HyperEnclave / hyperenclave

An Open and Cross-platform Trusted Execution Environment.
Apache License 2.0

Question about enclaves: Why is the SECS created when ECREATE happens in the range of EPC pages? #11

Closed Unik-lif closed 9 months ago

Unik-lif commented 9 months ago

Hello. I have some questions about the memory allocation step in HyperEnclave. Assume the user app triggers an ECREATE request: the hypervisor driver catches this request and handles it using the function he_cmd_encl_create; after some initialization steps, this function issues the hypercall HC_ENCL_CREATE, which is sent to the rust-monitor, and here comes the function enclave_create.

    pub(super) fn enclave_create(
        &self,
        config_ptr: GuestPtr<HvEnclDesc>,
    ) -> HyperCallResult<usize> {
        let now = Instant::now();
        let secs_gpaddr = config_ptr.as_guest_paddr()?;
        let secs = *GuestPtr::gpaddr_to_ref(&secs_gpaddr, false)?;
        info!("enclave_create({:#x?}): {:#x?}", config_ptr, secs);
        let enclave = Enclave::new(secs_gpaddr, config_ptr.guest_vaddr(), secs)?;
        ENCLAVE_MANAGER.add_enclave(enclave.clone())?;
        enclave.atomic_add_stats(EnclaveStatsId::Create, now.elapsed());
        Ok(0)
    }

As mentioned above, the config is the SECS, so how is the SECS translated using the query step in the function as_guest_paddr, and why will this guest physical address fall exactly within the range of the EPC that we reserved beforehand? (According to my understanding, since the SECS is stored in one of the EPC pages, the guest physical address will fall within this range.)

Besides, what confuses me is that in the hypervisor-driver we allocate the he_enclave, including the SECS, using kzalloc, and it seems that the mappings between the guest physical address and the guest virtual address are set up here. If so, how does it make sure the address of the SECS is in the reserved part?

I tried to figure it out, but I failed to do so. Any help will be appreciated, thanks a lot.

Bonjourz commented 9 months ago

Hi @Unik-lif, thanks for your interest in HyperEnclave.

> so how is the SECS translated using the query step in the function as_guest_paddr

The hypervisor translates the virtual address using the page table in the untrusted part, and then gets the target physical address.

> Why will this guest physical address fall exactly within the range of the EPC that we reserved beforehand? ... If so, how does it make sure the address of the SECS is in the reserved part?

The secs_gpaddr is not located in the range of the EPC, but the data pointed to by secs_gpaddr is copied to the memory area held by the secs in the following expression:

    let secs = *GuestPtr::gpaddr_to_ref(&secs_gpaddr, false)?;

The memory area pointed to by the field secs in struct Enclave is located in the hypervisor's memory, which cannot be accessed by untrusted software. But it should be mentioned that there is no EPC page holding the SECS information in HyperEnclave currently, which is different from Intel SGX.
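
The two steps described in this answer, resolving the guest virtual pointer through the untrusted guest page table and then copying the SECS by value into monitor-private memory, as an added illustration in Rust. This is example code written for this thread, not HyperEnclave's own `enclave_create`, `GuestPtr` or `Enclave` implementation; the names `Guest`, `ToyMonitor`, `Secs`, `gva_to_gpa`, `read_secs`, the 16-byte SECS layout, the single-level page table and the `EPC_RANGE` constant are all constructed assumptions, and the range check on the copied fields is a sanity check this example adds, since the thread does not describe what validation HyperEnclave performs. The point it makes concrete is the one above: the config pointer resolves to ordinary guest memory outside the EPC, the monitor's copy is what gets registered, and later writes by the guest to its own copy do not reach the monitor's.

```rust
// Added example, not HyperEnclave code. Toy model of ECREATE handling in a
// monitor: walk the untrusted guest page table, copy the SECS out of guest
// memory by value, validate the copy, and keep it in monitor-owned memory.
use std::collections::HashMap;

const PAGE_SIZE: u64 = 4096;
/// Assumed reserved EPC guest-physical range (constructed for this example;
/// the guest memory below is only 64 KiB, so the EPC is its upper half).
pub const EPC_RANGE: std::ops::Range<u64> = 0x8000..0x10000;

/// Minimal SECS-like descriptor: 16 bytes, two little-endian u64 fields.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Secs {
    pub base: u64, // enclave base in guest-physical space
    pub size: u64, // enclave size in bytes
}

/// Simplified guest: a flat page table (virtual page -> physical page) and a
/// byte-addressable physical memory, both fully under the untrusted guest's control.
pub struct Guest {
    page_table: HashMap<u64, u64>,
    phys_mem: Vec<u8>,
}

impl Guest {
    pub fn new(mem_size: usize) -> Self {
        Guest { page_table: HashMap::new(), phys_mem: vec![0; mem_size] }
    }
    /// Map the page containing `gva` onto the page containing `gpa`.
    pub fn map(&mut self, gva: u64, gpa: u64) {
        self.page_table.insert(gva / PAGE_SIZE, gpa / PAGE_SIZE);
    }
    /// Guest-side write of a SECS into its own (untrusted) physical memory.
    pub fn write_secs(&mut self, gpa: u64, secs: &Secs) {
        let s = gpa as usize;
        self.phys_mem[s..s + 8].copy_from_slice(&secs.base.to_le_bytes());
        self.phys_mem[s + 8..s + 16].copy_from_slice(&secs.size.to_le_bytes());
    }
}

fn read_u64_le(b: &[u8]) -> u64 {
    let mut a = [0u8; 8];
    a.copy_from_slice(&b[..8]);
    u64::from_le_bytes(a)
}

/// Step 1 (analogue of `as_guest_paddr`): translate a guest virtual address
/// with the guest's own page table. The result is wherever the guest put it;
/// nothing forces it into the EPC.
pub fn gva_to_gpa(guest: &Guest, gva: u64) -> Result<u64, String> {
    let ppn = guest.page_table.get(&(gva / PAGE_SIZE)).ok_or("gva not mapped")?;
    Ok(ppn * PAGE_SIZE + gva % PAGE_SIZE)
}

/// Step 2 (analogue of `*gpaddr_to_ref(..)`): copy the SECS bytes out of guest
/// memory into a monitor-owned value. After this the guest cannot change it.
pub fn read_secs(guest: &Guest, gpa: u64) -> Result<Secs, String> {
    let s = gpa as usize;
    let bytes = guest.phys_mem.get(s..s + 16).ok_or("gpa outside guest memory")?;
    Ok(Secs { base: read_u64_le(&bytes[..8]), size: read_u64_le(&bytes[8..16]) })
}

pub fn in_epc(gpa: u64) -> bool {
    EPC_RANGE.contains(&gpa)
}

/// Monitor-private state: the registered SECS copies live here, not in guest memory.
#[derive(Default)]
pub struct ToyMonitor {
    enclaves: Vec<Secs>,
}

impl ToyMonitor {
    /// Returns (enclave id, resolved config gpa) on success.
    pub fn enclave_create(&mut self, guest: &Guest, config_gva: u64) -> Result<(usize, u64), String> {
        let gpa = gva_to_gpa(guest, config_gva)?;
        let secs = read_secs(guest, gpa)?;
        // Sanity check on the monitor's copy (an assumption of this example):
        // the enclave's own memory range must lie inside the reserved EPC.
        let end = secs.base.checked_add(secs.size).ok_or("enclave range overflows")?;
        if secs.size == 0 || !in_epc(secs.base) || end > EPC_RANGE.end {
            return Err("enclave range outside EPC".to_string());
        }
        self.enclaves.push(secs);
        Ok((self.enclaves.len() - 1, gpa))
    }
    pub fn secs(&self, id: usize) -> Option<&Secs> {
        self.enclaves.get(id)
    }
}

fn main() {
    let mut guest = Guest::new(0x10000);
    let secs = Secs { base: 0x8000, size: 0x2000 };
    guest.map(0x7fff_0000_0000, 0x3000); // config page: ordinary guest memory, not EPC
    guest.write_secs(0x3010, &secs);
    let mut mon = ToyMonitor::default();
    let (id, gpa) = mon.enclave_create(&guest, 0x7fff_0000_0010).unwrap();
    println!("config gpa {:#x} in EPC? {}; registered {:?}", gpa, in_epc(gpa), mon.secs(id));
}
```

The decisive property is the copy in `read_secs`: the monitor validates and registers its own `Secs` value, so a guest that rewrites the descriptor after the hypercall only changes its own memory.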

Unik-lif commented 9 months ago

Thank you for your timely reply!

> But it should be mentioned that there is no EPC page holding the SECS information in HyperEnclave currently, which is different from Intel SGX.

This helps me a lot.

So can I simply conclude as follows? Unlike the other EPC pages, the SECS is not maintained in the EPC part we divided beforehand; it is wrapped and maintained in the Rust-Monitor part.