Subject: Re: SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support)
From: Andy Lutomirski
Date: Fri, 17 May 2019 11:53:00 -0700
To: Sean Christopherson
Cc: Linus Torvalds, Stephen Smalley, "Xing, Cedric", Andy Lutomirski, James Morris, "Serge E. Hallyn", LSM List, Paul Moore, Eric Paris, selinux@vger.kernel.org, Jarkko Sakkinen, Jethro Beekman, "Hansen, Dave", Thomas Gleixner, "Dr. Greg", LKML, X86 ML, linux-sgx@vger.kernel.org, Andrew Morton, nhorman@redhat.com, npmccallum@redhat.com, "Ayoun, Serge", "Katz-zamir, Shay", "Huang, Haitao", Andy Shevchenko, "Svahn, Kai", Borislav Petkov, Josh Triplett, "Huang, Kai", David Rientjes
Message-Id: <3FECC02D-C65C-4D35-B538-D32EC7D722D5@amacapital.net>
In-Reply-To: <20190517182124.GF15006@linux.intel.com>
References: <960B34DE67B9E140824F1DCDEC400C0F654E3FB9@ORSMSX116.amr.corp.intel.com> <6a97c099-2f42-672e-a258-95bc09152363@tycho.nsa.gov> <20190517150948.GA15632@linux.intel.com> <80013cca-f1c2-f4d5-7558-8f4e752ada76@tycho.nsa.gov> <20190517172953.GC15006@linux.intel.com> <20190517175500.GE15006@linux.intel.com> <20190517182124.GF15006@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> On May 17, 2019, at 11:21 AM, Sean Christopherson wrote:
>
>> On Fri, May 17, 2019 at 11:04:22AM -0700, Linus Torvalds wrote:
>> On Fri, May 17, 2019 at 10:55 AM Sean Christopherson wrote:
>>>
>>> In this snippet, IS_PRIVATE() is true for anon inodes, false for
>>> /dev/sgx/enclave. Because EPC memory is always shared, SELinux will never
>>> check PROCESS__EXECMEM for mprotect() on /dev/sgx/enclave.
>>
>> Why _does_ the memory have to be shared? Shared mmap() is
>> fundamentally less secure than private mmap, since by definition it
>> means "oh, somebody else has access to it too and might modify it
>> under us".
>>
>> Why does the SGX logic care about things like that? Normal executables
>> are just private mappings of an underlying file, I'm not sure why the
>> SGX interface has to have that shared thing, and why the interface has
>> to have a device node in the first place when you have system calls
>> for setup anyway.
>>
>> So why don't the system calls just work on perfectly normal anonymous
>> mmap's? Why a device node, and why must it be shared to begin with?
>
> I agree that conceptually EPC is private memory, but because EPC is
> managed as a separate memory pool, SGX tags it VM_PFNMAP and manually
> inserts PFNs, i.e. EPC effectively gets classified as IO memory.
>
> And vmf_insert_pfn_prot() doesn't like writable private IO mappings:
>
> BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));

I don’t see how it could be anonymous even in principle. The kernel can’t *read* the memory — how could we possibly CoW it? And we can’t share RO backing pages between two different enclaves because the CPU won’t let us — each EPC page belongs to a particular enclave. And fork()ing an enclave is right out.

So I agree that MAP_ANONYMOUS would be nice conceptually, but I don’t see how it would work.
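The BUG_ON Sean quotes, modelled in user space so the mmap()-flag combinations that trip it can be checked without a PFNMAP device. This is an added example, not code from the thread or from the SGX patches: the VM_* values and the is_cow_mapping() expression mirror the Linux definitions, while mmap_to_vm_flags() and device_mmap_check() are simplified, hypothetical stand-ins for what do_mmap() and a PFNMAP driver's ->mmap() hook do. It assumes the file was opened read-write (or the memory is anonymous), so VM_MAYWRITE is set on every mapping.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/mman.h>

typedef unsigned long vm_flags_t;

/* Flag values as defined in include/linux/mm.h. */
#define VM_READ      0x00000001UL
#define VM_WRITE     0x00000002UL
#define VM_EXEC      0x00000004UL
#define VM_SHARED    0x00000008UL
#define VM_MAYREAD   0x00000010UL
#define VM_MAYWRITE  0x00000020UL
#define VM_MAYEXEC   0x00000040UL
#define VM_MAYSHARE  0x00000080UL
#define VM_PFNMAP    0x00000400UL

/* Same expression as the kernel's is_cow_mapping(): a VMA is
 * copy-on-write when it may become writable but is not MAP_SHARED.
 * Note that it tests VM_MAYWRITE, not VM_WRITE. */
static bool is_cow_mapping(vm_flags_t flags)
{
    return (flags & (VM_SHARED | VM_MAYWRITE)) == VM_MAYWRITE;
}

/* Simplified model (an assumption, not the kernel's code) of how do_mmap()
 * turns prot/flags into vm_flags.  The VM_MAY* bits are always set, which
 * matches a file opened O_RDWR or anonymous memory. */
static vm_flags_t mmap_to_vm_flags(int prot, int flags)
{
    vm_flags_t vm = VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;

    if (prot & PROT_READ)
        vm |= VM_READ;
    if (prot & PROT_WRITE)
        vm |= VM_WRITE;
    if (prot & PROT_EXEC)
        vm |= VM_EXEC;
    if (flags & MAP_SHARED)
        vm |= VM_SHARED | VM_MAYSHARE;
    return vm;
}

/* The condition inside vmf_insert_pfn_prot()'s BUG_ON as quoted above:
 * true means inserting a PFN into this VMA would crash the kernel. */
static bool pfnmap_would_bug(vm_flags_t vm)
{
    return (vm & VM_PFNMAP) && is_cow_mapping(vm);
}

/* Hypothetical ->mmap() guard for a PFNMAP device: refuse CoW mappings at
 * mmap() time so user space gets -EINVAL instead of the fault path hitting
 * the BUG_ON.  Returns 0 when the mapping is acceptable. */
static int device_mmap_check(vm_flags_t vm)
{
    if (is_cow_mapping(vm))
        return -EINVAL;
    return 0;
}

int main(void)
{
    struct { const char *name; int prot; int flags; } cases[] = {
        { "MAP_SHARED  RW", PROT_READ | PROT_WRITE, MAP_SHARED  },
        { "MAP_PRIVATE RW", PROT_READ | PROT_WRITE, MAP_PRIVATE },
        { "MAP_PRIVATE RO", PROT_READ,              MAP_PRIVATE },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        /* The driver's ->mmap() hook is what tags the VMA VM_PFNMAP. */
        vm_flags_t vm = mmap_to_vm_flags(cases[i].prot, cases[i].flags) | VM_PFNMAP;

        printf("%-15s cow=%d would_bug=%d mmap_check=%d\n", cases[i].name,
               is_cow_mapping(vm), pfnmap_would_bug(vm), device_mmap_check(vm));
    }
    return 0;
}
```

The caveat worth knowing is that is_cow_mapping() keys on VM_MAYWRITE rather than VM_WRITE, so under this model even a PROT_READ MAP_PRIVATE mapping of the device counts as CoW and would reach the BUG_ON on first fault; a PFNMAP driver therefore has to reject private mappings (or clear VM_MAYWRITE) in its ->mmap() hook rather than rely on the fault path, which is the practical reason EPC ends up mapped MAP_SHARED, the property Sean's SELinux snippet keys on.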