Home
last modified time | relevance | path

Searched full:enclave (Results 1 – 25 of 61) sorted by relevance

123

/openbmc/linux/Documentation/arch/x86/
H A Dsgx.rst18 These memory regions are called enclaves. An enclave can be only entered at a
20 at a time. While the enclave is loaded from a regular binary file by using
21 ENCLS functions, only the threads inside the enclave can access its memory. The
34 Enclave Page Cache
37 SGX utilizes an *Enclave Page Cache (EPC)* to store pages that are associated
38 with an enclave. It is contained in a BIOS-reserved region of physical memory.
40 the enclave during enclave construction with special, limited SGX instructions.
42 Only a CPU executing inside an enclave can directly access enclave memory.
43 However, a CPU executing inside an enclave may access normal memory outside the
44 enclave.
[all …]
/openbmc/linux/include/uapi/linux/
H A Dnitro_enclaves.h17 * an enclave VM.
21 * enclave. Memory and vCPUs are set for the slot mapped to an enclave.
34 * * Enclave file descriptor - Enclave file descriptor used with
36 * regions, then start the enclave.
50 * NE_ADD_VCPU - The command is used to set a vCPU for an enclave. The vCPU can
54 * be associated with an enclave.
56 * then a CPU is chosen from the enclave CPU pool and returned via
58 * The ioctl can be invoked on the enclave fd, before an enclave
70 * that created the enclave.
77 * * NE_ERR_NOT_IN_INIT_STATE - The enclave is not in init state
[all …]
/openbmc/linux/Documentation/virt/
H A Dne_overview.rst16 application then runs in a separate VM than the primary VM, namely an enclave.
23 The resources that are allocated for the enclave, such as memory and CPUs, are
24 carved out of the primary VM. Each enclave is mapped to a process running in the
29 1. An enclave abstraction process - a user space process running in the primary
31 enclave VM (that's 2 below).
37 maps to an enclave start PCI command. The PCI device commands are then
42 2. The enclave itself - a VM running on the same host as the primary VM that
44 for the enclave VM. An enclave does not have persistent storage attached.
46 The memory regions carved out of the primary VM and given to an enclave need to
49 user space [2][3][7]. The memory size for an enclave needs to be at least
[all …]
/openbmc/qemu/docs/system/i386/
H A Dnitro-enclave.rst1 'nitro-enclave' virtual machine (``nitro-enclave``)
4 ``nitro-enclave`` is a machine type which emulates an *AWS nitro enclave*
8 no persistent storage and no external networking. The enclave VMs are based
12 the enclave VM gets a dynamic CID. Enclaves use an EIF (`Enclave Image Format`_)
15 In QEMU, ``nitro-enclave`` is a machine type based on ``microvm`` similar to how
21 must be run alongside nitro-enclave for the vsock communication to work.
23 ``libcbor`` and ``gnutls`` are required dependencies for nitro-enclave machine
26 .. _AWS nitro enclaves: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html
31 Using the nitro-enclave machine type
39 - nitro-enclave.vsock=string (required) (Id of the chardev from '-chardev' option that vhost-user-v…
[all …]
H A Dsgx.rst10 address space as an *enclave*, which is a protected area provides confidentiality
12 enclave memory area from any software not resident in the enclave are prevented,
72 and when enclave fails to unseal sensitive information from outside, it can
/openbmc/linux/drivers/virt/nitro_enclaves/
H A Dne_misc_dev.h20 * struct ne_mem_region - Entry in the enclave user space memory regions list.
21 * @mem_region_list_entry: Entry in the list of enclave memory regions.
36 * struct ne_enclave - Per-enclave data used for enclave lifetime management.
41 * the enclave process via the poll function.
46 * @mem_regions_list: Enclave user space memory regions list.
47 * @mem_size: Enclave memory size.
48 * @mm : Enclave process abstraction mm data struct.
49 * @nr_mem_regions: Number of memory regions associated with the enclave.
54 * @nr_vcpus: Number of vcpus associated with the enclave.
55 * @numa_node: NUMA node of the enclave memory and CPUs.
[all …]
H A Dne_misc_dev.c7 * DOC: Enclave lifetime management driver for Nitro Enclaves (NE).
43 * NE_EIF_LOAD_OFFSET - The offset where to copy the Enclave Image Format (EIF)
44 * image in enclave memory.
49 * NE_MIN_ENCLAVE_MEM_SIZE - The minimum memory size an enclave can be launched
55 * NE_MIN_MEM_REGION_SIZE - The minimum size of an enclave memory region.
107 * enclave(s). The cpumasks from the array, indexed
110 * enclave(s). The full CPU cores are part of the
140 * ne_check_enclaves_created() - Verify if at least one enclave has been created.
145 * * True if at least one enclave is created.
332 * CPUs that are given to enclave(s) should not be considered online in ne_setup_cpu_pool()
[all …]
H A Dne_pci_dev.h106 * NE_VEC_EVENT - MSI-X vector used for out-of-band events e.g. enclave crash.
113 * @ENCLAVE_START: Start an enclave, after setting its resources.
114 * @ENCLAVE_GET_SLOT: Get the slot uid of an enclave.
115 * @ENCLAVE_STOP: Terminate an enclave.
116 * @SLOT_ALLOC : Allocate a slot for an enclave.
117 * @SLOT_FREE: Free the slot allocated for an enclave
118 * @SLOT_ADD_MEM: Add a memory region to an enclave slot.
119 * @SLOT_ADD_VCPU: Add a vCPU to an enclave slot.
148 * @slot_uid: Slot unique id mapped to the enclave to start.
149 * @enclave_cid: Context ID (CID) for the enclave vsock device.
[all …]
H A Dne_pci_dev.c181 * request sent to the PCI device for enclave lifetime
210 * one enclave is changing state without client interaction.
228 * PCI device and determine for which enclave(s) the out-of-band event in ne_event_work_handler()
249 /* Notify enclave process that the enclave state changed. */ in ne_event_work_handler()
342 * This IRQ gets triggered every time any enclave's state changes. Its in ne_setup_msix()
/openbmc/linux/samples/nitro_enclaves/
H A Dne_ioctl_sample.c13 * Load the nitro_enclaves module, setting also the enclave CPU pool. The
14 * enclave CPUs need to be full cores from the same NUMA node. CPU 0 and its
16 * cannot be included in the enclave CPU pool.
44 * the enclave CPUs.
110 * NE_SLEEP_TIME - Amount of time in seconds for the process to keep the enclave alive.
115 * NE_DEFAULT_NR_VCPUS - Default number of vCPUs set for an enclave.
126 * an enclave.
131 * NE_IMAGE_LOAD_HEARTBEAT_CID - Vsock CID for enclave image loading heartbeat logic.
135 * NE_IMAGE_LOAD_HEARTBEAT_PORT - Vsock port for enclave image loading heartbeat logic.
139 * NE_IMAGE_LOAD_HEARTBEAT_VALUE - Heartbeat value for enclave image loading.
[all …]
/openbmc/linux/arch/x86/include/asm/
H A Dsgx.h72 * %SGX_INVALID_EINITTOKEN: EINITTOKEN is invalid and enclave signer's
94 * Save State Area (SSA) is a stack inside the enclave used to store processor
109 * %SGX_ATTR_INIT: Enclave can be entered (is initialized).
111 * %SGX_ATTR_MODE64BIT: Tell that this a 64-bit enclave.
117 * EINIT as an authorization to run an enclave.
150 * struct sgx_secs - SGX Enclave Control Structure (SECS)
155 * @attributes: attributes for enclave
157 * @mrenclave: SHA256-hash of the enclave contents
164 * SGX Enclave Control Structure (SECS) is a special enclave page that is not
166 * range and other global attributes for the enclave and it is the first EPC
[all …]
/openbmc/linux/arch/x86/kernel/cpu/sgx/
H A Dencl.c27 * reclaimer_writing_to_pcmd() - Query if any enclave page associated with
29 * @encl: Enclave to which PCMD page belongs
30 * @start_addr: Address of enclave page using first entry within the PCMD page
32 * When an enclave page is reclaimed some Paging Crypto MetaData (PCMD) is
33 * stored. The PCMD data of a reclaimed enclave page contains enough
35 * it is loaded back into the Enclave Page Cache (EPC).
37 * The backing storage to which enclave pages are reclaimed is laid out as
39 * Encrypted enclave pages:SECS page:PCMD pages
42 * PAGE_SIZE/sizeof(struct sgx_pcmd) enclave pages.
46 * a check if an enclave page sharing the PCMD page is in the process of being
[all …]
H A Dioctl.c137 * @encl: An enclave pointer.
140 * Allocate kernel data structures for the enclave and invoke ECREATE.
312 * the enclave will be destroyed in response to EEXTEND failure. in sgx_encl_add_page()
347 * an enclave.
370 * @encl: an enclave pointer
373 * Add one or more pages to an uninitialized enclave, and optionally extend the
391 * The function deinitializes kernel data structures for enclave and returns
394 * - Enclave Page Cache (EPC), the physical memory holding enclaves, has
502 * the mask for enforcement in sigstruct. For example an enclave could in sgx_encl_init()
579 * @encl: an enclave pointer
[all …]
H A Dencls.h139 /* Initialize an EPC page into an SGX Enclave Control Structure (SECS) page. */
145 /* Hash a 256 byte region of an enclave page to SECS:MRENCLAVE. */
152 * Associate an EPC page to an enclave either as a REG or TCS page
160 /* Finalize enclave build, initialize enclave for user code execution. */
166 /* Disassociate EPC page from its enclave and mark it as unused. */
172 /* Copy data to an EPC page belonging to a debug enclave. */
178 /* Copy data from an EPC page belonging to a debug enclave. */
197 /* Make EPC page inaccessible to enclave, ready to be written to memory. */
230 /* Zero a page of EPC memory and add it to an initialized enclave. */
H A Dmain.c192 * has reset the count for threads inside the enclave by using ETRACK, and
228 * enclave. Note, it's imperative that the cpu in sgx_encl_ewb()
230 * miss cpus that entered the enclave between in sgx_encl_ewb()
285 * reclaim them to the enclave's private shmem files. Skip the pages, which have
385 * sgx_reclaim_direct() should be called (without enclave's mutex held)
693 * the task. Hardware has already exited the SGX enclave and in arch_memory_failure()
694 * will not allow re-entry to an enclave that has a memory in arch_memory_failure()
696 * enclave is broken. in arch_memory_failure()
855 * Bare-metal driver requires to update them to hash of enclave's signer
882 * @allowed_attributes: Pointer to allowed enclave attributes
[all …]
/openbmc/linux/arch/x86/include/uapi/asm/
H A Dsgx.h88 * @offset: starting page offset (page aligned relative to enclave base
107 * @offset: starting page offset (page aligned relative to enclave base
124 * @offset: starting page offset (page aligned relative to enclave base
130 * enclave if the system supports SGX2. First, the %SGX_IOC_ENCLAVE_MODIFY_TYPES
132 * succeeds ENCLU[EACCEPT] should be run from within the enclave and then
148 * The register parameters contain the snapshot of their values at enclave
162 * @tcs: TCS used to enter the enclave
189 * a vDSO function to enter an SGX enclave.
201 * state in accordance with the x86-64 ABI is the responsibility of the enclave
203 * code without careful consideration by both the enclave and its runtime.
[all …]
/openbmc/linux/tools/testing/selftests/sgx/
H A Dmain.c31 * about an enclave page. &enum sgx_secinfo_page_state specifies the
134 * Return the offset in the enclave where the TCS segment can be found.
152 * Return the offset in the enclave where the data segment can be found.
170 FIXTURE(enclave) { in FIXTURE() argument
188 TH_LOG("Failed to load the test enclave."); in setup_test_encl()
199 * An enclave consumer only must do this. in setup_test_encl()
246 TH_LOG("Failed to initialize the test enclave."); in setup_test_encl()
253 FIXTURE_SETUP(enclave) in FIXTURE_SETUP() argument
257 FIXTURE_TEARDOWN(enclave) in FIXTURE_TEARDOWN() argument
282 TEST_F(enclave, unclobbered_vdso) in TEST_F() argument
[all …]
H A Dtest_encl_bootstrap.S44 # inside the enclave for TCS #1 and one page into the enclave for
58 push %rbx # push the enclave base address
62 pop %rbx # pop the enclave base address
H A Dload.c53 perror("enclave executable open()"); in encl_map_bin()
59 perror("enclave executable stat()"); in encl_map_bin()
65 perror("enclave executable mmap()"); in encl_map_bin()
134 * Parse the enclave code's symbol table to locate and return address of
/openbmc/openbmc/meta-arm/meta-arm-bsp/documentation/corstone1000/
H A Dsoftware-architecture.rst39 different types of systems: Secure Enclave, Host and External System.
48 The Secure Enclave System, provides PSA Root of Trust (RoT) and
51 secure flash. Software running on the Secure Enclave is isolated via
54 On system power on, the Secure Enclave boots first. Its software
57 Secure Enclave follows Firmware Framework for M class
66 The Host Subsystem is taken out of reset by the Secure Enclave system
108 the Secure Enclave starts executing BL1_1 code from the ROM which is the RoT
131 the runtime executable of the Secure Enclave which initializes itself and, at the end,
161 it also has hardware isolated Secure Enclave environment to run such secure
165 these services which are running on a Secure Enclave instead of the
[all …]
/openbmc/qemu/include/hw/i386/
H A Dnitro_enclave.h2 * AWS nitro-enclave machine
37 /* Enclave identifier */
58 #define TYPE_NITRO_ENCLAVE_MACHINE MACHINE_TYPE_NAME("nitro-enclave")
/openbmc/openbmc/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/
H A D0028-corstone1000-boot-index-from-active.patch6 In our platform, the Secure Enclave is the one who control
29 + * in our platform, the Secure Enclave is the one who control
/openbmc/linux/Documentation/firmware-guide/acpi/apei/
H A Deinj.rst190 address. But the h/w prevents any software outside of an SGX enclave
191 from accessing enclave pages (even BIOS SMM mode).
194 1) Determine physical address of enclave page
197 3) Enter the enclave
/openbmc/qemu/hw/i386/
H A Dnitro_enclave.c2 * AWS nitro-enclave machine
147 /* First 16 PCRs are locked from boot and reserved for nitro enclave */ in nitro_enclave_machine_reset()
306 mc->desc = "AWS Nitro Enclave"; in nitro_enclave_class_init()
326 "Set enclave identifier"); in nitro_enclave_class_init()
/openbmc/linux/Documentation/admin-guide/hw-vuln/
H A Dspecial-register-buffer-data-sampling.rst92 enclaves (including execution of RDRAND or RDSEED inside an enclave, as well
104 enclave on that logical processor. Opting out of the mitigation for a
108 Note that inside of an Intel SGX enclave, the mitigation is applied regardless

123