Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp2167773yba; Fri, 17 May 2019 11:42:15 -0700 (PDT) X-Google-Smtp-Source: APXvYqyFI5L4S18gWaUWzsnHmAAngKSeQdrzuk/NZESFkN4FIuSx8MO70vdxZRXN4jEeIZPxyEJQ X-Received: by 2002:a17:902:2883:: with SMTP id f3mr32881656plb.26.1558118535238; Fri, 17 May 2019 11:42:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558118535; cv=none; d=google.com; s=arc-20160816; b=D8M+yntUcTkMqix8uIBSEQPcPx3Ke82umy94XS//ulwzARvVmIbBG8CDCJW2KTz18n m8Ntfd+yBVs9Rozb+oh9IhVNZzhzmrM+LfKjr7IoYuGlY1i+PHl3px3AW5lLTdxgNfEr mitAsq9P0//URaCyVcSY9c3xQHZ4Kw3Ri3qqnTa76y7QD7MapVR3qWVV/QmszAwAygjS wlJKiuMWSAjaIuOBWmOm2qlxVSH2sfgZLf1iv7fK8YaDih64oIQyUCwatIrUtoencfPS BUnY32IuNWCmB+AWGeTL3eylJN7fSKq0/NBWwBmrzaD7+3HdDPB1qYpZAvUwxPfvXRJv jP7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=oO/GMUgT+1j7VBkn8MyV9uRSDi94nW1hm071Hw5jVSo=; b=QTOunyCKO6+fUwA6la3gqZfpr8FvdkCTaxSrXRh5uesTg0JsOudUau/cL5Fzen+bog V+Jlp00xh5P6HDGxlmgwnBWBOpkLewgWaXT3gfAC1LW89ncvyUoWlPDPmRq/SgASfbUc avMEhN6Y2RK7TidO4GRbi2LQTs26NOK030vyaCgrcPW6wwV8EGp2lTkyCUd4i7xu7ptn TZpVtTrXdyX6BN65Fe/5/CdT0fKeKTK7uiABrXXt4T3aUuOoxU+q2AW0LWmqGww8EVg7 c2JDeqgYoDl9RGuEbnCKWNe+nmdBBci64IXe81cVVWnMEoIoSFI6ewHCnlOZAouFoAgY flvA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=Fg3ijOgm; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b1si8553819pgg.392.2019.05.17.11.41.59; Fri, 17 May 2019 11:42:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=Fg3ijOgm; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727849AbfEQSkg (ORCPT + 99 others); Fri, 17 May 2019 14:40:36 -0400 Received: from mail-lf1-f68.google.com ([209.85.167.68]:37255 "EHLO mail-lf1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726740AbfEQSkf (ORCPT ); Fri, 17 May 2019 14:40:35 -0400 Received: by mail-lf1-f68.google.com with SMTP id q17so6036729lfo.4 for ; Fri, 17 May 2019 11:40:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=oO/GMUgT+1j7VBkn8MyV9uRSDi94nW1hm071Hw5jVSo=; b=Fg3ijOgmH36WIunWDge4wgVr1HpSUVX9oAp+UCHPw0NDKT8DXkwZR5Mut0XUVphKdk 7WE868HzNhOuKCXNTdn21kpMbzVCMJsRd2eClEQCb4geolrkgNdveLxZ1t0pqQciLaT5 bwxxuYpv6Ki2BW9/dHBX6rwlLrcuW+6kpcRCs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=oO/GMUgT+1j7VBkn8MyV9uRSDi94nW1hm071Hw5jVSo=; b=VyruRE4rIfonJZcxxx074EkdVY0EwoMpEvMZIbOo5qRuXvv1neRakEoGjksV2MEonU ZFfP/g3AaJjQaTPl3a/84TAUYV8d3z2s+Xfn+lANta2RGO20l8cqArvjVXsWDbIrNYrM q4TBw68tizehSn1a4ohChuFxY0dez33b9k2d0pFHnq7f5g6w5wlxYWTQKQrlN1S31HtB Qij3DKrsLShzd3yT9sF7vkAVQh/XslSBHkS8KVuI6H/lhOw7qyrWu90X5ZEDQwjtQsGn li3tDQ1esuBQAtN61bSZf/KquxIX71UuZYzSMRtLwVoT5oIMA8RlPWB4Hn+IiSJ5Af0Z renQ== X-Gm-Message-State: APjAAAVaZtGkznYYzqmm6uk6JQEjEUCuKhtePOtwa6+/1czLUU0Nnslh Nu3GViUg01uVOXrMQAQCGfqemNcps5Y= X-Received: by 2002:a19:7d04:: with SMTP id y4mr28264034lfc.153.1558118432314; Fri, 17 May 2019 11:40:32 -0700 (PDT) Received: from mail-lj1-f178.google.com (mail-lj1-f178.google.com. [209.85.208.178]) by smtp.gmail.com with ESMTPSA id i187sm1813646lfe.64.2019.05.17.11.40.31 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 May 2019 11:40:32 -0700 (PDT) Received: by mail-lj1-f178.google.com with SMTP id j24so7205590ljg.1 for ; Fri, 17 May 2019 11:40:31 -0700 (PDT) X-Received: by 2002:a2e:9546:: with SMTP id t6mr8446776ljh.51.1558118026162; Fri, 17 May 2019 11:33:46 -0700 (PDT) MIME-Version: 1.0 References: <960B34DE67B9E140824F1DCDEC400C0F654E3FB9@ORSMSX116.amr.corp.intel.com> <6a97c099-2f42-672e-a258-95bc09152363@tycho.nsa.gov> <20190517150948.GA15632@linux.intel.com> <80013cca-f1c2-f4d5-7558-8f4e752ada76@tycho.nsa.gov> <20190517172953.GC15006@linux.intel.com> <20190517175500.GE15006@linux.intel.com> <20190517182124.GF15006@linux.intel.com> In-Reply-To: <20190517182124.GF15006@linux.intel.com> From: Linus Torvalds Date: Fri, 17 May 2019 11:33:30 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support) To: Sean Christopherson Cc: Andy Lutomirski , Stephen Smalley , "Xing, Cedric" , Andy Lutomirski , James Morris , "Serge E. Hallyn" , LSM List , Paul Moore , Eric Paris , "selinux@vger.kernel.org" , Jarkko Sakkinen , Jethro Beekman , "Hansen, Dave" , Thomas Gleixner , "Dr. Greg" , LKML , X86 ML , "linux-sgx@vger.kernel.org" , Andrew Morton , "nhorman@redhat.com" , "npmccallum@redhat.com" , "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , Andy Shevchenko , "Svahn, Kai" , Borislav Petkov , Josh Triplett , "Huang, Kai" , David Rientjes Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 17, 2019 at 11:21 AM Sean Christopherson wrote: > > I agree that conceptually EPC is private memory, but because EPC is > managed as a separate memory pool, SGX tags it VM_PFNMAP and manually > inserts PFNs, i.e. EPC effectively it gets classified as IO memory. > > And vmf_insert_pfn_prot() doesn't like writable private IO mappings: > > BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags)); Hmm. I haven't looked into why you want to do your own page insertion and not just "use existing pages", but I'm sure there's some reason. It looks like the "shared vs private" inode part is a red herring, though. You might as well give each opener of the sgx node its own inode - and you probably should. Then you can keep track of the pages that have been added in the inode->i_mapping, and you could avoid the whole PFN thing entirely. I still am not a huge fan of the device node in the first place, but I guess it's just one more place where a system admin can then give (or deny) access to a kernel feature from users. I guess the kvm people do the same thing, for not necessarily any better reasons. With the PFNMAP model I guess the SGX memory ends up being unswappable - at least done the obvious way. Again, the way I'd expect it to be done is as a shmem inode - that would I think be a better model. But I think that's a largely internal design decision, and the device node could just do that eventually (and the mmap could just map the populated shmem information into memory, no PFNMAP needed - the inode and the mapping could be "read-only" as far as the _user_ is concerned, but the i_mapping then gets populated by the ioctl's). I have not actually looked at any of the SGX patches, so maybe you're already doing something like that (although the PFNMAP comment makes me think not), and quite possibly there's some fundamental reason why you can't just use the shmem approach. So my high-level reaction here may be just the rantings of somebody who just isn't familiar with what you do. My "why not shmem and regular mmap" questions come from a 30000ft view without knowing any of the details. Linus