Date: Wed, 15 May 2019 11:31:50 +0300
From: Jarkko Sakkinen
To: Andy Lutomirski
Cc: "Xing, Cedric", Jethro Beekman, "Hansen, Dave", Thomas Gleixner, "Dr. Greg", Linus Torvalds, LKML, X86 ML, "linux-sgx@vger.kernel.org", Andrew Morton, "Christopherson, Sean J", "nhorman@redhat.com", "npmccallum@redhat.com", "Ayoun, Serge", "Katz-zamir, Shay", "Huang, Haitao", Andy Shevchenko, "Svahn, Kai", Borislav Petkov, Josh Triplett, "Huang, Kai", David Rientjes
Subject: Re: [PATCH v20 00/28] Intel SGX1 support
Message-ID: <20190515083150.GD7708@linux.intel.com>
References: <960B34DE67B9E140824F1DCDEC400C0F4E885F9D@ORSMSX116.amr.corp.intel.com> <979615a8-fd03-e3fd-fbdb-65c1e51afd93@fortanix.com> <8fe520bb-30bd-f246-a3d8-c5443e47a014@intel.com> <358e9b36-230f-eb18-efdb-b472be8438b4@fortanix.com> <960B34DE67B9E140824F1DCDEC400C0F4E886094@ORSMSX116.amr.corp.intel.com> <6da269d8-7ebb-4177-b6a7-50cc5b435cf4@fortanix.com> <960B34DE67B9E140824F1DCDEC400C0F4E886394@ORSMSX116.amr.corp.intel.com>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 14, 2019 at 08:08:03AM -0700, Andy Lutomirski wrote:
> > Putting everything together, I'd suggest to:
> >
> > - Change EADD ioctl to take source page's VMA permission as ("upper bound" of) EPCM permission. This makes sure no one can circumvent LSM to generate executable code on the fly using SGX driver.
> >
> > - Change EINIT ioctl to invoke (new?) LSM hook to validate SIGSTRUCT before issuing EINIT.
>
> I'm okay with this if the consensus is that having a .sigstruct file
> is too annoying.

SIGSTRUCT has two nice properties from the kernel's perspective:

- Static structure
- Fully defines enclave contents, including the page permissions, as they are part of the measurement.

Making it the "root of trust" really is the right thing and the most robust way to deal with this.

/Jarkko
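The two design points discussed above (EADD capping EPCM permissions by the source VMA, and SIGSTRUCT pinning down page permissions because they are hashed into the measurement) as a constructed model, added here for illustration. This is not code from the thread, the SGX specification or the Linux SGX driver: the `Enclave`, `SigStruct` and `einit_policy_check` names, the simplified measurement formula and the policy hook are assumptions made for this example.

```python
"""
Constructed model of the two points in the thread.  Not the SGX spec and not
the Linux SGX driver: the measurement formula, the SigStruct layout and the
policy hook are simplifications assumed for this example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Permission bits. VM_READ/VM_WRITE/VM_EXEC are the Linux vm_flags values and
# SECINFO R/W/X occupy the same three low bits of SECINFO.FLAGS, which is what
# lets the "upper bound" rule be a plain mask comparison.
VM_READ, VM_WRITE, VM_EXEC = 0x1, 0x2, 0x4
SECINFO_R, SECINFO_W, SECINFO_X = 0x1, 0x2, 0x4
PERM_MASK = SECINFO_R | SECINFO_W | SECINFO_X
PAGE_SIZE = 4096


def eadd_permission_ok(vma_flags: int, secinfo_flags: int) -> bool:
    """Upper-bound rule: every EPCM permission requested for the page must also
    be held by the source VMA the page is copied from, so a mapping the LSM
    allowed only as RW cannot be added to the enclave as RX."""
    requested = secinfo_flags & PERM_MASK
    return (requested & ~vma_flags) == 0


@dataclass
class Enclave:
    """Pages added so far: (offset, SECINFO flags, content)."""
    pages: List[Tuple[int, int, bytes]] = field(default_factory=list)

    def eadd(self, offset: int, vma_flags: int, secinfo_flags: int, content: bytes) -> None:
        if len(content) != PAGE_SIZE:
            raise ValueError("EADD works on whole 4 KiB pages")
        if not eadd_permission_ok(vma_flags, secinfo_flags):
            raise PermissionError(
                f"EADD at {offset:#x}: requested {secinfo_flags:#x} exceeds source VMA {vma_flags:#x}")
        self.pages.append((offset, secinfo_flags & PERM_MASK, content))

    def measure(self) -> bytes:
        """Simplified MRENCLAVE: each page contributes a tag, its offset, its
        permission flags and its content.  Because the flags are hashed in, two
        enclaves with identical bytes but different page permissions measure
        differently (assumed model, not the exact EADD/EEXTEND formula)."""
        h = hashlib.sha256()
        for offset, flags, content in self.pages:
            h.update(b"EADD" + offset.to_bytes(8, "little") + flags.to_bytes(8, "little"))
            h.update(content)
        return h.digest()


@dataclass(frozen=True)
class SigStruct:
    """Only the SIGSTRUCT field this example needs: the expected measurement."""
    mrenclave: bytes


def einit_policy_check(sig: SigStruct, enclave: Enclave, allowlist: Set[bytes]) -> bool:
    """Stand-in for an EINIT-time LSM hook.  The static SIGSTRUCT is all the
    policy has to reason about: if its MRENCLAVE is allowlisted and the built
    enclave really measures to it, the page permissions are approved along
    with it, because they are inside the hash."""
    return sig.mrenclave in allowlist and enclave.measure() == sig.mrenclave


def build(code_flags: int, code_vma_flags: int) -> Enclave:
    """Build a two-page enclave from constructed sample content."""
    enclave = Enclave()
    code = b"\x90" * PAGE_SIZE  # constructed stand-in for a code page
    data = b"\x00" * PAGE_SIZE  # constructed data page
    enclave.eadd(0x0000, code_vma_flags, code_flags, code)
    enclave.eadd(0x1000, VM_READ | VM_WRITE, SECINFO_R | SECINFO_W, data)
    return enclave


def demo() -> dict:
    approved = build(SECINFO_R | SECINFO_X, VM_READ | VM_EXEC)
    sig = SigStruct(mrenclave=approved.measure())
    allowlist = {sig.mrenclave}

    # Same bytes, but the code page now also requests W: the measurement
    # changes, the approved SIGSTRUCT no longer matches, EINIT is refused.
    wx_variant = build(SECINFO_R | SECINFO_W | SECINFO_X, VM_READ | VM_WRITE | VM_EXEC)

    # A caller whose source mapping is RW only cannot add an RX page.
    try:
        build(SECINFO_R | SECINFO_X, VM_READ | VM_WRITE)
        rx_from_rw_blocked = False
    except PermissionError:
        rx_from_rw_blocked = True

    return {
        "approved_passes": einit_policy_check(sig, approved, allowlist),
        "wx_variant_passes": einit_policy_check(sig, wx_variant, allowlist),
        "rx_from_rw_blocked": rx_from_rw_blocked,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model keeps the two checks separate on purpose: `eadd_permission_ok` is the per-page gate that stops permissions from being escalated past what the source mapping was allowed, while `einit_policy_check` only ever looks at the static SIGSTRUCT, which is enough because the measurement it carries already commits to every page's permission bits.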