Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp6823934yba; Tue, 14 May 2019 14:28:47 -0700 (PDT) X-Google-Smtp-Source: APXvYqyznaTVfVX8JDRQ073bXqgcs7eoDHrmKavfKRCwM1u5imL9SKdP6PsBrmJ2TzuiMkr2lgGU X-Received: by 2002:a17:902:e30b:: with SMTP id cg11mr39240192plb.3.1557869326973; Tue, 14 May 2019 14:28:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557869326; cv=none; d=google.com; s=arc-20160816; b=s00hrDLhMBlGw2tt/QIrQBKtUY1kcKpMA4/RWeg02M41lmA/6s8CDUPvuoBrgh6b4i 9K9EvwehdpsLPQzB0YnXjli/BYB9gMq4MnYJNs0r/7kz89DZpPUAicos/wgvYfacsVpy dEoI9CuINN1SyYkHDLrApzKjkn2yg0uCtIlnCaH202syL0xzZoF77rJlIQDdcikrERui jSo2Brbc9CNH+fqzG5NGCo3rWs21A6UIc03a/cKyTb+Jq1j148JGECcM8rXIDsW2Sbs3 48jZY+cmijpS8Q5Vc4Qkc+sykPkFVssdToh/zF9lUClLo8L9TQ+Oh5UHij+OwEgTkLd+ Gdzw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Jb98uBq+vaPxCeJ7w7Dse+Ji5lrzJpA6vqJfh/TBq6E=; b=M5vox7LKfd3fjEyVaJSbDNYwY5As0oLdnEiQLgahKVrCzn2/IUDO24OC7+Tx1QRAa2 x2kw/6HlmaHI8qxCcc3wTxNPIJbiNDuSpXj+5GIKmXNDD8PAywDmGpRItVhhV6lLfzlu jdEd0pLPnWx4WxfIiN7aZah1Hahfd2N0WeKzENYrbox4vWdf2B1jjS3nqlzKKxFX6l5m 9mgEQJG3qjsw0vG3z5lRNfzh5mHEfuLm/yeP6JV/f36LBA3Xn+NdExPKzPGAnF4ILboP fgKvI64OAZm7KuwFjjEJ+U2CLpG2uuXig97B5FYfrHJnV+u13Ysgf6nfzfRp4s+lK2EK XqwA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=a6H2YSuK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x10si19796138plo.422.2019.05.14.14.28.31; Tue, 14 May 2019 14:28:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=a6H2YSuK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726460AbfENV1Z (ORCPT + 99 others); Tue, 14 May 2019 17:27:25 -0400 Received: from mail.kernel.org ([198.145.29.99]:56968 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726089AbfENV1Y (ORCPT ); Tue, 14 May 2019 17:27:24 -0400 Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id EA7FE20881 for ; Tue, 14 May 2019 21:27:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1557869243; bh=U+VL0dmjNNUjKe+d6kYcn7aIVhPL50PNNaeV/TC21FQ=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=a6H2YSuKARMMhuuyHhIETuYs0P9Hma1HC7HGG3sklOhmnxAG6Y5pCa/nRsCMTCPLj go2cZg8eakBmy0wHq1QWXH+RUKVJ/Ap3MANt4xZFyXhriY/1X/+DSrSHN25hZgD6pD I2m8bCQHMsmy+cMktNCXv0juM0A1Uyx2dlE1Fei8= Received: by mail-wm1-f50.google.com with SMTP id y3so523177wmm.2 for ; Tue, 14 May 2019 14:27:22 -0700 (PDT) X-Gm-Message-State: APjAAAW/tsPet1LAqzyA7tRT8rSgQgtcXMp1vTGaNOfUhS/1mn7wIHQA qB7Tt4A03UJ49+7b+O3Vak6RXq/knOn5zcG6/dI3nw== X-Received: by 2002:a1c:eb18:: with SMTP id j24mr21871063wmh.32.1557869241523; Tue, 14 May 2019 14:27:21 -0700 (PDT) MIME-Version: 1.0 References: <960B34DE67B9E140824F1DCDEC400C0F4E885F9D@ORSMSX116.amr.corp.intel.com> <979615a8-fd03-e3fd-fbdb-65c1e51afd93@fortanix.com> <8fe520bb-30bd-f246-a3d8-c5443e47a014@intel.com> <358e9b36-230f-eb18-efdb-b472be8438b4@fortanix.com> <960B34DE67B9E140824F1DCDEC400C0F4E886094@ORSMSX116.amr.corp.intel.com> <6da269d8-7ebb-4177-b6a7-50cc5b435cf4@fortanix.com> <20190513102926.GD8743@linux.intel.com> <20190514104323.GA7591@linux.intel.com> <20190514204527.GC1977@linux.intel.com> In-Reply-To: <20190514204527.GC1977@linux.intel.com> From: Andy Lutomirski Date: Tue, 14 May 2019 14:27:08 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v20 00/28] Intel SGX1 support To: Sean Christopherson Cc: Andy Lutomirski , Jarkko Sakkinen , Jethro Beekman , "Xing, Cedric" , "Hansen, Dave" , Thomas Gleixner , "Dr. Greg" , Linus Torvalds , LKML , X86 ML , "linux-sgx@vger.kernel.org" , Andrew Morton , "nhorman@redhat.com" , "npmccallum@redhat.com" , "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , Andy Shevchenko , "Svahn, Kai" , Borislav Petkov , Josh Triplett , "Huang, Kai" , David Rientjes Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 14, 2019 at 1:45 PM Sean Christopherson wrote: > > On Tue, May 14, 2019 at 08:13:36AM -0700, Andy Lutomirski wrote: > > On Tue, May 14, 2019 at 3:43 AM Jarkko Sakkinen > > wrote: > > > > > > On Mon, May 13, 2019 at 01:29:26PM +0300, Jarkko Sakkinen wrote: > > > > I did study through SDK's file format and realized that it does not > > > > does make sense after all to embed one. > > > > > > > > To implement it properly you would probably need a new syscall (lets say > > > > sgx_load_enclave) and also that enclaves are not just executables > > > > binaries. It is hard to find a generic format for them as applications > > > > range from simply protecting part of an application to running a > > > > containter inside enclave. > > > > > > I'm still puzzling what kind of changes you were discussing considering > > > SGX_IOC_ENCLAVE_ADD_PAGE. > > > > I think it's as simple as requiring that, if SECINFO.X is set, then > > the src pointer points to the appropriate number of bytes of > > executable memory. (Unless there's some way for an enclave to change > > SECINFO after the fact -- is there?) > > Nit: SECINFO is just the struct passed to EADD, I think what you're really > asking is "can the EPCM permissions be changed after the fact". > > And the answer is, yes. > > On SGX2 hardware, the enclave can extend the EPCM permissions at runtime > via ENCLU[EMODPE], e.g. to make a page writable. > > Hardware also doesn't prevent doing EADD to the same virtual address > multiple times, e.g. an enclave could EADD a RX page, and then EADD a > RW page at the same virtual address with different data. The second EADD > will affect MRENCLAVE, but so long as it's accounted for by the enclave's > signer, it's "legal". SGX_IOC_ENCLAVE_ADD_PAGE *does* prevent adding the > "same" page to an enclave multiple times, so effectively this scenario is > blocked by the current implementation, but it's more of a side effect (of > a sane implementation) as opposed to deliberately preventing shenanigans. > > Regarding EMODPE, the kernel doesn't rely on EPCM permissions in any way > shape or form (the EPCM permissions are purely to protect the enclave > from the kernel), e.g. adding +X to a page in the EPCM doesn't magically > change the kernel's page tables and attempting to execute from the page > will still generate a (non-SGX) #PF. > > So rather than check SECINFO.X, I think we'd want to have EADD check that > the permissions in SECINFO are a subset of the VMA's perms (IIUC, this is > essentially what Cedric proposed). That would prevent using EMODPE to > gain executable permissions, and would explicitly deny the scenario of a > double EADD to load non-executable data into an executable page. Let me make sure I'm understanding this correctly: when an enclave tries to execute code, it only works if *both* the EPCM and the page tables grant the access, right? This seems to be that 37.3 is trying to say. So we should probably just ignore SECINFO for these purposes. But thinking this all through, it's a bit more complicated than any of this. Looking at the SELinux code for inspiration, there are quite a few paths, but they boil down to two cases: EXECUTE is the right to map an unmodified file executably, and EXECMOD/EXECMEM (the distinction seems mostly irrelevant) is the right to create (via mmap or mprotect) a modified anonymous file mapping or a non-file-backed mapping that is executable. So, if we do nothing, then mapping an enclave with execute permission will require either EXECUTE on the enclave inode or EXECMOD/EXECMEM, depending on exactly how this gets set up. So all is well, sort of. The problem is that I expect there will be people who want enclaves to work in a process that does not have these rights. To make this work, we probably need do some surgery on SELinux. ISTM the act of copying (via the EADD ioctl) data from a PROT_EXEC mapping to an enclave should not be construed as "modifying" the enclave for SELinux purposes. Actually doing this could be awkward, since the same inode will have executable parts and non-executable parts, and SELinux can't really tell the difference. Maybe the enclave should track a bitmap of which pages have ever been either mapped for write or EADDed with a *source* that wasn't PROT_EXEC. And then SELinux could learn to allow those pages (and only those pages) to be mapped executably without EXECUTE or EXECMOD or whatever permission. Does this seem at all reasonable? I suppose it's not the end of the world if the initially merged version doesn't do this, as long as there's some reasonable path to adding a mechanism like this when there's demand for it.