Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp1962921imm; Thu, 21 Jun 2018 05:13:52 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLiooeE2bgeKUU/6P/bZufqytyhMuWxeeatum2fNCibac8AXepPMV+4AmSUPmYejHe92sRG X-Received: by 2002:a62:d345:: with SMTP id q66-v6mr27113882pfg.158.1529583232538; Thu, 21 Jun 2018 05:13:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529583232; cv=none; d=google.com; s=arc-20160816; b=OaicwBKcY5KOF18cpt8lKhuIrBBhKM7vtdKVugw1W4DL6Xr9jF2uPM+eWbiLwEayNf jFDzF/bKCElBM4wdO3vu0SQxiZS7paUtlDHMqXuPT9hTaNmHvKng5bGvZtiNlossV/ck u5TZ9N76GjVTO0TTVIDbQaOcH2/TyMYaY2MeS74e7nK9JwIQUEE18e7S6OfHZSxmN5Fk fnsDaVyrCScvFESmLFQaoQQoAVRCVgGjdmfDz6OyUamhivfmj8Ey81SKTmIPL0bsIkOq GAGTx19jfuhPw+9hTm/WbioNyaRO4iAIOEiAsZyzth3z+bmhDxUegJjL89EtWnqZwn6T 8lZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :arc-authentication-results; bh=/+JT3jepMLKj2w0CdHORPce2LbT+3SVRWkpEafQ49j0=; b=dry9PEOxcYctgs5F0e/bL88PjA/Qmn8kDeYWepvO+Km7nBRtr3N9y3saBP5u2Tmo8y xuJChsc9PEcbmjKe0bkCrMlmhWYspQxTE1RAn/c/yMdD15J9tgMVsLQmd5DCnuGNSHnn fGsrodMlY2nQATmTQcMhZ36+Twa1/f29fP4OHZR3Z5PsaIIt5aZn9kaD8RmqUqMrC20F x4nRyF20rZSdc9WN5x5tYcnNhBchJn57tZYMrdrGVDwJMcSMb9We3oZbRwsTH+H/FB1Y lem7cRi2uld1DnMTZCmasafsLzVfCBO8AIHRqTafiQyBE+cEbK37gSWQoorLuRxY2EPy 7fRA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z190-v6si3827602pgd.646.2018.06.21.05.13.38; Thu, 21 Jun 2018 05:13:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933428AbeFUMNC convert rfc822-to-8bit (ORCPT + 99 others); Thu, 21 Jun 2018 08:13:02 -0400 Received: from mail-oi0-f66.google.com ([209.85.218.66]:42196 "EHLO mail-oi0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933262AbeFUMNA (ORCPT ); Thu, 21 Jun 2018 08:13:00 -0400 Received: by mail-oi0-f66.google.com with SMTP id k190-v6so2678352oib.9 for ; Thu, 21 Jun 2018 05:13:00 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=bFyZRGkfp8uza1PVcsYB1+7J87E6djF2eSS6PtDaf/k=; b=ZiMWdfnDspfs4YrFAH53B3VXVXYEOeUo1mbj09POsa2ayyon5EDgBmgnginWS+xEJw PHJntvxMeo8TJaJN1HlydcQJ/ykjcvMkfdtI6ffagUm9rvqYX88zmSlmSO/BblOWIg+w sYtWP2fbeFVb6l2TMIr6vzrcFH9G/tXG7V1RzoXjrzgwAPU+2PFNZMg1/7zBcfQI2jGh qKD+uRrEOItKeKctTkKKZAHEZhU0Cfjpedoyqyrr4v+Hx5pECBl4aDDKl/jBt4g94OCT LjktMGoIIqegECUcqzVqnNsOlDP6OdXoK8BY/Kbzl9ynNM0EfgWTfhaiJ1EuspL8tAGY r8UA== X-Gm-Message-State: APt69E3xQhixL+BtrKoqe713jLAyEhdBtxtKMCEG8mzeVvrc9F8DLbao BrcooxAFhreFuw86Aa8F2wTihWhC3pV7kKYbrEN9iw== X-Received: by 2002:aca:33d5:: with SMTP id z204-v6mr13191283oiz.184.1529583180208; Thu, 21 Jun 2018 05:13:00 -0700 (PDT) MIME-Version: 1.0 References: <20180608171216.26521-1-jarkko.sakkinen@linux.intel.com> <20180608171216.26521-14-jarkko.sakkinen@linux.intel.com> <20180611115255.GC22164@hmswarspite.think-freely.org> <20180612174535.GE19168@hmswarspite.think-freely.org> In-Reply-To: From: Nathaniel McCallum Date: Thu, 21 Jun 2018 08:12:49 -0400 Message-ID: Subject: Re: [intel-sgx-kernel-dev] [PATCH v11 13/13] intel_sgx: in-kernel launch enclave To: jethro@fortanix.com Cc: luto@kernel.org, Neil Horman , jarkko.sakkinen@linux.intel.com, x86@kernel.org, platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org, mingo@redhat.com, intel-sgx-kernel-dev@lists.01.org, hpa@zytor.com, dvhart@infradead.org, tglx@linutronix.de, andy@infradead.org, Peter Jones Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jun 20, 2018 at 2:16 PM Jethro Beekman wrote: > > On 2018-06-20 09:28, Nathaniel McCallum wrote: > > As I understand it, the current policy models under discussion look like this: > > > > 1. SGX w/o FLC (not being merged) looks like this: > > Intel CPU => (Intel signed) launch enclave => enclaves > > I think you mean: > > Intel CPU => kernel => (Intel signed) launch enclave => enclaves I get what you mean. But it wasn't what I intended. I'm referring to cryptographic policy. While it is true that the kernel would provide hardware support and would still enforce other non-cryptographic policy under this model (such as filesystem permissions to /dev/sgx), the kernel doesn't verify signatures or pick the key used to verify signatures. The Intel CPU validates the signature of the launch enclave using a hard-coded key. Since the kernel doesn't get to pick the key, it has no say in the cryptographic policy. > > 2. SGX w/ FLC, looks like this: > > Intel CPU => kernel => launch enclave => enclaves In this case, the kernel picks the key used to verify the signature of the LE and writes it to the appropriate MSRs. So it has a say in the policy chain. > > 3. Andy is proposing this: > > Intel CPU => kernel => enclaves In this case, the kernel basically throws away the concept of LEs based on the fact that proposal #2 doesn't actually reduce the attack surface and therefore adds complexity without security. So the kernel takes over the evaluation of the cryptographic policy. > > This proposal is based on the fact that if the kernel can write to the > > MSRs then a kernel compromise allows an attacker to run their own > > launch enclave and therefore having an independent launch enclave adds > > only complexity but not security. > > > > Is it possible to restrict the ability of the kernel to change the > > MSRs? For example, could a UEFI module manage the MSRs? Could the > > launch enclave live entirely within that UEFI module? > > On 2017-03-17 09:15, Jethro Beekman wrote: > > While collecting my thoughts about the issue I read through the > > documentation again and it seems that it will not be possible for a > > platform to lock in a non-Intel hash at all. From Section 39.1.4 of the > > latest Intel SDM: > > > > > IA32_SGXLEPUBKEYHASH defaults to digest of Intel’s launch enclave > > > signing key after reset. > > > > > > IA32_FEATURE_CONTROL bit 17 controls the permissions on the > > > IA32_SGXLEPUBKEYHASH MSRs when CPUID.(EAX=12H, ECX=00H):EAX[0] = 1. > > > If IA32_FEATURE_CONTROL is locked with bit 17 set, > > > IA32_SGXLEPUBKEYHASH MSRs are reconfigurable (writeable). If either > > > IA32_FEATURE_CONTROL is not locked or bit 17 is clear, the MSRs are > > > read only. > > > > This last bit is also repeated in different words in Table 35-2 and > > Section 42.2.2. The MSRs are *not writable* before the write-lock bit > > itself is locked. Meaning the MSRs are either locked with Intel's key > > hash, or not locked at all. > > > > > 4. I am suggesting this: > > Intel CPU => UEFI module => enclaves > > > > Under this architecture, the kernel isn't involved in policy at all > > and users get exactly the same freedoms they already have with Secure > > Boot. Further, the launch enclave can be independently updated and > > could be distributed in linux-firmware. The UEFI module can also be > > shared across operating systems. If I want to have my own enclave > > policy, then I can build the UEFI module myself, with my > > modifications, and I can disable Secure Boot. Alternatively, > > distributions that want to set their own policies can build their own > > UEFI module and sign it with their vendor key. > > Jethro Beekman | Fortanix >