Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2678745imm; Sat, 9 Jun 2018 22:40:53 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKUZTV3343FoOEwyYKEWNejBngcQL3NoaGbqKhWjTCCc7q+G0GhbWfibwWHvSiuGLrtwXYN X-Received: by 2002:a63:81c7:: with SMTP id t190-v6mr10492415pgd.378.1528609253722; Sat, 09 Jun 2018 22:40:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528609253; cv=none; d=google.com; s=arc-20160816; b=hw2WLX/ziupKRCGQ1vaQpVvAh7AmTp2Fj+fMo4J7LWI04BUCIZcmF0jYWBqkWQW98P fqJo+CtbfNzj8vJcsOAa01gTUTpogalErwThbDpUoHuknGCE8qUEIVd8ZHHCeqxvn40Z bgbvSi/5QVthPI1d8GdzKEGZWyvIB1s3LRfJg9/lligsu44JPh5F5vlEfXd6ynqCKcOm 1+2kqfoEZCqd75v3B4CgcHVJMFEo6WQRlpaloZ4FVkfFclxn7zTPtdvkNfd8+ask9Pbk u/8GT9R7eFSrJNsf/1yvDAA10m07e4VnIE6yPNYLcBCtl5ty1GLCW0CBpakopCB1McdI tfJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=t1AY9dCu/xrf8LKZltXvXA4GHRSpCDyNIwT6wumFXpY=; b=ha9ge/ktdwQbi2Yo97vKaC4GF4rDcJzE8WGVE4wOD149lG3n6DFKfoW289hZW/Iz3m bbC1KDH8XH8M/1Wa0DTKZl1H4RoVSVteU+h/LyJSM4RNNrjMwe3pa+VISCnAmA+9d6Dk azY+630toR2nsXMm7Ohv7k24WtkJgP9mRz9JELHmp0rzoawTNfvoUukH4E2szbBJ0XqO UQt9uuRppMyULgY+krLGHo/2UDjd9J5eVQXZLP2Vv342jDT3nmW7MytONAb8KMrCzYyN LoBiY5uXhuLMQU2LAc18rdssvkdEPV6/OIVcjMxZt9NaGnRD95XFY57iywQh6pR5h/BR o7qg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nb5IrQ6o; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w12-v6si20666834pfa.113.2018.06.09.22.40.38; Sat, 09 Jun 2018 22:40:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nb5IrQ6o; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753727AbeFJFkF (ORCPT + 99 others); Sun, 10 Jun 2018 01:40:05 -0400 Received: from mail.kernel.org ([198.145.29.99]:44440 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753675AbeFJFkE (ORCPT ); Sun, 10 Jun 2018 01:40:04 -0400 Received: from mail-wr0-f176.google.com (mail-wr0-f176.google.com [209.85.128.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 609CE208B5 for ; Sun, 10 Jun 2018 05:40:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1528609203; bh=7Kxr8xHZUMxV/9FgwnVdmEctGP4Xb1Jc9EDn+IgbP8U=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=nb5IrQ6oz0R/sOG5q6Cko4teT8UWmYl5IGtatPXXx1SShqm+SYWd9MRP9Itm1AhfX 69+vL2R5b1Hl8Hu9woVF1zHsyfkAc6FOAxTHwvK+NsOEZlHMJk8j5JG8ohnRE06JWH 98+yolIsfz2KV1YF8ibnJfdZy4GUxD4ZnypZW6XQ= Received: by mail-wr0-f176.google.com with SMTP id d8-v6so17057943wro.4 for ; Sat, 09 Jun 2018 22:40:03 -0700 (PDT) X-Gm-Message-State: APt69E0T1gWDpQcI0/gaqoHReKGMuN89QwHrtTF1TXtDZiwaHX24mXr2 NyqS80eo5CrkG9FqhRFF050nEb9aQkg/Yif5+Lyxgw== X-Received: by 2002:adf:b445:: with SMTP id v5-v6mr8979371wrd.67.1528609201663; Sat, 09 Jun 2018 22:40:01 -0700 (PDT) MIME-Version: 1.0 References: <20180608171216.26521-1-jarkko.sakkinen@linux.intel.com> <20180608171216.26521-14-jarkko.sakkinen@linux.intel.com> In-Reply-To: <20180608171216.26521-14-jarkko.sakkinen@linux.intel.com> From: Andy Lutomirski Date: Sat, 9 Jun 2018 22:39:50 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [intel-sgx-kernel-dev] [PATCH v11 13/13] intel_sgx: in-kernel launch enclave To: Jarkko Sakkinen Cc: X86 ML , Platform Driver , nhorman@redhat.com, npmccallum@redhat.com, LKML , Ingo Molnar , intel-sgx-kernel-dev@lists.01.org, "H. Peter Anvin" , Darren Hart , Thomas Gleixner , andy@infradead.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 8, 2018 at 10:32 AM Jarkko Sakkinen wrote: > > The Launch Enclave (LE) generates cryptographic launch tokens for user > enclaves. A launch token is used by EINIT to check whether the enclave > is authorized to launch or not. By having its own launch enclave, Linux > has full control of the enclave launch process. > > LE is wrapped into a user space proxy program that reads enclave > signatures outputs launch tokens. The kernel-side glue code is > implemented by using the user space helper framework. The IPC between > the LE proxy program and kernel is handled with an anonymous inode. > > The commit also adds enclave signing tool that is used by kbuild to > measure and sign the launch enclave. CONFIG_INTEL_SGX_SIGNING_KEY points > to a PEM-file for the 3072-bit RSA key that is used as the LE public key > pair. The default location is: > > drivers/platform/x86/intel_sgx/sgx_signing_key.pem > > If the default key does not exist kbuild will generate a random key and > place it to this location. KBUILD_SGX_SIGN_PIN can be used to specify > the passphrase for the LE public key. It seems to me that it might be more useful to just commit a key pair into the kernel. As far as I know, there is no security whatsoever gained by keeping the private key private, so why not make reproducible builds easier by simply fixing the key? Also, this email is so long that gmail won't let me quote the relevant code, but: what is the intended use case for supporting the mode where the MSRs are locked but happen to contain the right value? I could see the case for bundling a key with the kernel and literally hard-coding the acceptable MSR values (as in literal values in the code, not even autogenerated hashes). The only use case I've thought of for the code as it stands is that $VENDOR could publish their LE public key and some daft firmware vendor could get it into their head that it would be a good idea to lock the MSRs to that value. This would add no security at all, but it would add a considerable about of annoyance and loss of value, so I still tend to think that we shouldn't support it.