Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1272108yba; Thu, 16 May 2019 18:09:27 -0700 (PDT) X-Google-Smtp-Source: APXvYqxDfKg2YuR5MDK0nWyQZIixHNMyJ79YHhkAatsJqjoBXX12kExEgBuSKSzaR41teacWhd90 X-Received: by 2002:a63:317:: with SMTP id 23mr53479193pgd.414.1558055367832; Thu, 16 May 2019 18:09:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558055367; cv=none; d=google.com; s=arc-20160816; b=0brUhoGICBmq5cON7e/OfOltqiarZAkW3C7q3pKk/vkuTUXKvJFMaVlm6ntWMq4u94 ZwgDmrx/111E2GIdZUnhJuO1m6IqvcFnO3cyS2jlHtuLkcFsfOlvFH6zVP1cK9s2xIYa I05C2v7aE+z2R3nLoYYQHW5xCADAOVFY/LDlFhzdNAvZrF5mrbgKZGE6SrVkzo63yJrV lRjipVYcoI+NjNIT+GHxWEcb4uiM/AhIUF87Zrez8LjhgdIhNMaYGI8BZN/1ovSqgCmO vyYc0VFS5Uvyo0RcFN7vWYN5kCJDBSYfl18UwjGmhfPpB05vFDDcJd5uAEyp/yA2DWCe ZDzQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=RxeYK4KHM5hNwWzP8T2AOho578o3HMiciEwy7Rr78tQ=; b=NqlGZw/1t2vxv2ivDc8HgHaU6Z3JtDD9G2ZfdSyDBVzQLxIUZnweiFk/rfPldmTvvH SnGoDBddeBgXDGsACRvWBvmmHM68cZyyjSm9VzC/9a8CLilw8JPCpkeLso8wksqrLKc3 nRC8prIEKZy0WOCqaaTcIqUZFN6WDXmG6sams1TZJJSSY0Kh/v6/A9meoi1dv8gyCJ5g ahHPIXdcVXFbWZLCsB5cXT+uQKil/8wm+fM+mwq8T7AZXYMrX+7hyjrMIMaBrE9fvfTx L0DwcovTG1KEhUCZKcPAzQwaz+CDMYyYdcvqOfCWvxbe+JB++Y/xNCf5zcNVZMqcLzHZ oQwg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o15si6633959pgh.181.2019.05.16.18.09.12; Thu, 16 May 2019 18:09:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727540AbfEQADd (ORCPT + 99 others); Thu, 16 May 2019 20:03:33 -0400 Received: from mga12.intel.com ([192.55.52.136]:35471 "EHLO mga12.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726523AbfEQADd (ORCPT ); Thu, 16 May 2019 20:03:33 -0400 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 May 2019 17:03:32 -0700 X-ExtLoop1: 1 Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.36]) by fmsmga008.fm.intel.com with ESMTP; 16 May 2019 17:03:31 -0700 Date: Thu, 16 May 2019 17:03:31 -0700 From: Sean Christopherson To: Andy Lutomirski Cc: James Morris , "Serge E. Hallyn" , LSM List , Paul Moore , Stephen Smalley , Eric Paris , selinux@vger.kernel.org, Jarkko Sakkinen , Jethro Beekman , "Xing, Cedric" , "Hansen, Dave" , Thomas Gleixner , "Dr. Greg" , Linus Torvalds , LKML , X86 ML , "linux-sgx@vger.kernel.org" , Andrew Morton , "nhorman@redhat.com" , "npmccallum@redhat.com" , "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , Andy Shevchenko , "Svahn, Kai" , Borislav Petkov , Josh Triplett , "Huang, Kai" , David Rientjes Subject: Re: SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support) Message-ID: <20190517000331.GD11204@linux.intel.com> References: <960B34DE67B9E140824F1DCDEC400C0F4E886094@ORSMSX116.amr.corp.intel.com> <6da269d8-7ebb-4177-b6a7-50cc5b435cf4@fortanix.com> <20190513102926.GD8743@linux.intel.com> <20190514104323.GA7591@linux.intel.com> <20190514204527.GC1977@linux.intel.com> <20190515013031.GF1977@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 15, 2019 at 11:27:04AM -0700, Andy Lutomirski wrote: > Here's a very vague proposal that's kind of like what I've been > thinking over the past few days. The SGX inode could track, for each > page, a "safe-to-execute" bit. When you first open /dev/sgx/enclave, > you get a blank enclave and all pages are safe-to-execute. When you > do the ioctl to load context (which could be code, data, or anything > else), the kernel will check whether the *source* VMA is executable > and, if not, mark the page of the enclave being loaded as unsafe. > Once the enclave is initialized, the driver will clear the > safe-to-execute bit for any page that is successfully mapped writably. > > The intent is that a page of the enclave is safe-to-execute if that > page was populated from executable memory and not modified since then. > LSMs could then enforce a policy that you can map an enclave page RX > if the page is safe-to-execute, you can map any page you want for > write if there are no executable mappings, and you can only map a page > for write and execute simultaneously if you can EXECMOD permission. > This should allow an enclave to be loaded by userspace from a file > with EXECUTE rights. I'm still confused as to why you want to track execute permissions on the enclave pages and add SGX-specific LSM hooks. Is there anything that prevents userspace from building the enclave like any other DSO and then copying it into enclave memory? I feel like I'm missing something. 1. Userspace loads enclave into regular memory, e.g. like a normal DSO. All mmap(), mprotect(), etc... calls are subject to all existing LSM policies. 2. Userspace opens /dev/sgx/enclave to instantiate a new enclave. 3. Userspace uses mmap() to allocate virtual memory for its enclave, again subject to all existing LSM policies (sane userspaces map it RO since the permissions eventually get tossed anyways). 4. SGX subsystem refuses to service page faults for enclaves that have not yet been initialized, e.g. signals SIGBUS or SIGSEGV. 5. Userspace invokes SGX ioctl() to copy enclave from regulary VMA to enclave VMA. 6. SGX ioctl() propagates VMA protection-related flags from source VMA to enclave VMA, e.g. invokes mprotect_fixup(). Enclave VMA(s) may be split as part of this process. 7. At all times, mprotect() calls on the enclave VMA are subject to existing LSM policies, i.e. it's not special cased for enclaves. The SGX ioctl() would need to take mmap_sem for write, but we can mitigate that issue by changing the ioctl() to take a range of memory instead of a single page. That'd also provide "EADD batching" that folks have requested.