sgx.c File Reference

#include <asm/sgx.h>
#include "cpuid.h"
#include "kvm_cache_regs.h"
#include "nested.h"
#include "sgx.h"
#include "vmx.h"
#include "x86.h"

Include dependency graph for sgx.c:

Go to the source code of this file.

Macros
#define	pr_fmt(fmt)   KBUILD_MODNAME ": " fmt

Functions
	module_param_named (sgx, enable_sgx, bool, 0444)
static int	sgx_get_encls_gva (struct kvm_vcpu *vcpu, unsigned long offset, int size, int alignment, gva_t *gva)
static void	sgx_handle_emulation_failure (struct kvm_vcpu *vcpu, u64 addr, unsigned int size)
static int	sgx_read_hva (struct kvm_vcpu *vcpu, unsigned long hva, void *data, unsigned int size)
static int	sgx_gva_to_gpa (struct kvm_vcpu *vcpu, gva_t gva, bool write, gpa_t *gpa)
static int	sgx_gpa_to_hva (struct kvm_vcpu *vcpu, gpa_t gpa, unsigned long *hva)
static int	sgx_inject_fault (struct kvm_vcpu *vcpu, gva_t gva, int trapnr)
static int	__handle_encls_ecreate (struct kvm_vcpu *vcpu, struct sgx_pageinfo *pageinfo, unsigned long secs_hva, gva_t secs_gva)
static int	handle_encls_ecreate (struct kvm_vcpu *vcpu)
static int	handle_encls_einit (struct kvm_vcpu *vcpu)
static bool	encls_leaf_enabled_in_guest (struct kvm_vcpu *vcpu, u32 leaf)
static bool	sgx_enabled_in_guest_bios (struct kvm_vcpu *vcpu)
int	handle_encls (struct kvm_vcpu *vcpu)
void	setup_default_sgx_lepubkeyhash (void)
void	vcpu_setup_sgx_lepubkeyhash (struct kvm_vcpu *vcpu)
static bool	sgx_intercept_encls_ecreate (struct kvm_vcpu *vcpu)
void	vmx_write_encls_bitmap (struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)

Variables
bool __read_mostly	enable_sgx = 1
static u64 sgx_pubkey_hash[4]	__ro_after_init

Macro Definition Documentation

pr_fmt

#define pr_fmt

(

fmt

)

KBUILD_MODNAME ": " fmt

Definition at line 3 of file sgx.c.

Function Documentation

__handle_encls_ecreate()

static int __handle_encls_ecreate ( struct kvm_vcpu *  vcpu, struct sgx_pageinfo *  pageinfo, unsigned long  secs_hva, gva_t  secs_gva  )

static

Definition at line 141 of file sgx.c.

{
    struct sgx_secs *contents = (struct sgx_secs *)pageinfo->contents;
    struct kvm_cpuid_entry2 *sgx_12_0, *sgx_12_1;
    u64 attributes, xfrm, size;
    u32 miscselect;
    u8 max_size_log2;
    int trapnr, ret;
 
    sgx_12_0 = kvm_find_cpuid_entry_index(vcpu, 0x12, 0);
    sgx_12_1 = kvm_find_cpuid_entry_index(vcpu, 0x12, 1);
    if (!sgx_12_0 || !sgx_12_1) {
        kvm_prepare_emulation_failure_exit(vcpu);
        return 0;
    }
 
    miscselect = contents->miscselect;
    attributes = contents->attributes;
    xfrm = contents->xfrm;
    size = contents->size;
 
    /* Enforce restriction of access to the PROVISIONKEY. */
    if (!vcpu->kvm->arch.sgx_provisioning_allowed &&
        (attributes & SGX_ATTR_PROVISIONKEY)) {
        if (sgx_12_1->eax & SGX_ATTR_PROVISIONKEY)
            pr_warn_once("SGX PROVISIONKEY advertised but not allowed\n");
        kvm_inject_gp(vcpu, 0);
        return 1;
    }
 
    /*
     * Enforce CPUID restrictions on MISCSELECT, ATTRIBUTES and XFRM.  Note
     * that the allowed XFRM (XFeature Request Mask) isn't strictly bound
     * by the supported XCR0.  FP+SSE *must* be set in XFRM, even if XSAVE
     * is unsupported, i.e. even if XCR0 itself is completely unsupported.
     */
    if ((u32)miscselect & ~sgx_12_0->ebx ||
        (u32)attributes & ~sgx_12_1->eax ||
        (u32)(attributes >> 32) & ~sgx_12_1->ebx ||
        (u32)xfrm & ~sgx_12_1->ecx ||
        (u32)(xfrm >> 32) & ~sgx_12_1->edx ||
        xfrm & ~(vcpu->arch.guest_supported_xcr0 | XFEATURE_MASK_FPSSE) ||
        (xfrm & XFEATURE_MASK_FPSSE) != XFEATURE_MASK_FPSSE) {
        kvm_inject_gp(vcpu, 0);
        return 1;
    }
 
    /* Enforce CPUID restriction on max enclave size. */
    max_size_log2 = (attributes & SGX_ATTR_MODE64BIT) ? sgx_12_0->edx >> 8 :
                                sgx_12_0->edx;
    if (size >= BIT_ULL(max_size_log2)) {
        kvm_inject_gp(vcpu, 0);
        return 1;
    }
 
    /*
     * sgx_virt_ecreate() returns:
     *  1) 0:   ECREATE was successful
     *  2) -EFAULT: ECREATE was run but faulted, and trapnr was set to the
     *      exception number.
     *  3) -EINVAL: access_ok() on @secs_hva failed. This should never
     *      happen as KVM checks host addresses at memslot creation.
     *      sgx_virt_ecreate() has already warned in this case.
     */
    ret = sgx_virt_ecreate(pageinfo, (void __user *)secs_hva, &trapnr);
    if (!ret)
        return kvm_skip_emulated_instruction(vcpu);
    if (ret == -EFAULT)
        return sgx_inject_fault(vcpu, secs_gva, trapnr);
 
    return ret;
}

Here is the call graph for this function:

Here is the caller graph for this function:

encls_leaf_enabled_in_guest()

static bool encls_leaf_enabled_in_guest ( struct kvm_vcpu *  vcpu, u32  leaf  )

inlinestatic

Definition at line 359 of file sgx.c.

{
    /*
     * ENCLS generates a #UD if SGX1 isn't supported, i.e. this point will
     * be reached if and only if the SGX1 leafs are enabled.
     */
    if (leaf >= ECREATE && leaf <= ETRACK)
        return true;
 
    if (leaf >= EAUG && leaf <= EMODT)
        return guest_cpuid_has(vcpu, X86_FEATURE_SGX2);
 
    return false;
}

Here is the call graph for this function:

Here is the caller graph for this function:

handle_encls()

int handle_encls

(

struct kvm_vcpu *

vcpu

)

Definition at line 381 of file sgx.c.

{
    u32 leaf = (u32)kvm_rax_read(vcpu);
 
    if (!enable_sgx || !guest_cpuid_has(vcpu, X86_FEATURE_SGX) ||
        !guest_cpuid_has(vcpu, X86_FEATURE_SGX1)) {
        kvm_queue_exception(vcpu, UD_VECTOR);
    } else if (!encls_leaf_enabled_in_guest(vcpu, leaf) ||
           !sgx_enabled_in_guest_bios(vcpu) || !is_paging(vcpu)) {
        kvm_inject_gp(vcpu, 0);
    } else {
        if (leaf == ECREATE)
            return handle_encls_ecreate(vcpu);
        if (leaf == EINIT)
            return handle_encls_einit(vcpu);
        WARN_ONCE(1, "unexpected exit on ENCLS[%u]", leaf);
        vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
        vcpu->run->hw.hardware_exit_reason = EXIT_REASON_ENCLS;
        return 0;
    }
    return 1;
}

Here is the call graph for this function:

handle_encls_ecreate()

static int handle_encls_ecreate ( struct kvm_vcpu *  vcpu )

static

Definition at line 217 of file sgx.c.

{
    gva_t pageinfo_gva, secs_gva;
    gva_t metadata_gva, contents_gva;
    gpa_t metadata_gpa, contents_gpa, secs_gpa;
    unsigned long metadata_hva, contents_hva, secs_hva;
    struct sgx_pageinfo pageinfo;
    struct sgx_secs *contents;
    struct x86_exception ex;
    int r;
 
    if (sgx_get_encls_gva(vcpu, kvm_rbx_read(vcpu), 32, 32, &pageinfo_gva) ||
        sgx_get_encls_gva(vcpu, kvm_rcx_read(vcpu), 4096, 4096, &secs_gva))
        return 1;
 
    /*
     * Copy the PAGEINFO to local memory, its pointers need to be
     * translated, i.e. we need to do a deep copy/translate.
     */
    r = kvm_read_guest_virt(vcpu, pageinfo_gva, &pageinfo,
                sizeof(pageinfo), &ex);
    if (r == X86EMUL_PROPAGATE_FAULT) {
        kvm_inject_emulated_page_fault(vcpu, &ex);
        return 1;
    } else if (r != X86EMUL_CONTINUE) {
        sgx_handle_emulation_failure(vcpu, pageinfo_gva,
                         sizeof(pageinfo));
        return 0;
    }
 
    if (sgx_get_encls_gva(vcpu, pageinfo.metadata, 64, 64, &metadata_gva) ||
        sgx_get_encls_gva(vcpu, pageinfo.contents, 4096, 4096,
                  &contents_gva))
        return 1;
 
    /*
     * Translate the SECINFO, SOURCE and SECS pointers from GVA to GPA.
     * Resume the guest on failure to inject a #PF.
     */
    if (sgx_gva_to_gpa(vcpu, metadata_gva, false, &metadata_gpa) ||
        sgx_gva_to_gpa(vcpu, contents_gva, false, &contents_gpa) ||
        sgx_gva_to_gpa(vcpu, secs_gva, true, &secs_gpa))
        return 1;
 
    /*
     * ...and then to HVA.  The order of accesses isn't architectural, i.e.
     * KVM doesn't have to fully process one address at a time.  Exit to
     * userspace if a GPA is invalid.
     */
    if (sgx_gpa_to_hva(vcpu, metadata_gpa, &metadata_hva) ||
        sgx_gpa_to_hva(vcpu, contents_gpa, &contents_hva) ||
        sgx_gpa_to_hva(vcpu, secs_gpa, &secs_hva))
        return 0;
 
    /*
     * Copy contents into kernel memory to prevent TOCTOU attack. E.g. the
     * guest could do ECREATE w/ SECS.SGX_ATTR_PROVISIONKEY=0, and
     * simultaneously set SGX_ATTR_PROVISIONKEY to bypass the check to
     * enforce restriction of access to the PROVISIONKEY.
     */
    contents = (struct sgx_secs *)__get_free_page(GFP_KERNEL_ACCOUNT);
    if (!contents)
        return -ENOMEM;
 
    /* Exit to userspace if copying from a host userspace address fails. */
    if (sgx_read_hva(vcpu, contents_hva, (void *)contents, PAGE_SIZE)) {
        free_page((unsigned long)contents);
        return 0;
    }
 
    pageinfo.metadata = metadata_hva;
    pageinfo.contents = (u64)contents;
 
    r = __handle_encls_ecreate(vcpu, &pageinfo, secs_hva, secs_gva);
 
    free_page((unsigned long)contents);
 
    return r;
}

Here is the call graph for this function:

Here is the caller graph for this function:

handle_encls_einit()

static int handle_encls_einit ( struct kvm_vcpu *  vcpu )

static

Definition at line 297 of file sgx.c.

{
    unsigned long sig_hva, secs_hva, token_hva, rflags;
    struct vcpu_vmx *vmx = to_vmx(vcpu);
    gva_t sig_gva, secs_gva, token_gva;
    gpa_t sig_gpa, secs_gpa, token_gpa;
    int ret, trapnr;
 
    if (sgx_get_encls_gva(vcpu, kvm_rbx_read(vcpu), 1808, 4096, &sig_gva) ||
        sgx_get_encls_gva(vcpu, kvm_rcx_read(vcpu), 4096, 4096, &secs_gva) ||
        sgx_get_encls_gva(vcpu, kvm_rdx_read(vcpu), 304, 512, &token_gva))
        return 1;
 
    /*
     * Translate the SIGSTRUCT, SECS and TOKEN pointers from GVA to GPA.
     * Resume the guest on failure to inject a #PF.
     */
    if (sgx_gva_to_gpa(vcpu, sig_gva, false, &sig_gpa) ||
        sgx_gva_to_gpa(vcpu, secs_gva, true, &secs_gpa) ||
        sgx_gva_to_gpa(vcpu, token_gva, false, &token_gpa))
        return 1;
 
    /*
     * ...and then to HVA.  The order of accesses isn't architectural, i.e.
     * KVM doesn't have to fully process one address at a time.  Exit to
     * userspace if a GPA is invalid.  Note, all structures are aligned and
     * cannot split pages.
     */
    if (sgx_gpa_to_hva(vcpu, sig_gpa, &sig_hva) ||
        sgx_gpa_to_hva(vcpu, secs_gpa, &secs_hva) ||
        sgx_gpa_to_hva(vcpu, token_gpa, &token_hva))
        return 0;
 
    ret = sgx_virt_einit((void __user *)sig_hva, (void __user *)token_hva,
                 (void __user *)secs_hva,
                 vmx->msr_ia32_sgxlepubkeyhash, &trapnr);
 
    if (ret == -EFAULT)
        return sgx_inject_fault(vcpu, secs_gva, trapnr);
 
    /*
     * sgx_virt_einit() returns -EINVAL when access_ok() fails on @sig_hva,
     * @token_hva or @secs_hva. This should never happen as KVM checks host
     * addresses at memslot creation. sgx_virt_einit() has already warned
     * in this case, so just return.
     */
    if (ret < 0)
        return ret;
 
    rflags = vmx_get_rflags(vcpu) & ~(X86_EFLAGS_CF | X86_EFLAGS_PF |
                      X86_EFLAGS_AF | X86_EFLAGS_SF |
                      X86_EFLAGS_OF);
    if (ret)
        rflags |= X86_EFLAGS_ZF;
    else
        rflags &= ~X86_EFLAGS_ZF;
    vmx_set_rflags(vcpu, rflags);
 
    kvm_rax_write(vcpu, ret);
    return kvm_skip_emulated_instruction(vcpu);
}

Here is the call graph for this function:

Here is the caller graph for this function:

module_param_named()

module_param_named	(	sgx	,
		enable_sgx	,
		bool	,
		0444
	)

setup_default_sgx_lepubkeyhash()

void setup_default_sgx_lepubkeyhash

(

void

)

Definition at line 404 of file sgx.c.

{
    /*
     * Use Intel's default value for Skylake hardware if Launch Control is
     * not supported, i.e. Intel's hash is hardcoded into silicon, or if
     * Launch Control is supported and enabled, i.e. mimic the reset value
     * and let the guest write the MSRs at will.  If Launch Control is
     * supported but disabled, then use the current MSR values as the hash
     * MSRs exist but are read-only (locked and not writable).
     */
    if (!enable_sgx || boot_cpu_has(X86_FEATURE_SGX_LC) ||
        rdmsrl_safe(MSR_IA32_SGXLEPUBKEYHASH0, &sgx_pubkey_hash[0])) {
        sgx_pubkey_hash[0] = 0xa6053e051270b7acULL;
        sgx_pubkey_hash[1] = 0x6cfbe8ba8b3b413dULL;
        sgx_pubkey_hash[2] = 0xc4916d99f2b3735dULL;
        sgx_pubkey_hash[3] = 0xd4f8c05909f9bb3bULL;
    } else {
        /* MSR_IA32_SGXLEPUBKEYHASH0 is read above */
        rdmsrl(MSR_IA32_SGXLEPUBKEYHASH1, sgx_pubkey_hash[1]);
        rdmsrl(MSR_IA32_SGXLEPUBKEYHASH2, sgx_pubkey_hash[2]);
        rdmsrl(MSR_IA32_SGXLEPUBKEYHASH3, sgx_pubkey_hash[3]);
    }
}

Here is the caller graph for this function:

sgx_enabled_in_guest_bios()

static bool sgx_enabled_in_guest_bios ( struct kvm_vcpu *  vcpu )

inlinestatic

Definition at line 374 of file sgx.c.

{
    const u64 bits = FEAT_CTL_SGX_ENABLED | FEAT_CTL_LOCKED;
 
    return (to_vmx(vcpu)->msr_ia32_feature_control & bits) == bits;
}

Here is the call graph for this function:

Here is the caller graph for this function:

sgx_get_encls_gva()

static int sgx_get_encls_gva ( struct kvm_vcpu *  vcpu, unsigned long  offset, int  size, int  alignment, gva_t *  gva  )

static

Definition at line 24 of file sgx.c.

{
    struct kvm_segment s;
    bool fault;
 
    /* Skip vmcs.GUEST_DS retrieval for 64-bit mode to avoid VMREADs. */
    *gva = offset;
    if (!is_64_bit_mode(vcpu)) {
        vmx_get_segment(vcpu, &s, VCPU_SREG_DS);
        *gva += s.base;
    }
 
    if (!IS_ALIGNED(*gva, alignment)) {
        fault = true;
    } else if (likely(is_64_bit_mode(vcpu))) {
        *gva = vmx_get_untagged_addr(vcpu, *gva, 0);
        fault = is_noncanonical_address(*gva, vcpu);
    } else {
        *gva &= 0xffffffff;
        fault = (s.unusable) ||
            (s.type != 2 && s.type != 3) ||
            (*gva > s.limit) ||
            ((s.base != 0 || s.limit != 0xffffffff) &&
            (((u64)*gva + size - 1) > s.limit + 1));
    }
    if (fault)
        kvm_inject_gp(vcpu, 0);
    return fault ? -EINVAL : 0;
}

Here is the call graph for this function:

Here is the caller graph for this function:

sgx_gpa_to_hva()

static int sgx_gpa_to_hva ( struct kvm_vcpu *  vcpu, gpa_t  gpa, unsigned long *  hva  )

static

Definition at line 92 of file sgx.c.

{
    *hva = kvm_vcpu_gfn_to_hva(vcpu, PFN_DOWN(gpa));
    if (kvm_is_error_hva(*hva)) {
        sgx_handle_emulation_failure(vcpu, gpa, 1);
        return -EFAULT;
    }
 
    *hva |= gpa & ~PAGE_MASK;
 
    return 0;
}

Here is the call graph for this function:

Here is the caller graph for this function:

sgx_gva_to_gpa()

static int sgx_gva_to_gpa ( struct kvm_vcpu *  vcpu, gva_t  gva, bool  write, gpa_t *  gpa  )

static

Definition at line 74 of file sgx.c.

{
    struct x86_exception ex;
 
    if (write)
        *gpa = kvm_mmu_gva_to_gpa_write(vcpu, gva, &ex);
    else
        *gpa = kvm_mmu_gva_to_gpa_read(vcpu, gva, &ex);
 
    if (*gpa == INVALID_GPA) {
        kvm_inject_emulated_page_fault(vcpu, &ex);
        return -EFAULT;
    }
 
    return 0;
}

Here is the call graph for this function:

Here is the caller graph for this function:

sgx_handle_emulation_failure()

static void sgx_handle_emulation_failure ( struct kvm_vcpu *  vcpu, u64  addr, unsigned int  size  )

static

Definition at line 55 of file sgx.c.

{
    uint64_t data[2] = { addr, size };
 
    __kvm_prepare_emulation_failure_exit(vcpu, data, ARRAY_SIZE(data));
}

Here is the call graph for this function:

Here is the caller graph for this function:

sgx_inject_fault()

static int sgx_inject_fault ( struct kvm_vcpu *  vcpu, gva_t  gva, int  trapnr  )

static

Definition at line 105 of file sgx.c.

{
    struct x86_exception ex;
 
    /*
     * A non-EPCM #PF indicates a bad userspace HVA.  This *should* check
     * for PFEC.SGX and not assume any #PF on SGX2 originated in the EPC,
     * but the error code isn't (yet) plumbed through the ENCLS helpers.
     */
    if (trapnr == PF_VECTOR && !boot_cpu_has(X86_FEATURE_SGX2)) {
        kvm_prepare_emulation_failure_exit(vcpu);
        return 0;
    }
 
    /*
     * If the guest thinks it's running on SGX2 hardware, inject an SGX
     * #PF if the fault matches an EPCM fault signature (#GP on SGX1,
     * #PF on SGX2).  The assumption is that EPCM faults are much more
     * likely than a bad userspace address.
     */
    if ((trapnr == PF_VECTOR || !boot_cpu_has(X86_FEATURE_SGX2)) &&
        guest_cpuid_has(vcpu, X86_FEATURE_SGX2)) {
        memset(&ex, 0, sizeof(ex));
        ex.vector = PF_VECTOR;
        ex.error_code = PFERR_PRESENT_MASK | PFERR_WRITE_MASK |
                PFERR_SGX_MASK;
        ex.address = gva;
        ex.error_code_valid = true;
        ex.nested_page_fault = false;
        kvm_inject_emulated_page_fault(vcpu, &ex);
    } else {
        kvm_inject_gp(vcpu, 0);
    }
    return 1;
}

Here is the call graph for this function:

Here is the caller graph for this function:

sgx_intercept_encls_ecreate()

static bool sgx_intercept_encls_ecreate ( struct kvm_vcpu *  vcpu )

static

Definition at line 440 of file sgx.c.

{
    struct kvm_cpuid_entry2 *guest_cpuid;
    u32 eax, ebx, ecx, edx;
 
    if (!vcpu->kvm->arch.sgx_provisioning_allowed)
        return true;
 
    guest_cpuid = kvm_find_cpuid_entry_index(vcpu, 0x12, 0);
    if (!guest_cpuid)
        return true;
 
    cpuid_count(0x12, 0, &eax, &ebx, &ecx, &edx);
    if (guest_cpuid->ebx != ebx || guest_cpuid->edx != edx)
        return true;
 
    guest_cpuid = kvm_find_cpuid_entry_index(vcpu, 0x12, 1);
    if (!guest_cpuid)
        return true;
 
    cpuid_count(0x12, 1, &eax, &ebx, &ecx, &edx);
    if (guest_cpuid->eax != eax || guest_cpuid->ebx != ebx ||
        guest_cpuid->ecx != ecx || guest_cpuid->edx != edx)
        return true;
 
    return false;
}

Here is the call graph for this function:

Here is the caller graph for this function:

sgx_read_hva()

static int sgx_read_hva ( struct kvm_vcpu *  vcpu, unsigned long  hva, void *  data, unsigned int  size  )

static

Definition at line 63 of file sgx.c.

{
    if (__copy_from_user(data, (void __user *)hva, size)) {
        sgx_handle_emulation_failure(vcpu, hva, size);
        return -EFAULT;
    }
 
    return 0;
}

Here is the call graph for this function:

Here is the caller graph for this function:

vcpu_setup_sgx_lepubkeyhash()

void vcpu_setup_sgx_lepubkeyhash

(

struct kvm_vcpu *

vcpu

)

Definition at line 428 of file sgx.c.

{
    struct vcpu_vmx *vmx = to_vmx(vcpu);
 
    memcpy(vmx->msr_ia32_sgxlepubkeyhash, sgx_pubkey_hash,
           sizeof(sgx_pubkey_hash));
}

Here is the call graph for this function:

Here is the caller graph for this function:

vmx_write_encls_bitmap()

void vmx_write_encls_bitmap	(	struct kvm_vcpu *	vcpu,
		struct vmcs12 *	vmcs12
	)

Definition at line 468 of file sgx.c.

{
    /*
     * There is no software enable bit for SGX that is virtualized by
     * hardware, e.g. there's no CR4.SGXE, so when SGX is disabled in the
     * guest (either by the host or by the guest's BIOS) but enabled in the
     * host, trap all ENCLS leafs and inject #UD/#GP as needed to emulate
     * the expected system behavior for ENCLS.
     */
    u64 bitmap = -1ull;
 
    /* Nothing to do if hardware doesn't support SGX */
    if (!cpu_has_vmx_encls_vmexit())
        return;
 
    if (guest_cpuid_has(vcpu, X86_FEATURE_SGX) &&
        sgx_enabled_in_guest_bios(vcpu)) {
        if (guest_cpuid_has(vcpu, X86_FEATURE_SGX1)) {
            bitmap &= ~GENMASK_ULL(ETRACK, ECREATE);
            if (sgx_intercept_encls_ecreate(vcpu))
                bitmap |= (1 << ECREATE);
        }
 
        if (guest_cpuid_has(vcpu, X86_FEATURE_SGX2))
            bitmap &= ~GENMASK_ULL(EMODT, EAUG);
 
        /*
         * Trap and execute EINIT if launch control is enabled in the
         * host using the guest's values for launch control MSRs, even
         * if the guest's values are fixed to hardware default values.
         * The MSRs are not loaded/saved on VM-Enter/VM-Exit as writing
         * the MSRs is extraordinarily expensive.
         */
        if (boot_cpu_has(X86_FEATURE_SGX_LC))
            bitmap |= (1 << EINIT);
 
        if (!vmcs12 && is_guest_mode(vcpu))
            vmcs12 = get_vmcs12(vcpu);
        if (vmcs12 && nested_cpu_has_encls_exit(vmcs12))
            bitmap |= vmcs12->encls_exiting_bitmap;
    }
    vmcs_write64(ENCLS_EXITING_BITMAP, bitmap);
}

Here is the call graph for this function:

Here is the caller graph for this function:

Variable Documentation

__ro_after_init

u64 sgx_pubkey_hash [4] __ro_after_init

static

Definition at line 18 of file sgx.c.

enable_sgx

bool __read_mostly enable_sgx = 1

Definition at line 14 of file sgx.c.