Latest revision as of 16:12, 25 October 2024

Intel SGX Software Stack

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

The Intel SGX technology enables creation of execution enclaves, whose memory is encrypted and thus protected from all other code running on the machine, including SMM, firmware, kernel and userspace. This proposal is to introduce the SGX host software stack to Fedora, to enable applications and features which have a dependency on SGX technology.

Owner

Name: Daniel Berrange
Email: berrange@redhat.com

Current status

Targeted release: Fedora Linux 42
Last updated: 2024-10-25
[Announced]
[<will be assigned by the Wrangler> Discussion thread]
FESCo issue: <will be assigned by the Wrangler>
Tracker bug: <will be assigned by the Wrangler>
Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The Intel SGX technology enables creation of execution enclaves, whose memory is encrypted and thus protected from all other code running on the machine, including SMM, firmware, kernel and userspace. While it has many potential use cases, this proposal is focused around the infrastructure needed to enable support for attestation of TDX confidential virtual machines.

The SGX software stack compromises a number of components

Support for developing new enclaves
- Header files for the enclave code (a minimalist C library, C++ library, crypto and some other misc libraries)
- Static library archives for the enclave code.
- Build helper tools (for signing enclaves, generating code enclave API entrypoints)
Support for developing applications that use enclaves
- Header files for platform code
- Dynamic libraries for platform code
Support for deploying applications that use enclaves
- Enclave service daemon - assists unprivileged applications in loading enclaves
- Registration tools - assists platform administrator in acquiring certificates to identity the platform
- Quote generation daemon - assists QEMU in acquiring signed attestation reports for TDX VMs.

The code and binaries related to the host OS platform components will be installed in the normal filesystem locations common to all Fedora packages.

For the purposes of packaging, the enclaves will be treated as cross-compilation target. While the build architecture is x86_64, the runtime has custom C / C++ libraries that must be used, and separate code loader.

With this in mind, all enclave related code and binaries are proposed to be installed at /usr/x86_64-intel-sgx, specifically under lib64 and include sub-directories.

The generated binary packages will generally all have an 'sgx-' prefix to their name, with enclave related packages having an more specialized 'sgx-enclave-' name prefix.

Feedback

Benefit to Fedora

As a general purpose infrastructure technology, SGX can be applied to / used by a wide variety of scenarios / applications.

The primary goal in introducing SGX into Fedora, however, is to support the Fedora KVM virtualization stack when it introduces confidential virtual machines running with Intel TDX. The TDX attestation implementation in currently integrated with Intel CPUs is built on the SGX technology. Attestation is the means by which a guest VM owner, can prove that their VM machine is running in confidential mode on genuine Intel hardware, as opposed to being in "blue pill" environment.

Scope

Proposal owners

Add at least the following source packages to Fedora:

CppMicroServices - a C++ runtime library for building microservices daemons
sgx-srpm-macros - define some common macros for where SGX content will live in the filesystem tree
linux-sgx - provide the SGX platform development headers & libraries, runtime libraries, and supporting daemons

Assuming that pre-built, signed SGX architectural enclaves will be shipped, the following additional package is proposed:

linux-sgx-enclavesXXX - one (or more) packages containing architectural enclaves

Not every architectural enclave binary is re-issued on every release. New signed builds are only made available when there is a CVE fix, or a feature enhancement. At time of writing the SGX 2.25 release included new builds for every enclave. A future 2.26 release may only update a subset. Hence at some points in time, Fedora may have more than one linux-sgx-encalvesXXX package present.

If it is required to perform a reproducible build of the above architectural enclave binaries, to prove the binaries match the claimed sources, the following toolchain packages are needed:

sgx-compat-gccXXX - one (or more) specific GCC versions, built with targetted configure arguments, to match the GCC configuration required for enclave reproducible build.
sgx-compat-binutilsXXX - one (or more) specific binutils versions, built with targetted configure arguments, to match the GCC configuration required for enclave reproducible build.
sgx-compat-nasmXXX - one (or more) specific NASM versions, built with targetted configure arguments, to match the GCC configuration required for enclave reproducible build.
sgx-compat-glibc-headersXXX - one (or more) specific GCC versions, built with targetted configure arguments, to match the GCC configuration required for enclave reproducible build.
sgx-compat-kernel-headersXXX - one (or more) specific GCC versions, built with targetted configure arguments, to match the GCC configuration required for enclave reproducible build.

At time of writing, with the SGX 2.25 release, the versions required to perform a fully reproducible build will be

gcc: 8.5.0, 9.5.0
binutils: 2.38, 2.40
nasm: 2.16.01
glibc: 2.38
kernel: 5.17

Note, while Fedora already ships builds fo gcc, binutils, etc, performing reproducible builds requires specific versions, configured with particular choice of build options. Hence the intention to ship parallel packages, which are exclusively intended for use in reproducing enclaves. There will be no support for using these toolchain packages for any other situation in Fedora.

Note: the fact that two versions are needed for binutils and GCC, is an upstream an upstream bug

Note: the enclaves are supposed to be built exclusively against the SGX SDK which provides its own C runtime headers. Thus the fact that it has a requirement for header files from glibc & kernel is also likely another upstream bug.

The full set of proposed source RPMs and their corresponding binary RPM outputs can be see from Copr:

https://copr.fedorainfracloud.org/coprs/berrange/sgx-ng/monitor/

Note, the pre-built, signed architectural enclaves are not always re-created on each SGX release.

Other developers

It is not anticipated that other package maintainers need do anything to support introduction of SGX. The kernel is already built with the SGX feature enabled.

systemd ships with udev rules to enable creation of some of the required device nodes. The SGX package contains addon udev rules for remaining device nodes. The latter may be contributed upstream to systemd in future, and would flow back into Fedora in a normal systemd update.

Release engineering

N/A - does not impact deliverables for releng

Policies and guidelines

A decision is needed around the handling of the pre-built, signed SGX enclaves. There are some relevant parallels in the guidelines for firmware as well as current practice wrt shim and CPU microcode.

Normal Fedora practice requires building everything from source. There is a general exception to this for firmware blobs, which don't need to be built from source and don't need to be under an OSS compliant license as long as the binaries can be freely distributed. Hardware firmware binaries almost always include a digital signature from the vendor, to ensure that only trusted firmware is loaded onto the device. Thus even if source code is available for a given firmware binary, Fedora would still need to be shipping it as a pre-built vendor supplied signed binary.

Another example of shipping pre-built vendor binaries would be CPU microcode. This could be considered firmware for the core CPU, and again are vendor supplied, signed binaries, with no source code available.

A slightly different reference point is in the handling of shim, where Fedora builds a binary from known good source, possibly with local pathes, and sends it off for signing by Microsoft, packaging the binary that is sent back. Microsoft has various requirements before it will permit signing a vendor's shim.

Consider if Fedora built a pristine shim release, with a designated toolchain version, using a reproducible build process. There would be no need to send the binary to Microsoft for signing, as the binary built in Fedora would match a standard pre-published signed binary from that shim release + toolchain. This is the situation SGX architectural enclaves are in. The main difference between the shim & SGX scenarios is that Fedora has the ability to add arbitrary local patches to shim & build with arbitrary toolchain versions of its choosing. This would not be possible when following a vendor specified reproducible build process.

In the shim case, it is often (but not always) possible for users to enroll their own certificates in UEFI to bless shim signatures from vendors other than Microsoft. IOW, a user often has the ability to build & customize shim themselves signing with their own keys. In the case of SGX enclaves, this is possible for 7, out of the 8 architectural enclaves, however the most fundamental enclave (pce) must always have an Intel signature to bootstrap the hardware root of trust.

In summary, the architectural enclaves meet the definition of firmware documented in the Fedora licensing guidelines:

https://docs.fedoraproject.org/en-US/legal/license-approval/#_technical_firmware_requirements

Thus it should be permissible to ship the pre-built, signed binaries with no policy changes.

The shim model also gives impetus to the idea of it being acceptable to ship pre-built binaries, provided a reproducible build process can prove the binaries match the source under Fedora approved licenses.

Ultimately it is suggested to consider a hybrid between the two views. Treat the SGX enclaves as firmware, but none the less require a reproducible build process, to prove the binaries correspond to the claim OSS code.

It is further suggested that this not be limited to SGX enclaves, instead expand the existing firmware exception guidance, to require a reproducible build is performed if the pre-built signed firmware binaries have complete & corresponding soruce available with a supported reproducible build process.

The intent is to prove that the signed vendor firmware actually matches the published code whenever practical. This would apply to all SGX architectural enclaves, but also potentially to other distributed firmware with available source.

Trademark approval

N/A

Alignment with the Fedora Strategy

This aligns with

"Reaching the world". Including SGX will make the Fedora support for hosting Intel TDX confidential virtual machines feature complete, by enabling attestation by the guest owner
"Innovation & leadership in technology". SGX is a general purpose infrastructure technology which enables application developers to build systems to securely run sensitive workloads.

Upgrade/compatibility impact

This is a new package set which should not have any upgrade impact, as it will not initially be a dependency of other software. In future it may be pulled in automatically as a dependency in certain KVM deployment scenarios. Even when installed, using anything related to SGX first requires host firmware changes to enable use of the technology. The systemd services provided have their unit files conditionalized on the existence of /dev/sgx_enclave device nodes.

Early Testing (Optional)

Do you require 'QA Blueprint' support? N

The proposed new packages are available for testing via Copr, until such time as they are reviewed & built in Fedora koji:

https://copr.fedorainfracloud.org/coprs/berrange/sgx-ng/

These should work on any Intel Xeon class platform

How To Test

Document how to validate a single-socket system by obtaining PCK certificates automatically
Document how to configure a multi-socket system to enable its registration with Intel services, and request a PCK certificate

User Experience

Initially minimal user experience impact, since on its own it doesn't deliver noticeable end user features, as it is not believed that any existing applications in Fedora are able to leverage SGX.

The initial user benefit will be that users can bootstrap trust in SGX on their Fedora host. This will facilitate users in deploying 3rd party applications of their choosing that utilize SGX.

At a later time, when support for Intel TDX is integrated into KVM and QEMU, the immediate Fedora user benefit will significantly expand.

Dependencies

The primary functional dependency for use of SGX is kernel support, which has existed in Fedora for some time. See "CONFIG_X86_SGX=y" in the kconfig files.

This change proposal does not rely on work by another other package maintainers, but new packages will require reviewer attention.

Contingency Plan

Contingency mechanism: The new packages have no ill effects on existing Fedora usage. Any outstanding work can be postponed to a later release if required.
Contingency deadline: Beta free
Blocks release? No

Documentation

Documentation will be provided to describe:

Configuring hardware UEFI to enable use of SGX
Obtaining PCK certificates for a host from the Intel trusted services API

A subsequent change proposal will cover usage of SGX with TDX confidential virtual machines.

Release Notes

@@ Line 46: / Line 46: @@
 ** Registration tools - assists platform administrator in acquiring certificates to identity the platform
 ** Quote generation daemon - assists QEMU in acquiring signed attestation reports for TDX VMs.
+The code and binaries related to the host OS platform components will be installed in the normal filesystem locations common to all Fedora packages.
+For the purposes of packaging, the enclaves will be treated as cross-compilation target. While the build architecture is x86_64, the runtime has custom C / C++ libraries that must be used, and separate code loader.
+With this in mind, all enclave related code and binaries are proposed to be installed at '''/usr/x86_64-intel-sgx''', specifically under ''lib64'' and ''include'' sub-directories.
+The generated binary packages will generally all have an 'sgx-' prefix to their name, with enclave related packages having an more specialized 'sgx-enclave-' name prefix.
 == Feedback ==
@@ Line 58: / Line 66: @@
 === Proposal owners===
-Add the following packages to Fedora
+Add at least the following source packages to Fedora:
 * '''CppMicroServices''' - a C++ runtime library for building microservices daemons
 * '''sgx-srpm-macros''' - define some common macros for where SGX content will live in the filesystem tree
+* '''linux-sgx''' - provide the SGX platform development headers & libraries, runtime libraries, and supporting daemons
+Assuming that pre-built, signed SGX architectural enclaves will be shipped, the following additional package is proposed:
+* '''linux-sgx-enclavesXXX''' - one (or more) packages containing architectural enclaves
+Not every architectural enclave binary is re-issued on every release. New signed builds are only made available when there is a CVE fix, or a feature enhancement. At time of writing the SGX 2.25 release included new builds for every enclave. A future 2.26 release may only update a subset. Hence at some points in time, Fedora may have more than one '''linux-sgx-encalvesXXX''' package present.
+If it is required to perform a reproducible build of the above architectural enclave binaries, to prove the binaries match the claimed sources, the following toolchain packages are needed:
 * '''sgx-compat-gccXXX''' - one (or more) '''specific''' GCC versions, built with ''targetted configure arguments'', to match the GCC configuration required for enclave reproducible build.
 * '''sgx-compat-binutilsXXX''' - one (or more) '''specific''' binutils versions, built with ''targetted configure arguments'', to match the GCC configuration required for enclave reproducible build.
@@ Line 67: / Line 85: @@
 * '''sgx-compat-glibc-headersXXX''' - one (or more) '''specific''' GCC versions, built with ''targetted configure arguments'', to match the GCC configuration required for enclave reproducible build.
 * '''sgx-compat-kernel-headersXXX''' - one (or more) '''specific''' GCC versions, built with ''targetted configure arguments'', to match the GCC configuration required for enclave reproducible build.
-* '''linux-sgx-enclavesXXX''' - one (or more) packages for performing a reproducible build of architectural enclaves
-* '''linux-sgx''' - provide the SGX platform development headers & libraries, runtime libraries, and supporting daemons
-The pre-built, signed architectural enclaves are not always re-created on each SGX release. New binaries are only issued if there was a required feature change, or a security fix required. Thus the package for the reproducible enclave builds is separated out from the general SGX package. Furthermore, to perform a reproducible build of the full set of enclaves, requires potentially more than one '''linux-sgx-enclavesXXX''' package. For example SGX 2.23 and 2.24 releases only updated the ''''qve'''' enclave, all other enclaves remained on version 2.22. This in turn creates the requirement for multiple '''GCC'''/'''binutils'''/'''nasm''' versions, at some points.  The current newest 2.25 release has updated all enclaves, so initially only a single ''''linux-sgx-enclaves-2_25'''' is expected to be required.
+At time of writing, with the SGX 2.25 release, the versions required to perform a fully reproducible build will be
+* '''gcc''': 8.5.0, 9.5.0
+* '''binutils''': 2.38, 2.40
+* '''nasm''': 2.16.01
+* '''glibc''': 2.38
+* '''kernel''': 5.17
+Note, while Fedora already ships builds fo gcc, binutils, etc, performing reproducible builds requires specific versions, configured with particular choice of build options. Hence the intention to ship parallel packages, which are '''exclusively''' intended for use in reproducing enclaves. There will be no support for using these toolchain packages for any other situation in Fedora.
+Note: the fact that two versions are needed for binutils and GCC, is an upstream [https://github.com/intel/linux-sgx/issues/1045 an upstream bug]
+Note: the enclaves are supposed to be built exclusively against the SGX SDK which provides its own C runtime headers. Thus the fact that it has a requirement for header files from glibc & kernel is also [https://github.com/intel/linux-sgx/pull/1062 likely another upstream bug].
+The full set of proposed source RPMs and their corresponding binary RPM outputs can be see from Copr:
-NB, [https://github.com/intel/linux-sgx/issues/1045 an upstream bug] has resulted in different parts of the enclave code being built with different GCC/binutils versions. This should be resolved in future releases:
+https://copr.fedorainfracloud.org/coprs/berrange/sgx-ng/monitor/
-NB, The requirement for glibc and kernel header packages is [https://github.com/intel/linux-sgx/pull/1062 likely another upstream bug]. The enclave code should be build exclusively against the SGX runtime, which is a completely custom C library. This is being investigated upstream.
+Note, the pre-built, signed architectural enclaves are not always re-created on each SGX release.
 === Other developers===
-The kernel functionality required for SGX is already present in Fedora kernel packages, so no work by other maintainers is anticipated.
+It is not anticipated that other package maintainers need do anything to support introduction of SGX. The kernel is already built with the SGX feature enabled.
+systemd ships with udev rules to enable creation of some of the required device nodes. The SGX package contains addon udev rules for remaining device nodes. The latter may be contributed upstream to systemd in future, and would flow back into Fedora in a normal systemd update.
 ===Release engineering===
@@ Line 86: / Line 118: @@
 ===Policies and guidelines===
-* '''Architectural enclaves'''.
+A decision is needed around the handling of the pre-built, signed SGX enclaves. There are some relevant parallels in the guidelines for firmware as well as current practice wrt shim and CPU microcode.
-** Prebuilt binaries signed by Intel to be permitted under the existing firmware exception
-** Given the availability of complete corresponding source code & a supported reproducible build process, all pre-built binaries MUST be verified through a reproducible build performed in Fedora, using a fully open source toolchain.
+Normal Fedora practice requires building everything from source. There is a general exception to this for firmware blobs, which don't need to be built from source and don't need to be under an OSS compliant license as long as the binaries can be freely distributed. Hardware firmware binaries almost always include a digital signature from the vendor, to ensure that only trusted firmware is loaded onto the device. Thus even if source code is available for a given firmware binary, Fedora would still need to be shipping it as a pre-built vendor supplied signed binary.
+Another example of shipping pre-built vendor binaries would be CPU microcode. This could be considered firmware for the core CPU, and again are vendor supplied, signed binaries, with no source code available.
+A slightly different reference point is in the handling of ''shim'', where Fedora builds a binary from known good source, possibly with local pathes, and sends it off for signing by Microsoft, packaging the binary that is sent back. Microsoft has various requirements before it will permit signing a vendor's shim.
+Consider if Fedora built a pristine shim release, with a designated toolchain version, using a reproducible build process. There would be no need to send the binary to Microsoft for signing, as the binary built in Fedora would match a standard pre-published signed binary from that shim release + toolchain. This is the situation SGX architectural enclaves are in. The main difference between the shim & SGX scenarios is that Fedora has the ability to add arbitrary local patches to shim & build with arbitrary toolchain versions of its choosing. This would not be possible when following a vendor specified reproducible build process.
+In the shim case, it is often (but not always) possible for users to enroll their own certificates in UEFI to bless shim signatures from vendors other than Microsoft. IOW, a user often has the ability to build & customize shim themselves signing with their own keys. In the case of SGX enclaves, this is possible for 7, out of the 8 architectural enclaves, however the most fundamental enclave (''pce'') must always have an Intel signature to bootstrap the hardware root of trust.
+'''In summary''', the architectural enclaves meet the definition of firmware documented in the Fedora licensing guidelines:
+* https://docs.fedoraproject.org/en-US/legal/license-approval/#_technical_firmware_requirements
+Thus it should be permissible to ship the pre-built, signed binaries with no policy changes.
+The shim model also gives impetus to the idea of it being acceptable to ship pre-built binaries, '''provided''' a reproducible build process can prove the binaries match the source under Fedora approved licenses.
+Ultimately it is suggested to consider a hybrid between the two views. Treat the SGX enclaves as firmware, but none the less require a reproducible build process, to prove the binaries correspond to the claim OSS code.
-* '''Application enclaves'''
+It is further suggested that this not be limited to SGX enclaves, instead expand the existing firmware exception guidance, to require a reproducible build is performed if the pre-built signed firmware binaries have complete & corresponding soruce available with a supported reproducible build process.
-** No shipping of pre-built binaries permitted. Everything must follow normal Fedora policies requiring build from source. Any signature must use Fedora controlled persistent keys, or single use keys.
-The distinction between architectural enclaves (signed by Intel to bootstrap trust) and application enclaves (signed by Fedora, with trust chained from the AEs), is considered conceptually similar to the distinction between shim (signed by Microsoft to bootstrap trust), vs kernel (signed by Fedora, with trust chained from shim).
+The intent is to prove that the signed vendor firmware actually matches the published code whenever practical. This would apply to all SGX architectural enclaves, but also potentially to other distributed firmware with available source.
 ===Trademark approval===
@@ Line 114: / Line 164: @@
 Do you require 'QA Blueprint' support? N
-The proposed new packages are available for testing via Copr:
+The proposed new packages are available for testing via Copr, until such time as they are reviewed & built in Fedora koji:
+* https://copr.fedorainfracloud.org/coprs/berrange/sgx-ng/
-  https://copr.fedorainfracloud.org/coprs/berrange/sgx-ng/
+These should work on any Intel Xeon class platform
 == How To Test ==
@@ Line 130: / Line 182: @@
 At a later time, when support for Intel TDX is integrated into KVM and QEMU, the immediate Fedora user benefit will significantly expand.
-=== Limitations ===
-As noted earlier, due to the need for Intel signatures on 4 pre-built architectural enclaves there is a small constraint on user software freedom, if they choose to make use of SGX technology.
-For the '''ide''', '''qe3''' and '''tdqe''' architectural enclaves, it is possible for users to rebuild the source with arbitrary local modifications, and sign the result with their own local key. The resulting enclaves can be deployed and used at runtime, however, it is not guaranteed that applications will be able to successfully verify quotes produced by such enclaves. It depends on whether applications have been written to expect non-Intel signatures.
-For the '''pce'' architectural enclaves, it is possible for users to rebuild the source with arbitrary local modifications, and sign the result with their key. The resulting enclave can be deployed and used at runtime, however, it will not be possible to obtain a certificate from Intel proving authenticity of the hardware. Thus when verifying quotes, it will not be able to successfully verify the complete chain of trust.
-There are no limitations on customization, rebuilds & re-signing of permitted application enclaves, as any usage with signing constraints is proposed to make such enclaves ineligible for inclusion in Fedora.
 == Dependencies ==
-No existing packages will have a dependency on this change initially. In future, some deployments of QEMU may change to pull in certain SGX packages, to support Intel TDX.
+The primary functional dependency for use of SGX is kernel support, which has existed in Fedora for some time. See "CONFIG_X86_SGX=y" in the kconfig files.
-Kernel support for SGX already exists in Fedora:
-  $ git grep CONFIG_X86_SGX=y
+This change proposal does not rely on work by another other package maintainers, but new packages will require reviewer attention.
-  kernel-x86_64-debug-fedora.config:CONFIG_X86_SGX=y
-  kernel-x86_64-debug-rhel.config:CONFIG_X86_SGX=y
-  kernel-x86_64-fedora.config:CONFIG_X86_SGX=y
-  kernel-x86_64-rhel.config:CONFIG_X86_SGX=y
-  kernel-x86_64-rt-debug-rhel.config:CONFIG_X86_SGX=y
-  kernel-x86_64-rt-rhel.config:CONFIG_X86_SGX=y
 == Contingency Plan ==
-<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
-* Contingency mechanism: (What to do?  Who will do it?) N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
-<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
-* Contingency deadline: N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
-<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
-* Blocks release? N/A (not a System Wide Change), Yes/No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+* Contingency mechanism: The new packages have no ill effects on existing Fedora usage. Any outstanding work can be postponed to a later release if required.
+* Contingency deadline: Beta free
+* Blocks release? No
 == Documentation ==
-<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
-<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+Documentation will be provided to describe:
-N/A (not a System Wide Change)
+* Configuring hardware UEFI to enable use of SGX
+* Obtaining PCK certificates for a host from the Intel trusted services API
+A subsequent change proposal will cover usage of SGX with TDX confidential virtual machines.
 == Release Notes ==

Search

Changes/IntelSGX: Difference between revisions