From: Linus Torvalds
Date: Fri, 17 May 2019 11:04:22 -0700
Subject: Re: SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support)
To: Sean Christopherson
Cc: Andy Lutomirski, Stephen Smalley, "Xing, Cedric", Andy Lutomirski, James Morris, "Serge E. Hallyn", LSM List, Paul Moore, Eric Paris, "selinux@vger.kernel.org", Jarkko Sakkinen, Jethro Beekman, "Hansen, Dave", Thomas Gleixner, "Dr. Greg", LKML, X86 ML, "linux-sgx@vger.kernel.org", Andrew Morton, "nhorman@redhat.com", "npmccallum@redhat.com", "Ayoun, Serge", "Katz-zamir, Shay", "Huang, Haitao", Andy Shevchenko, "Svahn, Kai", Borislav Petkov, Josh Triplett, "Huang, Kai", David Rientjes

On Fri, May 17, 2019 at 10:55 AM Sean Christopherson wrote:
>
> In this snippet, IS_PRIVATE() is true for anon inodes, false for
> /dev/sgx/enclave.  Because EPC memory is always shared, SELinux will never
> check PROCESS__EXECMEM for mprotect() on /dev/sgx/enclave.

Why _does_ the memory have to be shared? Shared mmap() is
fundamentally less secure than private mmap, since by definition it
means "oh, somebody else has access to it too and might modify it
under us".

Why does the SGX logic care about things like that? Normal executables
are just private mappings of an underlying file, I'm not sure why the
SGX interface has to have that shared thing, and why the interface has
to have a device node in the first place when you have system calls
for setup anyway.

So why don't the system calls just work on perfectly normal anonymous
mmap's? Why a device node, and why must it be shared to begin with?

Linus
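
An added example, not part of the original message or of the SGX patch set: the shared-versus-private distinction raised above, shown on an ordinary scratch file rather than on /dev/sgx/enclave or EPC memory. The function name, the scratch path and the strings are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define LEN 4096

/* Bit 0: shared view saw the other mapping's write.
 * Bit 1: private view saw it. Returns -1 on setup failure. */
int observe_foreign_write(void)
{
    char path[] = "/tmp/mapdemoXXXXXX";  /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    if (ftruncate(fd, LEN) != 0) {
        close(fd);
        return -1;
    }
    int rw = PROT_READ | PROT_WRITE;
    /* "Us": a shared and a private view of the same file page. */
    char *shared_view = mmap(NULL, LEN, rw, MAP_SHARED, fd, 0);
    char *private_view = mmap(NULL, LEN, rw, MAP_PRIVATE, fd, 0);
    /* "Somebody else": an independent shared mapping of that page. */
    char *other = mmap(NULL, LEN, rw, MAP_SHARED, fd, 0);
    close(fd);
    if (shared_view == MAP_FAILED || private_view == MAP_FAILED || other == MAP_FAILED)
        return -1;

    strcpy(shared_view, "original");
    /* Until a private page is written, mmap(2) leaves it unspecified whether
     * later file changes show through. Touch it to force the copy-on-write. */
    ((volatile char *)private_view)[0] = 'o';

    strcpy(other, "tampered");  /* modification "under us" */

    int seen = 0;
    if (strcmp(shared_view, "tampered") == 0) seen |= 1;
    if (strcmp(private_view, "tampered") == 0) seen |= 2;
    munmap(shared_view, LEN); munmap(private_view, LEN); munmap(other, LEN);
    return seen;
}

int main(void)
{
    printf("foreign write seen by: %d (1 = shared view only)\n", observe_foreign_write());
    return 0;
}
```

Only the MAP_SHARED view changes when the second mapping writes; the MAP_PRIVATE view keeps the contents it had when its page was copied.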