Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp5278708ybi; Tue, 4 Jun 2019 04:19:22 -0700 (PDT) X-Google-Smtp-Source: APXvYqwG5TYRm/zh/gKHizbFpKOcP8ZG8o9DHKojK5bpR1Wl0mZD54PAowU9DSBB/1AUSBx2I3Rm X-Received: by 2002:a17:90a:9306:: with SMTP id p6mr35078282pjo.6.1559647162708; Tue, 04 Jun 2019 04:19:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559647162; cv=none; d=google.com; s=arc-20160816; b=wYxj5SEp3l63WwAvtEhV87nsWONmXU8R+QCacX63AevclS+1V3cjonnlfPUn9rZ7gj R5pIm08VhZXf2J5WNb37VuiHO7Ene5zDEoXIjDNb5zHwklo0Gz+eiUSdjF1PbsMcSF/k lP9on85Qk6AqabB0kNXRJ/zViTObNeXkog2XWXdpatrHg5KJN8TNwD79i2mXv6MBHnEh qTrHt4aIY6om8VckVOqqEdBVW/VqQTo+fVkVoyjrYBQNQFXsnmNHzq+MxlrOUztepEV+ AEQ4X7nZ4biGCmZ/AEiIeiYOBAvKuCjqMvFxIp6nKIybYs+9X8fG8BcuZQnoKqf58nBz TpEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:organization:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=0Wgz9i2MCtbn2cdeq/9ZEWT+EP1ObJfnGBf663eMekg=; b=HMr0ZJPt0t8w5AI7JV6at1+Ua9n1eouM8YgicW9+ZYpoEb8z792RT45j1B0LLNfFcX VR0djaRjV4r6t7bh02/ZJtbjtmjV/OPnXerRg46z39Lt02fAzN7oyJCT0ojKh8NWKJVX Pjr974OR7/7NQpPPqmdVDcutBgTVjv1G+Ki6qFmFZguv4lenyGSBb65Ny1p1RRIVo/Dy ZRYHdT+aD8DDdcDgCD2FLWIONmXeMmZiqwr4/q6HnCgnAduxslc1xA4/SbCu3koLi3JJ H/DJRoDG3QN5GcwYZUA/pByVZvS0he3rGkISprjaHrWJEJAwcoa0N2uySKRs0lKNHl69 +lNA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v11si21541274pjn.108.2019.06.04.04.19.04; Tue, 04 Jun 2019 04:19:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727693AbfFDLPl (ORCPT + 99 others); Tue, 4 Jun 2019 07:15:41 -0400 Received: from mga11.intel.com ([192.55.52.93]:64072 "EHLO mga11.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727323AbfFDLPl (ORCPT ); Tue, 4 Jun 2019 07:15:41 -0400 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 Jun 2019 04:15:40 -0700 X-ExtLoop1: 1 Received: from jsakkine-mobl1.tm.intel.com (HELO localhost) ([10.237.50.189]) by fmsmga001.fm.intel.com with ESMTP; 04 Jun 2019 04:15:33 -0700 Date: Tue, 4 Jun 2019 14:15:33 +0300 From: Jarkko Sakkinen To: Sean Christopherson Cc: Andy Lutomirski , Cedric Xing , Stephen Smalley , James Morris , "Serge E . Hallyn" , LSM List , Paul Moore , Eric Paris , selinux@vger.kernel.org, Jethro Beekman , Dave Hansen , Thomas Gleixner , Linus Torvalds , LKML , X86 ML , linux-sgx@vger.kernel.org, Andrew Morton , nhorman@redhat.com, npmccallum@redhat.com, Serge Ayoun , Shay Katz-zamir , Haitao Huang , Andy Shevchenko , Kai Svahn , Borislav Petkov , Josh Triplett , Kai Huang , David Rientjes , William Roberts , Philip Tricca Subject: Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM Message-ID: <20190604111533.GA15393@linux.intel.com> References: <20190531233159.30992-1-sean.j.christopherson@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190531233159.30992-1-sean.j.christopherson@intel.com> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 31, 2019 at 04:31:50PM -0700, Sean Christopherson wrote: > This series is the result of a rather absurd amount of discussion over > how to get SGX to play nice with LSM policies, without having to resort > to evil shenanigans or put undue burden on userspace. The discussion > definitely wandered into completely insane territory at times, but I > think/hope we ended up with something reasonable. By definition this is a broken series because it does not apply to mainline. Even RFC series should at least apply. Would be better idea to discuss design ideas and use snippets instead. Now you have to take original v20 and apply to these patches to evaluate anything. > The basic gist of the approach is to require userspace to declare what > protections are maximally allowed for any given page, e.g. add a flags > field for loading enclave pages that takes ALLOW_{READ,WRITE,EXEC}. LSMs > can then adjust the allowed protections, e.g. clear ALLOW_EXEC to prevent > ever mapping the page with PROT_EXEC. SGX enforces the allowed perms > via a new mprotect() vm_ops hook, e.g. like regular mprotect() uses > MAY_{READ,WRITE,EXEC}. mprotect() does not use MAY_{READ,WRITE,EXEC} constants. It uses VM_MAY{READ,WRITE,EXEC,SHARED} constants. What are ALLOW_{READ,WRITE,EXEC} and how they are used? What does the hook do and why it is in vm_ops and not in file_operations? Are they arguments to the ioctl or internal variables that are set based on SECINFO? /Jarkko