/openbmc/linux/Documentation/arch/x86/ |
sgx.rst | 18 These memory regions are called enclaves. An enclave can be only entered at a 20 at a time. While the enclave is loaded from a regular binary file by using 21 ENCLS functions, only the threads inside the enclave can access its memory. The 34 Enclave Page Cache 37 SGX utilizes an *Enclave Page Cache (EPC)* to store pages that are associated 38 with an enclave. It is contained in a BIOS-reserved region of physical memory. 40 the enclave during enclave construction with special, limited SGX instructions. 42 Only a CPU executing inside an enclave can directly access enclave memory. 43 However, a CPU executing inside an enclave may access normal memory outside the 44 enclave.
|
/openbmc/linux/include/uapi/linux/ |
nitro_enclaves.h | 17 * an enclave VM. 21 * enclave. Memory and vCPUs are set for the slot mapped to an enclave. 34 * * Enclave file descriptor - Enclave file descriptor used with 36 * regions, then start the enclave. 50 * NE_ADD_VCPU - The command is used to set a vCPU for an enclave. The vCPU can 54 * be associated with an enclave. 56 * then a CPU is chosen from the enclave CPU pool and returned via 58 * The ioctl can be invoked on the enclave fd, before an enclave 70 * that created the enclave. 77 * * NE_ERR_NOT_IN_INIT_STATE - The enclave is not in init state
|
/openbmc/linux/Documentation/virt/ |
ne_overview.rst | 16 application then runs in a separate VM than the primary VM, namely an enclave. 23 The resources that are allocated for the enclave, such as memory and CPUs, are 24 carved out of the primary VM. Each enclave is mapped to a process running in the 29 1. An enclave abstraction process - a user space process running in the primary 31 enclave VM (that's 2 below). 37 maps to an enclave start PCI command. The PCI device commands are then 42 2. The enclave itself - a VM running on the same host as the primary VM that 44 for the enclave VM. An enclave does not have persistent storage attached. 46 The memory regions carved out of the primary VM and given to an enclave need to 49 user space [2][3][7]. The memory size for an enclave needs to be at least
|
/openbmc/qemu/docs/system/i386/ |
nitro-enclave.rst | 1 'nitro-enclave' virtual machine (``nitro-enclave``) 4 ``nitro-enclave`` is a machine type which emulates an *AWS nitro enclave* 8 no persistent storage and no external networking. The enclave VMs are based 12 the enclave VM gets a dynamic CID. Enclaves use an EIF (`Enclave Image Format`_) 15 In QEMU, ``nitro-enclave`` is a machine type based on ``microvm`` similar to how 21 must be run alongside nitro-enclave for the vsock communication to work. 23 ``libcbor`` and ``gnutls`` are required dependencies for nitro-enclave machine 26 .. _AWS nitro enclaves: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html 31 Using the nitro-enclave machine type 39 - nitro-enclave.vsock=string (required) (Id of the chardev from '-chardev' option that vhost-user-v…
|
sgx.rst | 10 address space as an *enclave*, which is a protected area provides confidentiality 12 enclave memory area from any software not resident in the enclave are prevented, 72 and when enclave fails to unseal sensitive information from outside, it can
|
/openbmc/linux/drivers/virt/nitro_enclaves/ |
ne_misc_dev.h | 20 * struct ne_mem_region - Entry in the enclave user space memory regions list. 21 * @mem_region_list_entry: Entry in the list of enclave memory regions. 36 * struct ne_enclave - Per-enclave data used for enclave lifetime management. 41 * the enclave process via the poll function. 46 * @mem_regions_list: Enclave user space memory regions list. 47 * @mem_size: Enclave memory size. 48 * @mm : Enclave process abstraction mm data struct. 49 * @nr_mem_regions: Number of memory regions associated with the enclave. 54 * @nr_vcpus: Number of vcpus associated with the enclave. 55 * @numa_node: NUMA node of the enclave memory and CPUs.
|
ne_misc_dev.c | 7 * DOC: Enclave lifetime management driver for Nitro Enclaves (NE). 43 * NE_EIF_LOAD_OFFSET - The offset where to copy the Enclave Image Format (EIF) 44 * image in enclave memory. 49 * NE_MIN_ENCLAVE_MEM_SIZE - The minimum memory size an enclave can be launched 55 * NE_MIN_MEM_REGION_SIZE - The minimum size of an enclave memory region. 107 * enclave(s). The cpumasks from the array, indexed 110 * enclave(s). The full CPU cores are part of the 140 * ne_check_enclaves_created() - Verify if at least one enclave has been created. 145 * * True if at least one enclave is created. 332 * CPUs that are given to enclave(s) should not be considered online in ne_setup_cpu_pool()
|
ne_pci_dev.h | 106 * NE_VEC_EVENT - MSI-X vector used for out-of-band events e.g. enclave crash. 113 * @ENCLAVE_START: Start an enclave, after setting its resources. 114 * @ENCLAVE_GET_SLOT: Get the slot uid of an enclave. 115 * @ENCLAVE_STOP: Terminate an enclave. 116 * @SLOT_ALLOC : Allocate a slot for an enclave. 117 * @SLOT_FREE: Free the slot allocated for an enclave 118 * @SLOT_ADD_MEM: Add a memory region to an enclave slot. 119 * @SLOT_ADD_VCPU: Add a vCPU to an enclave slot. 148 * @slot_uid: Slot unique id mapped to the enclave to start. 149 * @enclave_cid: Context ID (CID) for the enclave vsock device.
|
ne_pci_dev.c | 181 * request sent to the PCI device for enclave lifetime 210 * one enclave is changing state without client interaction. 228 * PCI device and determine for which enclave(s) the out-of-band event in ne_event_work_handler() 249 /* Notify enclave process that the enclave state changed. */ in ne_event_work_handler() 342 * This IRQ gets triggered every time any enclave's state changes. Its in ne_setup_msix()
|
/openbmc/linux/samples/nitro_enclaves/ |
ne_ioctl_sample.c | 13 * Load the nitro_enclaves module, setting also the enclave CPU pool. The 14 * enclave CPUs need to be full cores from the same NUMA node. CPU 0 and its 16 * cannot be included in the enclave CPU pool. 44 * the enclave CPUs. 110 * NE_SLEEP_TIME - Amount of time in seconds for the process to keep the enclave alive. 115 * NE_DEFAULT_NR_VCPUS - Default number of vCPUs set for an enclave. 126 * an enclave. 131 * NE_IMAGE_LOAD_HEARTBEAT_CID - Vsock CID for enclave image loading heartbeat logic. 135 * NE_IMAGE_LOAD_HEARTBEAT_PORT - Vsock port for enclave image loading heartbeat logic. 139 * NE_IMAGE_LOAD_HEARTBEAT_VALUE - Heartbeat value for enclave image loading.
|
/openbmc/linux/arch/x86/include/asm/ |
sgx.h | 72 * %SGX_INVALID_EINITTOKEN: EINITTOKEN is invalid and enclave signer's 94 * Save State Area (SSA) is a stack inside the enclave used to store processor 109 * %SGX_ATTR_INIT: Enclave can be entered (is initialized). 111 * %SGX_ATTR_MODE64BIT: Tell that this a 64-bit enclave. 117 * EINIT as an authorization to run an enclave. 150 * struct sgx_secs - SGX Enclave Control Structure (SECS) 155 * @attributes: attributes for enclave 157 * @mrenclave: SHA256-hash of the enclave contents 164 * SGX Enclave Control Structure (SECS) is a special enclave page that is not 166 * range and other global attributes for the enclave and it is the first EPC
|
/openbmc/linux/arch/x86/kernel/cpu/sgx/ |
encl.c | 27 * reclaimer_writing_to_pcmd() - Query if any enclave page associated with 29 * @encl: Enclave to which PCMD page belongs 30 * @start_addr: Address of enclave page using first entry within the PCMD page 32 * When an enclave page is reclaimed some Paging Crypto MetaData (PCMD) is 33 * stored. The PCMD data of a reclaimed enclave page contains enough 35 * it is loaded back into the Enclave Page Cache (EPC). 37 * The backing storage to which enclave pages are reclaimed is laid out as 39 * Encrypted enclave pages:SECS page:PCMD pages 42 * PAGE_SIZE/sizeof(struct sgx_pcmd) enclave pages. 46 * a check if an enclave page sharing the PCMD page is in the process of being
|
ioctl.c | 137 * @encl: An enclave pointer. 140 * Allocate kernel data structures for the enclave and invoke ECREATE. 312 * the enclave will be destroyed in response to EEXTEND failure. in sgx_encl_add_page() 347 * an enclave. 370 * @encl: an enclave pointer 373 * Add one or more pages to an uninitialized enclave, and optionally extend the 391 * The function deinitializes kernel data structures for enclave and returns 394 * - Enclave Page Cache (EPC), the physical memory holding enclaves, has 502 * the mask for enforcement in sigstruct. For example an enclave could in sgx_encl_init() 579 * @encl: an enclave pointer
|
encls.h | 139 /* Initialize an EPC page into an SGX Enclave Control Structure (SECS) page. */ 145 /* Hash a 256 byte region of an enclave page to SECS:MRENCLAVE. */ 152 * Associate an EPC page to an enclave either as a REG or TCS page 160 /* Finalize enclave build, initialize enclave for user code execution. */ 166 /* Disassociate EPC page from its enclave and mark it as unused. */ 172 /* Copy data to an EPC page belonging to a debug enclave. */ 178 /* Copy data from an EPC page belonging to a debug enclave. */ 197 /* Make EPC page inaccessible to enclave, ready to be written to memory. */ 230 /* Zero a page of EPC memory and add it to an initialized enclave. */
|
main.c | 192 * has reset the count for threads inside the enclave by using ETRACK, and 228 * enclave. Note, it's imperative that the cpu in sgx_encl_ewb() 230 * miss cpus that entered the enclave between in sgx_encl_ewb() 285 * reclaim them to the enclave's private shmem files. Skip the pages, which have 385 * sgx_reclaim_direct() should be called (without enclave's mutex held) 693 * the task. Hardware has already exited the SGX enclave and in arch_memory_failure() 694 * will not allow re-entry to an enclave that has a memory in arch_memory_failure() 696 * enclave is broken. in arch_memory_failure() 855 * Bare-metal driver requires to update them to hash of enclave's signer 882 * @allowed_attributes: Pointer to allowed enclave attributes
|
/openbmc/linux/arch/x86/include/uapi/asm/ |
sgx.h | 88 * @offset: starting page offset (page aligned relative to enclave base 107 * @offset: starting page offset (page aligned relative to enclave base 124 * @offset: starting page offset (page aligned relative to enclave base 130 * enclave if the system supports SGX2. First, the %SGX_IOC_ENCLAVE_MODIFY_TYPES 132 * succeeds ENCLU[EACCEPT] should be run from within the enclave and then 148 * The register parameters contain the snapshot of their values at enclave 162 * @tcs: TCS used to enter the enclave 189 * a vDSO function to enter an SGX enclave. 201 * state in accordance with the x86-64 ABI is the responsibility of the enclave 203 * code without careful consideration by both the enclave and its runtime.
|
/openbmc/linux/tools/testing/selftests/sgx/ |
main.c | 31 * about an enclave page. &enum sgx_secinfo_page_state specifies the 134 * Return the offset in the enclave where the TCS segment can be found. 152 * Return the offset in the enclave where the data segment can be found. 170 FIXTURE(enclave) { in FIXTURE() argument 188 TH_LOG("Failed to load the test enclave."); in setup_test_encl() 199 * An enclave consumer only must do this. in setup_test_encl() 246 TH_LOG("Failed to initialize the test enclave."); in setup_test_encl() 253 FIXTURE_SETUP(enclave) in FIXTURE_SETUP() argument 257 FIXTURE_TEARDOWN(enclave) in FIXTURE_TEARDOWN() argument 282 TEST_F(enclave, unclobbered_vdso) in TEST_F() argument
|
test_encl_bootstrap.S | 44 # inside the enclave for TCS #1 and one page into the enclave for 58 push %rbx # push the enclave base address 62 pop %rbx # pop the enclave base address
|
load.c | 53 perror("enclave executable open()"); in encl_map_bin() 59 perror("enclave executable stat()"); in encl_map_bin() 65 perror("enclave executable mmap()"); in encl_map_bin() 134 * Parse the enclave code's symbol table to locate and return address of
|
/openbmc/openbmc/meta-arm/meta-arm-bsp/documentation/corstone1000/ |
software-architecture.rst | 39 different types of systems: Secure Enclave, Host and External System. 48 The Secure Enclave System, provides PSA Root of Trust (RoT) and 51 secure flash. Software running on the Secure Enclave is isolated via 54 On system power on, the Secure Enclave boots first. Its software 57 Secure Enclave follows Firmware Framework for M class 66 The Host Subsystem is taken out of reset by the Secure Enclave system 108 the Secure Enclave starts executing BL1_1 code from the ROM which is the RoT 131 the runtime executable of the Secure Enclave which initializes itself and, at the end, 161 it also has hardware isolated Secure Enclave environment to run such secure 165 these services which are running on a Secure Enclave instead of the
|
/openbmc/qemu/include/hw/i386/ |
nitro_enclave.h | 2 * AWS nitro-enclave machine 37 /* Enclave identifier */ 58 #define TYPE_NITRO_ENCLAVE_MACHINE MACHINE_TYPE_NAME("nitro-enclave")
|
/openbmc/openbmc/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/ |
0028-corstone1000-boot-index-from-active.patch | 6 In our platform, the Secure Enclave is the one who control 29 + * in our platform, the Secure Enclave is the one who control
|
/openbmc/linux/Documentation/firmware-guide/acpi/apei/ |
einj.rst | 190 address. But the h/w prevents any software outside of an SGX enclave 191 from accessing enclave pages (even BIOS SMM mode). 194 1) Determine physical address of enclave page 197 3) Enter the enclave
|
/openbmc/qemu/hw/i386/ |
nitro_enclave.c | 2 * AWS nitro-enclave machine 147 /* First 16 PCRs are locked from boot and reserved for nitro enclave */ in nitro_enclave_machine_reset() 306 mc->desc = "AWS Nitro Enclave"; in nitro_enclave_class_init() 326 "Set enclave identifier"); in nitro_enclave_class_init()
|
/openbmc/linux/Documentation/admin-guide/hw-vuln/ |
special-register-buffer-data-sampling.rst | 92 enclaves (including execution of RDRAND or RDSEED inside an enclave, as well 104 enclave on that logical processor. Opting out of the mitigation for a 108 Note that inside of an Intel SGX enclave, the mitigation is applied regardless
|