Re: [PATCH v25 21/21] docs: x86/sgx: Document SGX micro architecture and kernel internals

[Jarkko Sakkinen]

On Wed, Feb 05, 2020 at 09:54:31AM -0800, Randy Dunlap wrote:
> Hi,
> I have some Documentation edits. Please see inline below...
>
> or just: ``grep sgx /proc/cpuinfo

Makes sense.

> > +key set into MSRs, which would then generate launch tokens for other enclaves.
> > +This would only make sense with read-only MSRs, and thus the option has been
> > +discluded.
> 
> I can't find "discluded" in a dictionary.

Should be "discarded".

> "MAC" can mean a lots of different things.  Which one is this?

Message authentication code. I open

I rewrote the whole local attestation section:

"In local attestation an enclave creates a **REPORT** data structure
with **ENCLS[EREPORT]**, which describes the origin of an enclave. In
particular, it contains a AES-CMAC of the enclave contents signed with a
report key unique to each processor. All enclaves have access to this
key.

This mechanism can also be used in addition as a communication channel
as the **REPORT** data structure includes a 64-byte field for variable
information."

> > +* ECDSA based scheme, which 3rd party to act as an attestation service.
> 
>                          which uses a 3rd party
> or
>                          using a 3rd party

It should be "allows a 3rd party".

> > +Intel provides an open source *quoting enclave (QE)* and *provisioning
> > +certification enclave (PCE)* for the ECDSA based scheme. The latter acts as
> > +the CA for the local QE's. Intel also a precompiled binary version of the PCE
> 
>                                     also provides [??]

I rewrote it as:

"Intel provides a proprietary binary version of the PCE. This is a
necessity when the software needs to prove to be running inside a legit
enclave on real hardware."

Thank you for the comments.

/Jarkko