On Thu, Mar 05, 2020 at 11:32:10PM -0600, Dr. Greg wrote:
On Wed, Mar 04, 2020 at 01:36:01AM +0200, Jarkko Sakkinen wrote:
Good evening, I hope the end of the week is going well for everyone.
Add a selftest for SGX. It is a trivial test where a simple enclave copies one 64-bit word of memory between two memory locations given to the enclave as arguments. Use ENCLS[EENTER] to invoke the enclave.
Just as a clarification, are you testing the new driver against signed production class enclaves in .so format that also include metadata layout directives or is the driver just getting tested against the two page toy enclave that copies a word of memory from one memory location to another?
That is the kind of role kselftests to smoke stuff. Obviously it will be refined over time but to do a "hello world" from scratch as an enclave was already quite a big effort.
Our PSW/runtime is currently failing to initialize production class enclaves secondary to a return value of -4 from the ENCLU[EINIT] instruction, which means the measurement of the loaded enclave has failed to match the value in the signature structure.
The same enclave loads fine with the out of kernel driver. Our diagnostics tell us we are feeding identical page streams and permissions to the page add ioctl's of both drivers. The identity modulus signature of the signing key for the enclave is being written to the launch control registers.
We see the same behavior from both our unit test enclaves and the Quoting Enclave from the Intel SGX runtime.
When we ported our runtime loader to the new driver ABI we kept things simple and add only a single page at a time in order to replicate the behavior of the old driver.
Secondly, we were wondering what distribution you are building the self-tests with? Initial indications are that the selftest signing utility doesn't build properly with OpenSSL 1.1.1.
I don't use a distribution. I just build user space with BuildRoot when I test a kernel.
Do you have a build log available to look at?
/Jarkko