Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1200226ybi; Fri, 14 Jun 2019 10:17:19 -0700 (PDT) X-Google-Smtp-Source: APXvYqzZ3QbT9/Xz/aw6rTeEhwwtaGyNP9SYsKf08qL4U19ROggVZRawQAWNisouXabpmpOJH56c X-Received: by 2002:a17:90a:a008:: with SMTP id q8mr12337807pjp.114.1560532639237; Fri, 14 Jun 2019 10:17:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560532639; cv=none; d=google.com; s=arc-20160816; b=d5VJmTMAziq4iWBhtShAOhb1qTZgwD0Bm369s5HJbDcubwBTvQJ7F80KkCHIrQkBIg lxXwD/EkeUj90/bS1JZf0kbwaSV84OPGKOEIqOJd0VtN+O8FKFfVwBTQPHyxqO9OjAZJ ujRKWo1jtoQrQpTEWWMEzirAMOHDHjT5CRgqauj+yfLEeMrNExSsMKaLAaw6/Wa0zqRg IfL1sUtoWQUPU3Segx4qMHnwMTW5D5F6DLQfq1RU5VxOJGd61nxSP/EaZAYbjYhldgRh tdaypnk6hiA9IfJ9mlSGpna0wUyjrahO8KE/0EaNjV4DmDjtYb+4Zf+7wR9bgwxxLNYH 4MPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :dlp-reaction:dlp-version:dlp-product:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from; bh=DErq7IlKVEF7F2oJTpjtF+F65YVe4qF+/iEALSt5AWg=; b=uiN+JYvrerEP59vXCOD+0qnDCVNm5/lSAJ1J98JrX7hT3TnVKpjX1NO0/Ze3Utnnl5 WM3sfZU5+vkF2J8xDtUuwdMk9waXi4WnDvnCp3i+gebtO0biadndQCFSL1NF0bX7or9h KAlKaACKkI+Nyy/34JgQrYmTEwD2A1/myDmWFoKmoETEAlXv8FvAJLmHa9wogY0xk6Gr KSOn3f6n1xC/FUOB/3op3quNnBx2FY02jd/IdSQrdTgKeXKrIpwVKFJz+B+GsRkMos46 3asLcZa/4DY5pZqhVIGjFqPl1j1sUBwxcBWEBsGSq1wiviMOdEyMD0MS2OfYdEip+rBz uXzQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 62si1943455pff.216.2019.06.14.10.17.04; Fri, 14 Jun 2019 10:17:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726178AbfFNRQ7 convert rfc822-to-8bit (ORCPT + 99 others); Fri, 14 Jun 2019 13:16:59 -0400 Received: from mga18.intel.com ([134.134.136.126]:6857 "EHLO mga18.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725852AbfFNRQ7 (ORCPT ); Fri, 14 Jun 2019 13:16:59 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Jun 2019 10:16:57 -0700 X-ExtLoop1: 1 Received: from orsmsx106.amr.corp.intel.com ([10.22.225.133]) by fmsmga001.fm.intel.com with ESMTP; 14 Jun 2019 10:16:55 -0700 Received: from orsmsx116.amr.corp.intel.com ([169.254.7.166]) by ORSMSX106.amr.corp.intel.com ([169.254.1.121]) with mapi id 14.03.0415.000; Fri, 14 Jun 2019 10:16:56 -0700 From: "Xing, Cedric" To: "Christopherson, Sean J" , "Stephen Smalley" CC: "linux-security-module@vger.kernel.org" , "selinux@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-sgx@vger.kernel.org" , "jarkko.sakkinen@linux.intel.com" , "luto@kernel.org" , "jmorris@namei.org" , "serge@hallyn.com" , "paul@paul-moore.com" , "eparis@parisplace.org" , "jethro@fortanix.com" , "Hansen, Dave" , "tglx@linutronix.de" , "torvalds@linux-foundation.org" , "akpm@linux-foundation.org" , "nhorman@redhat.com" , "pmccallum@redhat.com" , "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , "andriy.shevchenko@linux.intel.com" , "Svahn, Kai" , "bp@alien8.de" , "josh@joshtriplett.org" , "Huang, Kai" , "rientjes@google.com" , "Roberts, William C" , "Tricca, Philip B" Subject: RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux Thread-Topic: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux Thread-Index: AQHVH1ilvNGS2ZisK0eWTCWidam/YaaW7RmAgACMWICAAtC5gIAAgY8AgACfZrA= Date: Fri, 14 Jun 2019 17:16:55 +0000 Message-ID: <960B34DE67B9E140824F1DCDEC400C0F65504665@ORSMSX116.amr.corp.intel.com> References: <20190611220243.GB3416@linux.intel.com> <8d99d8fb-a921-286a-8cf0-cd522e09b37c@tycho.nsa.gov> <20190614004600.GF18385@linux.intel.com> In-Reply-To: <20190614004600.GF18385@linux.intel.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiMWE0YzkzNzUtZjZlZS00Y2EzLTg2ZTktOGE4MGExZDU2YzRhIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiOTkzQ0VCMnlHNU1RcllOWVlwalhGUnU1U2R0UXRPd3E2cnRId2FlMFF0QnNObFdKWU9WS1hSQVk5MXoyZW5tNSJ9 x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.22.254.140] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > From: Christopherson, Sean J > Sent: Thursday, June 13, 2019 5:46 PM > > On Thu, Jun 13, 2019 at 01:02:17PM -0400, Stephen Smalley wrote: > > On 6/11/19 6:02 PM, Sean Christopherson wrote: > > >On Tue, Jun 11, 2019 at 09:40:25AM -0400, Stephen Smalley wrote: > > >>I haven't looked at this code closely, but it feels like a lot of > > >>SGX-specific logic embedded into SELinux that will have to be > > >>repeated or reused for every security module. Does SGX not track > this state itself? > > > > > >SGX does track equivalent state. > > > > > >There are three proposals on the table (I think): > > > > > > 1. Require userspace to explicitly specificy (maximal) enclave > page > > > permissions at build time. The enclave page permissions are > provided > > > to, and checked by, LSMs at enclave build time. > > > > > > Pros: Low-complexity kernel implementation, straightforward > auditing > > > Cons: Sullies the SGX UAPI to some extent, may increase > complexity of > > > SGX2 enclave loaders. > > > > > > 2. Pre-check LSM permissions and dynamically track mappings to > enclave > > > pages, e.g. add an SGX mprotect() hook to restrict W->X and WX > > > based on the pre-checked permissions. > > > > > > Pros: Does not impact SGX UAPI, medium kernel complexity > > > Cons: Auditing is complex/weird, requires taking enclave- > specific > > > lock during mprotect() to query/update tracking. > > > > > > 3. Implement LSM hooks in SGX to allow LSMs to track enclave > regions > > > from cradle to grave, but otherwise defer everything to LSMs. > > > > > > Pros: Does not impact SGX UAPI, maximum flexibility, precise > auditing > > > Cons: Most complex and "heaviest" kernel implementation of the > three, > > > pushes more SGX details into LSMs. > > > > > >My RFC series[1] implements #1. My understanding is that Andy > > >(Lutomirski) prefers #2. Cedric's RFC series implements #3. > > > > > >Perhaps the easiest way to make forward progress is to rule out the > > >options we absolutely *don't* want by focusing on the potentially > > >blocking issue with each option: > > > > > > #1 - SGX UAPI funkiness > > > > > > #2 - Auditing complexity, potential enclave lock contention > > > > > > #3 - Pushing SGX details into LSMs and complexity of kernel > > > implementation > > > > > > > > >[1] > > >https://lkml.kernel.org/r/20190606021145.12604-1-sean.j.christopherso > > >n@intel.com > > > > Given the complexity tradeoff, what is the clear motivating example > > for why > > #1 isn't the obvious choice? That the enclave loader has no way of > > knowing a priori whether the enclave will require W->X or WX? But > > aren't we better off requiring enclaves to be explicitly marked as > > needing such so that we can make a more informed decision about > > whether to load them in the first place? > > Andy and/or Cedric, can you please weigh in with a concrete (and > practical) use case that will break if we go with #1? The auditing > issues for #2/#3 are complex to say the least... How does enclave loader provide per-page ALLOW_* flags? And a related question is why they are necessary for enclaves but unnecessary for regular executables or shared objects. What's the story for SGX2 if mmap()'ing non-existing pages is not allowed? What's the story for auditing? After everything above has been taken care of properly, will #1 still be simpler than #2/#3?