Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rely on /dev/sgx_{enclave,provision} instead of /dev/sgx/{enclave,provision} #772

Closed
veehaitch opened this issue Jan 10, 2022 · 2 comments
Closed

Rely on /dev/sgx_{enclave,provision} instead of /dev/sgx/{enclave,provision} #772

veehaitch opened this issue Jan 10, 2022 · 2 comments

Comments

@veehaitch
Copy link
Contributor

veehaitch commented Jan 10, 2022
edited
Loading

The in-tree Linux kernel SGX driver creates the enclave device at /dev/sgx_enclave and the provisioning device at /dev/sgx_provision. In contrast, the out-of-tree DCAP driver used to create those devices nested below an sgx subdirectory, i.e., /dev/sgx/enclave and /dev/sgx/provision.

For backward compatibility, linux-sgx today ships udev rules to create symlinks from /dev/sgx/enclave to /dev/sgx_enclave and /dev/sgx/provision to /dev/sgx_provision. This seems reasonable; however, most—if not all—of the linux-sgx code still seems to reference the enclave and provision devices below /dev/sgx/:

linux-sgx/psw/urts/linux/edmm_utility.cpp

Line 102 in 2ee53db

int hdev = open("/dev/sgx/enclave", O_RDWR); //attempt to open the in-kernel driver

linux-sgx/psw/urts/linux/edmm_utility.cpp

Line 152 in 2ee53db

*hdevice = open("/dev/sgx/enclave", O_RDWR); //attempt to open the in-kernel driver

linux-sgx/psw/enclave_common/sgx_enclave_common.cpp

Lines 472 to 474 in 2ee53db

if (s_driver_type == SGX_DRIVER_IN_KERNEL)
{
hdev_prov = open("/dev/sgx/provision", O_RDWR);

The comments suggest that the in-tree Linux driver creates the devices within /dev/sgx/ which is clearly not the case.

The current behavior causes all SGX applications to fail if the executing host uses the in-tree driver without a symbolic link /dev/sgx/enclave -> ../sgx_enclave.

This is very relevant as systemd decided to not provide a symlink: systemd/systemd#18944 (comment). Also, NixOS does not install any of the udev rules provided in this repository (too permissive). As far as I can tell, the SDK/PSW routines should try opening /dev/sgx_{enclave,provision} instead of /dev/sgx/{enclave,provision}*. At least, they should also try the actual path of the SGX kernel devices, i.e., /dev/sgx_enclave and /dev/sgx_provision.
@veehaitch veehaitch mentioned this issue Jan 10, 2022
Merged
13 tasks
@lzha101
Copy link
Contributor

lzha101 commented Jan 11, 2022

Thanks for reporting this issue. We have already updated the related modules to fix this in the internal repo some time ago. It will be included in the next release. Please stay tuned.

@veehaitch veehaitch mentioned this issue Jan 11, 2022
Merged
13 tasks
@jbern0rd jbern0rd mentioned this issue Aug 4, 2022
Merged
@shamsasari shamsasari mentioned this issue Sep 6, 2022
Merged
@mythi mythi mentioned this issue Oct 5, 2022
Open
@haitaohuang
Copy link
Contributor

this should already be resolved with new behavior that supports /dev/sgx_x nodes directly. symlink is optional and for backward compatibility only

@mythi mythi mentioned this issue Sep 7, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@haitaohuang @veehaitch @lzha101