Interrupt enclu execution on main enclave thread exiting #493
Conversation
maxknv
force-pushed
the
max/gh-165-abort-hanged-enclave-thread
branch
from
8226083
to
a1a2e0f
Compare
| }); | ||
| if is_enclu { | ||
| // At enclu instruction - force IP to the next instruction after enclu | ||
| unsafe { (*(_context as *mut ucontext_t)).uc_mcontext.gregs[REG_RIP as usize] += 3 } |
There was a problem hiding this comment.
This causes the enclave execution not to be re-entered, but it does not kill the thread. But what happens in that worker thread in those cases?
There was a problem hiding this comment.
some garbage CoResult will be returned and sending it to IO queue will fail as sysloop is terminated by that moment
There was a problem hiding this comment.
I think you should adjust RAX and potentially other registers as well to something meaningful
There was a problem hiding this comment.
now enclave exiting flag is passed into coenter() to break enclu/AEX loop and special value CoResult::Abort will be returned if an enclave thread was interrupted that way. Why we may still need register adjustments?
There was a problem hiding this comment.
Because you need to guarantee the VDSO code branches properly?
maxknv
force-pushed
the
max/gh-165-abort-hanged-enclave-thread
branch
4 times, most recently
from
739418a
to
a501d3e
Compare
maxknv
changed the title
| }); | ||
| if is_enclu { | ||
| // At enclu instruction - force IP to the next instruction after enclu | ||
| unsafe { (*(_context as *mut ucontext_t)).uc_mcontext.gregs[REG_RIP as usize] += 3 } |
There was a problem hiding this comment.
I think you should adjust RAX and potentially other registers as well to something meaningful
|
|
||
| let hdl = signal::SigHandler::SigAction(handle_sigusr1); | ||
| let sig_action = signal::SigAction::new(hdl, signal::SaFlags::empty(), signal::SigSet::empty()); | ||
| signal::sigaction(signal::SIGUSR1, &sig_action).unwrap(); |
There was a problem hiding this comment.
USR1 is ok, but isn't e.g. HUP more appropriate? Combined with only conditionally rewriting the IP.
There was a problem hiding this comment.
Changed to HUP.
Calling this handler is now conditional for vdso/non-vdso. Is that what you mean by conditional rewriting IP?
maxknv
force-pushed
the
max/gh-165-abort-hanged-enclave-thread
branch
from
f0a9c61
to
5d62085
Compare
intel-sgx/enclave-runner/src/tcs.rs
Outdated
| sgx_result = run.function; | ||
| match sgx_result.try_into() { | ||
| enclu_leaf = run.function; | ||
| match enclu_leaf.try_into() { | ||
| Ok(Enclu::EExit) => { /* normal case */ }, |
There was a problem hiding this comment.
This is no longer the "normal case". When you interrupt the enclave in the signal handler, it explicitly writes $EEXIT to enclu_leaf, even though it should be ERESUME. See the vdso. You need to detect such cases and reenter the enclave. You can check the vdso to see which registers you can use for this.
There was a problem hiding this comment.
added EXITING flag which is tested in the signup handler addresses this issue as well
| // Issuing a signal to return execution control back to the enclave-runner's worker thread. | ||
| // * In non-vdso case execution control is claimed during AEX using special handler provided by AEP address | ||
| // in coenter() function and signal is not required | ||
| unsafe { libc::pthread_kill(handler.as_pthread_t() as _, signal::SIGHUP as _); } |
There was a problem hiding this comment.
Why is this conditional on has_vdso_sgx_enter_enclave?
There was a problem hiding this comment.
there are 2 different solutions for vdso/non-vdso:
with vdso: enclave execution is interrupted by a signal and RIP rewriting.
withouth vdso: enclave execution interrupted using special instruction under AEP, no signal is needed
intel-sgx/enclave-runner/src/tcs.rs
Outdated
| lea 1f(%rip), %rcx // set SGX AEP | ||
| push %rbx // store original rbx value on the stack | ||
| mov {0}, %rbx | ||
| enclu | ||
| 1: pop %rbx // restore original rbx value in case we interrupt enclave during AEX |
There was a problem hiding this comment.
I don't understand the change here. This looks like it's intended for RIP rewriting, but the current signal handler is only enabled with the VDSO.
There was a problem hiding this comment.
first of all, AEP is changed here to check exiting flag on each AEX and interrupt enclu if needed.
secondly, push/pop instructions for RBX just allow for preserving the original value in RBX.
There was a problem hiding this comment.
The comments on %rbx don't add much value. The point here is that due to a limitation of LLVM we can't use rbx as an input to the inline assembly directly, nor can we say it's content is clobbered.
maxknv
changed the title
intel-sgx/enclave-runner/src/tcs.rs
Outdated
| sgx_result = run.function; | ||
| match sgx_result.try_into() { | ||
| enclu_leaf = run.function; | ||
| match enclu_leaf.try_into() { | ||
| Ok(Enclu::EExit) => { /* normal case */ }, |
There was a problem hiding this comment.
Could you also add a comment here that you reach this when the signal handler intervenes and forces the enclave not to be re-entered?
| if has_vdso_sgx_enter_enclave() { | ||
| // * The enclave thread may be in a long-running `AEX/enclu[ERESUME]` loop. | ||
| // Issuing a signal to return execution control back to the enclave-runner's worker thread. | ||
| // * In non-vdso case execution control is claimed during AEX using special handler provided by AEP address |
There was a problem hiding this comment.
What do you mean with "special handler"?
| // Interrupt enclave execution by setting IP to the instruction following the ENCLU to mimic normal ENCLU[EXIT]) | ||
| unsafe { | ||
| (*(_context as *mut ucontext_t)).uc_mcontext.gregs[REG_RIP as usize] += 3; | ||
| (*(_context as *mut ucontext_t)).uc_mcontext.gregs[REG_RAX as usize] = 0; |
There was a problem hiding this comment.
Why 0? This doesn't mimic a normal EEXIT.
There was a problem hiding this comment.
I chose 0 just as some deterministic value... Idk which one is better, both looks not very nice. but ok, ill switch to EExit
| if is_enclu && EXITING.with(|cell| cell.borrow().as_ref().is_some_and(|val| val.load(Ordering::SeqCst) == true)) { | ||
| // Interrupt enclave execution by setting IP to the instruction following the ENCLU to mimic normal ENCLU[EXIT]) | ||
| unsafe { | ||
| (*(_context as *mut ucontext_t)).uc_mcontext.gregs[REG_RIP as usize] += 3; |
There was a problem hiding this comment.
Can you also rename _context to context?
maxknv
force-pushed
the
max/gh-165-abort-hanged-enclave-thread
branch
2 times, most recently
from
3b3ad1a
to
cd0790f
Compare
|
Looks good to me! @mkaynov can you rebase so I can take the final version for a spin? |
maxknv
force-pushed
the
max/gh-165-abort-hanged-enclave-thread
branch
4 times, most recently
from
8268018
to
bbe7c37
Compare
maxknv
force-pushed
the
max/gh-165-abort-hanged-enclave-thread
branch
from
bbe7c37
to
9d998d9
Compare
encluResolves #165