All running enclaves and cryptographic assets (such as internal SGX
encryption keys) are assumed to be compromised whenever an SGX-related
microcode update occurs. To mitigate this assumed compromise the new
supervisor SGX instruction ENCLS[EUPDATESVN] can generate fresh
cryptographic assets.
Before executing EUPDATESVN, all SGX memory must be marked as unused.
This requirement ensures that no potentially compromised enclave
survives the update and allows the system to safely regenerate
cryptographic assets.
Add the method to perform ENCLS[EUPDATESVN]. However, until the
follow up patch that wires calling sgx_update_svn() from
sgx_inc_usage_count(), this code is not reachable.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
arch/x86/include/asm/sgx.h | 31 +++++++-------
arch/x86/kernel/cpu/sgx/encls.h | 5 +++
arch/x86/kernel/cpu/sgx/main.c | 73 +++++++++++++++++++++++++++++++++
3 files changed, 94 insertions(+), 15 deletions(-)
diff --git a/arch/x86/include/asm/sgx.h b/arch/x86/include/asm/sgx.h
index 2da5b3b117a1..0e13678f9cbd 100644
--- a/arch/x86/include/asm/sgx.h
+++ b/arch/x86/include/asm/sgx.h
@@ -28,21 +28,22 @@
#define SGX_CPUID_EPC_MASK GENMASK(3, 0)
enum sgx_encls_function {
- ECREATE = 0x00,
- EADD = 0x01,
- EINIT = 0x02,
- EREMOVE = 0x03,
- EDGBRD = 0x04,
- EDGBWR = 0x05,
- EEXTEND = 0x06,
- ELDU = 0x08,
- EBLOCK = 0x09,
- EPA = 0x0A,
- EWB = 0x0B,
- ETRACK = 0x0C,
- EAUG = 0x0D,
- EMODPR = 0x0E,
- EMODT = 0x0F,
+ ECREATE = 0x00,
+ EADD = 0x01,
+ EINIT = 0x02,
+ EREMOVE = 0x03,
+ EDGBRD = 0x04,
+ EDGBWR = 0x05,
+ EEXTEND = 0x06,
+ ELDU = 0x08,
+ EBLOCK = 0x09,
+ EPA = 0x0A,
+ EWB = 0x0B,
+ ETRACK = 0x0C,
+ EAUG = 0x0D,
+ EMODPR = 0x0E,
+ EMODT = 0x0F,
+ EUPDATESVN = 0x18,
};
/**
diff --git a/arch/x86/kernel/cpu/sgx/encls.h b/arch/x86/kernel/cpu/sgx/encls.h
index 99004b02e2ed..d9160c89a93d 100644
--- a/arch/x86/kernel/cpu/sgx/encls.h
+++ b/arch/x86/kernel/cpu/sgx/encls.h
@@ -233,4 +233,9 @@ static inline int __eaug(struct sgx_pageinfo *pginfo, void *addr)
return __encls_2(EAUG, pginfo, addr);
}
+/* Attempt to update CPUSVN at runtime. */
+static inline int __eupdatesvn(void)
+{
+ return __encls_ret_1(EUPDATESVN, "");
+}
#endif /* _X86_ENCLS_H */
diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
index 3a5cbd1c170e..d8c42524b590 100644
--- a/arch/x86/kernel/cpu/sgx/main.c
+++ b/arch/x86/kernel/cpu/sgx/main.c
@@ -16,6 +16,7 @@
#include <linux/vmalloc.h>
#include <asm/msr.h>
#include <asm/sgx.h>
+#include <asm/archrandom.h>
#include "driver.h"
#include "encl.h"
#include "encls.h"
@@ -917,6 +918,78 @@ int sgx_set_attribute(unsigned long *allowed_attributes,
}
EXPORT_SYMBOL_GPL(sgx_set_attribute);
+/* Counter to count the active SGX users */
+static int sgx_usage_count;
+
+/**
+ * sgx_update_svn() - Attempt to call ENCLS[EUPDATESVN].
+ * This instruction attempts to update CPUSVN to the
+ * currently loaded microcode update SVN and generate new
+ * cryptographic assets.
+ * Return:
+ * 0: Success or not supported
+ * -EAGAIN: Can be safely retried, failure is due to lack of
+ * entropy in RNG.
+ * -EIO: Unexpected error, retries are not advisable.
+ */
+static int __maybe_unused sgx_update_svn(void)
+{
+ int ret;
+
+ /*
+ * If EUPDATESVN is not available, it is ok to
+ * silently skip it to comply with legacy behavior.
+ */
+ if (!cpu_feature_enabled(X86_FEATURE_SGX_EUPDATESVN))
+ return 0;
+
+ /*
+ * EPC is guaranteed to be empty when there are no users.
+ * Ensure we are on our first user before proceeding further.
+ */
+ WARN(sgx_usage_count != 1, "Elevated usage count when calling EUPDATESVN\n");
+
+ for (int i = 0; i < RDRAND_RETRY_LOOPS; i++) {
+ ret = __eupdatesvn();
+
+ /* Stop on success or unexpected errors: */
+ if (ret != SGX_INSUFFICIENT_ENTROPY)
+ break;
+ }
+
+ switch (ret) {
+ /*
+ * SVN successfully updated.
+ * Let users know when the update was successful.
+ */
+ case 0:
+ pr_info("SVN updated successfully\n");
+ return 0;
+ /*
+ * SVN update failed since the current SVN is
+ * not newer than CPUSVN. This is the most
+ * common case and indicates no harm.
+ */
+ case SGX_NO_UPDATE:
+ return 0;
+ /*
+ * SVN update failed due to lack of entropy in DRNG.
+ * Indicate to userspace that it should retry.
+ */
+ case SGX_INSUFFICIENT_ENTROPY:
+ return -EAGAIN;
+ default:
+ break;
+ }
+
+ /*
+ * EUPDATESVN was called when EPC is empty, all other error
+ * codes are unexpected.
+ */
+ ENCLS_WARN(ret, "EUPDATESVN");
+ return -EIO;
+}
+
int sgx_inc_usage_count(void)
{
return 0;
--
2.45.2On Wed, 2025-08-06 at 11:11 +0300, Elena Reshetova wrote:
> All running enclaves and cryptographic assets (such as internal SGX
> encryption keys) are assumed to be compromised whenever an SGX-related
> microcode update occurs. To mitigate this assumed compromise the new
> supervisor SGX instruction ENCLS[EUPDATESVN] can generate fresh
> cryptographic assets.
>
> Before executing EUPDATESVN, all SGX memory must be marked as unused.
> This requirement ensures that no potentially compromised enclave
> survives the update and allows the system to safely regenerate
> cryptographic assets.
>
> Add the method to perform ENCLS[EUPDATESVN]. However, until the
> follow up patch that wires calling sgx_update_svn() from
> sgx_inc_usage_count(), this code is not reachable.
Please check the text wrap.
>
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> ---
> arch/x86/include/asm/sgx.h | 31 +++++++-------
> arch/x86/kernel/cpu/sgx/encls.h | 5 +++
> arch/x86/kernel/cpu/sgx/main.c | 73 +++++++++++++++++++++++++++++++++
> 3 files changed, 94 insertions(+), 15 deletions(-)
>
> diff --git a/arch/x86/include/asm/sgx.h b/arch/x86/include/asm/sgx.h
> index 2da5b3b117a1..0e13678f9cbd 100644
> --- a/arch/x86/include/asm/sgx.h
> +++ b/arch/x86/include/asm/sgx.h
> @@ -28,21 +28,22 @@
> #define SGX_CPUID_EPC_MASK GENMASK(3, 0)
>
> enum sgx_encls_function {
> - ECREATE = 0x00,
> - EADD = 0x01,
> - EINIT = 0x02,
> - EREMOVE = 0x03,
> - EDGBRD = 0x04,
> - EDGBWR = 0x05,
> - EEXTEND = 0x06,
> - ELDU = 0x08,
> - EBLOCK = 0x09,
> - EPA = 0x0A,
> - EWB = 0x0B,
> - ETRACK = 0x0C,
> - EAUG = 0x0D,
> - EMODPR = 0x0E,
> - EMODT = 0x0F,
> + ECREATE = 0x00,
> + EADD = 0x01,
> + EINIT = 0x02,
> + EREMOVE = 0x03,
> + EDGBRD = 0x04,
> + EDGBWR = 0x05,
> + EEXTEND = 0x06,
> + ELDU = 0x08,
> + EBLOCK = 0x09,
> + EPA = 0x0A,
> + EWB = 0x0B,
> + ETRACK = 0x0C,
> + EAUG = 0x0D,
> + EMODPR = 0x0E,
> + EMODT = 0x0F,
> + EUPDATESVN = 0x18,
> };
>
> /**
> diff --git a/arch/x86/kernel/cpu/sgx/encls.h b/arch/x86/kernel/cpu/sgx/encls.h
> index 99004b02e2ed..d9160c89a93d 100644
> --- a/arch/x86/kernel/cpu/sgx/encls.h
> +++ b/arch/x86/kernel/cpu/sgx/encls.h
> @@ -233,4 +233,9 @@ static inline int __eaug(struct sgx_pageinfo *pginfo, void *addr)
> return __encls_2(EAUG, pginfo, addr);
> }
>
> +/* Attempt to update CPUSVN at runtime. */
> +static inline int __eupdatesvn(void)
> +{
> + return __encls_ret_1(EUPDATESVN, "");
> +}
> #endif /* _X86_ENCLS_H */
> diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
> index 3a5cbd1c170e..d8c42524b590 100644
> --- a/arch/x86/kernel/cpu/sgx/main.c
> +++ b/arch/x86/kernel/cpu/sgx/main.c
> @@ -16,6 +16,7 @@
> #include <linux/vmalloc.h>
> #include <asm/msr.h>
> #include <asm/sgx.h>
> +#include <asm/archrandom.h>
> #include "driver.h"
> #include "encl.h"
> #include "encls.h"
> @@ -917,6 +918,78 @@ int sgx_set_attribute(unsigned long *allowed_attributes,
> }
> EXPORT_SYMBOL_GPL(sgx_set_attribute);
>
> +/* Counter to count the active SGX users */
> +static int sgx_usage_count;
> +
> +/**
> + * sgx_update_svn() - Attempt to call ENCLS[EUPDATESVN].
Add a newline would make the comment more readable.
> + * This instruction attempts to update CPUSVN to the
> + * currently loaded microcode update SVN and generate new
> + * cryptographic assets.
Ditto here.
> + * Return:
> + * 0: Success or not supported
> + * -EAGAIN: Can be safely retried, failure is due to lack of
> + * entropy in RNG.
> + * -EIO: Unexpected error, retries are not advisable.
> + */
You may want to make the description of the return code vertically
aligned. And looking at the k-doc documentation, the format of the return
codes could be improved:
* Return:
* * %0: - Success or not supported
* * %-EAGAIN: - ...
* * %-EIO: - ...
Please see "Return values" part of:
https://docs.kernel.org/doc-guide/kernel-doc.html
Or you can switch to use normal comment. It's a static function anyway.
> +static int __maybe_unused sgx_update_svn(void)
> +{
> + int ret;
> +
> + /*
> + * If EUPDATESVN is not available, it is ok to
> + * silently skip it to comply with legacy behavior.
> + */
> + if (!cpu_feature_enabled(X86_FEATURE_SGX_EUPDATESVN))
> + return 0;
> +
> + /*
> + * EPC is guaranteed to be empty when there are no users.
> + * Ensure we are on our first user before proceeding further.
> + */
> + WARN(sgx_usage_count != 1, "Elevated usage count when calling EUPDATESVN\n");
I am not sure whether this is needed. Wouldn't the ENCLS_WARN() at the
end catch this case and the user is able to figure out what went wrong
from the error code?
Besides that, in _this_ patch, what prevents sgx_usage_count from being
concurrently updated is still unknown. It's kinda weird to just use it
here w/o seeing the actual mutex.
> +
> + for (int i = 0; i < RDRAND_RETRY_LOOPS; i++) {
> + ret = __eupdatesvn();
> +
> + /* Stop on success or unexpected errors: */
> + if (ret != SGX_INSUFFICIENT_ENTROPY)
> + break;
> + }
> +
> + switch (ret) {
> + /*
> + * SVN successfully updated.
> + * Let users know when the update was successful.
> + */
This is ugly. I would just put the comment inside the 'case'.
> + case 0:
> + pr_info("SVN updated successfully\n");
> + return 0;
> + /*
> + * SVN update failed since the current SVN is
> + * not newer than CPUSVN. This is the most
> + * common case and indicates no harm.
> + */
> + case SGX_NO_UPDATE:
> + return 0;
> + /*
> + * SVN update failed due to lack of entropy in DRNG.
> + * Indicate to userspace that it should retry.
> + */
> + case SGX_INSUFFICIENT_ENTROPY:
> + return -EAGAIN;
> + default:
> + break;
> + }
Ditto for all the comments above.
> -----Original Message-----
> From: Huang, Kai <kai.huang@intel.com>
> Sent: Thursday, August 7, 2025 3:15 AM
> To: Reshetova, Elena <elena.reshetova@intel.com>; Hansen, Dave
> <dave.hansen@intel.com>
> Cc: seanjc@google.com; mingo@kernel.org; Scarlata, Vincent R
> <vincent.r.scarlata@intel.com>; x86@kernel.org; jarkko@kernel.org;
> Annapurve, Vishal <vannapurve@google.com>; linux-kernel@vger.kernel.org;
> Mallick, Asit K <asit.k.mallick@intel.com>; Aktas, Erdem
> <erdemaktas@google.com>; Cai, Chong <chongc@google.com>; Bondarevska,
> Nataliia <bondarn@google.com>; linux-sgx@vger.kernel.org; Raynor, Scott
> <scott.raynor@intel.com>
> Subject: Re: [PATCH v11 4/5] x86/sgx: Implement ENCLS[EUPDATESVN]
>
> On Wed, 2025-08-06 at 11:11 +0300, Elena Reshetova wrote:
> > All running enclaves and cryptographic assets (such as internal SGX
> > encryption keys) are assumed to be compromised whenever an SGX-related
> > microcode update occurs. To mitigate this assumed compromise the new
> > supervisor SGX instruction ENCLS[EUPDATESVN] can generate fresh
> > cryptographic assets.
> >
> > Before executing EUPDATESVN, all SGX memory must be marked as unused.
> > This requirement ensures that no potentially compromised enclave
> > survives the update and allows the system to safely regenerate
> > cryptographic assets.
> >
> > Add the method to perform ENCLS[EUPDATESVN]. However, until the
> > follow up patch that wires calling sgx_update_svn() from
> > sgx_inc_usage_count(), this code is not reachable.
>
> Please check the text wrap.
>
Yes, will do.
> >
> > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> > ---
> > arch/x86/include/asm/sgx.h | 31 +++++++-------
> > arch/x86/kernel/cpu/sgx/encls.h | 5 +++
> > arch/x86/kernel/cpu/sgx/main.c | 73
> +++++++++++++++++++++++++++++++++
> > 3 files changed, 94 insertions(+), 15 deletions(-)
> >
> > diff --git a/arch/x86/include/asm/sgx.h b/arch/x86/include/asm/sgx.h
> > index 2da5b3b117a1..0e13678f9cbd 100644
> > --- a/arch/x86/include/asm/sgx.h
> > +++ b/arch/x86/include/asm/sgx.h
> > @@ -28,21 +28,22 @@
> > #define SGX_CPUID_EPC_MASK GENMASK(3, 0)
> >
> > enum sgx_encls_function {
> > - ECREATE = 0x00,
> > - EADD = 0x01,
> > - EINIT = 0x02,
> > - EREMOVE = 0x03,
> > - EDGBRD = 0x04,
> > - EDGBWR = 0x05,
> > - EEXTEND = 0x06,
> > - ELDU = 0x08,
> > - EBLOCK = 0x09,
> > - EPA = 0x0A,
> > - EWB = 0x0B,
> > - ETRACK = 0x0C,
> > - EAUG = 0x0D,
> > - EMODPR = 0x0E,
> > - EMODT = 0x0F,
> > + ECREATE = 0x00,
> > + EADD = 0x01,
> > + EINIT = 0x02,
> > + EREMOVE = 0x03,
> > + EDGBRD = 0x04,
> > + EDGBWR = 0x05,
> > + EEXTEND = 0x06,
> > + ELDU = 0x08,
> > + EBLOCK = 0x09,
> > + EPA = 0x0A,
> > + EWB = 0x0B,
> > + ETRACK = 0x0C,
> > + EAUG = 0x0D,
> > + EMODPR = 0x0E,
> > + EMODT = 0x0F,
> > + EUPDATESVN = 0x18,
> > };
> >
> > /**
> > diff --git a/arch/x86/kernel/cpu/sgx/encls.h
> b/arch/x86/kernel/cpu/sgx/encls.h
> > index 99004b02e2ed..d9160c89a93d 100644
> > --- a/arch/x86/kernel/cpu/sgx/encls.h
> > +++ b/arch/x86/kernel/cpu/sgx/encls.h
> > @@ -233,4 +233,9 @@ static inline int __eaug(struct sgx_pageinfo *pginfo,
> void *addr)
> > return __encls_2(EAUG, pginfo, addr);
> > }
> >
> > +/* Attempt to update CPUSVN at runtime. */
> > +static inline int __eupdatesvn(void)
> > +{
> > + return __encls_ret_1(EUPDATESVN, "");
> > +}
> > #endif /* _X86_ENCLS_H */
> > diff --git a/arch/x86/kernel/cpu/sgx/main.c
> b/arch/x86/kernel/cpu/sgx/main.c
> > index 3a5cbd1c170e..d8c42524b590 100644
> > --- a/arch/x86/kernel/cpu/sgx/main.c
> > +++ b/arch/x86/kernel/cpu/sgx/main.c
> > @@ -16,6 +16,7 @@
> > #include <linux/vmalloc.h>
> > #include <asm/msr.h>
> > #include <asm/sgx.h>
> > +#include <asm/archrandom.h>
> > #include "driver.h"
> > #include "encl.h"
> > #include "encls.h"
> > @@ -917,6 +918,78 @@ int sgx_set_attribute(unsigned long
> *allowed_attributes,
> > }
> > EXPORT_SYMBOL_GPL(sgx_set_attribute);
> >
> > +/* Counter to count the active SGX users */
> > +static int sgx_usage_count;
> > +
> > +/**
> > + * sgx_update_svn() - Attempt to call ENCLS[EUPDATESVN].
>
> Add a newline would make the comment more readable.
Ok
>
> > + * This instruction attempts to update CPUSVN to the
> > + * currently loaded microcode update SVN and generate new
> > + * cryptographic assets.
>
> Ditto here.
Ok
>
> > + * Return:
> > + * 0: Success or not supported
> > + * -EAGAIN: Can be safely retried, failure is due to lack of
> > + * entropy in RNG.
> > + * -EIO: Unexpected error, retries are not advisable.
> > + */
>
> You may want to make the description of the return code vertically
> aligned. And looking at the k-doc documentation, the format of the return
> codes could be improved:
>
> * Return:
> * * %0: - Success or not supported
> * * %-EAGAIN: - ...
> * * %-EIO: - ...
>
> Please see "Return values" part of:
>
> https://docs.kernel.org/doc-guide/kernel-doc.html
>
> Or you can switch to use normal comment. It's a static function anyway.
Ok, will fix the formatting issues.
>
>
> > +static int __maybe_unused sgx_update_svn(void)
> > +{
> > + int ret;
> > +
> > + /*
> > + * If EUPDATESVN is not available, it is ok to
> > + * silently skip it to comply with legacy behavior.
> > + */
> > + if (!cpu_feature_enabled(X86_FEATURE_SGX_EUPDATESVN))
> > + return 0;
> > +
> > + /*
> > + * EPC is guaranteed to be empty when there are no users.
> > + * Ensure we are on our first user before proceeding further.
> > + */
> > + WARN(sgx_usage_count != 1, "Elevated usage count when calling
> EUPDATESVN\n");
>
> I am not sure whether this is needed. Wouldn't the ENCLS_WARN() at the
> end catch this case and the user is able to figure out what went wrong
> from the error code?
Dave has made a suggestion to include this check, so I have added it.
>
> Besides that, in _this_ patch, what prevents sgx_usage_count from being
> concurrently updated is still unknown. It's kinda weird to just use it
> here w/o seeing the actual mutex.
In this patch it is fully useless, because sgx_usage_count is never incremented
from zero and this function is also never called. But I didn’t want to move this
addition to the following patch since it would look as one-add to this function.
>
> > +
> > + for (int i = 0; i < RDRAND_RETRY_LOOPS; i++) {
> > + ret = __eupdatesvn();
> > +
> > + /* Stop on success or unexpected errors: */
> > + if (ret != SGX_INSUFFICIENT_ENTROPY)
> > + break;
> > + }
> > +
> > + switch (ret) {
> > + /*
> > + * SVN successfully updated.
> > + * Let users know when the update was successful.
> > + */
>
> This is ugly. I would just put the comment inside the 'case'.
Ok, will move.
>
> > + case 0:
> > + pr_info("SVN updated successfully\n");
> > + return 0;
> > + /*
> > + * SVN update failed since the current SVN is
> > + * not newer than CPUSVN. This is the most
> > + * common case and indicates no harm.
> > + */
> > + case SGX_NO_UPDATE:
> > + return 0;
> > + /*
> > + * SVN update failed due to lack of entropy in DRNG.
> > + * Indicate to userspace that it should retry.
> > + */
> > + case SGX_INSUFFICIENT_ENTROPY:
> > + return -EAGAIN;
> > + default:
> > + break;
> > + }
>
> Ditto for all the comments above.
Ok, will move inside.
Best Regards,
Elena.
On Fri, 2025-08-08 at 10:59 +0000, Reshetova, Elena wrote: > > > + /* > > > + * EPC is guaranteed to be empty when there are no users. > > > + * Ensure we are on our first user before proceeding further. > > > + */ > > > + WARN(sgx_usage_count != 1, "Elevated usage count when calling > > EUPDATESVN\n"); > > > > I am not sure whether this is needed. Wouldn't the ENCLS_WARN() at the > > end catch this case and the user is able to figure out what went wrong > > from the error code? > > Dave has made a suggestion to include this check, so I have added it. Sorry I didn't read careful enough and missed that. > > > > > Besides that, in _this_ patch, what prevents sgx_usage_count from being > > concurrently updated is still unknown. It's kinda weird to just use it > > here w/o seeing the actual mutex. > > In this patch it is fully useless, because sgx_usage_count is never incremented > from zero and this function is also never called. But I didn’t want to move this > addition to the following patch since it would look as one-add to this function. Sure np.
On 8/8/25 03:59, Reshetova, Elena wrote: >> I am not sure whether this is needed. Wouldn't the ENCLS_WARN() at the >> end catch this case and the user is able to figure out what went wrong >> from the error code? > Dave has made a suggestion to include this check, so I have added it. If it's important enough to write a comment for it, it's important enough to write a line of code for it.
© 2016 - 2025 Red Hat, Inc.