Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp859432ybi; Fri, 24 May 2019 12:39:20 -0700 (PDT) X-Google-Smtp-Source: APXvYqwTSKFNFppSL2DEaWz5pFRmE6gyddNuS3/+xTs2sRoli0Y9ZMzGUQ7TCOkMCUStGAiUBv94 X-Received: by 2002:a63:dc09:: with SMTP id s9mr67028712pgg.425.1558726760428; Fri, 24 May 2019 12:39:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558726760; cv=none; d=google.com; s=arc-20160816; b=jLhKeNEnwVUrNxq1hESOapHgO7odtf4ecpbuiRersvtaNBWp4IXNCQepUqvQVdDXkt XFtwwB9gNwtEx/AsfabyTU0xrt9Jm4Z11sybcJdA5cNdC6RgUZlo22sViGazcisUzL5x qeEL6u2xPpMFQ6nyzFXT2Nq7W7hAakVfelIs92dWX4TyJ4um5WghdpOwsRpTF6eq+MCU e/MjQQwyE4fRUKwKzyc+4Wta3ZFPsxzcJREnrxmCR2kAFuAAUoAoun9AjYjmHgAnv15v lt7Mud3qSI1hIbrfu5tgZ0GvRSKksNwdFdMnTnwLiP5b+Bj9CMNEDhgFvSIXCVQAB7wk 2UXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=nOjaKb57Kha2ECQBQgTRotCg006F8uSOBBahhLVKjUY=; b=s5QbLbqRg/75tRCKZpyJ/pBPjpyMRhoU464w3JDlO1HBRdDXuAgNECvQE7BP7JLiKU I7Dz87F8i1YMxWfk31sONsZhNCufo9J9n2i5xNHcTNW92a8JvnOPMUyDSWQNJC+E5SUx N5/VNvAavZUpUhTL5K2WlgvHpQMuVYXiuhCLZFdA1jxqOg+3RxsASZjoLqs//XTKS+Mc qE8UJU29IgUbGUVnSRVz/GlV520QcXc3/jaUmScHMgAKIXoHRUZlF5RzWIo03Wyc04CZ 52P5Jxnb6y662GmThpXVDa24AsXJjn4UATGIRxJanbfVJ/PpnJbWy7eDmMAQjxARXuJA mBbA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=L9Xq9286; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d6si5444631plo.396.2019.05.24.12.39.04; Fri, 24 May 2019 12:39:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=L9Xq9286; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732115AbfEXTh7 (ORCPT + 99 others); Fri, 24 May 2019 15:37:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:51338 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729918AbfEXTh7 (ORCPT ); Fri, 24 May 2019 15:37:59 -0400 Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D18252189D for ; Fri, 24 May 2019 19:37:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1558726678; bh=zeXvSbypTKhRfRRi8ROgKjL9915ASKgLD4WTaDTJcsU=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=L9Xq9286wjZcFleforj8AYP5lih/NPKby+xmRc+h3k3H7d3lLLCrNPbYubi13DNCs IfhUJRelKVp+LrLEwsaLcfiXWZ0gB0WsoGmAM14MWO9oXPJlSWGHtGF9q6qVlHLBZa DWq+ASWxROyaqTxSo6WWLjquaUebsZ2hL1IJh/UI= Received: by mail-wr1-f51.google.com with SMTP id t4so2806907wrx.7 for ; Fri, 24 May 2019 12:37:57 -0700 (PDT) X-Gm-Message-State: APjAAAWvI3ng30kDoQSNwlDDcWZEROS2hrvT/drG0P5+5jX0xUyOy0T4 uWzk1NAE4L/r+iB1i/19O/28btFS+c4WIW429XQQXg== X-Received: by 2002:a5d:5506:: with SMTP id b6mr63452555wrv.221.1558726676250; Fri, 24 May 2019 12:37:56 -0700 (PDT) MIME-Version: 1.0 References: <20190523023517.GA31950@linux.intel.com> <20190523102628.GC10955@linux.intel.com> <20190523141752.GA12078@linux.intel.com> <20190523234044.GC12078@linux.intel.com> <960B34DE67B9E140824F1DCDEC400C0F654E8956@ORSMSX116.amr.corp.intel.com> <20190524174243.GA365@linux.intel.com> <20190524175458.GB365@linux.intel.com> <960B34DE67B9E140824F1DCDEC400C0F654E8E1D@ORSMSX116.amr.corp.intel.com> In-Reply-To: <960B34DE67B9E140824F1DCDEC400C0F654E8E1D@ORSMSX116.amr.corp.intel.com> From: Andy Lutomirski Date: Fri, 24 May 2019 12:37:44 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support) To: "Xing, Cedric" Cc: "Christopherson, Sean J" , Stephen Smalley , Andy Lutomirski , Jarkko Sakkinen , James Morris , "Serge E. Hallyn" , LSM List , Paul Moore , Eric Paris , "selinux@vger.kernel.org" , Jethro Beekman , "Hansen, Dave" , Thomas Gleixner , "Dr. Greg" , Linus Torvalds , LKML , X86 ML , "linux-sgx@vger.kernel.org" , Andrew Morton , "nhorman@redhat.com" , "npmccallum@redhat.com" , "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , Andy Shevchenko , "Svahn, Kai" , Borislav Petkov , Josh Triplett , "Huang, Kai" , David Rientjes Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 24, 2019 at 11:34 AM Xing, Cedric wrote= : > > > From: linux-sgx-owner@vger.kernel.org [mailto:linux-sgx- > > owner@vger.kernel.org] On Behalf Of Sean Christopherson > > Sent: Friday, May 24, 2019 10:55 AM > > > > On Fri, May 24, 2019 at 10:42:43AM -0700, Sean Christopherson wrote: > > > Hmm, I've been thinking more about pulling permissions from the sourc= e > > > page. Conceptually I'm not sure we need to meet the same requirement= s > > as > > > non-enclave DSOs while the enclave is being built, i.e. do we really > > need > > > to force userspace to fully map the enclave in normal memory? > > > > > > Consider the Graphene scenario where it's building an enclave on the > > fly. > > > Pulling permissions from the source VMAs means Graphene has to map th= e > > > code pages of the enclave with X. This means Graphene will need > > EXEDMOD > > > (or EXECMEM if Graphene isn't careful). In a non-SGX scenario this > > makes > > > perfect sense since there is no way to verify the end result of RW->R= X. > > > > > > But for SGX, assuming enclaves are whitelisted by their sigstruct > > (checked > > > at EINIT) and because page permissions affect sigstruct.MRENCLAVE, it > > *is* > > > possible to verify the resulting RX contents. E.g. for the purposes > > of > > > LSMs, can't we use the .sigstruct file as a proxy for the enclave and > > > require FILE__EXECUTE on the .sigstruct inode to map/run the enclave? > > > > > > Stephen, is my logic sound? > > > > > > > > > If so... > > > > > > - Require FILE__READ+FILE__EXECUTE on .sigstruct to mmap() the > > enclave. > > > > > > - Prevent userspace from mapping the enclave with permissions beyon= d > > the > > > original permissions of the enclave. This can be done by > > populating > > > VM_MAY{READ,WRITE,EXEC} from the SECINFO (same basic concept as > > Andy's > > > proposals). E.g. pre-EINIT, mmap() and mprotect() can only > > succeed > > > with PROT_NONE. > > > > > > - Require FILE__{READ,WRITE,EXECUTE} on /dev/sgx/enclave for > > simplicity, > > > or provide an alternate SGX_IOC_MPROTECT if we want to sidestep > > the > > > FILE__WRITE requirement. > > > > One more thought. EADD (and the equivalent SGX2 flow) could do > > security_mmap_file() with a NULL file on the SECINFO permissions, which > > would trigger PROCESS_EXECMEM if an enclave attempts to map a page RWX. > > If "initial permissions" for enclaves are less restrictive than shared ob= jects, then it'd become a backdoor for circumventing LSM when enclave white= listing is *not* in place. For example, an adversary may load a page, which= would otherwise never be executable, as an executable page in EPC. > > In the case a RWX page is needed, the calling process has to have a RWX p= age serving as the source for EADD so PROCESS__EXECMEM will have been check= ed. For SGX2, changing an EPC page to RWX is subject to FILE__EXECMEM on /d= ev/sgx/enclave, which I see as a security benefit because it only affects t= he enclave but not the whole process hosting it. So the permission would be like FILE__EXECMOD on the source enclave page, because it would be mapped MAP_ANONYMOUS, PROT_WRITE? MAP_SHARED, PROT_WRITE isn't going to work because that means you can modify the file. I'm starting to think that looking at the source VMA permission bits or source PTE permission bits is putting a bit too much policy into the driver as opposed to the LSM. How about delegating the whole thing to an LSM hook? The EADD operation would invoke a new hook, something like: int security_enclave_load_bytes(void *source_addr, struct vm_area_struct *source_vma, loff_t source_offset, unsigned int maxperm); Then you don't have to muck with mapping anything PROT_EXEC. Instead you load from a mapping of a file and the LSM applies whatever policy it feels appropriate. If the first pass gets something wrong, the application or library authors can take it up with the SELinux folks without breaking the whole ABI :) (I'm proposing passing in the source_vma because this hook would be called with mmap_sem held for read to avoid a TOCTOU race.) If we go this route, the only substantial change to the existing driver that's needed for an initial upstream merge is the maxperm mechanism and whatever hopefully minimal API changes are needed to allow users to conveniently set up the mappings. And we don't need to worry about how to hack around mprotect() calling into the LSM, because the LSM will actually be aware of SGX and can just do the right thing. --Andy