Ubuntu
linux package

[regression] Unable to initialize SGX enclaves with XFRM other than 3

Bug #2034745 reported by Jethro Beekman
24
This bug affects 4 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Unassigned
Focal
Fix Committed
Undecided
Tim Gardner
Jammy
Fix Committed
Medium
Tim Gardner
Lunar
Fix Committed
Undecided
Tim Gardner

Bug Description

SRU Justification

[Impact]

In 5.15.0-1045, only loading enclaves with XFRM set to 3 works, sgx_encl_init returns EINVAL. The only reason this wouldn't work properly is if sgx_drv_init thinks XSAVE isn't enabled. This works fine in 5.15.0-1043.

Likely cause:
1045 adds this patch: https://github.com/torvalds/linux/commit/b81fac906a8f9e682e513ddd95697ec7a20878d4 . This later patch indicates that the former patch introduced some ordering problems. https://github.com/torvalds/linux/commit/2c66ca3949dc701da7f4c9407f2140ae425683a5 . That later patch isn't applied to 1045.

[Test Plan]

User test results pending, but its a fix commit so should likely be applied regardless.

[Regression Potential]

SGX could continue to fail.

See original description
Tim Gardner (timg-tpi)
affects: linux-signed-azure-5.15 (Ubuntu) → linux-azure (Ubuntu)
Revision history for this message
Tim Gardner (timg-tpi) wrote :

Please try the referenced kernel jammy-azure-5.15.0-1049.56~lp2034745.1.tgz with the fix commit. Note that this kernel is not signed for a UEFI secure boot environment.

Tim Gardner (timg-tpi)
affects: linux-azure (Ubuntu) → linux (Ubuntu)
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 2034745

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Tim Gardner (timg-tpi)
description: updated
Tim Gardner (timg-tpi)
description: updated
Changed in linux (Ubuntu Jammy):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu):
status: Incomplete → Fix Released
Revision history for this message
Gaurav Kumar (gaurav-singh-kumar) wrote :

I tested the changes today and was able to successfully run enclave in debug mode. Thanks a lot Tim.

Revision history for this message
Jethro Beekman (jethrogb) wrote :

Thanks Gaurav

Revision history for this message
Tim Gardner (timg-tpi) wrote :

Patch submitted for review https://lists.ubuntu.com/archives/kernel-team/2023-September/142739.html

Revision history for this message
Fabian Grünbichler (f-gruenbichler) wrote :

FWIW, this not only affects the 5.15/jammy kernel series, but also at least 6.2/lunar: https://github.com/openzfs/zfs/issues/15223 , and also affects non-SGX use cases like OpenZFS features that benefit from AVX support (raidz, encryption, ..)

Revision history for this message
Tim Gardner (timg-tpi) wrote :

Reposted the patch for all affected kernels: https://lists.ubuntu.com/archives/kernel-team/2023-September/142913.html

Roxana Nicolescu (roxanan)
Changed in linux (Ubuntu Lunar):
status: New → Fix Committed
Changed in linux (Ubuntu Jammy):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Lunar):
assignee: nobody → Tim Gardner (timg-tpi)
Roxana Nicolescu (roxanan)
Changed in linux (Ubuntu Focal):
status: New → Fix Committed
assignee: nobody → Tim Gardner (timg-tpi)
Revision history for this message
Daniel Arai (danielarai) wrote :

This also affects 5.4.0 from 5.4.0-158 on. Is this version getting a fix? It's not clear to me from the linked thread which kernel versions are getting fixes, given that focal supports both 5.4 and 5.15 kernels.

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.15.0-88.98 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux' to 'verification-done-jammy-linux'. If the problem still exists, change the tag 'verification-needed-jammy-linux' to 'verification-failed-jammy-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-v2 verification-needed-jammy-linux
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.4.0-166.183 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux' to 'verification-done-focal-linux'. If the problem still exists, change the tag 'verification-needed-focal-linux' to 'verification-failed-focal-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-v2 verification-needed-focal-linux
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/6.2.0-36.37 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar-linux' to 'verification-done-lunar-linux'. If the problem still exists, change the tag 'verification-needed-lunar-linux' to 'verification-failed-lunar-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-lunar-linux-v2 verification-needed-lunar-linux
Gaurav Kumar (gaurav-singh-kumar)
tags: added: verification-done-focal-linux
removed: verification-needed-focal-linux
Gaurav Kumar (gaurav-singh-kumar)
tags: added: verification-done-jammy-linux
removed: verification-needed-jammy-linux
Revision history for this message
Gaurav Kumar (gaurav-singh-kumar) wrote :

I verified the issue on kernel linux/5.4.0-166.183, linux/5.15.0-88.98 and linux/6.2.0-36.37 and the issue is fixed. I was able to run enclave in debug mode in all 3 kernels.

tags: added: verification-done-lunar-linux
removed: verification-needed-lunar-linux
Revision history for this message
Daniel Arai (danielarai) wrote :

So it looks like this patch was applied to linux/5.4.0-166.183, linux/5.15.0-88.98, and linux/6.2.0-36.37, but I'm not seeing a request for verification on the jammy-azure-5.15.0-1049 kernel series, and it looks like linux-azure (5.15.0-1049.56) does not include the fix. Can we get the azure kernel fixed as well?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.