Intel SGX Enclave Support in Windows 10 Fall Update (Threshold 2)

More documents

Recommendations

Info

Boot-Time Enclave Support Initialization Once a compatible BIOS has initialized SGX support by enabling the feature in the IA32_FEATURE_CONTROL MSR, and configured the PRMRR MSRs to store the Processor Reserved Memory (PRM) descriptors which still store SGX-related memory, system software must next initialize its own support for SGX. In Windows, this is done both by the boot loader, as well as the kernel’s initialization functions. Boot Loader Enclave Support During boot, Winload (the Windows Boot Loader) will call OslEnumerateEnclavePageRegions, which first checks if CPUID 0000`0012h is supported. Next, it uses CPUID 0000`0007h to obtain the list of CPU feature flags, and checks if bit 2 is set (SGX). If this is the case, it then actually issues CPUID 0000`0012h with sub-function 2. This corresponds to the Intel SGX Resource Enumeration protocol described in the Intel SGX Manual, and returns whether or not an Enclave Page Cache (EPC) is present. If so, the physical address and size of the EPC section is described. By calling BlMmAddEnclavePageRange, the boot loader adds a descriptor to the MemoryDescriptorListHead structure that is stored in the well-known LOADER_PARAMETER_BLOCK that is used to transfer information between the boot loader and the kernel. This descriptor is built with a type value of LoaderEnclaveMemory. The loader then attempts issuing sub-function 3, and so on, until the CPU returns an indicator specifying that no EPC section exists for this index. Early Boot Memory Manager Enclave Support In order for the MiEnclaveRegions AVL tree to be populated, the memory manager calls MiCreateEnclaveRegions during Phase 1 initialization. This receives the LOADER_PARAMETER_BLOCK structure that is well-known to those studying boot loader internals, and parses its MemoryDescriptorListHead, looking for descriptors of type LoaderEnclaveMemory. As the routine does, it builds the AVL tree (allowing quick lookups to see if a region of memory is actually part of an enclave – which we’ll see will be needed in some cases), and it also constructs the descriptors for each physical page that is owned by the hardware enclave. The Windows memory manager stores physical page information in an array called the PFN Database, which is made up of structures called PFN Entry (MMPFN), and enclave pages are no different. Avid Windows Internals readers may remember that these PFN entries are stored in a variety of lists, such as the Free Page List, or the Modified Page List. What about enclave pages? In Windows 10 Update 2, the kernel adds a new Enclave Page List, and a special flag passed to MiInsertPageInFreeOrZeroedList enables functionality to utilize this new list. Internally, however, since the memory manager has actually run out of list identifiers, the kernel actually identifies these pages as being “bad” pages currently suffering an in-page error. This actually makes sense – the memory manager knows never to use bad pages, so calling enclave pages “bad” is another way to keep them at bay. At this point, the MiEnclaveRegions AVL tree describes the physical page regions, while the Enclave Page List describes each page in the PFN database.
Enclave Construction The new Windows 10 update provides an easy-to-use set of APIs that roughly map to the Intel SGX manual’s described mechanisms for enclave construction, and which will ultimately issue the supervisormode (Ring 0) instructions which are required to perform the operations. These new APIs are present in the Enclave API Set documented in enclaveapi.h and implemented in Kernelbase.dll on supported systems. Let’s begin with the APIs for creating an enclave. Checking for Enclave API Hardware Support The first step to using the Enclave API is to first figure out if the hardware supports enclaves. The IsEnclaveTypeSupported API provides this functionality, and accepts as input the enclave type you wish to verify hardware support for: BOOL WINAPI IsEnclaveTypeSupported ( _In_ DWORD flEnclaveType ); This ultimately results in the API reading the EnclaveFeatureMask in the KUSER_SHARED_DATA structure that Windows Internals folks will know is located at the hardcoded address 0x7FFE0000. As of now, the only enclave type supported is the SGX enclave (ENCLAVE_TYPE_SGX), so requesting any other type of enclave will directly fail. In kernel-land, this determination is made by KiSetFeatureBits, which first checks the IA32_FEATURE_ENABLE MSR (0000_03Ah) for the SGX Global Enable Bit (18), which indicates support SGX has been enabled the BIOS. It then issues CPUID 0000_0012h with sub-level 0 (SGX Capability Query) which, as per the Intel CPU documentation, will return 0 for SGX1 support, or 3 for SGX2 support. If SGX1 or higher is supported, the kernel writes 2 for the EnclaveFeatureMask (since this is a bitmask, this means that Enclave Type 1, i.e.: ENCLAVE_TYPE_SGX is supported). Finally, the KF_SGX (0x0000010000000000) is set in the KPRCB FeatureBits field, which is later copied into KeFeatureBits. Creating an Enclave Creating an enclave is much like allocating virtual memory, as you can see from the CreateEnclave prototype below: PVOID WINAPI CreateEnclave ( _In_ HANDLE hProcess, _In_opt_ LPVOID lpAddress, _In_ SIZE_T dwSize, _In_ SIZE_T dwInitialCommittment, _In_ DWORD flEnclaveType,
Page 1 and 2: Intel SGX Enclave Support in Window
Page 3: Introduction One of the most exciti
Page 7 and 8: This probably looks meaningless to
Page 9 and 10: MiInitializeEnclavePfn is used to s
Page 11 and 12: _In_ PVOID Parameter1, _In_ PVOID P
Page 13 and 14: Continuing on, MiAddPagesToEnclave
Page 15 and 16: The user-mode API does nothing but
Page 17 and 18: Enclave Lifetime Management There a
Page 19 and 20: MiDeleteEnclavePages will first cle
Page 21 and 22: MiFindNextEnclaveBoundary). For any
Page 23 and 24: Index Enclave Leaf Functions EAUG .

Intel SGX Enclave Support in Windows 10 Fall Update (Threshold 2)

Create successful ePaper yourself

Delete template?

Save as template?