Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp186414yba; Wed, 15 May 2019 22:08:25 -0700 (PDT) X-Google-Smtp-Source: APXvYqxKimnahleEHB6G6EY8DR5cEy/JwPRrcjzjwqLzoTVAY0vKvLxEt+Y5kzrMO59appUJ6+cG X-Received: by 2002:a17:902:7883:: with SMTP id q3mr47605158pll.60.1557983305122; Wed, 15 May 2019 22:08:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557983305; cv=none; d=google.com; s=arc-20160816; b=GlkxX5DKlsp0ml0pCumAFWn71hwwiegBVL8aDkEI+/RyAepd93K+gF5LFttSPNJ8Nf KRXzO8oU5MMQPrKAObcmcLKQ+Gmc0Sh2Z7hE2Ad1O9ZGgZctAWaZzoLTdwT/hBQ7nqGc Wf9Ki1DTdaxChyKZikriU8Rc6aRnf2xsGpu6ZlpAa1Yckx1uhXxYuPVCn3bfJ8/9Jnoz iQMZk7htTPsIsXk26denvB6Frm4wrsCiCNKl1l59LPDubE4qeCWHRT/LGmzMs5QGibM7 Y6zDV6BJA/by3i+BJ1TDdZ4z4ZUVd8KtDsk6Hvm1IwTpjyHSLLRILfT0aeruX2AKwCJM 2GHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:organization:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=0bajRUQIoUBgqzrDApmpSoS1zx5q1B8T+ssqlmcpg3I=; b=unopXOYOsvOI552FEy0Fu3N0+8Fa/7yu/yPeHTMZ9mm0be+jKAwAn7bfuRZ9Q1u0Zv NxvcyoLQApiqAtfs3f0PrSAu/yYp9EbRzmwkXXJSiyV98ypvntIVkUFdsJVcWX/kVGcj 5XCTA1QTiSXwdM3Fg6t18tig8vzDaS95k5TC5lp1ZnlQgV8zJ/f4iAD4eOryMoEwh4O0 WTcX6Cifbmrjwn8LYNr6siGMtxjHHPxVTZRisJ0MkxT0+aqb7Mqi4d2agZu1NwTJaZa9 RZDJTF0y9/vQC/EY8YODrvRpxI69eeOoqTUix3MWtiXtTeYoAmpWyfcTb+IIONi+bpXj IEeg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v14si4325487pfa.252.2019.05.15.22.08.09; Wed, 15 May 2019 22:08:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726363AbfEPFHC (ORCPT + 99 others); Thu, 16 May 2019 01:07:02 -0400 Received: from mga01.intel.com ([192.55.52.88]:19998 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725975AbfEPFHC (ORCPT ); Thu, 16 May 2019 01:07:02 -0400 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 May 2019 22:07:01 -0700 X-ExtLoop1: 1 Received: from jsakkine-mobl1.tm.intel.com (HELO localhost) ([10.237.50.189]) by orsmga003.jf.intel.com with ESMTP; 15 May 2019 22:06:55 -0700 Date: Thu, 16 May 2019 08:07:05 +0300 From: Jarkko Sakkinen To: Andy Lutomirski Cc: Sean Christopherson , Andy Lutomirski , Jethro Beekman , "Xing, Cedric" , "Hansen, Dave" , Thomas Gleixner , "Dr. Greg" , Linus Torvalds , LKML , X86 ML , "linux-sgx@vger.kernel.org" , Andrew Morton , "nhorman@redhat.com" , "npmccallum@redhat.com" , "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , Andy Shevchenko , "Svahn, Kai" , Borislav Petkov , Josh Triplett , "Huang, Kai" , David Rientjes Subject: Re: [PATCH v20 00/28] Intel SGX1 support Message-ID: <20190516050705.GB6388@linux.intel.com> References: <960B34DE67B9E140824F1DCDEC400C0F4E886094@ORSMSX116.amr.corp.intel.com> <6da269d8-7ebb-4177-b6a7-50cc5b435cf4@fortanix.com> <20190513102926.GD8743@linux.intel.com> <20190514104323.GA7591@linux.intel.com> <20190514204527.GC1977@linux.intel.com> <20190515103531.GB10917@linux.intel.com> <20190515110005.GA14718@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 15, 2019 at 07:27:02AM -0700, Andy Lutomirski wrote: > > > On May 15, 2019, at 4:00 AM, Jarkko Sakkinen wrote: > > > >> On Wed, May 15, 2019 at 01:35:31PM +0300, Jarkko Sakkinen wrote: > >> This brings me to an open question in Andy's model: lets say that we > >> change the source for SIGSTRUCT from memory address to fd. How can the > >> policy prevent the use not creating a file containing a SIGSTRUCT and > >> passing fd of that to the EINIT ioctl? > > > > The policy will presumably check the label on the file that the fd points to. Right (checked SELinux documentation). Got one idea from this. Right now creation and initialization does not require any VMAs to be created (since v20). Requiring to map a VMA for copying the data would bring in my opinion a glitch to this model that we have done effort to build up. What if we similarly change EADD ioctl in a way that it'd take an fd and an offset? This way we can enforce policy to the source where the enclave data is loaded from. On the other hand, loading SIGSTRUCT from fd enforces a legit structure for the enclave. This would still allow to construct enclaves in VMA independent way. > > Also wondering if a path would be better than plain fd for defining a > > reasonable policy i.e. have sigstruct_path as part of the ioctl > > parameters and not sigstruct_fd. > > > > It would save two syscalls at the cost of a decent amount of complexity. And also using fd gives robustness because it allows SIGSTRUCT pulled from a file containing it (among other things). /Jarkko