Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp960343ybi; Fri, 24 May 2019 14:31:14 -0700 (PDT) X-Google-Smtp-Source: APXvYqz812j9WIgd/MRVKdr5jLwmXiek7JoL2aNTLC98EATak0EFDJRGR4iBswuSBwHVmof1K0As X-Received: by 2002:a17:902:e40a:: with SMTP id ci10mr61886485plb.195.1558733474449; Fri, 24 May 2019 14:31:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558733474; cv=none; d=google.com; s=arc-20160816; b=J2bSk4udJ0nwg9Ysn/gG9P24Mr27G0ku+pqrap7/SQb2EJFKTm0R3FvWIQXpGhbwxd 9Aq9SBpH7S1Ljp5CVgh2HUEapIgsCtZFoWbM1h/Zy9oFb1yZo8jO785iCkQV9aRS1TDs 0RJseorpBSLkWW+pE0w+4Jl26dDJb6/bwdOdjp+OOdpMZiWfpj/FwIVE1EFLuHgLNmjr 8NBJ9mPcVOMUIZn5qcKL/cw3/MNoV9BxdfOGB332p/lVh7Ui4hfO574HUKVNIepx7J+8 U0qL2DabCph0h1CrFJ7w/GeE99t5BNa6e0v/lhugyXaFwtNldfPlaA+sjQteT16Z4EDg whiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=shb/5pj06Vrbo5vzUFcorckCf3ETm+1ZEEnVWHKArsQ=; b=jlTqHD9KTWsV56cNgt3viWhtlRrQyqlu6rOKpGwavAL41ZOlqOTCnU2BJ8NDjkgbYO GOxjoo28iBsafqGKwEEionnWfpM+3mrH1ya0cMW6aXkQLosmIVQQakJHYvF0cvUWuG7F EM9wtH0st9vH2kBb0RehJuE/mUcLL/LwXwNNwqzerTMcl2lOm7NsVn44s+cM38AnQdrq qIww2MJWBa3JnOEHtd249NmFTwK+Odukwq4LV1H2NnqVVMsoE6Wmjwm2MrYW+ct0UMnP GGqy24gEQ1rppx54z62umB2B23voO+82yaohepoAQ1Ay7uR3fMSzZwn0AVq+rc/WDc65 HfXg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=0JGJB4h+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i195si6662152pfe.20.2019.05.24.14.30.57; Fri, 24 May 2019 14:31:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=0JGJB4h+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404285AbfEXV1v (ORCPT + 99 others); Fri, 24 May 2019 17:27:51 -0400 Received: from mail.kernel.org ([198.145.29.99]:60590 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404279AbfEXV1u (ORCPT ); Fri, 24 May 2019 17:27:50 -0400 Received: from mail-wr1-f42.google.com (mail-wr1-f42.google.com [209.85.221.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 92180218A5 for ; Fri, 24 May 2019 21:27:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1558733268; bh=lYZ/zudY+xu5Tnp4RjFaSiBIAvLoW/eSULQY+XTsmB0=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=0JGJB4h+D9j0ddlAUz9g50NndJ0gLLwGmUqN1hvMw6D4tflMRdf5hZOowZbD/sSk4 KCsScGmqrRQq0ou0NJ72nJq/c7tzqtrm5Bzvy2ECWR6w/Hnp4SZzlyxpREO3ol6HKy VCzEaV6pXU1pu1iXoBn2chS039FLon9BSBUVinwU= Received: by mail-wr1-f42.google.com with SMTP id w13so2928377wru.11 for ; Fri, 24 May 2019 14:27:48 -0700 (PDT) X-Gm-Message-State: APjAAAX70R0dc7rbtTuW1Z5PcBWSg5utBsh6QTC/T6d0MatDV0xT2jti vKNSASxcBesoIOuL6Qj4CYi5J/iRnhox3hY94mdzNQ== X-Received: by 2002:a5d:5506:: with SMTP id b6mr63690967wrv.221.1558733266996; Fri, 24 May 2019 14:27:46 -0700 (PDT) MIME-Version: 1.0 References: <20190523141752.GA12078@linux.intel.com> <20190523234044.GC12078@linux.intel.com> <960B34DE67B9E140824F1DCDEC400C0F654E8956@ORSMSX116.amr.corp.intel.com> <20190524174243.GA365@linux.intel.com> <20190524175458.GB365@linux.intel.com> <960B34DE67B9E140824F1DCDEC400C0F654E8E1D@ORSMSX116.amr.corp.intel.com> <20190524200333.GF365@linux.intel.com> In-Reply-To: <20190524200333.GF365@linux.intel.com> From: Andy Lutomirski Date: Fri, 24 May 2019 14:27:34 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support) To: Sean Christopherson Cc: Andy Lutomirski , "Xing, Cedric" , Stephen Smalley , Jarkko Sakkinen , James Morris , "Serge E. Hallyn" , LSM List , Paul Moore , Eric Paris , "selinux@vger.kernel.org" , Jethro Beekman , "Hansen, Dave" , Thomas Gleixner , "Dr. Greg" , Linus Torvalds , LKML , X86 ML , "linux-sgx@vger.kernel.org" , Andrew Morton , "nhorman@redhat.com" , "npmccallum@redhat.com" , "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , Andy Shevchenko , "Svahn, Kai" , Borislav Petkov , Josh Triplett , "Huang, Kai" , David Rientjes Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 24, 2019 at 1:03 PM Sean Christopherson wrote: > > On Fri, May 24, 2019 at 12:37:44PM -0700, Andy Lutomirski wrote: > > On Fri, May 24, 2019 at 11:34 AM Xing, Cedric wrote: > > > > > > If "initial permissions" for enclaves are less restrictive than shared > > > objects, then it'd become a backdoor for circumventing LSM when enclave > > > whitelisting is *not* in place. For example, an adversary may load a page, > > > which would otherwise never be executable, as an executable page in EPC. > > > > > > In the case a RWX page is needed, the calling process has to have a RWX > > > page serving as the source for EADD so PROCESS__EXECMEM will have been > > > checked. For SGX2, changing an EPC page to RWX is subject to FILE__EXECMEM > > > on /dev/sgx/enclave, which I see as a security benefit because it only > > > affects the enclave but not the whole process hosting it. > > > > So the permission would be like FILE__EXECMOD on the source enclave > > page, because it would be mapped MAP_ANONYMOUS, PROT_WRITE? > > MAP_SHARED, PROT_WRITE isn't going to work because that means you can > > modify the file. > > Was this in response to Cedric's comment, or to my comment? Yours. I think that requiring source pages to be actually mapped W is not such a great idea. > > > I'm starting to think that looking at the source VMA permission bits > > or source PTE permission bits is putting a bit too much policy into > > the driver as opposed to the LSM. How about delegating the whole > > thing to an LSM hook? The EADD operation would invoke a new hook, > > something like: > > > > int security_enclave_load_bytes(void *source_addr, struct > > vm_area_struct *source_vma, loff_t source_offset, unsigned int > > maxperm); > > > > Then you don't have to muck with mapping anything PROT_EXEC. Instead > > you load from a mapping of a file and the LSM applies whatever policy > > it feels appropriate. If the first pass gets something wrong, the > > application or library authors can take it up with the SELinux folks > > without breaking the whole ABI :) > > > > (I'm proposing passing in the source_vma because this hook would be > > called with mmap_sem held for read to avoid a TOCTOU race.) > > > > If we go this route, the only substantial change to the existing > > driver that's needed for an initial upstream merge is the maxperm > > mechanism and whatever hopefully minimal API changes are needed to > > allow users to conveniently set up the mappings. And we don't need to > > worry about how to hack around mprotect() calling into the LSM, > > because the LSM will actually be aware of SGX and can just do the > > right thing. > > This doesn't address restricting which processes can run which enclaves, > it only allows restricting the build flow. Or are you suggesting this > be done in addition to whitelisting sigstructs? In addition. But I named the function badly and gave it a bad signature, which confused you. Let's try again: int security_enclave_load_from_memory(const struct vm_area_struct *source, unsigned int maxperm); Maybe some really fancy future LSM would also want loff_t source_offset, but it's probably not terribly useful. This same callback would be used for EAUG. Following up on your discussion with Cedric about sigstruct, the other callback would be something like: int security_enclave_init(struct file *sigstruct_file); The main issue I see is that we also want to control the enclave's ability to have RWX pages or to change a W page to X. We might also want: int security_enclave_load_zeros(unsigned int maxperm); An enclave that's going to modify its own code will need memory with maxperm = RWX or WX. But this is a bit awkward if the LSM's decision depends on the sigstruct. We could get fancy and require that the sigstruct be supplied before any EADD operations so that the maxperm decisions can depend on the sigstruct. Am I making more sense now?