asterinas / hyperenclave

HyperEnclave is an open and cross-platform trusted execution environment.
Apache License 2.0
25 stars 4 forks source link

How does the RustMonitor get the most privileged level? #14

Open Ariel08081214 opened 2 weeks ago

Ariel08081214 commented 2 weeks ago

Hai. The Hyperenclave paper does not explain why the RustMonitor can run in the most privileged level.
Is Memory isolation enforced by MMU or RustMonitor? Waiting for your reply. ^^

Bonjourz commented 1 week ago

@Ariel08081214

The Hyperenclave paper does not explain why the RustMonitor can run in the most privileged level.

As stated in the paper:

After RustMonitor is loaded, the execution continues at the pre-defined entry. RustMonitor sets up its own running context (such as the stack, page table, IDT, etc.) and prepares the virtual CPU (vCPU) configurations for each CPU. Then RustMonitor launches the normal VM and demotes the primary OS to the normal mode.

RustMonitor sets up the normal VM's VMCS/VMCB, then launch the normal VM. So the normal VM runs in guest mode and RustMonitor runs in the most privileged mode.

Is Memory isolation enforced by MMU or RustMonitor?

Memory isolation is enforced by MMU. It is the RustMonitor's responsibility to correctly configure the MMU by setting the page table.

Ariel08081214 commented 1 week ago

@Bonjourz

RustMonitor sets up the normal VM's VMCS/VMCB, then launch the normal VM. So the normal VM runs in guest mode and RustMonitor runs in the most privileged mode.

RustMonitor should run on the main OS,right? So,I can't understand the paper's statment about the privilege levels.

Memory isolation is enforced by MMU. It is the RustMonitor's responsibility to correctly configure the MMU by setting the page table.

So Hyperenclave's memory isolation is logical isolation rather than encrypted isolation, right?

Bonjourz commented 1 week ago

@Ariel08081214

RustMonitor should run on the main OS,right? So,I can't understand the paper's statment about the privilege levels.

Take Intel as an example, RustMonitor runs in VMX Root Ring 0, and Primary OS runs in the VMX Non-Root Ring 0 after RustMonitor is loaded.

So Hyperenclave's memory isolation is logical isolation rather than encrypted isolation, right?

For memory attacks originated from software, HyperEnclave configures the MMU by setting the page tables for Normal VM, Enclave VM and device.

For hardware attacks, as stated in the paper:

To thwart physical memory attacks, such as cold boot and bus snooping attacks

HyperEnclave use memory encryption feature provided by hardware to defend some physical memory attacks.

Ariel08081214 commented 1 week ago

Take Intel as an example, RustMonitor runs in VMX Root Ring 0, and Primary OS runs in the VMX Non-Root Ring 0 after RustMonitor is loaded.

@Bonjourz Does this permission mechanism done by configuration?

Bonjourz commented 1 week ago

Hi, @Ariel08081214 , take Intel as an example, how RustMonitor configures VMCS for Primary OS can be found here:

https://github.com/asterinas/hyperenclave/blob/master/src/arch/x86_64/intel/vcpu.rs#L199-L206,