Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp84450imu; Thu, 10 Jan 2019 18:40:38 -0800 (PST) X-Google-Smtp-Source: ALg8bN6RmZNmoxZURzpdlfHSBE281+ZHU4An49oOa4hGRBwey2I/jXrQHke0SdNWly2vFXq1Q6He X-Received: by 2002:a65:47ca:: with SMTP id f10mr11937231pgs.166.1547174438678; Thu, 10 Jan 2019 18:40:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547174438; cv=none; d=google.com; s=arc-20160816; b=U2U6WWkLuRJAFlTgoog21angmZ4IlOXFW5CXjSSbgoPz644/F0AgXVvaMzbUs/D1D0 Rqqq4SCJ9aFnVtNzpSB1KKwH99VNDg/lBdK2r1IVLjiRmIDOcei656fO8g0qhvoxQlXk UvKyjrDsyTXcwS3JWSpinAUJVPd5+cAynUPQ12x9yrAG7uDVHu/i9gLVt2rUqUklmNah ojWrA9+ZN0O/oGC3PZzh12LMLgfvtk2lXT4HPgQz1gTEVjqAZs61u+NNmAgjuarTkg7l GOURAbxCa11b/X/LG9CWM6ZWG0usVpgRfvGfe7bfbDfJqxadrS37mGEK3+VgKFbA3OXs ci1g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=Mv28415NmmxPKGrcO/RN4TFIF4qwBjODY5aVf4D7dXo=; b=rQz3NcFX2yMp6+c9RbZ4CWr6E/6fLUyq60zKDLWU7YR1HG0pla9tTvjHBHI9pU5g0z 3iwK/xRiRuzNZAZKFFZj551kWlukPgHyRKUqXKlSe0FQogy0GVIh8k72n/Tz3lXVqcrS sWQwstz/GRIeojbxvDFMA/ueXlEsxBJI8ubloDkrHgOVPxD4SHzPtxRQacXjnXq4wGR4 Q9WmcF4Nc3/lgV837xMxrnHPLDF9+pR3i93dyFBa9nzzww2aOUJ+M1Yu9/0LhCaQIV1j 9hAZ4qLt3WSlqn1D6wUU3qjfobLlMI/hRhUh1jhapvHcRYEU1TfR81f117WP+fdYmMNE SUvw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z5si16275190pgh.469.2019.01.10.18.40.23; Thu, 10 Jan 2019 18:40:38 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730556AbfAJXyI (ORCPT + 99 others); Thu, 10 Jan 2019 18:54:08 -0500 Received: from mga06.intel.com ([134.134.136.31]:47789 "EHLO mga06.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727799AbfAJXyI (ORCPT ); Thu, 10 Jan 2019 18:54:08 -0500 X-Amp-Result: UNSCANNABLE X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Jan 2019 15:54:07 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,463,1539673200"; d="scan'208";a="309414047" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.154]) by fmsmga006.fm.intel.com with ESMTP; 10 Jan 2019 15:54:06 -0800 Date: Thu, 10 Jan 2019 15:54:06 -0800 From: Sean Christopherson To: Andy Lutomirski Cc: "Huang, Kai" , Jethro Beekman , Jarkko Sakkinen , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "x86@kernel.org" , Dave Hansen , Peter Zijlstra , "H. Peter Anvin" , "linux-kernel@vger.kernel.org" , "linux-sgx@vger.kernel.org" , Josh Triplett , Haitao Huang , "Dr . Greg Wettstein" Subject: Re: x86/sgx: uapi change proposal Message-ID: <20190110235406.GB2365@linux.intel.com> References: <20181219091148.GA5121@linux.intel.com> <613c6814-4e71-38e5-444a-545f0e286df8@fortanix.com> <20181219144515.GA30909@linux.intel.com> <20181221162825.GB26865@linux.intel.com> <105F7BF4D0229846AF094488D65A0989355A45B6@PGSMSX112.gar.corp.intel.com> <20190108220946.GA30462@linux.intel.com> <20190109163135.GA1821@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 10, 2019 at 01:34:44PM -0800, Andy Lutomirski wrote: > >> On Jan 9, 2019, at 8:31 AM, Sean Christopherson wrote: > >> > >> On Tue, Jan 08, 2019 at 02:54:11PM -0800, Andy Lutomirski wrote: > > > >> I do think it makes sense to have QEMU delegate the various ENCLS > >> operations (especially EINIT) to the regular SGX interface, which will > >> mean that VM guests will have exactly the same access controls applied > >> as regular user programs, which is probably what we want. > > > > To what end? Except for EINIT, none of the ENCLS leafs are interesting > > from a permissions perspective. Trapping and re-executing ENCLS leafs > > is painful, e.g. most leafs have multiple virtual addresses that need to > > be translated. And routing everything through the regular interface > > would make SGX even slower than it already is, e.g. every ENCLS would > > take an additional ~900 cycles just to handle the VM-Exit, and that's > > not accounting for any additional overhead in the SGX code, e.g. using > > the regular interface would mean superfluous locks, etc... > > Trapping EINIT is what I have in mind. Phew, had me worried :-) > > > > Couldn't we require the same privilege/capability for VMs and and EINIT > > tokens? I.e. /dev/sgx/virtualmachine can only be opened by a user that > > can also generate tokens. > > Hmm, maybe. Or we can use Jarkko’s securityfs attribute thingy. > > Concretely, I think there are two things we care about: > > First, if the host enforces some policy as to which enclaves can > launch, then it should apply the same policy to guests — otherwise KVM > lets programs do an end run around the policy. So, in the initial > incarnation of this, QEMU should probably have to open the provision > attribute fd if it wants its guest to be able to EINIT a provisioning > enclave. When someone inevitably adds an EINIT LSM hook, the KVM > interface should also call it. Sort of. A guest that is running under KVM (i.e. VMX) is much more contained than a random userspace program. A rogue enclave in a VMX guest can attack the guest kernel/OS, but barring a bug (or more likely, several major bugs) elsewhere in the virtualization stack the enclave can't do anything nasty to the host. An enclave would let someone hide code, but enclaves are even more restricted than cpl3, i.e. there's not a lot it can do without coordinating with unencrypted code in the guest. And if someone has sufficient permissions to run a KVM guest, they're much more likely to do something malcious in the guest kernel, not an enclave. All that aside, I don't see any justification for singling out SGX for extra scrutiny, there are other ways for a user with KVM permissions to hide malicious code in guest (and at cpl0!), e.g. AMD's SEV{-ES}. > Second, the normal enclave interface won't allow user code to supply > an EINITTOKEN, so the KVM interface will presumably need to be > different, unless we're going to emulate EINIT by ignoring the token. > That seems like a very strange thing to do.