Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp186414yba;
        Wed, 15 May 2019 22:08:25 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxKimnahleEHB6G6EY8DR5cEy/JwPRrcjzjwqLzoTVAY0vKvLxEt+Y5kzrMO59appUJ6+cG
X-Received: by 2002:a17:902:7883:: with SMTP id q3mr47605158pll.60.1557983305122;
        Wed, 15 May 2019 22:08:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1557983305; cv=none;
        d=google.com; s=arc-20160816;
        b=GlkxX5DKlsp0ml0pCumAFWn71hwwiegBVL8aDkEI+/RyAepd93K+gF5LFttSPNJ8Nf
         KRXzO8oU5MMQPrKAObcmcLKQ+Gmc0Sh2Z7hE2Ad1O9ZGgZctAWaZzoLTdwT/hBQ7nqGc
         Wf9Ki1DTdaxChyKZikriU8Rc6aRnf2xsGpu6ZlpAa1Yckx1uhXxYuPVCn3bfJ8/9Jnoz
         iQMZk7htTPsIsXk26denvB6Frm4wrsCiCNKl1l59LPDubE4qeCWHRT/LGmzMs5QGibM7
         Y6zDV6BJA/by3i+BJ1TDdZ4z4ZUVd8KtDsk6Hvm1IwTpjyHSLLRILfT0aeruX2AKwCJM
         2GHA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:organization:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=0bajRUQIoUBgqzrDApmpSoS1zx5q1B8T+ssqlmcpg3I=;
        b=unopXOYOsvOI552FEy0Fu3N0+8Fa/7yu/yPeHTMZ9mm0be+jKAwAn7bfuRZ9Q1u0Zv
         NxvcyoLQApiqAtfs3f0PrSAu/yYp9EbRzmwkXXJSiyV98ypvntIVkUFdsJVcWX/kVGcj
         5XCTA1QTiSXwdM3Fg6t18tig8vzDaS95k5TC5lp1ZnlQgV8zJ/f4iAD4eOryMoEwh4O0
         WTcX6Cifbmrjwn8LYNr6siGMtxjHHPxVTZRisJ0MkxT0+aqb7Mqi4d2agZu1NwTJaZa9
         RZDJTF0y9/vQC/EY8YODrvRpxI69eeOoqTUix3MWtiXtTeYoAmpWyfcTb+IIONi+bpXj
         IEeg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v14si4325487pfa.252.2019.05.15.22.08.09;
        Wed, 15 May 2019 22:08:25 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726363AbfEPFHC (ORCPT <rfc822;brice.berna@gmail.com>
        + 99 others); Thu, 16 May 2019 01:07:02 -0400
Received: from mga01.intel.com ([192.55.52.88]:19998 "EHLO mga01.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725975AbfEPFHC (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 16 May 2019 01:07:02 -0400
X-Amp-Result: UNKNOWN
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-File-Uploaded: False
Received: from orsmga003.jf.intel.com ([10.7.209.27])
  by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 May 2019 22:07:01 -0700
X-ExtLoop1: 1
Received: from jsakkine-mobl1.tm.intel.com (HELO localhost) ([10.237.50.189])
  by orsmga003.jf.intel.com with ESMTP; 15 May 2019 22:06:55 -0700
Date:   Thu, 16 May 2019 08:07:05 +0300
From:   Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To:     Andy Lutomirski <luto@amacapital.net>
Cc:     Sean Christopherson <sean.j.christopherson@intel.com>,
        Andy Lutomirski <luto@kernel.org>,
        Jethro Beekman <jethro@fortanix.com>,
        "Xing, Cedric" <cedric.xing@intel.com>,
        "Hansen, Dave" <dave.hansen@intel.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        "Dr. Greg" <greg@enjellic.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        "linux-sgx@vger.kernel.org" <linux-sgx@vger.kernel.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        "nhorman@redhat.com" <nhorman@redhat.com>,
        "npmccallum@redhat.com" <npmccallum@redhat.com>,
        "Ayoun, Serge" <serge.ayoun@intel.com>,
        "Katz-zamir, Shay" <shay.katz-zamir@intel.com>,
        "Huang, Haitao" <haitao.huang@intel.com>,
        Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
        "Svahn, Kai" <kai.svahn@intel.com>, Borislav Petkov <bp@alien8.de>,
        Josh Triplett <josh@joshtriplett.org>,
        "Huang, Kai" <kai.huang@intel.com>,
        David Rientjes <rientjes@google.com>
Subject: Re: [PATCH v20 00/28] Intel SGX1 support
Message-ID: <20190516050705.GB6388@linux.intel.com>
References: <960B34DE67B9E140824F1DCDEC400C0F4E886094@ORSMSX116.amr.corp.intel.com>
 <6da269d8-7ebb-4177-b6a7-50cc5b435cf4@fortanix.com>
 <CALCETrWCZQwg-TUCm58DVG43=xCKRsMe1tVHrR8vdt06hf4fWA@mail.gmail.com>
 <20190513102926.GD8743@linux.intel.com>
 <20190514104323.GA7591@linux.intel.com>
 <CALCETrVbgTCnPo=PAq0-KoaRwt--urrPzn==quAJ8wodCpkBkw@mail.gmail.com>
 <20190514204527.GC1977@linux.intel.com>
 <20190515103531.GB10917@linux.intel.com>
 <20190515110005.GA14718@linux.intel.com>
 <B1DF6DCD-C37D-4C87-AF32-F31785184482@amacapital.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <B1DF6DCD-C37D-4C87-AF32-F31785184482@amacapital.net>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 15, 2019 at 07:27:02AM -0700, Andy Lutomirski wrote:
> 
> > On May 15, 2019, at 4:00 AM, Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> wrote:
> > 
> >> On Wed, May 15, 2019 at 01:35:31PM +0300, Jarkko Sakkinen wrote:
> >> This brings me to an open question in Andy's model: lets say that we
> >> change the source for SIGSTRUCT from memory address to fd. How can the
> >> policy prevent the use not creating a file containing a SIGSTRUCT and
> >> passing fd of that to the EINIT ioctl?
> > 
> 
> The policy will presumably check the label on the file that the fd points to.

Right (checked SELinux documentation).

Got one idea from this. Right now creation and initialization does not
require any VMAs to be created (since v20). Requiring to map a VMA for
copying the data would bring in my opinion a glitch to this model that
we have done effort to build up.

What if we similarly change EADD ioctl in a way that it'd take an fd
and an offset? This way we can enforce policy to the source where the
enclave data is loaded from. On the other hand, loading SIGSTRUCT from
fd enforces a legit structure for the enclave.

This would still allow to construct enclaves in VMA independent way.

> > Also wondering if a path would be better than plain fd for defining a
> > reasonable policy i.e. have sigstruct_path as part of the ioctl
> > parameters and not sigstruct_fd.
> > 
> 
> It would save two syscalls at the cost of a decent amount of complexity.

And also using fd gives robustness because it allows SIGSTRUCT
pulled from a file containing it (among other things).

/Jarkko