cpu/sgx/encl.c

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*  Copyright(c) 2016-20 Intel Corporation. */
0003
0004 #include <linux/lockdep.h>
0005 #include <linux/mm.h>
0006 #include <linux/mman.h>
0007 #include <linux/shmem_fs.h>
0008 #include <linux/suspend.h>
0009 #include <linux/sched/mm.h>
0010 #include <asm/sgx.h>
0011 #include "encl.h"
0012 #include "encls.h"
0013 #include "sgx.h"
0014
0015 #define PCMDS_PER_PAGE (PAGE_SIZE / sizeof(struct sgx_pcmd))
0016 /*
0017  * 32 PCMD entries share a PCMD page. PCMD_FIRST_MASK is used to
0018  * determine the page index associated with the first PCMD entry
0019  * within a PCMD page.
0020  */
0021 #define PCMD_FIRST_MASK GENMASK(4, 0)
0022
0023 /**
0024  * reclaimer_writing_to_pcmd() - Query if any enclave page associated with
0025  *                               a PCMD page is in process of being reclaimed.
0026  * @encl:        Enclave to which PCMD page belongs
0027  * @start_addr:  Address of enclave page using first entry within the PCMD page
0028  *
0029  * When an enclave page is reclaimed some Paging Crypto MetaData (PCMD) is
0030  * stored. The PCMD data of a reclaimed enclave page contains enough
0031  * information for the processor to verify the page at the time
0032  * it is loaded back into the Enclave Page Cache (EPC).
0033  *
0034  * The backing storage to which enclave pages are reclaimed is laid out as
0035  * follows:
0036  * Encrypted enclave pages:SECS page:PCMD pages
0037  *
0038  * Each PCMD page contains the PCMD metadata of
0039  * PAGE_SIZE/sizeof(struct sgx_pcmd) enclave pages.
0040  *
0041  * A PCMD page can only be truncated if it is (a) empty, and (b) not in the
0042  * process of getting data (and thus soon being non-empty). (b) is tested with
0043  * a check if an enclave page sharing the PCMD page is in the process of being
0044  * reclaimed.
0045  *
0046  * The reclaimer sets the SGX_ENCL_PAGE_BEING_RECLAIMED flag when it
0047  * intends to reclaim that enclave page - it means that the PCMD page
0048  * associated with that enclave page is about to get some data and thus
0049  * even if the PCMD page is empty, it should not be truncated.
0050  *
0051  * Context: Enclave mutex (&sgx_encl->lock) must be held.
0052  * Return: 1 if the reclaimer is about to write to the PCMD page
0053  *         0 if the reclaimer has no intention to write to the PCMD page
0054  */
0055 static int reclaimer_writing_to_pcmd(struct sgx_encl *encl,
0056                      unsigned long start_addr)
0057 {
0058     int reclaimed = 0;
0059     int i;
0060
0061     /*
0062      * PCMD_FIRST_MASK is based on number of PCMD entries within
0063      * PCMD page being 32.
0064      */
0065     BUILD_BUG_ON(PCMDS_PER_PAGE != 32);
0066
0067     for (i = 0; i < PCMDS_PER_PAGE; i++) {
0068         struct sgx_encl_page *entry;
0069         unsigned long addr;
0070
0071         addr = start_addr + i * PAGE_SIZE;
0072
0073         /*
0074          * Stop when reaching the SECS page - it does not
0075          * have a page_array entry and its reclaim is
0076          * started and completed with enclave mutex held so
0077          * it does not use the SGX_ENCL_PAGE_BEING_RECLAIMED
0078          * flag.
0079          */
0080         if (addr == encl->base + encl->size)
0081             break;
0082
0083         entry = xa_load(&encl->page_array, PFN_DOWN(addr));
0084         if (!entry)
0085             continue;
0086
0087         /*
0088          * VA page slot ID uses same bit as the flag so it is important
0089          * to ensure that the page is not already in backing store.
0090          */
0091         if (entry->epc_page &&
0092             (entry->desc & SGX_ENCL_PAGE_BEING_RECLAIMED)) {
0093             reclaimed = 1;
0094             break;
0095         }
0096     }
0097
0098     return reclaimed;
0099 }
0100
0101 /*
0102  * Calculate byte offset of a PCMD struct associated with an enclave page. PCMD's
0103  * follow right after the EPC data in the backing storage. In addition to the
0104  * visible enclave pages, there's one extra page slot for SECS, before PCMD
0105  * structs.
0106  */
0107 static inline pgoff_t sgx_encl_get_backing_page_pcmd_offset(struct sgx_encl *encl,
0108                                 unsigned long page_index)
0109 {
0110     pgoff_t epc_end_off = encl->size + sizeof(struct sgx_secs);
0111
0112     return epc_end_off + page_index * sizeof(struct sgx_pcmd);
0113 }
0114
0115 /*
0116  * Free a page from the backing storage in the given page index.
0117  */
0118 static inline void sgx_encl_truncate_backing_page(struct sgx_encl *encl, unsigned long page_index)
0119 {
0120     struct inode *inode = file_inode(encl->backing);
0121
0122     shmem_truncate_range(inode, PFN_PHYS(page_index), PFN_PHYS(page_index) + PAGE_SIZE - 1);
0123 }
0124
0125 /*
0126  * ELDU: Load an EPC page as unblocked. For more info, see "OS Management of EPC
0127  * Pages" in the SDM.
0128  */
0129 static int __sgx_encl_eldu(struct sgx_encl_page *encl_page,
0130                struct sgx_epc_page *epc_page,
0131                struct sgx_epc_page *secs_page)
0132 {
0133     unsigned long va_offset = encl_page->desc & SGX_ENCL_PAGE_VA_OFFSET_MASK;
0134     struct sgx_encl *encl = encl_page->encl;
0135     pgoff_t page_index, page_pcmd_off;
0136     unsigned long pcmd_first_page;
0137     struct sgx_pageinfo pginfo;
0138     struct sgx_backing b;
0139     bool pcmd_page_empty;
0140     u8 *pcmd_page;
0141     int ret;
0142
0143     if (secs_page)
0144         page_index = PFN_DOWN(encl_page->desc - encl_page->encl->base);
0145     else
0146         page_index = PFN_DOWN(encl->size);
0147
0148     /*
0149      * Address of enclave page using the first entry within the PCMD page.
0150      */
0151     pcmd_first_page = PFN_PHYS(page_index & ~PCMD_FIRST_MASK) + encl->base;
0152
0153     page_pcmd_off = sgx_encl_get_backing_page_pcmd_offset(encl, page_index);
0154
0155     ret = sgx_encl_lookup_backing(encl, page_index, &b);
0156     if (ret)
0157         return ret;
0158
0159     pginfo.addr = encl_page->desc & PAGE_MASK;
0160     pginfo.contents = (unsigned long)kmap_atomic(b.contents);
0161     pcmd_page = kmap_atomic(b.pcmd);
0162     pginfo.metadata = (unsigned long)pcmd_page + b.pcmd_offset;
0163
0164     if (secs_page)
0165         pginfo.secs = (u64)sgx_get_epc_virt_addr(secs_page);
0166     else
0167         pginfo.secs = 0;
0168
0169     ret = __eldu(&pginfo, sgx_get_epc_virt_addr(epc_page),
0170              sgx_get_epc_virt_addr(encl_page->va_page->epc_page) + va_offset);
0171     if (ret) {
0172         if (encls_failed(ret))
0173             ENCLS_WARN(ret, "ELDU");
0174
0175         ret = -EFAULT;
0176     }
0177
0178     memset(pcmd_page + b.pcmd_offset, 0, sizeof(struct sgx_pcmd));
0179     set_page_dirty(b.pcmd);
0180
0181     /*
0182      * The area for the PCMD in the page was zeroed above.  Check if the
0183      * whole page is now empty meaning that all PCMD's have been zeroed:
0184      */
0185     pcmd_page_empty = !memchr_inv(pcmd_page, 0, PAGE_SIZE);
0186
0187     kunmap_atomic(pcmd_page);
0188     kunmap_atomic((void *)(unsigned long)pginfo.contents);
0189
0190     get_page(b.pcmd);
0191     sgx_encl_put_backing(&b);
0192
0193     sgx_encl_truncate_backing_page(encl, page_index);
0194
0195     if (pcmd_page_empty && !reclaimer_writing_to_pcmd(encl, pcmd_first_page)) {
0196         sgx_encl_truncate_backing_page(encl, PFN_DOWN(page_pcmd_off));
0197         pcmd_page = kmap_atomic(b.pcmd);
0198         if (memchr_inv(pcmd_page, 0, PAGE_SIZE))
0199             pr_warn("PCMD page not empty after truncate.\n");
0200         kunmap_atomic(pcmd_page);
0201     }
0202
0203     put_page(b.pcmd);
0204
0205     return ret;
0206 }
0207
0208 static struct sgx_epc_page *sgx_encl_eldu(struct sgx_encl_page *encl_page,
0209                       struct sgx_epc_page *secs_page)
0210 {
0211
0212     unsigned long va_offset = encl_page->desc & SGX_ENCL_PAGE_VA_OFFSET_MASK;
0213     struct sgx_encl *encl = encl_page->encl;
0214     struct sgx_epc_page *epc_page;
0215     int ret;
0216
0217     epc_page = sgx_alloc_epc_page(encl_page, false);
0218     if (IS_ERR(epc_page))
0219         return epc_page;
0220
0221     ret = __sgx_encl_eldu(encl_page, epc_page, secs_page);
0222     if (ret) {
0223         sgx_encl_free_epc_page(epc_page);
0224         return ERR_PTR(ret);
0225     }
0226
0227     sgx_free_va_slot(encl_page->va_page, va_offset);
0228     list_move(&encl_page->va_page->list, &encl->va_pages);
0229     encl_page->desc &= ~SGX_ENCL_PAGE_VA_OFFSET_MASK;
0230     encl_page->epc_page = epc_page;
0231
0232     return epc_page;
0233 }
0234
0235 static struct sgx_encl_page *__sgx_encl_load_page(struct sgx_encl *encl,
0236                           struct sgx_encl_page *entry)
0237 {
0238     struct sgx_epc_page *epc_page;
0239
0240     /* Entry successfully located. */
0241     if (entry->epc_page) {
0242         if (entry->desc & SGX_ENCL_PAGE_BEING_RECLAIMED)
0243             return ERR_PTR(-EBUSY);
0244
0245         return entry;
0246     }
0247
0248     if (!(encl->secs.epc_page)) {
0249         epc_page = sgx_encl_eldu(&encl->secs, NULL);
0250         if (IS_ERR(epc_page))
0251             return ERR_CAST(epc_page);
0252     }
0253
0254     epc_page = sgx_encl_eldu(entry, encl->secs.epc_page);
0255     if (IS_ERR(epc_page))
0256         return ERR_CAST(epc_page);
0257
0258     encl->secs_child_cnt++;
0259     sgx_mark_page_reclaimable(entry->epc_page);
0260
0261     return entry;
0262 }
0263
0264 static struct sgx_encl_page *sgx_encl_load_page_in_vma(struct sgx_encl *encl,
0265                                unsigned long addr,
0266                                unsigned long vm_flags)
0267 {
0268     unsigned long vm_prot_bits = vm_flags & (VM_READ | VM_WRITE | VM_EXEC);
0269     struct sgx_encl_page *entry;
0270
0271     entry = xa_load(&encl->page_array, PFN_DOWN(addr));
0272     if (!entry)
0273         return ERR_PTR(-EFAULT);
0274
0275     /*
0276      * Verify that the page has equal or higher build time
0277      * permissions than the VMA permissions (i.e. the subset of {VM_READ,
0278      * VM_WRITE, VM_EXECUTE} in vma->vm_flags).
0279      */
0280     if ((entry->vm_max_prot_bits & vm_prot_bits) != vm_prot_bits)
0281         return ERR_PTR(-EFAULT);
0282
0283     return __sgx_encl_load_page(encl, entry);
0284 }
0285
0286 struct sgx_encl_page *sgx_encl_load_page(struct sgx_encl *encl,
0287                      unsigned long addr)
0288 {
0289     struct sgx_encl_page *entry;
0290
0291     entry = xa_load(&encl->page_array, PFN_DOWN(addr));
0292     if (!entry)
0293         return ERR_PTR(-EFAULT);
0294
0295     return __sgx_encl_load_page(encl, entry);
0296 }
0297
0298 /**
0299  * sgx_encl_eaug_page() - Dynamically add page to initialized enclave
0300  * @vma:    VMA obtained from fault info from where page is accessed
0301  * @encl:   enclave accessing the page
0302  * @addr:   address that triggered the page fault
0303  *
0304  * When an initialized enclave accesses a page with no backing EPC page
0305  * on a SGX2 system then the EPC can be added dynamically via the SGX2
0306  * ENCLS[EAUG] instruction.
0307  *
0308  * Returns: Appropriate vm_fault_t: VM_FAULT_NOPAGE when PTE was installed
0309  * successfully, VM_FAULT_SIGBUS or VM_FAULT_OOM as error otherwise.
0310  */
0311 static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma,
0312                      struct sgx_encl *encl, unsigned long addr)
0313 {
0314     vm_fault_t vmret = VM_FAULT_SIGBUS;
0315     struct sgx_pageinfo pginfo = {0};
0316     struct sgx_encl_page *encl_page;
0317     struct sgx_epc_page *epc_page;
0318     struct sgx_va_page *va_page;
0319     unsigned long phys_addr;
0320     u64 secinfo_flags;
0321     int ret;
0322
0323     if (!test_bit(SGX_ENCL_INITIALIZED, &encl->flags))
0324         return VM_FAULT_SIGBUS;
0325
0326     /*
0327      * Ignore internal permission checking for dynamically added pages.
0328      * They matter only for data added during the pre-initialization
0329      * phase. The enclave decides the permissions by the means of
0330      * EACCEPT, EACCEPTCOPY and EMODPE.
0331      */
0332     secinfo_flags = SGX_SECINFO_R | SGX_SECINFO_W | SGX_SECINFO_X;
0333     encl_page = sgx_encl_page_alloc(encl, addr - encl->base, secinfo_flags);
0334     if (IS_ERR(encl_page))
0335         return VM_FAULT_OOM;
0336
0337     mutex_lock(&encl->lock);
0338
0339     epc_page = sgx_alloc_epc_page(encl_page, false);
0340     if (IS_ERR(epc_page)) {
0341         if (PTR_ERR(epc_page) == -EBUSY)
0342             vmret =  VM_FAULT_NOPAGE;
0343         goto err_out_unlock;
0344     }
0345
0346     va_page = sgx_encl_grow(encl, false);
0347     if (IS_ERR(va_page)) {
0348         if (PTR_ERR(va_page) == -EBUSY)
0349             vmret = VM_FAULT_NOPAGE;
0350         goto err_out_epc;
0351     }
0352
0353     if (va_page)
0354         list_add(&va_page->list, &encl->va_pages);
0355
0356     ret = xa_insert(&encl->page_array, PFN_DOWN(encl_page->desc),
0357             encl_page, GFP_KERNEL);
0358     /*
0359      * If ret == -EBUSY then page was created in another flow while
0360      * running without encl->lock
0361      */
0362     if (ret)
0363         goto err_out_shrink;
0364
0365     pginfo.secs = (unsigned long)sgx_get_epc_virt_addr(encl->secs.epc_page);
0366     pginfo.addr = encl_page->desc & PAGE_MASK;
0367     pginfo.metadata = 0;
0368
0369     ret = __eaug(&pginfo, sgx_get_epc_virt_addr(epc_page));
0370     if (ret)
0371         goto err_out;
0372
0373     encl_page->encl = encl;
0374     encl_page->epc_page = epc_page;
0375     encl_page->type = SGX_PAGE_TYPE_REG;
0376     encl->secs_child_cnt++;
0377
0378     sgx_mark_page_reclaimable(encl_page->epc_page);
0379
0380     phys_addr = sgx_get_epc_phys_addr(epc_page);
0381     /*
0382      * Do not undo everything when creating PTE entry fails - next #PF
0383      * would find page ready for a PTE.
0384      */
0385     vmret = vmf_insert_pfn(vma, addr, PFN_DOWN(phys_addr));
0386     if (vmret != VM_FAULT_NOPAGE) {
0387         mutex_unlock(&encl->lock);
0388         return VM_FAULT_SIGBUS;
0389     }
0390     mutex_unlock(&encl->lock);
0391     return VM_FAULT_NOPAGE;
0392
0393 err_out:
0394     xa_erase(&encl->page_array, PFN_DOWN(encl_page->desc));
0395
0396 err_out_shrink:
0397     sgx_encl_shrink(encl, va_page);
0398 err_out_epc:
0399     sgx_encl_free_epc_page(epc_page);
0400 err_out_unlock:
0401     mutex_unlock(&encl->lock);
0402     kfree(encl_page);
0403
0404     return vmret;
0405 }
0406
0407 static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)
0408 {
0409     unsigned long addr = (unsigned long)vmf->address;
0410     struct vm_area_struct *vma = vmf->vma;
0411     struct sgx_encl_page *entry;
0412     unsigned long phys_addr;
0413     struct sgx_encl *encl;
0414     vm_fault_t ret;
0415
0416     encl = vma->vm_private_data;
0417
0418     /*
0419      * It's very unlikely but possible that allocating memory for the
0420      * mm_list entry of a forked process failed in sgx_vma_open(). When
0421      * this happens, vm_private_data is set to NULL.
0422      */
0423     if (unlikely(!encl))
0424         return VM_FAULT_SIGBUS;
0425
0426     /*
0427      * The page_array keeps track of all enclave pages, whether they
0428      * are swapped out or not. If there is no entry for this page and
0429      * the system supports SGX2 then it is possible to dynamically add
0430      * a new enclave page. This is only possible for an initialized
0431      * enclave that will be checked for right away.
0432      */
0433     if (cpu_feature_enabled(X86_FEATURE_SGX2) &&
0434         (!xa_load(&encl->page_array, PFN_DOWN(addr))))
0435         return sgx_encl_eaug_page(vma, encl, addr);
0436
0437     mutex_lock(&encl->lock);
0438
0439     entry = sgx_encl_load_page_in_vma(encl, addr, vma->vm_flags);
0440     if (IS_ERR(entry)) {
0441         mutex_unlock(&encl->lock);
0442
0443         if (PTR_ERR(entry) == -EBUSY)
0444             return VM_FAULT_NOPAGE;
0445
0446         return VM_FAULT_SIGBUS;
0447     }
0448
0449     phys_addr = sgx_get_epc_phys_addr(entry->epc_page);
0450
0451     ret = vmf_insert_pfn(vma, addr, PFN_DOWN(phys_addr));
0452     if (ret != VM_FAULT_NOPAGE) {
0453         mutex_unlock(&encl->lock);
0454
0455         return VM_FAULT_SIGBUS;
0456     }
0457
0458     sgx_encl_test_and_clear_young(vma->vm_mm, entry);
0459     mutex_unlock(&encl->lock);
0460
0461     return VM_FAULT_NOPAGE;
0462 }
0463
0464 static void sgx_vma_open(struct vm_area_struct *vma)
0465 {
0466     struct sgx_encl *encl = vma->vm_private_data;
0467
0468     /*
0469      * It's possible but unlikely that vm_private_data is NULL. This can
0470      * happen in a grandchild of a process, when sgx_encl_mm_add() had
0471      * failed to allocate memory in this callback.
0472      */
0473     if (unlikely(!encl))
0474         return;
0475
0476     if (sgx_encl_mm_add(encl, vma->vm_mm))
0477         vma->vm_private_data = NULL;
0478 }
0479
0480
0481 /**
0482  * sgx_encl_may_map() - Check if a requested VMA mapping is allowed
0483  * @encl:       an enclave pointer
0484  * @start:      lower bound of the address range, inclusive
0485  * @end:        upper bound of the address range, exclusive
0486  * @vm_flags:       VMA flags
0487  *
0488  * Iterate through the enclave pages contained within [@start, @end) to verify
0489  * that the permissions requested by a subset of {VM_READ, VM_WRITE, VM_EXEC}
0490  * do not contain any permissions that are not contained in the build time
0491  * permissions of any of the enclave pages within the given address range.
0492  *
0493  * An enclave creator must declare the strongest permissions that will be
0494  * needed for each enclave page. This ensures that mappings have the identical
0495  * or weaker permissions than the earlier declared permissions.
0496  *
0497  * Return: 0 on success, -EACCES otherwise
0498  */
0499 int sgx_encl_may_map(struct sgx_encl *encl, unsigned long start,
0500              unsigned long end, unsigned long vm_flags)
0501 {
0502     unsigned long vm_prot_bits = vm_flags & (VM_READ | VM_WRITE | VM_EXEC);
0503     struct sgx_encl_page *page;
0504     unsigned long count = 0;
0505     int ret = 0;
0506
0507     XA_STATE(xas, &encl->page_array, PFN_DOWN(start));
0508
0509     /* Disallow mapping outside enclave's address range. */
0510     if (test_bit(SGX_ENCL_INITIALIZED, &encl->flags) &&
0511         (start < encl->base || end > encl->base + encl->size))
0512         return -EACCES;
0513
0514     /*
0515      * Disallow READ_IMPLIES_EXEC tasks as their VMA permissions might
0516      * conflict with the enclave page permissions.
0517      */
0518     if (current->personality & READ_IMPLIES_EXEC)
0519         return -EACCES;
0520
0521     mutex_lock(&encl->lock);
0522     xas_lock(&xas);
0523     xas_for_each(&xas, page, PFN_DOWN(end - 1)) {
0524         if (~page->vm_max_prot_bits & vm_prot_bits) {
0525             ret = -EACCES;
0526             break;
0527         }
0528
0529         /* Reschedule on every XA_CHECK_SCHED iteration. */
0530         if (!(++count % XA_CHECK_SCHED)) {
0531             xas_pause(&xas);
0532             xas_unlock(&xas);
0533             mutex_unlock(&encl->lock);
0534
0535             cond_resched();
0536
0537             mutex_lock(&encl->lock);
0538             xas_lock(&xas);
0539         }
0540     }
0541     xas_unlock(&xas);
0542     mutex_unlock(&encl->lock);
0543
0544     return ret;
0545 }
0546
0547 static int sgx_vma_mprotect(struct vm_area_struct *vma, unsigned long start,
0548                 unsigned long end, unsigned long newflags)
0549 {
0550     return sgx_encl_may_map(vma->vm_private_data, start, end, newflags);
0551 }
0552
0553 static int sgx_encl_debug_read(struct sgx_encl *encl, struct sgx_encl_page *page,
0554                    unsigned long addr, void *data)
0555 {
0556     unsigned long offset = addr & ~PAGE_MASK;
0557     int ret;
0558
0559
0560     ret = __edbgrd(sgx_get_epc_virt_addr(page->epc_page) + offset, data);
0561     if (ret)
0562         return -EIO;
0563
0564     return 0;
0565 }
0566
0567 static int sgx_encl_debug_write(struct sgx_encl *encl, struct sgx_encl_page *page,
0568                 unsigned long addr, void *data)
0569 {
0570     unsigned long offset = addr & ~PAGE_MASK;
0571     int ret;
0572
0573     ret = __edbgwr(sgx_get_epc_virt_addr(page->epc_page) + offset, data);
0574     if (ret)
0575         return -EIO;
0576
0577     return 0;
0578 }
0579
0580 /*
0581  * Load an enclave page to EPC if required, and take encl->lock.
0582  */
0583 static struct sgx_encl_page *sgx_encl_reserve_page(struct sgx_encl *encl,
0584                            unsigned long addr,
0585                            unsigned long vm_flags)
0586 {
0587     struct sgx_encl_page *entry;
0588
0589     for ( ; ; ) {
0590         mutex_lock(&encl->lock);
0591
0592         entry = sgx_encl_load_page_in_vma(encl, addr, vm_flags);
0593         if (PTR_ERR(entry) != -EBUSY)
0594             break;
0595
0596         mutex_unlock(&encl->lock);
0597     }
0598
0599     if (IS_ERR(entry))
0600         mutex_unlock(&encl->lock);
0601
0602     return entry;
0603 }
0604
0605 static int sgx_vma_access(struct vm_area_struct *vma, unsigned long addr,
0606               void *buf, int len, int write)
0607 {
0608     struct sgx_encl *encl = vma->vm_private_data;
0609     struct sgx_encl_page *entry = NULL;
0610     char data[sizeof(unsigned long)];
0611     unsigned long align;
0612     int offset;
0613     int cnt;
0614     int ret = 0;
0615     int i;
0616
0617     /*
0618      * If process was forked, VMA is still there but vm_private_data is set
0619      * to NULL.
0620      */
0621     if (!encl)
0622         return -EFAULT;
0623
0624     if (!test_bit(SGX_ENCL_DEBUG, &encl->flags))
0625         return -EFAULT;
0626
0627     for (i = 0; i < len; i += cnt) {
0628         entry = sgx_encl_reserve_page(encl, (addr + i) & PAGE_MASK,
0629                           vma->vm_flags);
0630         if (IS_ERR(entry)) {
0631             ret = PTR_ERR(entry);
0632             break;
0633         }
0634
0635         align = ALIGN_DOWN(addr + i, sizeof(unsigned long));
0636         offset = (addr + i) & (sizeof(unsigned long) - 1);
0637         cnt = sizeof(unsigned long) - offset;
0638         cnt = min(cnt, len - i);
0639
0640         ret = sgx_encl_debug_read(encl, entry, align, data);
0641         if (ret)
0642             goto out;
0643
0644         if (write) {
0645             memcpy(data + offset, buf + i, cnt);
0646             ret = sgx_encl_debug_write(encl, entry, align, data);
0647             if (ret)
0648                 goto out;
0649         } else {
0650             memcpy(buf + i, data + offset, cnt);
0651         }
0652
0653 out:
0654         mutex_unlock(&encl->lock);
0655
0656         if (ret)
0657             break;
0658     }
0659
0660     return ret < 0 ? ret : i;
0661 }
0662
0663 const struct vm_operations_struct sgx_vm_ops = {
0664     .fault = sgx_vma_fault,
0665     .mprotect = sgx_vma_mprotect,
0666     .open = sgx_vma_open,
0667     .access = sgx_vma_access,
0668 };
0669
0670 /**
0671  * sgx_encl_release - Destroy an enclave instance
0672  * @ref:    address of a kref inside &sgx_encl
0673  *
0674  * Used together with kref_put(). Frees all the resources associated with the
0675  * enclave and the instance itself.
0676  */
0677 void sgx_encl_release(struct kref *ref)
0678 {
0679     struct sgx_encl *encl = container_of(ref, struct sgx_encl, refcount);
0680     struct sgx_va_page *va_page;
0681     struct sgx_encl_page *entry;
0682     unsigned long index;
0683
0684     xa_for_each(&encl->page_array, index, entry) {
0685         if (entry->epc_page) {
0686             /*
0687              * The page and its radix tree entry cannot be freed
0688              * if the page is being held by the reclaimer.
0689              */
0690             if (sgx_unmark_page_reclaimable(entry->epc_page))
0691                 continue;
0692
0693             sgx_encl_free_epc_page(entry->epc_page);
0694             encl->secs_child_cnt--;
0695             entry->epc_page = NULL;
0696         }
0697
0698         kfree(entry);
0699         /* Invoke scheduler to prevent soft lockups. */
0700         cond_resched();
0701     }
0702
0703     xa_destroy(&encl->page_array);
0704
0705     if (!encl->secs_child_cnt && encl->secs.epc_page) {
0706         sgx_encl_free_epc_page(encl->secs.epc_page);
0707         encl->secs.epc_page = NULL;
0708     }
0709
0710     while (!list_empty(&encl->va_pages)) {
0711         va_page = list_first_entry(&encl->va_pages, struct sgx_va_page,
0712                        list);
0713         list_del(&va_page->list);
0714         sgx_encl_free_epc_page(va_page->epc_page);
0715         kfree(va_page);
0716     }
0717
0718     if (encl->backing)
0719         fput(encl->backing);
0720
0721     cleanup_srcu_struct(&encl->srcu);
0722
0723     WARN_ON_ONCE(!list_empty(&encl->mm_list));
0724
0725     /* Detect EPC page leak's. */
0726     WARN_ON_ONCE(encl->secs_child_cnt);
0727     WARN_ON_ONCE(encl->secs.epc_page);
0728
0729     kfree(encl);
0730 }
0731
0732 /*
0733  * 'mm' is exiting and no longer needs mmu notifications.
0734  */
0735 static void sgx_mmu_notifier_release(struct mmu_notifier *mn,
0736                      struct mm_struct *mm)
0737 {
0738     struct sgx_encl_mm *encl_mm = container_of(mn, struct sgx_encl_mm, mmu_notifier);
0739     struct sgx_encl_mm *tmp = NULL;
0740
0741     /*
0742      * The enclave itself can remove encl_mm.  Note, objects can't be moved
0743      * off an RCU protected list, but deletion is ok.
0744      */
0745     spin_lock(&encl_mm->encl->mm_lock);
0746     list_for_each_entry(tmp, &encl_mm->encl->mm_list, list) {
0747         if (tmp == encl_mm) {
0748             list_del_rcu(&encl_mm->list);
0749             break;
0750         }
0751     }
0752     spin_unlock(&encl_mm->encl->mm_lock);
0753
0754     if (tmp == encl_mm) {
0755         synchronize_srcu(&encl_mm->encl->srcu);
0756         mmu_notifier_put(mn);
0757     }
0758 }
0759
0760 static void sgx_mmu_notifier_free(struct mmu_notifier *mn)
0761 {
0762     struct sgx_encl_mm *encl_mm = container_of(mn, struct sgx_encl_mm, mmu_notifier);
0763
0764     /* 'encl_mm' is going away, put encl_mm->encl reference: */
0765     kref_put(&encl_mm->encl->refcount, sgx_encl_release);
0766
0767     kfree(encl_mm);
0768 }
0769
0770 static const struct mmu_notifier_ops sgx_mmu_notifier_ops = {
0771     .release        = sgx_mmu_notifier_release,
0772     .free_notifier      = sgx_mmu_notifier_free,
0773 };
0774
0775 static struct sgx_encl_mm *sgx_encl_find_mm(struct sgx_encl *encl,
0776                         struct mm_struct *mm)
0777 {
0778     struct sgx_encl_mm *encl_mm = NULL;
0779     struct sgx_encl_mm *tmp;
0780     int idx;
0781
0782     idx = srcu_read_lock(&encl->srcu);
0783
0784     list_for_each_entry_rcu(tmp, &encl->mm_list, list) {
0785         if (tmp->mm == mm) {
0786             encl_mm = tmp;
0787             break;
0788         }
0789     }
0790
0791     srcu_read_unlock(&encl->srcu, idx);
0792
0793     return encl_mm;
0794 }
0795
0796 int sgx_encl_mm_add(struct sgx_encl *encl, struct mm_struct *mm)
0797 {
0798     struct sgx_encl_mm *encl_mm;
0799     int ret;
0800
0801     /*
0802      * Even though a single enclave may be mapped into an mm more than once,
0803      * each 'mm' only appears once on encl->mm_list. This is guaranteed by
0804      * holding the mm's mmap lock for write before an mm can be added or
0805      * remove to an encl->mm_list.
0806      */
0807     mmap_assert_write_locked(mm);
0808
0809     /*
0810      * It's possible that an entry already exists in the mm_list, because it
0811      * is removed only on VFS release or process exit.
0812      */
0813     if (sgx_encl_find_mm(encl, mm))
0814         return 0;
0815
0816     encl_mm = kzalloc(sizeof(*encl_mm), GFP_KERNEL);
0817     if (!encl_mm)
0818         return -ENOMEM;
0819
0820     /* Grab a refcount for the encl_mm->encl reference: */
0821     kref_get(&encl->refcount);
0822     encl_mm->encl = encl;
0823     encl_mm->mm = mm;
0824     encl_mm->mmu_notifier.ops = &sgx_mmu_notifier_ops;
0825
0826     ret = __mmu_notifier_register(&encl_mm->mmu_notifier, mm);
0827     if (ret) {
0828         kfree(encl_mm);
0829         return ret;
0830     }
0831
0832     spin_lock(&encl->mm_lock);
0833     list_add_rcu(&encl_mm->list, &encl->mm_list);
0834     /* Pairs with smp_rmb() in sgx_zap_enclave_ptes(). */
0835     smp_wmb();
0836     encl->mm_list_version++;
0837     spin_unlock(&encl->mm_lock);
0838
0839     return 0;
0840 }
0841
0842 /**
0843  * sgx_encl_cpumask() - Query which CPUs might be accessing the enclave
0844  * @encl: the enclave
0845  *
0846  * Some SGX functions require that no cached linear-to-physical address
0847  * mappings are present before they can succeed. For example, ENCLS[EWB]
0848  * copies a page from the enclave page cache to regular main memory but
0849  * it fails if it cannot ensure that there are no cached
0850  * linear-to-physical address mappings referring to the page.
0851  *
0852  * SGX hardware flushes all cached linear-to-physical mappings on a CPU
0853  * when an enclave is exited via ENCLU[EEXIT] or an Asynchronous Enclave
0854  * Exit (AEX). Exiting an enclave will thus ensure cached linear-to-physical
0855  * address mappings are cleared but coordination with the tracking done within
0856  * the SGX hardware is needed to support the SGX functions that depend on this
0857  * cache clearing.
0858  *
0859  * When the ENCLS[ETRACK] function is issued on an enclave the hardware
0860  * tracks threads operating inside the enclave at that time. The SGX
0861  * hardware tracking require that all the identified threads must have
0862  * exited the enclave in order to flush the mappings before a function such
0863  * as ENCLS[EWB] will be permitted
0864  *
0865  * The following flow is used to support SGX functions that require that
0866  * no cached linear-to-physical address mappings are present:
0867  * 1) Execute ENCLS[ETRACK] to initiate hardware tracking.
0868  * 2) Use this function (sgx_encl_cpumask()) to query which CPUs might be
0869  *    accessing the enclave.
0870  * 3) Send IPI to identified CPUs, kicking them out of the enclave and
0871  *    thus flushing all locally cached linear-to-physical address mappings.
0872  * 4) Execute SGX function.
0873  *
0874  * Context: It is required to call this function after ENCLS[ETRACK].
0875  *          This will ensure that if any new mm appears (racing with
0876  *          sgx_encl_mm_add()) then the new mm will enter into the
0877  *          enclave with fresh linear-to-physical address mappings.
0878  *
0879  *          It is required that all IPIs are completed before a new
0880  *          ENCLS[ETRACK] is issued so be sure to protect steps 1 to 3
0881  *          of the above flow with the enclave's mutex.
0882  *
0883  * Return: cpumask of CPUs that might be accessing @encl
0884  */
0885 const cpumask_t *sgx_encl_cpumask(struct sgx_encl *encl)
0886 {
0887     cpumask_t *cpumask = &encl->cpumask;
0888     struct sgx_encl_mm *encl_mm;
0889     int idx;
0890
0891     cpumask_clear(cpumask);
0892
0893     idx = srcu_read_lock(&encl->srcu);
0894
0895     list_for_each_entry_rcu(encl_mm, &encl->mm_list, list) {
0896         if (!mmget_not_zero(encl_mm->mm))
0897             continue;
0898
0899         cpumask_or(cpumask, cpumask, mm_cpumask(encl_mm->mm));
0900
0901         mmput_async(encl_mm->mm);
0902     }
0903
0904     srcu_read_unlock(&encl->srcu, idx);
0905
0906     return cpumask;
0907 }
0908
0909 static struct page *sgx_encl_get_backing_page(struct sgx_encl *encl,
0910                           pgoff_t index)
0911 {
0912     struct inode *inode = encl->backing->f_path.dentry->d_inode;
0913     struct address_space *mapping = inode->i_mapping;
0914     gfp_t gfpmask = mapping_gfp_mask(mapping);
0915
0916     return shmem_read_mapping_page_gfp(mapping, index, gfpmask);
0917 }
0918
0919 /**
0920  * sgx_encl_get_backing() - Pin the backing storage
0921  * @encl:   an enclave pointer
0922  * @page_index: enclave page index
0923  * @backing:    data for accessing backing storage for the page
0924  *
0925  * Pin the backing storage pages for storing the encrypted contents and Paging
0926  * Crypto MetaData (PCMD) of an enclave page.
0927  *
0928  * Return:
0929  *   0 on success,
0930  *   -errno otherwise.
0931  */
0932 static int sgx_encl_get_backing(struct sgx_encl *encl, unsigned long page_index,
0933              struct sgx_backing *backing)
0934 {
0935     pgoff_t page_pcmd_off = sgx_encl_get_backing_page_pcmd_offset(encl, page_index);
0936     struct page *contents;
0937     struct page *pcmd;
0938
0939     contents = sgx_encl_get_backing_page(encl, page_index);
0940     if (IS_ERR(contents))
0941         return PTR_ERR(contents);
0942
0943     pcmd = sgx_encl_get_backing_page(encl, PFN_DOWN(page_pcmd_off));
0944     if (IS_ERR(pcmd)) {
0945         put_page(contents);
0946         return PTR_ERR(pcmd);
0947     }
0948
0949     backing->contents = contents;
0950     backing->pcmd = pcmd;
0951     backing->pcmd_offset = page_pcmd_off & (PAGE_SIZE - 1);
0952
0953     return 0;
0954 }
0955
0956 /*
0957  * When called from ksgxd, returns the mem_cgroup of a struct mm stored
0958  * in the enclave's mm_list. When not called from ksgxd, just returns
0959  * the mem_cgroup of the current task.
0960  */
0961 static struct mem_cgroup *sgx_encl_get_mem_cgroup(struct sgx_encl *encl)
0962 {
0963     struct mem_cgroup *memcg = NULL;
0964     struct sgx_encl_mm *encl_mm;
0965     int idx;
0966
0967     /*
0968      * If called from normal task context, return the mem_cgroup
0969      * of the current task's mm. The remainder of the handling is for
0970      * ksgxd.
0971      */
0972     if (!current_is_ksgxd())
0973         return get_mem_cgroup_from_mm(current->mm);
0974
0975     /*
0976      * Search the enclave's mm_list to find an mm associated with
0977      * this enclave to charge the allocation to.
0978      */
0979     idx = srcu_read_lock(&encl->srcu);
0980
0981     list_for_each_entry_rcu(encl_mm, &encl->mm_list, list) {
0982         if (!mmget_not_zero(encl_mm->mm))
0983             continue;
0984
0985         memcg = get_mem_cgroup_from_mm(encl_mm->mm);
0986
0987         mmput_async(encl_mm->mm);
0988
0989         break;
0990     }
0991
0992     srcu_read_unlock(&encl->srcu, idx);
0993
0994     /*
0995      * In the rare case that there isn't an mm associated with
0996      * the enclave, set memcg to the current active mem_cgroup.
0997      * This will be the root mem_cgroup if there is no active
0998      * mem_cgroup.
0999      */
1000     if (!memcg)
1001         return get_mem_cgroup_from_mm(NULL);
1002
1003     return memcg;
1004 }
1005
1006 /**
1007  * sgx_encl_alloc_backing() - allocate a new backing storage page
1008  * @encl:   an enclave pointer
1009  * @page_index: enclave page index
1010  * @backing:    data for accessing backing storage for the page
1011  *
1012  * When called from ksgxd, sets the active memcg from one of the
1013  * mms in the enclave's mm_list prior to any backing page allocation,
1014  * in order to ensure that shmem page allocations are charged to the
1015  * enclave.
1016  *
1017  * Return:
1018  *   0 on success,
1019  *   -errno otherwise.
1020  */
1021 int sgx_encl_alloc_backing(struct sgx_encl *encl, unsigned long page_index,
1022                struct sgx_backing *backing)
1023 {
1024     struct mem_cgroup *encl_memcg = sgx_encl_get_mem_cgroup(encl);
1025     struct mem_cgroup *memcg = set_active_memcg(encl_memcg);
1026     int ret;
1027
1028     ret = sgx_encl_get_backing(encl, page_index, backing);
1029
1030     set_active_memcg(memcg);
1031     mem_cgroup_put(encl_memcg);
1032
1033     return ret;
1034 }
1035
1036 /**
1037  * sgx_encl_lookup_backing() - retrieve an existing backing storage page
1038  * @encl:   an enclave pointer
1039  * @page_index: enclave page index
1040  * @backing:    data for accessing backing storage for the page
1041  *
1042  * Retrieve a backing page for loading data back into an EPC page with ELDU.
1043  * It is the caller's responsibility to ensure that it is appropriate to use
1044  * sgx_encl_lookup_backing() rather than sgx_encl_alloc_backing(). If lookup is
1045  * not used correctly, this will cause an allocation which is not accounted for.
1046  *
1047  * Return:
1048  *   0 on success,
1049  *   -errno otherwise.
1050  */
1051 int sgx_encl_lookup_backing(struct sgx_encl *encl, unsigned long page_index,
1052                struct sgx_backing *backing)
1053 {
1054     return sgx_encl_get_backing(encl, page_index, backing);
1055 }
1056
1057 /**
1058  * sgx_encl_put_backing() - Unpin the backing storage
1059  * @backing:    data for accessing backing storage for the page
1060  */
1061 void sgx_encl_put_backing(struct sgx_backing *backing)
1062 {
1063     put_page(backing->pcmd);
1064     put_page(backing->contents);
1065 }
1066
1067 static int sgx_encl_test_and_clear_young_cb(pte_t *ptep, unsigned long addr,
1068                         void *data)
1069 {
1070     pte_t pte;
1071     int ret;
1072
1073     ret = pte_young(*ptep);
1074     if (ret) {
1075         pte = pte_mkold(*ptep);
1076         set_pte_at((struct mm_struct *)data, addr, ptep, pte);
1077     }
1078
1079     return ret;
1080 }
1081
1082 /**
1083  * sgx_encl_test_and_clear_young() - Test and reset the accessed bit
1084  * @mm:     mm_struct that is checked
1085  * @page:   enclave page to be tested for recent access
1086  *
1087  * Checks the Access (A) bit from the PTE corresponding to the enclave page and
1088  * clears it.
1089  *
1090  * Return: 1 if the page has been recently accessed and 0 if not.
1091  */
1092 int sgx_encl_test_and_clear_young(struct mm_struct *mm,
1093                   struct sgx_encl_page *page)
1094 {
1095     unsigned long addr = page->desc & PAGE_MASK;
1096     struct sgx_encl *encl = page->encl;
1097     struct vm_area_struct *vma;
1098     int ret;
1099
1100     ret = sgx_encl_find(mm, addr, &vma);
1101     if (ret)
1102         return 0;
1103
1104     if (encl != vma->vm_private_data)
1105         return 0;
1106
1107     ret = apply_to_page_range(vma->vm_mm, addr, PAGE_SIZE,
1108                   sgx_encl_test_and_clear_young_cb, vma->vm_mm);
1109     if (ret < 0)
1110         return 0;
1111
1112     return ret;
1113 }
1114
1115 struct sgx_encl_page *sgx_encl_page_alloc(struct sgx_encl *encl,
1116                       unsigned long offset,
1117                       u64 secinfo_flags)
1118 {
1119     struct sgx_encl_page *encl_page;
1120     unsigned long prot;
1121
1122     encl_page = kzalloc(sizeof(*encl_page), GFP_KERNEL);
1123     if (!encl_page)
1124         return ERR_PTR(-ENOMEM);
1125
1126     encl_page->desc = encl->base + offset;
1127     encl_page->encl = encl;
1128
1129     prot = _calc_vm_trans(secinfo_flags, SGX_SECINFO_R, PROT_READ)  |
1130            _calc_vm_trans(secinfo_flags, SGX_SECINFO_W, PROT_WRITE) |
1131            _calc_vm_trans(secinfo_flags, SGX_SECINFO_X, PROT_EXEC);
1132
1133     /*
1134      * TCS pages must always RW set for CPU access while the SECINFO
1135      * permissions are *always* zero - the CPU ignores the user provided
1136      * values and silently overwrites them with zero permissions.
1137      */
1138     if ((secinfo_flags & SGX_SECINFO_PAGE_TYPE_MASK) == SGX_SECINFO_TCS)
1139         prot |= PROT_READ | PROT_WRITE;
1140
1141     /* Calculate maximum of the VM flags for the page. */
1142     encl_page->vm_max_prot_bits = calc_vm_prot_bits(prot, 0);
1143
1144     return encl_page;
1145 }
1146
1147 /**
1148  * sgx_zap_enclave_ptes() - remove PTEs mapping the address from enclave
1149  * @encl: the enclave
1150  * @addr: page aligned pointer to single page for which PTEs will be removed
1151  *
1152  * Multiple VMAs may have an enclave page mapped. Remove the PTE mapping
1153  * @addr from each VMA. Ensure that page fault handler is ready to handle
1154  * new mappings of @addr before calling this function.
1155  */
1156 void sgx_zap_enclave_ptes(struct sgx_encl *encl, unsigned long addr)
1157 {
1158     unsigned long mm_list_version;
1159     struct sgx_encl_mm *encl_mm;
1160     struct vm_area_struct *vma;
1161     int idx, ret;
1162
1163     do {
1164         mm_list_version = encl->mm_list_version;
1165
1166         /* Pairs with smp_wmb() in sgx_encl_mm_add(). */
1167         smp_rmb();
1168
1169         idx = srcu_read_lock(&encl->srcu);
1170
1171         list_for_each_entry_rcu(encl_mm, &encl->mm_list, list) {
1172             if (!mmget_not_zero(encl_mm->mm))
1173                 continue;
1174
1175             mmap_read_lock(encl_mm->mm);
1176
1177             ret = sgx_encl_find(encl_mm->mm, addr, &vma);
1178             if (!ret && encl == vma->vm_private_data)
1179                 zap_vma_ptes(vma, addr, PAGE_SIZE);
1180
1181             mmap_read_unlock(encl_mm->mm);
1182
1183             mmput_async(encl_mm->mm);
1184         }
1185
1186         srcu_read_unlock(&encl->srcu, idx);
1187     } while (unlikely(encl->mm_list_version != mm_list_version));
1188 }
1189
1190 /**
1191  * sgx_alloc_va_page() - Allocate a Version Array (VA) page
1192  * @reclaim: Reclaim EPC pages directly if none available. Enclave
1193  *           mutex should not be held if this is set.
1194  *
1195  * Allocate a free EPC page and convert it to a Version Array (VA) page.
1196  *
1197  * Return:
1198  *   a VA page,
1199  *   -errno otherwise
1200  */
1201 struct sgx_epc_page *sgx_alloc_va_page(bool reclaim)
1202 {
1203     struct sgx_epc_page *epc_page;
1204     int ret;
1205
1206     epc_page = sgx_alloc_epc_page(NULL, reclaim);
1207     if (IS_ERR(epc_page))
1208         return ERR_CAST(epc_page);
1209
1210     ret = __epa(sgx_get_epc_virt_addr(epc_page));
1211     if (ret) {
1212         WARN_ONCE(1, "EPA returned %d (0x%x)", ret, ret);
1213         sgx_encl_free_epc_page(epc_page);
1214         return ERR_PTR(-EFAULT);
1215     }
1216
1217     return epc_page;
1218 }
1219
1220 /**
1221  * sgx_alloc_va_slot - allocate a VA slot
1222  * @va_page:    a &struct sgx_va_page instance
1223  *
1224  * Allocates a slot from a &struct sgx_va_page instance.
1225  *
1226  * Return: offset of the slot inside the VA page
1227  */
1228 unsigned int sgx_alloc_va_slot(struct sgx_va_page *va_page)
1229 {
1230     int slot = find_first_zero_bit(va_page->slots, SGX_VA_SLOT_COUNT);
1231
1232     if (slot < SGX_VA_SLOT_COUNT)
1233         set_bit(slot, va_page->slots);
1234
1235     return slot << 3;
1236 }
1237
1238 /**
1239  * sgx_free_va_slot - free a VA slot
1240  * @va_page:    a &struct sgx_va_page instance
1241  * @offset: offset of the slot inside the VA page
1242  *
1243  * Frees a slot from a &struct sgx_va_page instance.
1244  */
1245 void sgx_free_va_slot(struct sgx_va_page *va_page, unsigned int offset)
1246 {
1247     clear_bit(offset >> 3, va_page->slots);
1248 }
1249
1250 /**
1251  * sgx_va_page_full - is the VA page full?
1252  * @va_page:    a &struct sgx_va_page instance
1253  *
1254  * Return: true if all slots have been taken
1255  */
1256 bool sgx_va_page_full(struct sgx_va_page *va_page)
1257 {
1258     int slot = find_first_zero_bit(va_page->slots, SGX_VA_SLOT_COUNT);
1259
1260     return slot == SGX_VA_SLOT_COUNT;
1261 }
1262
1263 /**
1264  * sgx_encl_free_epc_page - free an EPC page assigned to an enclave
1265  * @page:   EPC page to be freed
1266  *
1267  * Free an EPC page assigned to an enclave. It does EREMOVE for the page, and
1268  * only upon success, it puts the page back to free page list.  Otherwise, it
1269  * gives a WARNING to indicate page is leaked.
1270  */
1271 void sgx_encl_free_epc_page(struct sgx_epc_page *page)
1272 {
1273     int ret;
1274
1275     WARN_ON_ONCE(page->flags & SGX_EPC_PAGE_RECLAIMER_TRACKED);
1276
1277     ret = __eremove(sgx_get_epc_virt_addr(page));
1278     if (WARN_ONCE(ret, EREMOVE_ERROR_MESSAGE, ret, ret))
1279         return;
1280
1281     sgx_free_epc_page(page);
1282 }