Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp70631imu; Mon, 10 Dec 2018 16:21:00 -0800 (PST) X-Google-Smtp-Source: AFSGD/WwWRKr/oF7GZiW0/OxalrnXPPhze+r3vebZwVApqvv0ME6NxjqDYrsHuviFgY2oK8IEcZQ X-Received: by 2002:a63:5407:: with SMTP id i7mr12646185pgb.413.1544487660419; Mon, 10 Dec 2018 16:21:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544487660; cv=none; d=google.com; s=arc-20160816; b=RIqVMXMtgTuWhXQv72ggJxU2eWZ3LVmEQH9b9kP4NSQMSW3iodjNOeQCcuZhkx5Mns SJ8PIkfM0WxVgXGeLXgRRj7FYaqabGETrFfu5NJ2X3L4keSC/HBDmFEPOBTDpytrMjr3 7/1+QiIvRgDigPPiGndCd9JTeW5cHXNRXjgaqTrr50CII+2CuVCJoQ3enX/S4jdj3vBk daGIniSeJojOZOExDJJIjLYRNJYxyRy0yHF9+z5BaIYggmSYfMw5e/mHrpGXw2F+YjP+ 9l/EDRptx+4a2ovpyuSPSmPv1S1IWjtwQ+26k9h4GPOSlxk7ccae81SQV6/u9TCdIu7N 1stg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=eP6dtGRL4EwwLS6T95SaXhGwhdv24pFfFjVjbfxFFyE=; b=IOObNvLMTWP/aUuriRS7w4oDrIXoQsbv0+AQylumFui6NOta2vKExl8ntNDghC7Ecb BHYrcBZxwxNMlZomvMFdHZ780smMQyQHjgxhAY0n5K7blmfJNCqbnmmN2JSjWuqWlScr 3LYqlVwuAMhWaO+9MZbVWJdTHJgXB+q3bM5vyiO+nlWqN+HxpjUodGJDWuSyf92+pbkt elhx+WTLFRG86AGAXI3X41/H/wXO9HRMjQE+N/uRA7gZv8xxcbOm87U78uZg7PSPSYgV rm2VIWwQo7So26YFnxgpVvYN6IhGd2FutXlF4OjFvHd4LTyoDmTCqQDr/lc8B3i2gAYs gFAA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q5si11031319pgr.435.2018.12.10.16.20.45; Mon, 10 Dec 2018 16:21:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730036AbeLJXM3 (ORCPT + 99 others); Mon, 10 Dec 2018 18:12:29 -0500 Received: from relay4-d.mail.gandi.net ([217.70.183.196]:41575 "EHLO relay4-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726841AbeLJXM3 (ORCPT ); Mon, 10 Dec 2018 18:12:29 -0500 X-Originating-IP: 134.134.139.72 Received: from localhost (jfdmzpr03-ext.jf.intel.com [134.134.139.72]) (Authenticated sender: josh@joshtriplett.org) by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id 8E241E0002; Mon, 10 Dec 2018 23:12:05 +0000 (UTC) Date: Mon, 10 Dec 2018 15:12:00 -0800 From: Josh Triplett To: Pavel Machek Cc: Jarkko Sakkinen , x86@kernel.org, platform-driver-x86@vger.kernel.org, dave.hansen@intel.com, sean.j.christopherson@intel.com, nhorman@redhat.com, npmccallum@redhat.com, Alexei Starovoitov , Andi Kleen , Andrew Morton , Andy Lutomirski , Borislav Petkov , "David S. Miller" , David Woodhouse , Greg Kroah-Hartman , "H. Peter Anvin" , Ingo Molnar , "open list:INTEL SGX" , Janakarajan Natarajan , "Kirill A. Shutemov" , Konrad Rzeszutek Wilk , "open list:KERNEL VIRTUAL MACHINE FOR X86 (KVM/x86)" , Len Brown , Linus Walleij , "open list:CRYPTO API" , "open list:DOCUMENTATION" , open list , "open list:SPARSE CHECKER" , Mauro Carvalho Chehab , Peter Zijlstra , "Rafael J. Wysocki" , Randy Dunlap , Ricardo Neri , Thomas Gleixner , Tom Lendacky , Vikas Shivappa Subject: Re: [PATCH v11 00/13] Intel SGX1 support Message-ID: <20181210231159.GA10718@localhost> References: <20180608171216.26521-1-jarkko.sakkinen@linux.intel.com> <20180612105011.GA26931@amd> <20180619145943.GC8034@linux.intel.com> <20180619200414.GA3143@amd> <20180619214833.GA5873@localhost> <20181209200600.GA11608@amd> <20181210074717.GA9880@localhost> <20181210082704.GA14594@amd> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181210082704.GA14594@amd> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Dec 10, 2018 at 09:27:04AM +0100, Pavel Machek wrote: > On Sun 2018-12-09 23:47:17, Josh Triplett wrote: > > On Sun, Dec 09, 2018 at 09:06:00PM +0100, Pavel Machek wrote: > > ... > > > > > > The default permissions for the device are 600. > > > > > > > > > > Good. This does not belong to non-root. > > > > > > > > There are entirely legitimate use cases for using this as an > > > > unprivileged user. However, that'll be up to system and distribution > > > > policy, which can evolve over time, and it makes sense for the *initial* > > > > kernel permission to start out root-only and then adjust permissions via > > > > udev. > > > > > > Agreed. > > > > > > > Building a software certificate store. Hardening key-agent software like > > > > ssh-agent or gpg-agent. Building a challenge-response authentication > > > > system. Providing more assurance that your server infrastructure is > > > > uncompromised. Offloading computation to a system without having to > > > > fully trust that system. > > > > > > I think you can do the crypto stuff... as crypto already verifies the > > > results. But I don't think you can do the computation offload. > > > > You can, as long as you can do attestation. > > You can not, because random errors are very easy to trigger for person > with physical access, Random errors can also just happen, so if you're concerned about that you might want to build each object on two different machines and compare. Good luck generating the *same* random errors on two machines. (And, of course, someone can also DoS you in any number of other ways, such as accepting data and then never sending back a result. So you'll need timeouts and failovers.) > > > > As one of many possibilities, imagine a distcc that didn't have to trust > > > > the compile nodes. The compile nodes could fail to return results at > > > > all, but they couldn't alter the results. > > > > > > distcc on untrusted nodes ... oh yes, that would be great. > > > > > > Except that you can't do it, right? :-). > > > > > > First, AFAICT it would be quite hard to get gcc to run under SGX. But > > > maybe you have spare month or three and can do it. > > > > Assuming you don't need to #include files, gcc seems quite simple to run > > in an enclave: data in, computation inside, data out. > > So is there a plan to run dynamically linked binaries inside enclave? I've seen some approaches for that, but you could also just statically link your compiler. (Since you'd need attestation for all the individual libraries, you'd need to know the versions of all those libraries, so you might as well just statically link.) > Or maybe even python/shell scripts? It looked to me like virtual > memory will be "interesting" for enclaves. Memory management doesn't seem that hard to deal with.