Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp450755imu; Tue, 27 Nov 2018 00:59:04 -0800 (PST) X-Google-Smtp-Source: AFSGD/UiwUBOHcEkRp3jNravFIYYcCr9nExeHDWhtuH1I3ZGUX4E7NzDLFtsRWKST2trQg6GUkLc X-Received: by 2002:a17:902:20e9:: with SMTP id v38mr28971541plg.250.1543309144560; Tue, 27 Nov 2018 00:59:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543309144; cv=none; d=google.com; s=arc-20160816; b=Z0vbDkr862PPbapaiVPggcSzpTrFBRkwEOhfXuuDmMa14OaVI+t4QcBG/VBHR8Lvlx gMr3IbsLkrvg1slY7ZxM9FeRdUWI/g0xv67U3NjYlA2rfU/QJau3Ddl7TFOx6q7YrXAv NeBgsR5bAMCFMnQf7jJMD0t79ouYVhXcVZxcjeg6IT1+TK0SGdIfAhSPYbuUKWOXTHbK 4tkrEgC+CXR2ePgvHatpyXLPaw++ABFdHIz7oQ2hoJzCcWUjfv47jEqNm8HRIXJQ+b8D wRdkx4B4oBMbMeUmeTvB0rf8+NXXxRE2hm3AKTQ6Hrv+wkNGIh93b/zbkMfRsTIAHS7w dvXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:reply-to:message-id :subject:cc:to:from:date; bh=6YvHf9aTXul3a06YsfcJ38ubO+8R9JW87Ijp3m7ft4w=; b=Eht6QvhaYtDTAIEipa4nr+ubOGUPXf2HI4CwNCtYlg+NfJlMgyCyc51z3h5SFAx1av YIb+IjG9H9gC45Oh+v+GaNzAbqehZsFH6hbZuGmoDBBOuCw8QyZGfLjF5XX3ifJwc3+W bWD0T1q0I4mNqgKVms4UjRrw9QloQV8qDTgOz0azX0GIlDVwabI+I/0dGk6x4mhk/z/l cHUzOoHASgDgpWQteW0zmMClx8FED6tk6EOpkR7F/SLLH2gqOViEk6hGJ5avxRSS1iQJ kvryilTNMGwN+TkjFHJpIwt0rlPXFH5V2QFrlT8djbR1l/jSSyEghWQv9xK4WgX1CKNs +lEQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v7si3353599plz.250.2018.11.27.00.58.48; Tue, 27 Nov 2018 00:59:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729792AbeK0TxV (ORCPT + 99 others); Tue, 27 Nov 2018 14:53:21 -0500 Received: from wind.enjellic.com ([76.10.64.91]:55482 "EHLO wind.enjellic.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729259AbeK0TxV (ORCPT ); Tue, 27 Nov 2018 14:53:21 -0500 Received: from wind.enjellic.com (localhost [127.0.0.1]) by wind.enjellic.com (8.15.2/8.15.2) with ESMTP id wAR8tX2x012665; Tue, 27 Nov 2018 02:55:33 -0600 Received: (from greg@localhost) by wind.enjellic.com (8.15.2/8.15.2/Submit) id wAR8tXnX012664; Tue, 27 Nov 2018 02:55:33 -0600 Date: Tue, 27 Nov 2018 02:55:33 -0600 From: "Dr. Greg" To: Jarkko Sakkinen Cc: Andy Lutomirski , Andy Lutomirski , "Dr. Greg Wettstein" , X86 ML , Platform Driver , linux-sgx@vger.kernel.org, Dave Hansen , "Christopherson, Sean J" , nhorman@redhat.com, npmccallum@redhat.com, "Ayoun, Serge" , shay.katz-zamir@intel.com, haitao.huang@linux.intel.com, Andy Shevchenko , Thomas Gleixner , "Svahn, Kai" , mark.shanahan@intel.com, Suresh Siddha , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , Darren Hart , Andy Shevchenko , LKML Subject: Re: [PATCH v17 18/23] platform/x86: Intel SGX driver Message-ID: <20181127085533.GA12247@wind.enjellic.com> Reply-To: "Dr. Greg" References: <20181119161917.GF13298@linux.intel.com> <20181120120442.GA22172@linux.intel.com> <20181122111253.GA31150@wind.enjellic.com> <20181124172114.GB32210@linux.intel.com> <20181125145329.GA5777@linux.intel.com> <0669C300-02CB-4EA6-BF88-5C4B4DDAD4C7@amacapital.net> <20181126215145.GC868@linux.intel.com> <20181126230436.GA6737@linux.intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181126230436.GA6737@linux.intel.com> User-Agent: Mutt/1.4i X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.3 (wind.enjellic.com [127.0.0.1]); Tue, 27 Nov 2018 02:55:34 -0600 (CST) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Nov 26, 2018 at 03:04:36PM -0800, Jarkko Sakkinen wrote: Good morning to everyone. > On Mon, Nov 26, 2018 at 01:51:45PM -0800, Jarkko Sakkinen wrote: > > > ioctl(sgx, SGX_IOC_ADD_RIGHT, sgx_provisioning); > > > > > > This requires extra syscalls, but it doesn???t have the combinatorial > > > explosion problem. > > > > I like this design because it is extendable. I'm now also in the same > > page why we need to protect provisioning in the first place. I would > > slight restructure this as > > > > /dev/sgx/control > > /dev/sgx/attributes/provision > I guess it would be OK to upstream only control node first as long > as provision attribute is denied in order to keep the already huge > patch set a tiny bit smaller? At this point in time I believe there is a consensus that the driver needs a policy management framework of some type for an optimum implementation. The PROVISION attribute has privacy implications and unrestricted access to release mode (full security) is problematic. Since the thread has become a bit divergent I wanted to note that we have offered a proposal for a general policy management framework based on MRSIGNER values. This framework is consistent with the SGX security model, ie. cryptographic rather then DAC based policy controls. This framework also allows a much more flexible policy implementation that doesn't result in combinatoric issues. Our framework also allows the preservation of the current ABI which allows an EINITTOKEN to be passed in from userspace. The framework also supports the ability to specify that only a kernel based launch enclave (LE) should be available if the platform owner or distribution should desire to implement such a model. The policy management framework is straight forward. Three linked lists or their equivalent which are populated through /sysfs pseudo-files or equivalent plumbing. Each list is populated with MRSIGNER values for signing keys that are allowed to initialize enclaves under three separate conditions. 1.) General enclaves without special attribute bits. 2.) Enclaves with the SGX_FLAGS_PROVISION_KEY attribute set. - i.e., 'Provisioning Enclaves'. 3.) Enclaves with the SGX_FLAGS_LICENSE_KEY attribute set - i.e., 'Launch Enclaves'. An all-null MRSIGNER value serves as a 'sealing' value that locks a list from any further modifications. This architecture allows platform policies to be specified and then sealed at early boot by the root user. At that point cryptographic policy controls are in place rather then DAC based controls, the latter of which have perpetual security liabilities in addition to the useability constraints inherent in a DAC or device node model. We have developed an independent implementation of the PSW and arguably have as much experience with issues surrounding how to interact with the device driver as anyone. We have spent a lot of time thinking about these issues and the above framework provides the most flexible architecture available. > /Jarkko We would be happy to discuss specific aspects of the implementation. Have a good day. Dr. Greg As always, Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC. 4206 N. 19th Ave. Specializing in information infra-structure Fargo, ND 58102 development. PH: 701-281-1686 FAX: 701-281-3949 EMAIL: greg@enjellic.com ------------------------------------------------------------------------------ "Remember that when you take down the fishhouse you can't put the minnows back into the lake, so throw them out on the ice. Make sure you stomp on any of the live ones so they don't suffer." -- Fritz Wettstein At the lake