Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1855883ybi; Sun, 16 Jun 2019 15:17:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqxdfDQQv9dObxd7XfMCsjw0SD019LEzEaNPnkeutSn1/QhkF5S50omPfl+eAKa8V96eCsgJ X-Received: by 2002:a17:90a:bb94:: with SMTP id v20mr23354160pjr.88.1560723465254; Sun, 16 Jun 2019 15:17:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560723465; cv=none; d=google.com; s=arc-20160816; b=EZ41bZfkSuhApHFgH6m0kJgCUU1xPcJrp0Ezr8axYU2prsz61c/c1ZB9mW7xBLKm+4 rLJlxHD2uKFLYv6a95YoBZ2VK84PNyqeILdTHiNXAC65w9weeOdSunUdRxUusquSKVVM x5h2Hc6IsWCPDgG2wAAgXi8keLL4Ad/zUxOyDP/x1c4h26GB0yo1KrqvIwR2hVnPpKpe TPKUMqGNUuRK8pjeyA4s4lAh0lT/f03/JT6GNVpP9D3IenCgB4gTMHOCyIiQ8/5p6h+D bjKe88IrfiO/VSdFXOKVF6JAmE8CwXlE/Frk2JHHG+6bo/cR2oz2zlxfbG1+oC3f2ZWi mJcg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=50rM+qZ0L/NdVPU2gS8b7oBjQ1qqC4FHM2HWz4d4fwQ=; b=ZnduN5o5KwTZa8Pn+jCSr8WRdSdxXHEy8ELZ0izrJ3cS0V/dbTAr/q5IkurgzKh9mt eqS/3C1CA1fxDgt0mnHHb0NfPiRO51jaANDlD8Bu7KhuT+7yJ/J1IjQ/vleoy1hTGiop oE3k/J3jV0mWPLvQslE8c1nHeb2EsDDJCBKMAsk8niY4lDJD/0sstRIGNnt118XdU7sR Nt85w/j/NGEu+0ARIHhY4xRJT2SRMTLiEJFFgkkwwvNe51v3WNc3ZP1pFSH79qcIuqj8 z4yDG6yePDYj7zeVTnKsSprfOQiwkZ8YjcNq1SVGoLPDSoVxK01d3eET/wqTcfcCQyNO xI3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=VN+jNLPt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e11si8639777pgs.31.2019.06.16.15.17.18; Sun, 16 Jun 2019 15:17:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=VN+jNLPt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727440AbfFPWPG (ORCPT + 99 others); Sun, 16 Jun 2019 18:15:06 -0400 Received: from mail.kernel.org ([198.145.29.99]:40738 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727209AbfFPWPG (ORCPT ); Sun, 16 Jun 2019 18:15:06 -0400 Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id AAC532133D for ; Sun, 16 Jun 2019 22:15:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1560723304; bh=T8BMYPj/+axcxNZqcbu8ibBvh7s2DD0/VdD4zxhxLeA=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=VN+jNLPtlAM7yZMEdaYpwcykUv6qxdTjPO0oXTcaVnCq9Ot23vztZl9zAcZ3SZjrA ZExNDIwyC1Blo1869ze4J0f7lM6CdziDs9Dlw4WdRUH08Fy61ulU/hqc+NrryXvESP D2qpeKonufelOAvIYcL1UWEn3X7LCG2oEMG/HRe4= Received: by mail-wm1-f50.google.com with SMTP id z23so7098345wma.4 for ; Sun, 16 Jun 2019 15:15:04 -0700 (PDT) X-Gm-Message-State: APjAAAW3JTNdnKowx1oJi7541M7OJv8pxcf5xxc++CSFprSGC4R6IoUx T5Qx+m4ArcsRuH3nxXOfpA+cAIX9Qmj6NRg8AJjXfA== X-Received: by 2002:a7b:cd84:: with SMTP id y4mr16244320wmj.79.1560723303094; Sun, 16 Jun 2019 15:15:03 -0700 (PDT) MIME-Version: 1.0 References: <20190611220243.GB3416@linux.intel.com> <8d99d8fb-a921-286a-8cf0-cd522e09b37c@tycho.nsa.gov> <20190614004600.GF18385@linux.intel.com> <20190614153840.GC12191@linux.intel.com> In-Reply-To: <20190614153840.GC12191@linux.intel.com> From: Andy Lutomirski Date: Sun, 16 Jun 2019 15:14:51 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux To: Sean Christopherson Cc: Stephen Smalley , Cedric Xing , LSM List , selinux@vger.kernel.org, LKML , linux-sgx@vger.kernel.org, Jarkko Sakkinen , Andrew Lutomirski , James Morris , "Serge E. Hallyn" , Paul Moore , Eric Paris , Jethro Beekman , Dave Hansen , Thomas Gleixner , Linus Torvalds , Andrew Morton , nhorman@redhat.com, pmccallum@redhat.com, "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , Andy Shevchenko , "Svahn, Kai" , Borislav Petkov , Josh Triplett , "Huang, Kai" , David Rientjes , "Roberts, William C" , Philip Tricca Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 14, 2019 at 8:38 AM Sean Christopherson wrote: > > On Thu, Jun 13, 2019 at 05:46:00PM -0700, Sean Christopherson wrote: > > On Thu, Jun 13, 2019 at 01:02:17PM -0400, Stephen Smalley wrote: > > > On 6/11/19 6:02 PM, Sean Christopherson wrote: > > > >On Tue, Jun 11, 2019 at 09:40:25AM -0400, Stephen Smalley wrote: > > > >>I haven't looked at this code closely, but it feels like a lot of > > > >>SGX-specific logic embedded into SELinux that will have to be repeated or > > > >>reused for every security module. Does SGX not track this state itself? > > > > > > > >SGX does track equivalent state. > > > > > > > >There are three proposals on the table (I think): > > > > > > > > 1. Require userspace to explicitly specificy (maximal) enclave page > > > > permissions at build time. The enclave page permissions are provided > > > > to, and checked by, LSMs at enclave build time. > > > > > > > > Pros: Low-complexity kernel implementation, straightforward auditing > > > > Cons: Sullies the SGX UAPI to some extent, may increase complexity of > > > > SGX2 enclave loaders. > > > > > > > > 2. Pre-check LSM permissions and dynamically track mappings to enclave > > > > pages, e.g. add an SGX mprotect() hook to restrict W->X and WX > > > > based on the pre-checked permissions. > > > > > > > > Pros: Does not impact SGX UAPI, medium kernel complexity > > > > Cons: Auditing is complex/weird, requires taking enclave-specific > > > > lock during mprotect() to query/update tracking. > > > > > > > > 3. Implement LSM hooks in SGX to allow LSMs to track enclave regions > > > > from cradle to grave, but otherwise defer everything to LSMs. > > > > > > > > Pros: Does not impact SGX UAPI, maximum flexibility, precise auditing > > > > Cons: Most complex and "heaviest" kernel implementation of the three, > > > > pushes more SGX details into LSMs. > > > > > > > >My RFC series[1] implements #1. My understanding is that Andy (Lutomirski) > > > >prefers #2. Cedric's RFC series implements #3. > > > > > > > >Perhaps the easiest way to make forward progress is to rule out the > > > >options we absolutely *don't* want by focusing on the potentially blocking > > > >issue with each option: > > > > > > > > #1 - SGX UAPI funkiness > > > > > > > > #2 - Auditing complexity, potential enclave lock contention > > > > > > > > #3 - Pushing SGX details into LSMs and complexity of kernel implementation > > > > > > > > > > > >[1] https://lkml.kernel.org/r/20190606021145.12604-1-sean.j.christopherson@intel.com > > > > > > Given the complexity tradeoff, what is the clear motivating example for why > > > #1 isn't the obvious choice? That the enclave loader has no way of knowing a > > > priori whether the enclave will require W->X or WX? But aren't we better > > > off requiring enclaves to be explicitly marked as needing such so that we > > > can make a more informed decision about whether to load them in the first > > > place? > > > > Andy and/or Cedric, can you please weigh in with a concrete (and practical) > > use case that will break if we go with #1? The auditing issues for #2/#3 > > are complex to say the least... The most significant issue I see is the following. Consider two cases. First, an SGX2 enclave that dynamically allocates memory but doesn't execute code from dynamic memory. Second, an SGX2 enclave that *does* execute code from dynamic memory. In #1, the untrusted stack needs to decide whether to ALLOW_EXEC when the memory is allocated, which means that it either needs to assume the worst or it needs to know at allocation time whether the enclave ever intends to change the permission to X. I suppose there's a middle ground. The driver could use model #1 for driver-filled pages and model #2 for dynamic pages. I haven't tried to fully work it out, but I think there would be the ALLOW_READ / ALLOW_WRITE / ALLOW_EXEC flag for EADD-ed pages but, for EAUG-ed pages, there would be a different policy. This might be as simple as internally having four flags instead of three: ALLOW_READ, ALLOW_WRITE, ALLOW_EXEC: as before ALLOW_EXEC_COND: set implicitly by the driver for EAUG. As in #1, if you try to mmap or protect a page with neither ALLOW_EXEC variant, it fails (-EACCES, perhaps). But, if you try to mmap or mprotect an ALLOW_EXEC_COND page with PROT_EXEC, you ask LSM for permission. There is no fancy DIRTY tracking here, since it's reasonable to just act as though *every* ALLOW_EXEC_COND page is dirty. There is no real auditing issue here, since LSM can just log what permission is missing. Does this seem sensible? It might give us the best of #1 and #2. > > Follow-up question, is #1 any more palatable if SELinux adds SGX specific > permissions and ties them to the process (instead of the vma or sigstruct)? I'm not sure this makes a difference. It simplifies SIGSTRUCT handling, which is handy.