Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1376955yba; Thu, 16 May 2019 20:38:51 -0700 (PDT) X-Google-Smtp-Source: APXvYqyWAaE9shm16JPBjjz9nSo1u4Pt1ohn8xlhU47k/jmXLSe59i8cjz0Y7LoEq/KOH4V4QAbX X-Received: by 2002:a17:902:5066:: with SMTP id f35mr6562830plh.54.1558064331339; Thu, 16 May 2019 20:38:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558064331; cv=none; d=google.com; s=arc-20160816; b=nyLutbX5+iHBZ3IVcZODWIrdbww/ckYYrjfdUWrLWJ7xTaCJCvOFzOncf/Lp2Yb1p6 O50cBEQ1AdkQ+X37KP873XaUwdD5wyoI5UjQDZZjDm4QTiCUEtPHi5XGUYgxVLsGIusj yidqsI0lzXRAk0vFgPu4FNfZ/usxKYWodQW5ig17d3/mD/q5LC90Lqn9gXWXbqkSQe0Q mBhce2JzyKMaILjj06aqOpVovGIBaxV7GCZfPLAoWf1n4RE9mI8bH+xbiOZFRGVfxqP9 h+lLToXBaE8I9jaqHoIVWyq73jCbuvPh1Vrc3nUlh+e67tOwTi0J1h0S4FfwR+hcbgmD B2/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=XoC7z1tTY2GWHmK/cAUDtYhdk/yzxIY2i5RLpXAHFlg=; b=bd+7JHY1iMMPDtHEiqpiNCKJnQb8tYX/+/v3wQxJgNc5Jb9wJ9glh/Yn8eWiwepqIJ /3xjV5206tbL02EaM+zhBnX55ArlwgrjgGwCwUbTkckXqQQZKq2QljgM3b0t0T5G3wO4 zik/IdvjwNaNJJnqWZXI27rA+L1/+xx3tdB4t1kknrQ/SNDQkiqSeLWZnPdpHgTtlDju 6MvhlQzNjvc+EFvM5r3DApaBMFNsojn+32JauFTvj9+PE2SGpMVjzL+qYmP6dWo4ZnQW 0v5oNeeqS1vRMtYCfYct+9OWlwtwTd3rMw2osU1ahVaqpTBIkgJEoY+9sUyN8Qz0CHOD 3lBw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=aRKGmssG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z18si6657809plo.72.2019.05.16.20.38.36; Thu, 16 May 2019 20:38:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=aRKGmssG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727223AbfEQBVe (ORCPT + 99 others); Thu, 16 May 2019 21:21:34 -0400 Received: from mail.kernel.org ([198.145.29.99]:60792 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727027AbfEQBVe (ORCPT ); Thu, 16 May 2019 21:21:34 -0400 Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7E2D32177B for ; Fri, 17 May 2019 01:21:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1558056092; bh=gof0GYVbhaJmsy1U34euLEiyfxRjuIA4jzoUaq2teCU=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=aRKGmssGlGlJ230iE7AwZpUuXotMV/b2pMeGvX3uBLqJTK4Z+UKIc8i6YthHF5PvR Xny8i1xX2ow1TkXQsUNgtMm54NX23RMfkzgC9VyWzZWEDyAg2eJV6JC01nL2DhE1LW NaS0L00Oudt+HZO/LUe0h5OykFt66z8fK46NWcsc= Received: by mail-wm1-f49.google.com with SMTP id i3so5306638wml.4 for ; Thu, 16 May 2019 18:21:32 -0700 (PDT) X-Gm-Message-State: APjAAAXQ2ZPtKJuo4slv1gexqfuiOUpKuW1o1ISosMNvmCLu8/zMfBOE czdNMh7CIbb5Pb0v1+SNBsVKmm7ErEeA+Y4BGyhaeA== X-Received: by 2002:a1c:4107:: with SMTP id o7mr25914083wma.122.1558056090883; Thu, 16 May 2019 18:21:30 -0700 (PDT) MIME-Version: 1.0 References: <8fe520bb-30bd-f246-a3d8-c5443e47a014@intel.com> <358e9b36-230f-eb18-efdb-b472be8438b4@fortanix.com> <960B34DE67B9E140824F1DCDEC400C0F4E886094@ORSMSX116.amr.corp.intel.com> <6da269d8-7ebb-4177-b6a7-50cc5b435cf4@fortanix.com> <20190513102926.GD8743@linux.intel.com> <20190514104323.GA7591@linux.intel.com> <20190514204527.GC1977@linux.intel.com> <20190515013031.GF1977@linux.intel.com> <960B34DE67B9E140824F1DCDEC400C0F654E38CD@ORSMSX116.amr.corp.intel.com> <960B34DE67B9E140824F1DCDEC400C0F654E3FB9@ORSMSX116.amr.corp.intel.com> <960B34DE67B9E140824F1DCDEC400C0F654E40E5@ORSMSX116.amr.corp.intel.com> In-Reply-To: <960B34DE67B9E140824F1DCDEC400C0F654E40E5@ORSMSX116.amr.corp.intel.com> From: Andy Lutomirski Date: Thu, 16 May 2019 18:21:19 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support) To: "Xing, Cedric" Cc: Andy Lutomirski , James Morris , "Christopherson, Sean J" , "Serge E. Hallyn" , LSM List , Paul Moore , Stephen Smalley , Eric Paris , "selinux@vger.kernel.org" , Jarkko Sakkinen , Jethro Beekman , "Hansen, Dave" , Thomas Gleixner , "Dr. Greg" , Linus Torvalds , LKML , X86 ML , "linux-sgx@vger.kernel.org" , Andrew Morton , "nhorman@redhat.com" , "npmccallum@redhat.com" , "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , Andy Shevchenko , "Svahn, Kai" , Borislav Petkov , Josh Triplett , "Huang, Kai" , David Rientjes Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 16, 2019 at 6:06 PM Xing, Cedric wrote: > > > From: Andy Lutomirski [mailto:luto@kernel.org] > > > > On Thu, May 16, 2019 at 3:23 PM Xing, Cedric > > wrote: > > > > > > Hi Andy, > > > > > > > > SIGSTRUCT isn't necessarily stored on disk so may not always have > > a fd. > > > > How about the following? > > > > > void *ss_pointer =3D mmap(sigstruct_fd, PROT_READ,...); > > > > > ioctl(enclave_fd, SGX_INIT_THE_ENCLAVE, ss_pointer); > > > > > > > > > > The idea here is SIGSTRUCT will still be passed in memory so it > > > > > works > > > > the same way when no LSM modules are loaded or basing its decision > > > > on the .sigstruct file. Otherwise, an LSM module can figure out the > > > > backing file (and offset within that file) by looking into the VMA > > > > covering ss_pointer. > > > > > > > > I don=E2=80=99t love this approach. Application authors seem likel= y to use > > > > read() instead of mmap(), and it=E2=80=99ll still work in many care= s. It > > > > would also complicate the kernel implementation, and looking at the > > > > inode backing the vma that backs a pointer is at least rather > > unusual. > > > > Instead, if the sigstruct isn=E2=80=99t on disk because it=E2=80=99= s dynamic or came > > > > from a network, the application can put it in a memfd. > > > > > > I understand your concern here. But I guess we are making too much > > assumption on how enclaves are structured/packaged. My concern is, what > > if a SIGSTRUCT really has to be from memory? For example, an enclave > > (along with its SIGSTRUCT) could be embedded inside a shared object (or > > even the "main" executable) so it shows up in memory to begin with. > > > > Hmm. That's a fair point, although opening /proc/self/exe could be > > somewhat of a workaround. It does suffer from a bit of an in-band > > signaling problem, though, in that it's possible that some other random > > bytes in the library resemble a SIGSTRUCT. > > > > > I was not saying enclaves were exempt to good security practices. Wha= t > > I was trying to say was, EPC pages are *not* subject to the same attack= s > > as regular pages so I suspect there will be a desire to enforce > > different policies on them, especially after new SGX2 > > features/applications become available. So I think it beneficial to > > distinguish between regular vs. enclave virtual ranges. And to do that, > > a new VM_SGX flag in VMA is probably a very simple/easy way. And with > > that VM_SGX flag, we could add a new security_sgx_mprot() hook so that > > LSM modules/policies could act differently. > > > > I'm not opposed to this, but I also don't think this needs to be in the > > initial upstream driver. VM_SGX also isn't strictly necessary -- an LS= M > > could inspect the VMA to decide whether it's an SGX VMA if it really > > wanted to. > > VM_SGX is just what I think is the easiest way for any module to tell enc= lave VMAs from all others. I agree totally with you that doesn't have to be= in the initial release! > > > > > That being said, do you have any specific behavior differences in mind > > aside from the oddities involved in loading the enclave. > > The major thing is dynamically linked enclaves. Say if you want something= like dlopen() inside an enclave, the driver would need to EAUG a page as R= W initially, and then change to RX after it has been EACCEPTCOPY'ed by the = enclave. So it's like a RW->RX transition and an LSM module/policy may want= to allow it only if it's within an enclave range (ELRANGE), or deny it oth= erwise. I'm not convinced. Given that the kernel has no way to tell that the dynamically loaded code wasn't dynamically generated, I don't think it makes sense to allow this in an enclave but disallow it outside an enclave. > > > > > > > > > And if you are with me on that bigger picture, the next question is: > > what should be the default behavior of security_sgx_mprot() for > > existing/non-SGX-aware LSM modules/policies? I'd say a reasonable > > default is to allow R, RW and RX, but not anything else. It'd suffice t= o > > get rid of EXECMEM/EXECMOD requirements on enclave applications. For > > SGX1, EPCM permissions are immutable so it really doesn't matter what > > security_sgx_mprot() does. For SGX2 and beyond, there's still time and > > new SGX-aware LSM modules/policies will probably have emerged by then. > > > > I hadn't thought about the SGX1 vs SGX2 difference. If the driver > > initially only wants to support SGX1, then I guess we really could get > > away with constraining the EPC flags based on the source page permissio= n > > and not restricting mprotect() and mmap() permissions on > > /dev/sgx/enclave at all. > > This is exactly what I'm going after! > > But I have to apologize for this silly question because I don't know much= about SELinux: Wouldn't it require changes to existing SELinux policies to= *not* restrict mprotect() on /dev/sgx/enclave? I'm assuming we'd make a small in-kernel change to SELinux to make it work without policy changes, assuming the SELinux maintainers would be okay with this.