Re: [PATCH v1 01/15] nitro_enclaves: Add ioctl interface definition

From: Randy Dunlap
Date: Tue Apr 21 2020 - 14:48:01 EST


Hi--

On 4/21/20 11:41 AM, Andra Paraschiv wrote:
> The Nitro Enclaves driver handles the enclave lifetime management. This
> includes enclave creation, termination and setting up its resources such
> as memory and CPU.
>
> An enclave runs alongside the VM that spawned it. It is abstracted as a
> process running in the VM that launched it. The process interacts with
> the NE driver, which exposes an ioctl interface for creating an enclave
> and setting up its resources.
>
> Include the KVM API as part of the provided ioctl interface, with an
> additional ENCLAVE_START ioctl command that triggers the enclave run.
>
> Signed-off-by: Alexandru Vasile <lexnv@xxxxxxxxxx>
> Signed-off-by: Andra Paraschiv <andraprs@xxxxxxxxxx>
> ---
> include/linux/nitro_enclaves.h | 23 +++++++++++++
> include/uapi/linux/nitro_enclaves.h | 52 +++++++++++++++++++++++++++++
> 2 files changed, 75 insertions(+)
> create mode 100644 include/linux/nitro_enclaves.h
> create mode 100644 include/uapi/linux/nitro_enclaves.h
>

> diff --git a/include/uapi/linux/nitro_enclaves.h b/include/uapi/linux/nitro_enclaves.h
> new file mode 100644
> index 000000000000..b90dfcf6253a
> --- /dev/null
> +++ b/include/uapi/linux/nitro_enclaves.h
> @@ -0,0 +1,52 @@
> +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> +/*
> + * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms and conditions of the GNU General Public License,
> + * version 2, as published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, see <http://www.gnu.org/licenses/>.
> + */
> +
> +#ifndef _UAPI_LINUX_NITRO_ENCLAVES_H_
> +#define _UAPI_LINUX_NITRO_ENCLAVES_H_
> +
> +#include <linux/kvm.h>
> +#include <linux/types.h>
> +
> +/* Nitro Enclaves (NE) Kernel Driver Interface */
> +
> +/**
> + * The command is used to trigger enclave start after the enclave resources,
> + * such as memory and CPU, have been set.
> + *
> + * The enclave start metadata is an in / out data structure. It includes
> + * provided info by the caller - enclave cid and flags - and returns the
> + * slot uid and the cid (if input cid is 0).
> + */
> +#define NE_ENCLAVE_START _IOWR('B', 0x1, struct enclave_start_metadata)

Please document ioctl major ('B' in this case) and range used in
Documentation/userspace-api/ioctl/ioctl-number.rst.

> +
> +/* Setup metadata necessary for enclave start. */
> +struct enclave_start_metadata {
> + /* Flags for the enclave to start with (e.g. debug mode) (in). */
> + __u64 flags;
> +
> + /**
> + * Context ID (CID) for the enclave vsock device. If 0 as input, the
> + * CID is autogenerated by the hypervisor and returned back as output
> + * by the driver (in/out).
> + */
> + __u64 enclave_cid;
> +
> + /* Slot unique id mapped to the enclave to start (out). */
> + __u64 slot_uid;
> +};
> +
> +#endif /* _UAPI_LINUX_NITRO_ENCLAVES_H_ */
>
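Review bot: The `flags` field of `struct enclave_start_metadata` has no defined flag bits in this header even though its comment names "debug mode" as an example; please add the valid bit definitions (e.g. an `NE_ENCLAVE_*` mask) alongside the structure so the driver can reject unknown bits in the ioctl handler rather than silently accepting arbitrary user-supplied values, and document that behaviour in the comment. Two smaller points in the same hunk: the structure name lacks the `ne_` prefix used by `NE_ENCLAVE_START`, and as a uapi type it lands in every user's global namespace, so `struct ne_enclave_start_metadata` would be safer; and the `/**` comment openers are not kernel-doc formatted (no `struct ... -` summary line), so they should be plain `/*` or converted to proper kernel-doc.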

thanks.
--
~Randy