Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

EINIT without a token is possible?

Jason-Liang
Novice
453 Views

As title shown, according EINIT document here
https://www.felixcloutier.com/x86/einit
The token field is mandatory and will fail the check if input token is empty.

However we've tried to call `EINIT` with empty token (actually we are calling `

sgx_encl_init` inside `arch/x86/kernel/cpu/sgx/ioctl.c` with empty token, and it actually succeed, so we have following questions
 
1. Is this an expected behavior? that `EINIT` can success with an empty token?
2. Can we find the source code of EINIT anywhere? We only find this one (https://insujang.github.io/2017-04-05/intel-sgx-instructions-in-enclave-initialization/), but seems that this should be migrated into linux kernel already, and I cannot find the source code about `EINIT` in linux kernel
 
here is my kernel version 

6.5.0-1024-azure

 
Thanks!
0 Kudos
4 Replies
Scott_R_Intel
Employee
409 Views

Hi Jason.

 

In the operation flow, see step 5... If the token is not valid (null), the instruction just checks that the MRSIGNER of the enclave being launched matches what's in the IA32_SGX_LEPUBKEYHASH MSRs. Those MSRs are used to allow what is called Flexible Launch Control (FLC), allowing any enclave to launch without a token. EINIT tokens are really only ever used on legacy hardware without the FLC feature and using the old, now unsupported out of tree driver here. The upstreamed Linux SGX kernel driver simply writes the MRSIGNER of any enclave wanting to load into the IA32_SGX_LEPUBKEYHASH MSRs as shown here, thereby allowing any enclave to load without an EINT Token.

 

Regards.

Jason-Liang
Novice
265 Views

Hi Scott
    Thanks for the reply!
I've got another question related to this FLC
So from your response, FLC hardware support means that there are some MSRs that can store the hash of enclave's signer pubkey. And latest SGX in-kernel driver will always try to set correct value to MSRs before launching an enclave

I have following questions

1. Then why DCAP requires FLC support? Is it just because the in-kernel DCAP driver will always try to set correct value to MSRs? Not actually due to any verification mechanism inside DCAP?
2. Then if FLC is disabled, it means that we cannot use in-kernel SGX support?

Thanks!

0 Kudos
Scott_R_Intel
Employee
242 Views

Hello again Jason.

Answers below:

  1. Basically, yes.  The requirement to allow any enclave to load via FLC without using Intel's Launch Policy List was a requirement of the Linux kernel community.  And yes, because the in-kernel driver always tries to set these MSRs, you are required to have the FLC feature or the driver will fail to load.
  2. That is correct.  FLC is a requirement to load the upstreamed in-kernel driver.

Regards.

Scott

Jason-Liang
Novice
233 Views

Hi Scott,

    Thanks for the answer, no more question from my side
Thanks!

0 Kudos
Reply