From patchwork Wed Mar 18 01:12:07 2020
X-Patchwork-Submitter: Marcelo Henrique Cerri
X-Patchwork-Id: 1257114
From: Marcelo Henrique Cerri
To: kernel-team@lists.ubuntu.com
Subject: [{xenial, bionic, eoan, focal}:linux-azure][PATCH] UBUNTU: SAUCE: linux-azure: Update SGX to version LD_1.22
Date: Tue, 17 Mar 2020 22:12:07 -0300
Message-Id: <20200318011207.4949-1-marcelo.cerri@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1867820

Update the SGX driver with the version from Intel's DCAP repository[1], version LD_1.22 (commit id a69366583342). Also remove the README.md file since it's not shipped by the kernel.

[1] https://github.com/intel/SGXDataCenterAttestationPrimitives.git

Signed-off-by: Marcelo Henrique Cerri
---
 ubuntu/sgx/Makefile | 9 ++++
 ubuntu/sgx/README.md | 114 ---------------------------------------
 ubuntu/sgx/sgx_encl.c | 4 +-
 ubuntu/sgx/sgx_main.c | 2 +-
 ubuntu/sgx/sgx_version.h | 2 +-
 5 files changed, 13 insertions(+), 118 deletions(-)
 delete mode 100644 ubuntu/sgx/README.md

diff --git a/ubuntu/sgx/Makefile b/ubuntu/sgx/Makefile index 9dcb2b159657..4401e9d8e71d 100644 --- a/ubuntu/sgx/Makefile +++ b/ubuntu/sgx/Makefile @@ -66,12 +66,21 @@ intel_sgx-y := \ else KDIR := /lib/modules/$(shell uname -r)/build + +INKERNEL_SGX :=$(shell cat $(KDIR)/.config | grep "CONFIG_INTEL_SGX=y") +ifneq ($(INKERNEL_SGX),) +default: + $(error Can't install DCAP SGX driver with inkernel SGX support) + +else + PWD := $(shell pwd) default: $(MAKE) -C $(KDIR) M=$(PWD) CFLAGS_MODULE="-I$(PWD) -I$(PWD)/include" modules endif +endif clean: rm -vrf *.o *.ko *.order *.symvers *.mod.c .tmp_versions .*.cmd *.o.ur-safe diff --git a/ubuntu/sgx/README.md b/ubuntu/sgx/README.md deleted file mode 100644 index e459167a8937..000000000000 --- a/ubuntu/sgx/README.md +++ /dev/null 
@@ -1,114 +0,0 @@ -Intel(R) Software Guard Extensions for Linux\* OS -================================================ - -# SGX Linux Driver with Launch Enclave(LE) for Intel(R) SGX DCAP - -Introduction ------------- -This Intel(R) SGX driver package is for Intel(R) SGX DCAP and is derived from the upstream version of the SGX driver, including the in-driver Launch Enclave. - - -Documentation -------------- -- [Intel(R) SGX for Linux\* OS](https://01.org/intel-softwareguard-extensions) project home page on [01.org](http://01.org) -- [Intel(R) SGX Programming Reference](https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf) - - -Build and Install the Intel(R) SGX Driver ------------------------------------------ -### Prerequisites -- Ensure that you have the following required operating systems: - * Ubuntu* 16.04 LTS Desktop 64bits - minimal kernel 4.10 - * Ubuntu* 16.04 LTS Server 64bits - minimal kernel 4.10 - * Ubuntu* 18.04 LTS Desktop 64bits - * Ubuntu* 18.04 LTS Server 64bits -- Ensure that you have the following required hardware: - * 8th Generation Intel(R) Core(TM) Processor or newer with **Flexible Launch Control** and **Intel(R) AES New Instructions** support* - * Intel(R) Atom(TM) Processor with **Flexible Launch Control** and **Intel(R) AES New Instructions** support* -- Configure the system with the **SGX hardware enabled** option. -- Ensure that the version of installed kernel headers matches the active kernel version on the system. - * To check if matching kernel headers are installed: - ``` - $ dpkg-query -s linux-headers-$(uname -r) - ``` - * To install matching headers: - ``` - $ sudo apt-get install linux-headers-$(uname -r) - ``` -- OpenSSL is required for the Launch Enclave signing. 
- * To install OpenSSl: - ``` - $ sudo apt-get install libssl-dev - ``` - -**Note:** Refer to the *"IntelĀ® SGX Resource Enumeration Leaves"* section in the [Intel SGX Programming reference guide](https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf) to make sure your cpu has the SGX feature. - - -### Build the Intel(R) SGX Driver -The driver build process is also building and integrating the Launch Enclave as part of the build process. -As the Launch Enclave must be signed, the driver build process supports two methods of build: -- Single step / debug: - In this method the LE is built and signed as part of the driver build process, the private key may be provided to the build command or auto-generated during the build -- Two steps / production: - In this method the first step builds the Launch Enclave and generates the signing materials, which should be signed by some signing entity separately. In the second step the signature and the public key are used to continue the build and generate the driver. - -These build options are provided to support the above two build methods: -- sign: - Build option for the single step build process. It builds the Launch Enclave, signs it and integrate it into the driver. The private key may be provided to the build command by specifying ```SGX_LE_SIGNING_KEY_PATH=``` (default: ./sgx_signing_key.pem), if the key does not exist it will be generated. -- gendata: - Build option for the first step in the two steps process. It builds the Launch Enclave and prepared the signing materials for it. The output of the build may be defined by specifying ```SGX_LE_SIGNING_MATERIAL=``` (default: ./signing_material.bin). -- usesig: - Build option for the second step in the two steps process. It gets the signature file and the public key, and uses them to integrate with the driver build. - The signature file **must** be provided by specifying ```SIG_FILE=```. 
- In addition the public key file may be specified by using ```SGX_LE_PUBLIC_KEY_PATH=``` (default: ./sgx_public_key.pem). - -#### Build Intel(R) SGX Driver Using Single Step Process - -The following is an example for a single step make command: -``` -$ make sign SGX_LE_SIGNING_KEY_PATH=~/my_private_key.pem -``` -**Note:** The **SGX_LE_SIGNING_KEY_PATH** is NOT a mandatory parameter. - -#### Build Intel(R) SGX Driver Using Two Steps Process -The following lines are an example for two steps make process: -``` -$ make gendata SGX_LE_SIGNING_MATERIAL=~/signing_material.bin -$ [sign the generated signing material] -$ make usesig SIG_FILE=~/signature_file.bin SGX_LE_PUBLIC_KEY_PATH=~/my_public_key.pem -``` -**Note:** The **SGX_LE_SIGNING_MATERIAL** and **SGX_LE_PUBLIC_KEY_PATH** are NOT mandatory parameters. -**Note:** To generate "Intel signed" compatible sigstruct file, add **INTEL_SIGNED=1** for each of the make commands. - -#### Build Intel(R) SGX Driver using a pre-built Permissive LE -The Permissive LE (PLE) includes two headers representing the binary content of the PLE (sgx_le_blob.h) and the sigstruct (sgx_le_ss.h) located in the ```driver/le/enclave``` directory. -If these files exist, the PLE will not be built and they will be integrated into the driver build. 
Use a single step make command to complete the driver build and integrate the PLE into it: -``` -$ make -``` - -**Note:** To ensure execution of the PLE build when **NOT** using pre-built PLE, clean all the previously built content before any other build command: -``` -$ make clean -``` - -### Install the Intel(R) SGX Driver -The Intel(R) SGX driver supports DKMS installation, to install the driver follow the following steps: -- Ensure that the DKMS package is installed, or install it using: - ``` $ sudo apt-get install dkms ``` -- With root priviledge, copy the sources to ``/usr/src/sgx-/`` - - ```` should match the version specified in the dkms.conf file -- Follow the following steps to add and install the driver into the DKMS tree: -``` -$ sudo dkms add -m sgx -v -$ sudo dkms build -m sgx -v -$ sudo dkms install -m sgx -v -$ sudo /sbin/modprobe intel_sgx -``` -### Uninstall the Intel(R) SGX Driver -To uninstall the Intel(R) SGX driver, enter the following commands with root privilege: -``` -$ sudo /sbin/modprobe -r intel_sgx -$ sudo dkms remove -m sgx -v --all -``` -You should also remove the sources from ``/usr/src/sgx-/`` diff --git a/ubuntu/sgx/sgx_encl.c b/ubuntu/sgx/sgx_encl.c index 99b89657ca70..dfbd77d2e829 100644 --- a/ubuntu/sgx/sgx_encl.c +++ b/ubuntu/sgx/sgx_encl.c @@ -287,7 +287,7 @@ static u32 sgx_calc_ssaframesize(u32 miscselect, u64 xfrm) int i; for (i = 2; i < 64; i++) { - if (!((1 << i) & xfrm)) + if (!((1ULL << i) & xfrm)) continue; size = SGX_SSA_GPRS_SIZE + sgx_xsave_size_tbl[i]; @@ -881,7 +881,7 @@ int sgx_encl_init(struct sgx_encl *encl, struct sgx_sigstruct *sigstruct, /* Check that the required attributes have been authorized. */ if (encl->attributes & ~encl->allowed_attributes) - return -EINVAL; + return -EACCES; flush_work(&encl->add_page_work); diff --git a/ubuntu/sgx/sgx_main.c b/ubuntu/sgx/sgx_main.c index 65e0bbe2af1a..9f3a1eac66ce 100644 --- a/ubuntu/sgx/sgx_main.c +++ b/ubuntu/sgx/sgx_main.c 
@@ -366,7 +366,7 @@ static int sgx_dev_init(struct device *parent) for (i = 2; i < 64; i++) { cpuid_count(0x0D, i, &eax, &ebx, &ecx, &edx); - if ((1 << i) & sgx_xfrm_mask) + if ((1ULL << i) & sgx_xfrm_mask) sgx_xsave_size_tbl[i] = eax + ebx; } } diff --git a/ubuntu/sgx/sgx_version.h b/ubuntu/sgx/sgx_version.h index eb550a6e6627..07e3f0e8c048 100644 --- a/ubuntu/sgx/sgx_version.h +++ b/ubuntu/sgx/sgx_version.h @@ -55,6 +55,6 @@ #define _SGX_VERSION_H #define DRV_DESCRIPTION "Intel SGX Driver" -#define DRV_VERSION "1.20" +#define DRV_VERSION "1.22" #endif /* _SGX_VERSION_H */
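Review bot: in the ubuntu/sgx/Makefile hunk, the INKERNEL_SGX check fails open. It is computed as `$(shell cat $(KDIR)/.config | grep "CONFIG_INTEL_SGX=y")`, so when $(KDIR)/.config is missing or unreadable the shell output is empty, `ifneq ($(INKERNEL_SGX),)` is false, and the build proceeds exactly as if in-kernel SGX were absent. The pattern is also unanchored, so any line that merely contains that string would trigger the error. Suggest reading the file directly with an anchored pattern, for example `grep -s "^CONFIG_INTEL_SGX=y" $(KDIR)/.config`, and deciding explicitly what should happen when the config file cannot be found. The error text says "install" although this is the `default` build target, which is worth aligning.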
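Review bot: the `1 << i` to `1ULL << i` change in sgx_calc_ssaframesize() in ubuntu/sgx/sgx_encl.c, and the identical one in sgx_dev_init() in ubuntu/sgx/sgx_main.c, is a behavioural fix that the commit message does not mention. Both loops run `for (i = 2; i < 64; i++)` and test the bit against a 64-bit mask (`u64 xfrm` is visible in the first signature), while the old constant `1` is an int, so the shift was undefined once i reached the width of int and the upper XFRM bits were never tested reliably. Since this affects how the SSA frame size and sgx_xsave_size_tbl[] are derived, please add a line to the changelog saying the update carries this fix, so that it is visible to anyone triaging the BugLink. If local divergence from the imported source is acceptable, `BIT_ULL(i)` would make the intent clearer in both places.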
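Review bot: in the second ubuntu/sgx/sgx_encl.c hunk, sgx_encl_init() now returns -EACCES instead of -EINVAL when `encl->attributes & ~encl->allowed_attributes` is non-zero, and the commit message does not call this out. Any caller or test that matches on -EINVAL for the "required attributes not authorized" case will stop seeing it after this update across all four series named in the subject. -EACCES is the more accurate code for an authorization failure, but the change in returned error should be stated in the commit message so consumers of the driver can be checked against it.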