@@ -6,6 +6,8 @@
struct sgx_pageinfo;
+int sgx_set_attribute(u64 *allowed_attributes, unsigned int attribute_fd);
+
#if IS_ENABLED(CONFIG_KVM_INTEL)
int sgx_ecreate(struct sgx_pageinfo *pageinfo, void __user *secs, int *trapnr);
int sgx_einit(void __user *sigstruct, void __user *token,
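Review bot: The new prototype sits outside the `#if IS_ENABLED(CONFIG_KVM_INTEL)` block, but its definition lives in the SGX driver (the export lands in main.c), so a KVM build with the SGX driver disabled would, as far as this hunk shows, presumably fail to link at the KVM call site. If that configuration is possible, either guard the declaration with the driver's Kconfig symbol and add a static inline stub that returns an error for the disabled case, or state in a comment that callers must be guarded. The declaration also deserves a kernel-doc comment now that it is a cross-subsystem API used to gate PROVISIONKEY access: describe that `attribute_fd` is a caller-supplied file descriptor that the function validates before granting anything, and that on success it ORs `SGX_ATTR_PROVISIONKEY` into `*allowed_attributes` (the only effect visible in the main.c hunk).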
@@ -2,6 +2,7 @@
// Copyright(c) 2016-19 Intel Corporation.
#include <asm/mman.h>
+#include <asm/sgx.h>
#include <linux/mman.h>
#include <linux/delay.h>
#include <linux/file.h>
@@ -336,6 +336,7 @@ int sgx_set_attribute(u64 *allowed_attributes, unsigned int attribute_fd)
*allowed_attributes |= SGX_ATTR_PROVISIONKEY;
return 0;
}
+EXPORT_SYMBOL_GPL(sgx_set_attribute);
static void sgx_dev_release(struct device *dev)
{
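Review bot: `EXPORT_SYMBOL_GPL(sgx_set_attribute)` turns a driver-internal helper into an API that another subsystem will use to make an access-control decision, yet the definition (which starts outside this hunk) carries no visible kernel-doc stating what the check proves. Add a comment at the definition along the lines of `/* Validate the caller-supplied @attribute_fd and, only on success, OR SGX_ATTR_PROVISIONKEY into @allowed_attributes. */`, worded to match exactly what the body verifies, so the KVM caller's security decision rests on a documented contract rather than on reading the body. The visible tail shows only that success sets `SGX_ATTR_PROVISIONKEY` and returns 0; the validation performed before that point is outside the hunk and should be named in the comment. If the diff rendering dropped a blank line between the export and `sgx_dev_release()`, keep one there.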
@@ -96,6 +96,5 @@ void sgx_update_lepubkeyhash_msrs(u64 *lepubkeyhash, bool enforce);
__init int sgx_dev_init(const char *name, struct device *dev,
struct cdev *cdev, const struct file_operations *fops,
int minor);
-int sgx_set_attribute(u64 *allowed_attributes, unsigned int attribute_fd);
#endif /* _X86_SGX_H */
To prevent userspace from circumventing the access restrictions on the PROVISIONKEY by running an enclave in a VM, KVM will deny access to the PROVISIONKEY unless userspace proves to KVM that it is allowed to access the key. Export sgx_set_attribute() so that it may be used by KVM to verify an SGX attribute file. Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> --- arch/x86/include/asm/sgx.h | 2 ++ arch/x86/kernel/cpu/sgx/driver/ioctl.c | 1 + arch/x86/kernel/cpu/sgx/main.c | 1 + arch/x86/kernel/cpu/sgx/sgx.h | 1 - 4 files changed, 4 insertions(+), 1 deletion(-)