Received: by 2002:a17:90a:c8b:0:0:0:0 with SMTP id v11csp2300740pja; Fri, 19 Apr 2019 11:34:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqzgh40NIWQxAVYb/9pYgmGJnRJd6YCzKjc2UG9iEPw8UMimLtYLMa1sazoZ+u5+mgSBGIGf X-Received: by 2002:a17:902:be18:: with SMTP id r24mr5135065pls.69.1555698844497; Fri, 19 Apr 2019 11:34:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555698844; cv=none; d=google.com; s=arc-20160816; b=u7hZ4L4Yb96nxSjw/QGxQw9x8J+GSaAB1toXNmjrabTKBITvMvMNOLpd5zqV8JHeN5 AaBvfwL8Om1kTEVOSTYBxX5OC1rHCdr0NSh+CTreENS2tBfbYlsOzXLQ1YvgGDY7phH5 ngxYIHcVv0JLCCG606hakcJ+CTePHhkBs+WXEzKmTQ8LEpIKw1Z43aFOUKGih0EcTtf4 c4wXDv60V6nNlfjjG/HVJu7gvo5KRElqlOcCFzUn507XV5dXyCKAWUxVP/3Y63NxEpCF uanmx02cD1Wf9Htik/iP5hoNB2MOo7y3ZFliRo0ladBrvcTO02WjsylOYoBCxQjZNtPn wGTg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=4yCdwc7dXkiEkZpjmncNUeXw67fSuJy6u5De6NeIZhc=; b=lk/lekPu1SGi5POi82UQ1GIYb58ohrxrscPmLlCRElW2mT2nymvaVVg9TIagCs0C/9 cVRDZRDCaSurNnZzRxFiDMF93SLF/7+S03/g6+N0K59d/Xk0Ig9gIXt6fc9HlalNyGg1 75fszdEpwFg77/2+c8usC2Racmqg95Gix3+rRuyk9Ta/LV02/uCluizIc1bCJyZ/E0hh UUP0Ka8lZNzlnFs/PivbROtWvr9FV4tYF0cXd4c0JLU7+Wdn3Bv8fSfpTh7x/+/Eh/EW nJ4S7dPPrVEeaQQcsiBUVZO/oUo5AtQFj2a3L/DhumqPjPUEwp6+BBMJJDWnZIkp1aD0 Qi5w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="JT/dgZk3"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l6si5162643pgq.213.2019.04.19.11.33.48; Fri, 19 Apr 2019 11:34:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="JT/dgZk3"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728127AbfDSSbf (ORCPT + 99 others); Fri, 19 Apr 2019 14:31:35 -0400 Received: from mail.kernel.org ([198.145.29.99]:53896 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727932AbfDSS3R (ORCPT ); Fri, 19 Apr 2019 14:29:17 -0400 Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id AD359222DD for ; Fri, 19 Apr 2019 15:27:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1555687659; bh=J99gtRrJI/sxcUDI9VlJ1PuPq+LCWVlFaN+rk+m4zTo=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=JT/dgZk3rOO5n7351+3P3Z75wCkW4+pDfvuRf2y+ZvwTp1Ci//z0B8R98N7KctZ2r LwjkJJvE3kqnNiuKUMx2wX7wFImJ36bK4paw/QitG+/sjZz2l5/VjPWbiFcmECwmer 5q/C6BBomFNha5w9c4incg9nkLu8LQ3DMUMQ6gsI= Received: by mail-wm1-f52.google.com with SMTP id z11so6652462wmi.0 for ; Fri, 19 Apr 2019 08:27:39 -0700 (PDT) X-Gm-Message-State: APjAAAVDTJrUahRf20f4rkxqwBqiGWMPcD8+LUlAb6fzrh46+fIHgxhF jcAwbLqnm8ho4ngSnGylZCiLM3USgqa12RDNb2yq3Q== X-Received: by 2002:a1c:eb18:: with SMTP id j24mr3240691wmh.32.1555687658136; Fri, 19 Apr 2019 08:27:38 -0700 (PDT) MIME-Version: 1.0 References: <20190417103938.7762-1-jarkko.sakkinen@linux.intel.com> <20190418171059.GA20819@wind.enjellic.com> <09ebfa1d-c03d-c1fe-ff0f-d99287b6ec3c@intel.com> <20190419141732.GA2269@wind.enjellic.com> In-Reply-To: <20190419141732.GA2269@wind.enjellic.com> From: Andy Lutomirski Date: Fri, 19 Apr 2019 08:27:26 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v20 00/28] Intel SGX1 support To: "Dr. Greg" Cc: Dave Hansen , Jarkko Sakkinen , Linus Torvalds , LKML , X86 ML , linux-sgx@vger.kernel.org, Andrew Morton , "Christopherson, Sean J" , nhorman@redhat.com, npmccallum@redhat.com, "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , Andy Shevchenko , Thomas Gleixner , "Svahn, Kai" , Borislav Petkov , Josh Triplett , Andrew Lutomirski , "Huang, Kai" , David Rientjes Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Apr 19, 2019, at 7:17 AM, Dr. Greg wrote: > > On Thu, Apr 18, 2019 at 11:01:00AM -0700, Dave Hansen wrote: > "The value of Intel SGX is to execute code in a protected enclave; > however, Intel SGX does not guarantee that the code executed in the > enclave is from a trusted source. In all cases, we recommend > utilizing programs, files, apps and plugins from trusted sources," > Intel said. Linux *has* mechanisms to enforce the provenance of code, and they have nothing to do with SGX. Off the top of my head, there=E2=80=99s IMA, SELinux (depending on policy), and dm-verity. So it seems to me that our bases are already pretty well covered. I see two cases where some additional protection for SGX might make sense: 1. You care more about the provenance of enclaves than the provenance of normal code. (=E2=80=9CYou=E2=80=9D is the platform owner, not a remote= party verifying SGX quotes.=E2=80=9D) There are any number of solutions that coul= d work here, and not all of them involve crypto. 2. You care about the case where the kernel is compromised. In this case, nothing that's been discussed helps much on an FLC system, and even the pre-LC systems aren't a whole lot better given the lack of init token revocation. But I think we may be missing a much bigger issue that does need consideration before the driver gets merged. We're all focusing on *additional* SGX protections, but I'm not even sure we have the SGX protections up to snuff with the rest of the system. There are many, many Linux systems that enforce a policy that *all* executable text needs to come from a verified source. On these systems, you can't mmap some writable memory, write to it, and then change it to executable. (Obviously, JITs either don't work or need special permissions on these systems.) Unless I'm missing it, the current SGX API is entirely incompatible with this model -- the host process supplies text *bytes* to the kernel, and the kernel merrily loads those bytes into executable enclave memory. Whoops! I think we may need to change the API so that enclaves are loaded from a file where the contents of the file are in some appropriate format. (The file should, at least, contain MRENCLAVE, but various antivirus tools would much prefer if the actual enclave contents were in the file.) It's not entirely clear that the enclave text and data need to be in the file, since they're covered by the hash.) Then, to start an enclave, you pass an fd to the file to the SGX driver, and the SGX driver parses out the relevant data initializes the enclave. Before this happens, the driver could call into IMA and LSM hooks, and the driver would also verify that the file didn't come from a noexec filesystem. I suppose another approach would be to treat SGX the same way that ld.so is treated, mostly by requiring that the buffers passed to the driver that contain text be marked executable. This seems quite a bit weakter to me. What do you all think?