topic EINIT without a token is possible? in Intel® Software Guard Extensions (Intel® SGX)

EINIT without a token is possible?

Jason-Liang — Wed, 31 Jul 2024 07:45:16 GMT

As title shown, according EINIT document here
https://www.felixcloutier.com/x86/einit
The token field is mandatory and will fail the check if input token is empty.

However we've tried to call `EINIT` with empty token (actually we are calling `

sgx_encl_init` inside `arch/x86/kernel/cpu/sgx/ioctl.c` with empty token, and it actually succeed, so we have following questions

1. Is this an expected behavior? that `EINIT` can success with an empty token?

2. Can we find the source code of EINIT anywhere? We only find this one (https://insujang.github.io/2017-04-05/intel-sgx-instructions-in-enclave-initialization/), but seems that this should be migrated into linux kernel already, and I cannot find the source code about `EINIT` in linux kernel

here is my kernel version

6.5.0-1024-azure

Thanks!

Re: EINIT without a token is possible?

Scott_R_Intel — Wed, 31 Jul 2024 13:33:40 GMT

Hi Jason.

In the operation flow, see step 5... If the token is not valid (null), the instruction just checks that the MRSIGNER of the enclave being launched matches what's in the IA32_SGX_LEPUBKEYHASH MSRs. Those MSRs are used to allow what is called Flexible Launch Control (FLC), allowing any enclave to launch without a token. EINIT tokens are really only ever used on legacy hardware without the FLC feature and using the old, now unsupported out of tree driver here. The upstreamed Linux SGX kernel driver simply writes the MRSIGNER of any enclave wanting to load into the IA32_SGX_LEPUBKEYHASH MSRs as shown here, thereby allowing any enclave to load without an EINT Token.

Regards.

Re: EINIT without a token is possible?

Jason-Liang — Mon, 12 Aug 2024 03:39:19 GMT

Hi Scott
Thanks for the reply!
I've got another question related to this FLC
So from your response, FLC hardware support means that there are some MSRs that can store the hash of enclave's signer pubkey. And latest SGX in-kernel driver will always try to set correct value to MSRs before launching an enclave

I have following questions

1. Then why DCAP requires FLC support? Is it just because the in-kernel DCAP driver will always try to set correct value to MSRs? Not actually due to any verification mechanism inside DCAP?
2. Then if FLC is disabled, it means that we cannot use in-kernel SGX support?

Thanks!

Re: EINIT without a token is possible?

Scott_R_Intel — Mon, 12 Aug 2024 13:09:24 GMT

Hello again Jason.

Answers below:

Basically, yes. The requirement to allow any enclave to load via FLC without using Intel's Launch Policy List was a requirement of the Linux kernel community. And yes, because the in-kernel driver always tries to set these MSRs, you are required to have the FLC feature or the driver will fail to load.
That is correct. FLC is a requirement to load the upstreamed in-kernel driver.

Regards.

Scott

Re: EINIT without a token is possible?

Jason-Liang — Mon, 12 Aug 2024 14:31:13 GMT

Hi Scott,

Thanks for the answer, no more question from my side
Thanks!