | * the mask for enforcement in sigstruct. For example an enclave could |
503 | * opt to sign with AVX bit in xfrm, but still be loadable on a platform |
504 | * without it if the sigstruct->body.attributes_mask does not turn that |
505 | * bit on. |
506 | */ |
507 | if (sigstruct->body.attributes & sigstruct->body.attributes_mask & |
508 | sgx_attributes_reserved_mask) |
509 | return -EINVAL; |
510 | |
511 | if (sigstruct->body.miscselect & sigstruct->body.misc_mask & |
512 | sgx_misc_reserved_mask) |
513 | return -EINVAL; |
514 | |
515 | if (sigstruct->body.xfrm & sigstruct->body.xfrm_mask & |
516 | sgx_xfrm_reserved_mask) |
517 | return -EINVAL; |
518 | |
519 | ret = sgx_get_key_hash(modulus: sigstruct->modulus, hash: mrsigner); |
520 | if (ret) |
521 | return ret; |
522 | |
523 | mutex_lock(&encl->lock); |
524 | |
525 | /* |
526 | * ENCLS[EINIT] is interruptible because it has such a high latency, |
527 | * e.g. 50k+ cycles on success. If an IRQ/NMI/SMI becomes pending, |
528 | * EINIT may fail with SGX_UNMASKED_EVENT so that the event can be |
529 | * serviced. |
530 | */ |
531 | for (i = 0; i < SGX_EINIT_SLEEP_COUNT; i++) { |
532 | for (j = 0; j < SGX_EINIT_SPIN_COUNT; j++) { |
533 | addr = sgx_get_epc_virt_addr(page: encl->secs.epc_page); |
534 | |
535 | preempt_disable(); |
536 | |
537 | sgx_update_lepubkeyhash(lepubkeyhash: mrsigner); |
538 | |
539 | ret = __einit(sigstruct, token, secs: addr); |
540 | |
541 | preempt_enable(); |
542 | |
543 | if (ret == SGX_UNMASKED_EVENT) |
544 | continue; |
545 | else |
546 | break; |
547 | } |
548 | |
549 | if (ret != SGX_UNMASKED_EVENT) |
550 | break; |
551 | |
552 | msleep_interruptible(SGX_EINIT_SLEEP_TIME); |
553 | |
554 | if (signal_pending(current)) { |
555 | ret = -ERESTARTSYS; |
556 | goto err_out; |
557 | } |
558 | } |
559 | |
560 | if (encls_faulted(ret)) { |
561 | if (encls_failed(ret)) |
562 | ENCLS_WARN(ret, "EINIT" ); |
563 | |
564 | ret = -EIO; |
565 | } else if (ret) { |
566 | pr_debug("EINIT returned %d\n" , ret); |
567 | ret = -EPERM; |
568 | } else { |
569 | set_bit(nr: SGX_ENCL_INITIALIZED, addr: &encl->flags); |
570 | } |
571 | |
572 | err_out: |
573 | mutex_unlock(lock: &encl->lock); |
574 | return ret; |
575 | } |
576 | |
577 | /** |
578 | * sgx_ioc_enclave_init() - handler for %SGX_IOC_ENCLAVE_INIT |
579 | * @encl: an enclave pointer |
580 | * @arg: userspace pointer to a struct sgx_enclave_init instance |
581 | * |
582 | * Flush any outstanding enqueued EADD operations and perform EINIT. The |
583 | * Launch Enclave Public Key Hash MSRs are rewritten as necessary to match |
584 | * the enclave's MRSIGNER, which is calculated from the provided sigstruct. |
585 | * |
586 | * Return: |
587 | * - 0: Success. |
588 | * - -EPERM: Invalid SIGSTRUCT. |
589 | * - -EIO: EINIT failed because of a power cycle. |
590 | * - -errno: POSIX error. |
591 | */ |
592 | static long sgx_ioc_enclave_init(struct sgx_encl *encl, void __user *arg) |
593 | { |
594 | struct sgx_sigstruct *sigstruct; |
595 | struct sgx_enclave_init init_arg; |
596 | void *token; |
597 | int ret; |
598 | |
599 | if (!test_bit(SGX_ENCL_CREATED, &encl->flags) || |
600 | test_bit(SGX_ENCL_INITIALIZED, &encl->flags)) |
601 | return -EINVAL; |
602 | |
603 | if (copy_from_user(to: &init_arg, from: arg, n: sizeof(init_arg))) |
604 | return -EFAULT; |
605 | |
606 | /* |
607 | * 'sigstruct' must be on a page boundary and 'token' on a 512 byte |
608 | * boundary. kmalloc() will give this alignment when allocating |
609 | * PAGE_SIZE bytes. |
610 | */ |
611 | sigstruct = kmalloc(PAGE_SIZE, GFP_KERNEL); |
612 | if (!sigstruct) |
613 | return -ENOMEM; |
614 | |
615 | token = (void *)((unsigned long)sigstruct + PAGE_SIZE / 2); |
616 | memset(token, 0, SGX_LAUNCH_TOKEN_SIZE); |
617 | |
618 | if (copy_from_user(to: sigstruct, from: (void __user *)init_arg.sigstruct, |
619 | n: sizeof(*sigstruct))) { |
620 | ret = -EFAULT; |
621 | goto out; |
622 | } |
623 | |
624 | /* |
625 | * A legacy field used with Intel signed enclaves. These used to mean |
626 | * regular and architectural enclaves. The CPU only accepts these values |
627 | * but they do not have any other meaning. |
628 | * |
629 | * Thus, reject any other values. |
630 | */ |
631 | if (sigstruct->header.vendor != 0x0000 && |
632 | sigstruct->header.vendor != 0x8086) { |
633 | ret = -EINVAL; |
634 | goto out; |
635 | } |
636 | |
637 | ret = sgx_encl_init(encl, sigstruct, token); |
638 | |
639 | out: |
640 | kfree(objp: sigstruct); |
641 | return ret; |
642 | } |
643 | |
644 | /** |
645 | * sgx_ioc_enclave_provision() - handler for %SGX_IOC_ENCLAVE_PROVISION |
646 | * @encl: an enclave pointer |
647 | * @arg: userspace pointer to a struct sgx_enclave_provision instance |
648 | * |
649 | * Allow ATTRIBUTE.PROVISION_KEY for an enclave by providing a file handle to |
650 | * /dev/sgx_provision. |
651 | * |
652 | * Return: |
653 | * - 0: Success. |
654 | * - -errno: Otherwise. |
655 | */ |
656 | static long sgx_ioc_enclave_provision(struct sgx_encl *encl, void __user *arg) |
657 | { |
658 | struct sgx_enclave_provision params; |
659 | |
660 | if (copy_from_user(to: ¶ms, from: arg, n: sizeof(params))) |
661 | return -EFAULT; |
662 | |
663 | return sgx_set_attribute(allowed_attributes: &encl->attributes_mask, attribute_fd: params.fd); |
664 | } |
665 | |
666 | /* |
667 | * Ensure enclave is ready for SGX2 functions. Readiness is checked |
668 | * by ensuring the hardware supports SGX2 and the enclave is initialized |
669 | * and thus able to handle requests to modify pages within it. |
670 | */ |
671 | static int sgx_ioc_sgx2_ready(struct sgx_encl *encl) |
672 | { |
673 | if (!(cpu_feature_enabled(X86_FEATURE_SGX2))) |
674 | return -ENODEV; |
675 | |
676 | if (!test_bit(SGX_ENCL_INITIALIZED, &encl->flags)) |
677 | return -EINVAL; |
678 | |
679 | return 0; |
680 | } |
681 | |
682 | /* |
683 | * Some SGX functions require that no cached linear-to-physical address |
684 | * mappings are present before they can succeed. Collaborate with |
685 | * hardware via ENCLS[ETRACK] to ensure that all cached |
686 | * linear-to-physical address mappings belonging to all threads of |
687 | * the enclave are cleared. See sgx_encl_cpumask() for details. |
688 | * |
689 | * Must be called with enclave's mutex held from the time the |
690 | * SGX function requiring that no cached linear-to-physical mappings |
691 | * are present is executed until this ETRACK flow is complete. |
692 | */ |
693 | static int sgx_enclave_etrack(struct sgx_encl *encl) |
694 | { |
695 | void *epc_virt; |
696 | int ret; |
697 | |
698 | epc_virt = sgx_get_epc_virt_addr(page: encl->secs.epc_page); |
699 | ret = __etrack(addr: epc_virt); |
700 | if (ret) { |
701 | /* |
702 | * ETRACK only fails when there is an OS issue. For |
703 | * example, two consecutive ETRACK was sent without |
704 | * completed IPI between. |
705 | */ |
706 | pr_err_once("ETRACK returned %d (0x%x)" , ret, ret); |
707 | /* |
708 | * Send IPIs to kick CPUs out of the enclave and |
709 | * try ETRACK again. |
710 | */ |
711 | on_each_cpu_mask(mask: sgx_encl_cpumask(encl), func: sgx_ipi_cb, NULL, wait: 1); |
712 | ret = __etrack(addr: epc_virt); |
713 | if (ret) { |
714 | pr_err_once("ETRACK repeat returned %d (0x%x)" , |
715 | ret, ret); |
716 | return -EFAULT; |
717 | } |
718 | } |
719 | on_each_cpu_mask(mask: sgx_encl_cpumask(encl), func: sgx_ipi_cb, NULL, wait: 1); |
720 | |
721 | return 0; |
722 | } |
723 | |
724 | /** |
725 | * sgx_enclave_restrict_permissions() - Restrict EPCM permissions |
726 | * @encl: Enclave to which the pages belong. |
727 | * @modp: Checked parameters from user on which pages need modifying and |
728 | * their new permissions. |
729 | * |
730 | * Return: |
731 | * - 0: Success. |
732 | * - -errno: Otherwise. |
733 | */ |
734 | static long |
735 | sgx_enclave_restrict_permissions(struct sgx_encl *encl, |
736 | struct sgx_enclave_restrict_permissions *modp) |
737 | { |
738 | struct sgx_encl_page *entry; |
739 | struct sgx_secinfo secinfo; |
740 | unsigned long addr; |
741 | unsigned long c; |
742 | void *epc_virt; |
743 | int ret; |
744 | |
745 | memset(&secinfo, 0, sizeof(secinfo)); |
746 | secinfo.flags = modp->permissions & SGX_SECINFO_PERMISSION_MASK; |
747 | |
748 | for (c = 0 ; c < modp->length; c += PAGE_SIZE) { |
749 | addr = encl->base + modp->offset + c; |
750 | |
751 | sgx_reclaim_direct(); |
752 | |
753 | mutex_lock(&encl->lock); |
754 | |
755 | entry = sgx_encl_load_page(encl, addr); |
756 | if (IS_ERR(ptr: entry)) { |
757 | ret = PTR_ERR(ptr: entry) == -EBUSY ? -EAGAIN : -EFAULT; |
758 | goto out_unlock; |
759 | } |
760 | |
761 | /* |
762 | * Changing EPCM permissions is only supported on regular |
763 | * SGX pages. Attempting this change on other pages will |
764 | * result in #PF. |
765 | */ |
766 | if (entry->type != SGX_PAGE_TYPE_REG) { |
767 | ret = -EINVAL; |
768 | goto out_unlock; |
769 | } |
770 | |
771 | /* |
772 | * Apart from ensuring that read-access remains, do not verify |
773 | * the permission bits requested. Kernel has no control over |
774 | * how EPCM permissions can be relaxed from within the enclave. |
775 | * ENCLS[EMODPR] can only remove existing EPCM permissions, |
776 | * attempting to set new permissions will be ignored by the |
777 | * hardware. |
778 | */ |
779 | |
780 | /* Change EPCM permissions. */ |
781 | epc_virt = sgx_get_epc_virt_addr(page: entry->epc_page); |
782 | ret = __emodpr(secinfo: &secinfo, addr: epc_virt); |
783 | if (encls_faulted(ret)) { |
784 | /* |
785 | * All possible faults should be avoidable: |
786 | * parameters have been checked, will only change |
787 | * permissions of a regular page, and no concurrent |
788 | * SGX1/SGX2 ENCLS instructions since these |
789 | * are protected with mutex. |
790 | */ |
791 | pr_err_once("EMODPR encountered exception %d\n" , |
792 | ENCLS_TRAPNR(ret)); |
793 | ret = -EFAULT; |
794 | goto out_unlock; |
795 | } |
796 | if (encls_failed(ret)) { |
797 | modp->result = ret; |
798 | ret = -EFAULT; |
799 | goto out_unlock; |
800 | } |
801 | |
802 | ret = sgx_enclave_etrack(encl); |
803 | if (ret) { |
804 | ret = -EFAULT; |
805 | goto out_unlock; |
806 | } |
807 | |
808 | mutex_unlock(lock: &encl->lock); |
809 | } |
810 | |
811 | ret = 0; |
812 | goto out; |
813 | |
814 | out_unlock: |
815 | mutex_unlock(lock: &encl->lock); |
816 | out: |
817 | modp->count = c; |
818 | |
819 | return ret; |
820 | } |
821 | |
822 | /** |
823 | * sgx_ioc_enclave_restrict_permissions() - handler for |
824 | * %SGX_IOC_ENCLAVE_RESTRICT_PERMISSIONS |
825 | * @encl: an enclave pointer |
826 | * @arg: userspace pointer to a &struct sgx_enclave_restrict_permissions |
827 | * instance |
828 | * |
829 | * SGX2 distinguishes between relaxing and restricting the enclave page |
830 | * permissions maintained by the hardware (EPCM permissions) of pages |
831 | * belonging to an initialized enclave (after SGX_IOC_ENCLAVE_INIT). |
832 | * |
833 | * EPCM permissions cannot be restricted from within the enclave, the enclave |
834 | * requires the kernel to run the privileged level 0 instructions ENCLS[EMODPR] |
835 | * and ENCLS[ETRACK]. An attempt to relax EPCM permissions with this call |
836 | * will be ignored by the hardware. |
837 | * |
838 | * Return: |
839 | * - 0: Success |
840 | * - -errno: Otherwise |
841 | */ |
842 | static long sgx_ioc_enclave_restrict_permissions(struct sgx_encl *encl, |
843 | void __user *arg) |
844 | { |
845 | struct sgx_enclave_restrict_permissions params; |
846 | long ret; |
847 | |
848 | ret = sgx_ioc_sgx2_ready(encl); |
849 | if (ret) |
850 | return ret; |
851 | |
852 | if (copy_from_user(to: ¶ms, from: arg, n: sizeof(params))) |
853 | return -EFAULT; |
854 | |
855 | if (sgx_validate_offset_length(encl, offset: params.offset, length: params.length)) |
856 | return -EINVAL; |
857 | |
858 | if (params.permissions & ~SGX_SECINFO_PERMISSION_MASK) |
859 | return -EINVAL; |
860 | |
861 | /* |
862 | * Fail early if invalid permissions requested to prevent ENCLS[EMODPR] |
863 | * from faulting later when the CPU does the same check. |
864 | */ |
865 | if ((params.permissions & SGX_SECINFO_W) && |
866 | !(params.permissions & SGX_SECINFO_R)) |
867 | return -EINVAL; |
868 | |
869 | if (params.result || params.count) |
870 | return -EINVAL; |
871 | |
872 | ret = sgx_enclave_restrict_permissions(encl, modp: ¶ms); |
873 | |
874 | if (copy_to_user(to: arg, from: ¶ms, n: sizeof(params))) |
875 | return -EFAULT; |
876 | |
877 | return ret; |
878 | } |
879 | |
880 | /** |
881 | * sgx_enclave_modify_types() - Modify type of SGX enclave pages |
882 | * @encl: Enclave to which the pages belong. |
883 | * @modt: Checked parameters from user about which pages need modifying |
884 | * and their new page type. |
885 | * |
886 | * Return: |
887 | * - 0: Success |
888 | * - -errno: Otherwise |
889 | */ |
890 | static long sgx_enclave_modify_types(struct sgx_encl *encl, |
891 | struct sgx_enclave_modify_types *modt) |
892 | { |
893 | unsigned long max_prot_restore; |
894 | enum sgx_page_type page_type; |
895 | struct sgx_encl_page *entry; |
896 | struct sgx_secinfo secinfo; |
897 | unsigned long prot; |
898 | unsigned long addr; |
899 | unsigned long c; |
900 | void *epc_virt; |
901 | int ret; |
902 | |
903 | page_type = modt->page_type & SGX_PAGE_TYPE_MASK; |
904 | |
905 | /* |
906 | * The only new page types allowed by hardware are PT_TCS and PT_TRIM. |
907 | */ |
908 | if (page_type != SGX_PAGE_TYPE_TCS && page_type != SGX_PAGE_TYPE_TRIM) |
909 | return -EINVAL; |
910 | |
911 | memset(&secinfo, 0, sizeof(secinfo)); |
912 | |
913 | secinfo.flags = page_type << 8; |
914 | |
915 | for (c = 0 ; c < modt->length; c += PAGE_SIZE) { |
916 | addr = encl->base + modt->offset + c; |
917 | |
918 | sgx_reclaim_direct(); |
919 | |
920 | mutex_lock(&encl->lock); |
921 | |
922 | entry = sgx_encl_load_page(encl, addr); |
923 | if (IS_ERR(ptr: entry)) { |
924 | ret = PTR_ERR(ptr: entry) == -EBUSY ? -EAGAIN : -EFAULT; |
925 | goto out_unlock; |
926 | } |
927 | |
928 | /* |
929 | * Borrow the logic from the Intel SDM. Regular pages |
930 | * (SGX_PAGE_TYPE_REG) can change type to SGX_PAGE_TYPE_TCS |
931 | * or SGX_PAGE_TYPE_TRIM but TCS pages can only be trimmed. |
932 | * CET pages not supported yet. |
933 | */ |
934 | if (!(entry->type == SGX_PAGE_TYPE_REG || |
935 | (entry->type == SGX_PAGE_TYPE_TCS && |
936 | page_type == SGX_PAGE_TYPE_TRIM))) { |
937 | ret = -EINVAL; |
938 | goto out_unlock; |
939 | } |
940 | |
941 | max_prot_restore = entry->vm_max_prot_bits; |
942 | |
943 | /* |
944 | * Once a regular page becomes a TCS page it cannot be |
945 | * changed back. So the maximum allowed protection reflects |
946 | * the TCS page that is always RW from kernel perspective but |
947 | * will be inaccessible from within enclave. Before doing |
948 | * so, do make sure that the new page type continues to |
949 | * respect the originally vetted page permissions. |
950 | */ |
951 | if (entry->type == SGX_PAGE_TYPE_REG && |
952 | page_type == SGX_PAGE_TYPE_TCS) { |
953 | if (~entry->vm_max_prot_bits & (VM_READ | VM_WRITE)) { |
954 | ret = -EPERM; |
955 | goto out_unlock; |
956 | } |
957 | prot = PROT_READ | PROT_WRITE; |
958 | entry->vm_max_prot_bits = calc_vm_prot_bits(prot, pkey: 0); |
959 | |
960 | /* |
961 | * Prevent page from being reclaimed while mutex |
962 | * is released. |
963 | */ |
964 | if (sgx_unmark_page_reclaimable(page: entry->epc_page)) { |
965 | ret = -EAGAIN; |
966 | goto out_entry_changed; |
967 | } |
968 | |
969 | /* |
970 | * Do not keep encl->lock because of dependency on |
971 | * mmap_lock acquired in sgx_zap_enclave_ptes(). |
972 | */ |
973 | mutex_unlock(lock: &encl->lock); |
974 | |
975 | sgx_zap_enclave_ptes(encl, addr); |
976 | |
977 | mutex_lock(&encl->lock); |
978 | |
979 | sgx_mark_page_reclaimable(page: entry->epc_page); |
980 | } |
981 | |
982 | /* Change EPC type */ |
983 | epc_virt = sgx_get_epc_virt_addr(page: entry->epc_page); |
984 | ret = __emodt(secinfo: &secinfo, addr: epc_virt); |
985 | if (encls_faulted(ret)) { |
986 | /* |
987 | * All possible faults should be avoidable: |
988 | * parameters have been checked, will only change |
989 | * valid page types, and no concurrent |
990 | * SGX1/SGX2 ENCLS instructions since these are |
991 | * protected with mutex. |
992 | */ |
993 | pr_err_once("EMODT encountered exception %d\n" , |
994 | ENCLS_TRAPNR(ret)); |
995 | ret = -EFAULT; |
996 | goto out_entry_changed; |
997 | } |
998 | if (encls_failed(ret)) { |
999 | modt->result = ret; |
1000 | ret = -EFAULT; |
1001 | goto out_entry_changed; |
1002 | } |
1003 | |
1004 | ret = sgx_enclave_etrack(encl); |
1005 | if (ret) { |
1006 | ret = -EFAULT; |
1007 | goto out_unlock; |
1008 | } |
1009 | |
1010 | entry->type = page_type; |
1011 | |
1012 | mutex_unlock(lock: &encl->lock); |
1013 | } |
1014 | |
1015 | ret = 0; |
1016 | goto out; |
1017 | |
1018 | out_entry_changed: |
1019 | entry->vm_max_prot_bits = max_prot_restore; |
1020 | out_unlock: |
1021 | mutex_unlock(lock: &encl->lock); |
1022 | out: |
1023 | modt->count = c; |
1024 | |
1025 | return ret; |
1026 | } |
1027 | |
1028 | /** |
1029 | * sgx_ioc_enclave_modify_types() - handler for %SGX_IOC_ENCLAVE_MODIFY_TYPES |
1030 | * @encl: an enclave pointer |
1031 | * @arg: userspace pointer to a &struct sgx_enclave_modify_types instance |
1032 | * |
1033 | * Ability to change the enclave page type supports the following use cases: |
1034 | * |
1035 | * * It is possible to add TCS pages to an enclave by changing the type of |
1036 | * regular pages (%SGX_PAGE_TYPE_REG) to TCS (%SGX_PAGE_TYPE_TCS) pages. |
1037 | * With this support the number of threads supported by an initialized |
1038 | * enclave can be increased dynamically. |
1039 | * |
1040 | * * Regular or TCS pages can dynamically be removed from an initialized |
1041 | * enclave by changing the page type to %SGX_PAGE_TYPE_TRIM. Changing the |
1042 | * page type to %SGX_PAGE_TYPE_TRIM marks the page for removal with actual |
1043 | * removal done by handler of %SGX_IOC_ENCLAVE_REMOVE_PAGES ioctl() called |
1044 | * after ENCLU[EACCEPT] is run on %SGX_PAGE_TYPE_TRIM page from within the |
1045 | * enclave. |
1046 | * |
1047 | * Return: |
1048 | * - 0: Success |
1049 | * - -errno: Otherwise |
1050 | */ |
1051 | static long sgx_ioc_enclave_modify_types(struct sgx_encl *encl, |
1052 | void __user *arg) |
1053 | { |
1054 | struct sgx_enclave_modify_types params; |
1055 | long ret; |
1056 | |
1057 | ret = sgx_ioc_sgx2_ready(encl); |
1058 | if (ret) |
1059 | return ret; |
1060 | |
1061 | if (copy_from_user(to: ¶ms, from: arg, n: sizeof(params))) |
1062 | return -EFAULT; |
1063 | |
1064 | if (sgx_validate_offset_length(encl, offset: params.offset, length: params.length)) |
1065 | return -EINVAL; |
1066 | |
1067 | if (params.page_type & ~SGX_PAGE_TYPE_MASK) |
1068 | return -EINVAL; |
1069 | |
1070 | if (params.result || params.count) |
1071 | return -EINVAL; |
1072 | |
1073 | ret = sgx_enclave_modify_types(encl, modt: ¶ms); |
1074 | |
1075 | if (copy_to_user(to: arg, from: ¶ms, n: sizeof(params))) |
1076 | return -EFAULT; |
1077 | |
1078 | return ret; |
1079 | } |
1080 | |
1081 | /** |
1082 | * sgx_encl_remove_pages() - Remove trimmed pages from SGX enclave |
1083 | * @encl: Enclave to which the pages belong |
1084 | * @params: Checked parameters from user on which pages need to be removed |
1085 | * |
1086 | * Return: |
1087 | * - 0: Success. |
1088 | * - -errno: Otherwise. |
1089 | */ |
1090 | static long sgx_encl_remove_pages(struct sgx_encl *encl, |
1091 | struct sgx_enclave_remove_pages *params) |
1092 | { |
1093 | struct sgx_encl_page *entry; |
1094 | struct sgx_secinfo secinfo; |
1095 | unsigned long addr; |
1096 | unsigned long c; |
1097 | void *epc_virt; |
1098 | int ret; |
1099 | |
1100 | memset(&secinfo, 0, sizeof(secinfo)); |
1101 | secinfo.flags = SGX_SECINFO_R | SGX_SECINFO_W | SGX_SECINFO_X; |
1102 | |
1103 | for (c = 0 ; c < params->length; c += PAGE_SIZE) { |
1104 | addr = encl->base + params->offset + c; |
1105 | |
1106 | sgx_reclaim_direct(); |
1107 | |
1108 | mutex_lock(&encl->lock); |
1109 | |
1110 | entry = sgx_encl_load_page(encl, addr); |
1111 | if (IS_ERR(ptr: entry)) { |
1112 | ret = PTR_ERR(ptr: entry) == -EBUSY ? -EAGAIN : -EFAULT; |
1113 | goto out_unlock; |
1114 | } |
1115 | |
1116 | if (entry->type != SGX_PAGE_TYPE_TRIM) { |
1117 | ret = -EPERM; |
1118 | goto out_unlock; |
1119 | } |
1120 | |
1121 | /* |
1122 | * ENCLS[EMODPR] is a no-op instruction used to inform if |
1123 | * ENCLU[EACCEPT] was run from within the enclave. If |
1124 | * ENCLS[EMODPR] is run with RWX on a trimmed page that is |
1125 | * not yet accepted then it will return |
1126 | * %SGX_PAGE_NOT_MODIFIABLE, after the trimmed page is |
1127 | * accepted the instruction will encounter a page fault. |
1128 | */ |
1129 | epc_virt = sgx_get_epc_virt_addr(page: entry->epc_page); |
1130 | ret = __emodpr(secinfo: &secinfo, addr: epc_virt); |
1131 | if (!encls_faulted(ret) || ENCLS_TRAPNR(ret) != X86_TRAP_PF) { |
1132 | ret = -EPERM; |
1133 | goto out_unlock; |
1134 | } |
1135 | |
1136 | if (sgx_unmark_page_reclaimable(page: entry->epc_page)) { |
1137 | ret = -EBUSY; |
1138 | goto out_unlock; |
1139 | } |
1140 | |
1141 | /* |
1142 | * Do not keep encl->lock because of dependency on |
1143 | * mmap_lock acquired in sgx_zap_enclave_ptes(). |
1144 | */ |
1145 | mutex_unlock(lock: &encl->lock); |
1146 | |
1147 | sgx_zap_enclave_ptes(encl, addr); |
1148 | |
1149 | mutex_lock(&encl->lock); |
1150 | |
1151 | sgx_encl_free_epc_page(page: entry->epc_page); |
1152 | encl->secs_child_cnt--; |
1153 | entry->epc_page = NULL; |
1154 | xa_erase(&encl->page_array, PFN_DOWN(entry->desc)); |
1155 | sgx_encl_shrink(encl, NULL); |
1156 | kfree(objp: entry); |
1157 | |
1158 | mutex_unlock(lock: &encl->lock); |
1159 | } |
1160 | |
1161 | ret = 0; |
1162 | goto out; |
1163 | |
1164 | out_unlock: |
1165 | mutex_unlock(lock: &encl->lock); |
1166 | out: |
1167 | params->count = c; |
1168 | |
1169 | return ret; |
1170 | } |
1171 | |
1172 | /** |
1173 | * sgx_ioc_enclave_remove_pages() - handler for %SGX_IOC_ENCLAVE_REMOVE_PAGES |
1174 | * @encl: an enclave pointer |
1175 | * @arg: userspace pointer to &struct sgx_enclave_remove_pages instance |
1176 | * |
1177 | * Final step of the flow removing pages from an initialized enclave. The |
1178 | * complete flow is: |
1179 | * |
1180 | * 1) User changes the type of the pages to be removed to %SGX_PAGE_TYPE_TRIM |
1181 | * using the %SGX_IOC_ENCLAVE_MODIFY_TYPES ioctl(). |
1182 | * 2) User approves the page removal by running ENCLU[EACCEPT] from within |
1183 | * the enclave. |
1184 | * 3) User initiates actual page removal using the |
1185 | * %SGX_IOC_ENCLAVE_REMOVE_PAGES ioctl() that is handled here. |
1186 | * |
1187 | * First remove any page table entries pointing to the page and then proceed |
1188 | * with the actual removal of the enclave page and data in support of it. |
1189 | * |
1190 | * VA pages are not affected by this removal. It is thus possible that the |
1191 | * enclave may end up with more VA pages than needed to support all its |
1192 | * pages. |
1193 | * |
1194 | * Return: |
1195 | * - 0: Success |
1196 | * - -errno: Otherwise |
1197 | */ |
1198 | static long sgx_ioc_enclave_remove_pages(struct sgx_encl *encl, |
1199 | void __user *arg) |
1200 | { |
1201 | struct sgx_enclave_remove_pages params; |
1202 | long ret; |
1203 | |
1204 | ret = sgx_ioc_sgx2_ready(encl); |
1205 | if (ret) |
1206 | return ret; |
1207 | |
1208 | if (copy_from_user(to: ¶ms, from: arg, n: sizeof(params))) |
1209 | return -EFAULT; |
1210 | |
1211 | if (sgx_validate_offset_length(encl, offset: params.offset, length: params.length)) |
1212 | return -EINVAL; |
1213 | |
1214 | if (params.count) |
1215 | return -EINVAL; |
1216 | |
1217 | ret = sgx_encl_remove_pages(encl, params: ¶ms); |
1218 | |
1219 | if (copy_to_user(to: arg, from: ¶ms, n: sizeof(params))) |
1220 | return -EFAULT; |
1221 | |
1222 | return ret; |
1223 | } |
1224 | |
1225 | long sgx_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) |
1226 | { |
1227 | struct sgx_encl *encl = filep->private_data; |
1228 | int ret; |
1229 | |
1230 | if (test_and_set_bit(nr: SGX_ENCL_IOCTL, addr: &encl->flags)) |
1231 | return -EBUSY; |
1232 | |
1233 | switch (cmd) { |
1234 | case SGX_IOC_ENCLAVE_CREATE: |
1235 | ret = sgx_ioc_enclave_create(encl, arg: (void __user *)arg); |
1236 | break; |
1237 | case SGX_IOC_ENCLAVE_ADD_PAGES: |
1238 | ret = sgx_ioc_enclave_add_pages(encl, arg: (void __user *)arg); |
1239 | break; |
1240 | case SGX_IOC_ENCLAVE_INIT: |
1241 | ret = sgx_ioc_enclave_init(encl, arg: (void __user *)arg); |
1242 | break; |
1243 | case SGX_IOC_ENCLAVE_PROVISION: |
1244 | ret = sgx_ioc_enclave_provision(encl, arg: (void __user *)arg); |
1245 | break; |
1246 | case SGX_IOC_ENCLAVE_RESTRICT_PERMISSIONS: |
1247 | ret = sgx_ioc_enclave_restrict_permissions(encl, |
1248 | arg: (void __user *)arg); |
1249 | break; |
1250 | case SGX_IOC_ENCLAVE_MODIFY_TYPES: |
1251 | ret = sgx_ioc_enclave_modify_types(encl, arg: (void __user *)arg); |
1252 | break; |
1253 | case SGX_IOC_ENCLAVE_REMOVE_PAGES: |
1254 | ret = sgx_ioc_enclave_remove_pages(encl, arg: (void __user *)arg); |
1255 | break; |
1256 | default: |
1257 | ret = -ENOIOCTLCMD; |
1258 | break; |
1259 | } |
1260 | |
1261 | clear_bit(nr: SGX_ENCL_IOCTL, addr: &encl->flags); |
1262 | return ret; |
1263 | } |
1264 | |