KVM: x86: Add capability to grant VM access to privileged SGX attribute

mirror of https://github.com/raspberrypi/linux.git synced 2025-12-23 10:12:24 +00:00

Add a capability, KVM_CAP_SGX_ATTRIBUTE, that can be used by userspace
to grant a VM access to a priveleged attribute, with args[0] holding a
file handle to a valid SGX attribute file.

The SGX subsystem restricts access to a subset of enclave attributes to
provide additional security for an uncompromised kernel, e.g. to prevent
malware from using the PROVISIONKEY to ensure its nodes are running
inside a geniune SGX enclave and/or to obtain a stable fingerprint.

To prevent userspace from circumventing such restrictions by running an
enclave in a VM, KVM restricts guest access to privileged attributes by
default.

Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Kai Huang <kai.huang@intel.com>
Message-Id: <0b099d65e933e068e3ea934b0523bab070cb8cea.1618196135.git.kai.huang@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

This commit is contained in:

Sean Christopherson

2021-04-12 16:21:43 +12:00

committed by

Paolo Bonzini

parent 72add915fb

commit fe7e948837

4 changed files with 46 additions and 1 deletions

									
										1

include/uapi/linux/kvm.h
									
												View File
												
				@@ -1079,6 +1079,7 @@ struct kvm_ppc_resize_hpt {

				#define KVM_CAP_X86_BUS_LOCK_EXIT 193

				#define KVM_CAP_PPC_DAWR1 194

				#define KVM_CAP_SET_GUEST_DEBUG2 195

				#define KVM_CAP_SGX_ATTRIBUTE 196

				#ifdef KVM_CAP_IRQ_ROUTING

KVM: x86: Add capability to grant VM access to privileged SGX attribute

1 include/uapi/linux/kvm.h Unescape Escape View File

1

include/uapi/linux/kvm.h

View File