Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp884518yba; Thu, 18 Apr 2019 11:10:42 -0700 (PDT) X-Google-Smtp-Source: APXvYqzzhxskqxSzlbEdFqEm6tiqCSbnD1BLNdx+8RgQLEDXmlLhcMQKOJeYk/LnFxFOxggPGQTU X-Received: by 2002:a63:1d5b:: with SMTP id d27mr88173704pgm.386.1555611041935; Thu, 18 Apr 2019 11:10:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555611041; cv=none; d=google.com; s=arc-20160816; b=nigvg992BDDn+mvNXIZmgjsKOo+gEOIxttPdEV2uSHu/HTChVaTqQf4uxWlLb0rbaR zcLEgiAb81fDk/UCZPXTx+/sl32YBGvMA/7lAxfbGciREYrUl7AKtRxDTusv44Z2iAOd GzqefHAHywVhFOQxIqxFUTrvXRtm3hGk3C73d38dqfm/VBipn8TuHr8E8wGe0+9kQltY sYlHfSAXX8GHSRWEOnercQu92ekTOMOpBvAFZqKnZBZ9Aq/upogUymZZgU71DwRO7Dop GEKQldHj+Yp0I2rMBBaznVOu+TE32u/3W6GzWzw1Wmw+w8aa0+eyxOhhpLMCfWikKBHC 5DFA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=qu9eDUsYAbBvXDfAHCWXV7FuvhXe7pVOVOM+bWKYpCk=; b=bq8nltv9UssPo9CnM5nEm/yhGC93swUyBAj31Qo9PPP69pz67CtEZQRVLXpLVE4O2K USzH3TG/7IfnAo80KLRLOtJp/oppXxEHnIRd2utaQfHCWWq9SH88mbf0DUwvJCqRufYY fx+8pGedeGhaPeI5hf9gfsjAWG+hOL13yv1RF234HHp8nKF335Sedh2XYSZHvCyJODzU rX9dXrAXfE5SQn9qcL2rwNeb1k94zjeIIqZxVNpGVcdGW4esJjJFp3K/98yGxEJ/OUyw ZHx0PcbK1K22Vdcl1vgisbsbs2L7Y1PSlHoZu6lZUR7P8fCzYQhU9u+jJFfxSnO8WDqp ajww== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=jj8ygHs0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e1si2916848pfc.149.2019.04.18.11.10.27; Thu, 18 Apr 2019 11:10:41 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=jj8ygHs0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391327AbfDRSHf (ORCPT + 99 others); Thu, 18 Apr 2019 14:07:35 -0400 Received: from mail.kernel.org ([198.145.29.99]:38214 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391278AbfDRSHc (ORCPT ); Thu, 18 Apr 2019 14:07:32 -0400 Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [209.85.221.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CFEB4218A6 for ; Thu, 18 Apr 2019 18:07:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1555610851; bh=IpRhbSjXtgRtUXeY/pxMzOVKIZHWLd27A1JF0KHnLqg=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=jj8ygHs04wG9j5d4K0G7J5sMz+T6/wAqE1jCXlg29NytzVFK613HF9uk5x+gyXqas 0XhPiTjbZrmVLbaufp4TCpk2F1cW9LBQ6mrfaxyAMJofUznuajPLHoGDmkD7PygwoP 3+PiMh5L72DrgaPukpMjJ6Rit2WeJzhEkqb3DhN8= Received: by mail-wr1-f45.google.com with SMTP id t17so4011363wrw.13 for ; Thu, 18 Apr 2019 11:07:30 -0700 (PDT) X-Gm-Message-State: APjAAAX6lx7/xfVLKAYzlgJ+BONkCiRYPLjqo6b9wLn2jmpF5Oo3pWO6 4XO1To6sh3ECPcwCOvF5Shev/xlFjvp4KF+28s9EzQ== X-Received: by 2002:adf:f344:: with SMTP id e4mr995076wrp.77.1555610849447; Thu, 18 Apr 2019 11:07:29 -0700 (PDT) MIME-Version: 1.0 References: <20190417103938.7762-1-jarkko.sakkinen@linux.intel.com> <20190418171059.GA20819@wind.enjellic.com> In-Reply-To: <20190418171059.GA20819@wind.enjellic.com> From: Andy Lutomirski Date: Thu, 18 Apr 2019 11:07:17 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v20 00/28] Intel SGX1 support To: "Dr. Greg" Cc: Jarkko Sakkinen , Linus Torvalds , LKML , X86 ML , linux-sgx@vger.kernel.org, Andrew Morton , Dave Hansen , "Christopherson, Sean J" , nhorman@redhat.com, npmccallum@redhat.com, "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , Andy Shevchenko , Thomas Gleixner , "Svahn, Kai" , Borislav Petkov , Josh Triplett , Andrew Lutomirski , "Huang, Kai" , David Rientjes Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 18, 2019 at 10:11 AM Dr. Greg wrote: > > On Wed, Apr 17, 2019 at 01:39:10PM +0300, Jarkko Sakkinen wrote: > > Good morning, I hope this note finds the impending end of the work > week going well for everyone. > > First of all, a thank you to Jarkko for his efforts in advancing this > driver, a process that can be decidedly thankless. Our apologies in > advance for contributing to this phenomenon. > > > Intel(R) SGX is a set of CPU instructions that can be used by > > applications to set aside private regions of code and data. The code > > outside the enclave is disallowed to access the memory inside the > > enclave by the CPU access control. In a way you can think that SGX > > provides inverted sandbox. It protects the application from a > > malicious host. > > Unfortunately, in its current implementation, the driver will not > protect a host from malicious enclaves. If it advances in its current > form, the mainline Linux kernel will be implementing a driver with > known and documented security issues. "I can use this kernel or CPU feature to do something unpleasant that I could do anyway, if less nicely" is a far cry from "known and documented security issues". We've hashed this out to death. Once SGX is upstream, feel free to submit patches. > > In addition, the driver breaks all existing SGX software by breaking > compatibility with what is a 3+ year ABI provided by the existing > driver. This seems to contravene the well understood philosophy that > Linux doesn't, if at all possible, break existing applications, > something that we believe can be easily prevented if those interested > in these issues choose to read on. As I understand it, Cedric is going to submit a patch for this shortly, assuming I have correctly guessed what supposed ABI break you're talking about. In the mean time, I need to correct you on a critical point. Linux has *never* had a policy that it will retain compatibility with an API that wasn't upstream in the first place. [removed extensive verbiage. Dr. Greg, if you want your emails to be read, please try to be more concise, and please try to repeat yourself less.] > The attached patch, against the jarkko-sgx/master branch of Jarkko's > driver repository, provides a framework that implements > cryptographically secure enclave initialization policies. The patch > and it's signature are also available from the following URL's: > > ftp://ftp.idfusion.net/pub/idfusion/jarkko-master-SFLC.patch I just spend several minutes trying to read your code. It would benefit dramatically from some attempt at documentation, and, at the very least, you can't have a function foo(type *ptr) that does something almost completely different when ptr == NULL and when ptr != NULL. For a concrete example, consider sgx_launch_control(). If you pass NULL, then there's a vaguely credible argument that the function does what the name suggests. If you pass non-NULL, it doesn't. The result is bug-prone and unreadable. If I'm understanding it right, it causes the SGX ABI to be almost completely incompatible between the case where the list of launch signers is empty and the case where the list is non-empty. This is a non-starter. We're also extensively discussed how launch enclaves would be supported if we were to support them, and the generally agreed-upon solution was that the *kernel* would handle running a launch enclave. Jarkko even has code for this, but it's tabled until someone comes up with a credible argument that we *want* to support launch enclaves. > The policy architecture allows just about any conceivable > initialization policy to be implemented and in any combination. No it doesn't, because it requires the application (or its runtime or SDK or whatever) to bundle the launch enclave that implements the fancy policy, which means that the platform owner actually can't swap out the policy without breaking all the applications. This is the primary reason that, if Linux were to support LE-based launch control, it would do so in the kernel. > If the platform owner chooses to do nothing, the driver will > initialize any enclave that is presented to it. FWIW, we have close > to a century of enterprise system's administration experience on our > team and we could not envision any competent system's administrator, > concerned about security, who would allow such a configuration. A sufficiently careful administrator who wants to protect against enclave malware might want the ability to revoke permission to run a specific enclave, which your approach can't do. Again, this has all been covered extensively. To be crystal clear, i fully agree that we are likely to eventually want some kind of in-kernel launch policy. But I don't think that defining such a policy should block the upstreaming of the driver, and I don't think that your proposal for how the policy should work is an acceptable proposal.