Received: by 2002:a25:23cc:0:0:0:0:0 with SMTP id j195csp286582ybj; Wed, 6 May 2020 17:43:40 -0700 (PDT) X-Google-Smtp-Source: APiQypJo0WXenWMUjQM+vh9Vu5fP1xPHR/0GxO2/IjZv0vOv5eoMkgbaSYz3X+BIAvciSs7z8++e X-Received: by 2002:a17:906:b246:: with SMTP id ce6mr2712982ejb.181.1588812219905; Wed, 06 May 2020 17:43:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588812219; cv=none; d=google.com; s=arc-20160816; b=AcYW0cVhz4THwa5Kd+HIlCUcDuh1KunY39u19iG7TH5PESPsh9cvSCGkivzM0qQOwe Hs3R+IVUuRdrbo82wRWHa07IWIhr8d3NFralMq39CFTu6BKBnoRKqbn2Eoq5SDNWgUwo k5fXMA1fchY4Eh2jN5lAbc22jG/xOXPfFzmR2iSCDZ3y4zhVpVU2/9lY+hKM19oJaccW LEdb3M2QUyC6K6a5BGrq3tBFdYtvsnegl2+N0qi3+Bd3ldN9XCATNHlYw7WNHtIRsj8E iFhjmbxFjyPm7/wKLTekAxY7QhJBexslGEViyvKckOuO1THTYpwUxgBoW6NI9leBEiAu H5Ug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from; bh=qBjPaXpwKXHCSKjCTNG83pWatvoETyM8WmsBxDUG3E4=; b=nzIAb+78FNgenXJa4yYtH9SMu2rtz0zM5xgcf/z2yLIh/bNjIvC/blC8iTP6bGTHQO +c3QBJ17TdomwPu9tEEcJsqUaX6E4yLKBM7dJEcYzqpR/FtoYXbh6Ts2KakaJstodwYV 4fvE1adZREzZrhoZOz1Qh61gH6IrUteB3TLRajU1NS9MoPLVxTD7+piSupk9G8AVetva vDeo9/9nZDGucRUA02dxlxoqgmGmjP5ItTJQy7y0CKhRWXewyXD4AivJSGtAvPXuNAVJ pszP4UwepQjBMFVGybSAGsUagenFysX/yGWoUOINbmLQcqT8Lj55wHL029IO+Y2fflcd r9jQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p23si2199275eju.299.2020.05.06.17.43.17; Wed, 06 May 2020 17:43:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726690AbgEGAlu (ORCPT + 99 others); Wed, 6 May 2020 20:41:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33188 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725966AbgEGAlu (ORCPT ); Wed, 6 May 2020 20:41:50 -0400 Received: from Galois.linutronix.de (Galois.linutronix.de [IPv6:2a0a:51c0:0:12e:550::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5EAD5C061A0F; Wed, 6 May 2020 17:41:50 -0700 (PDT) Received: from p5de0bf0b.dip0.t-ipconnect.de ([93.224.191.11] helo=nanos.tec.linutronix.de) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1jWUbT-0006e2-IH; Thu, 07 May 2020 02:41:31 +0200 Received: by nanos.tec.linutronix.de (Postfix, from userid 1000) id DE860102652; Thu, 7 May 2020 02:41:30 +0200 (CEST) From: Thomas Gleixner To: "Dr. Greg" , Jarkko Sakkinen Cc: torvalds@linux-foundation.org, linux-kernel@vger.kernel.org, x86@kernel.org, linux-sgx@vger.kernel.org, akpm@linux-foundation.org, dave.hansen@intel.com, sean.j.christopherson@intel.com, nhorman@redhat.com, npmccallum@redhat.com, haitao.huang@intel.com, andriy.shevchenko@linux.intel.com, kai.svahn@intel.com, bp@alien8.de, josh@joshtriplett.org, luto@kernel.org, kai.huang@intel.com, rientjes@google.com, cedric.xing@intel.com, puiterwijk@redhat.com Subject: Re: [PATCH v29 00/20] Intel SGX foundations In-Reply-To: <20200426165753.GA11046@wind.enjellic.com> References: <20200421215316.56503-1-jarkko.sakkinen@linux.intel.com> <20200426165753.GA11046@wind.enjellic.com> Date: Thu, 07 May 2020 02:41:30 +0200 Message-ID: <87d07gk24l.fsf@nanos.tec.linutronix.de> MIME-Version: 1.0 Content-Type: text/plain X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Greg, "Dr. Greg" writes: > As an aside, for those who haven't spent the last 5+ years of their > life working with this technology. SGX2 hardware platforms have the > ability to allow unrestricted code execution in enclave context. Unrestricted code execution even before loaded? Unrestricted by priviledge levels? > No amount of LSM or IMA interventions can provide any control over > that. They can restrict what is started and loaded before anything SGX happens. If you want to make real technical arguments then please be specific and precise and spare us the handwaving marketing speak. > In fact, the Confidential Computing Consortium, sponsored by none > other then the Linux Foundation, has at its fundamental tenant, And that's relevant to the technical question in which way? > the notion of developing an eco-system that allows the execution of > code and processing of data, over which, the owner or administrator of > the platform has no visibility or control. It would seem only logical > that adversarial interests would indulge themseleves in those > capabilities as well. > > With respect to SGX and these issues, cryptographic policy management > is important for the same reason that 2-factor authentication is now > considered standard practice in the security industry. > > We appreciate, Jarkko, that you feel that such infrastructure is > optional, like virtualization support, and is something that can go in > after the driver is mainlined. As the diffstat for our patch points > out, the proposed support has virtually no impact on the driver, the > same cannot be said for virtualization capabilities. The diffstat of your patch is irrelevant. What's relevant is the fact that it is completely unreviewed and that it creates yet another user space visible ABI with a noticable lack of documentation. > Moreover, adding support for key based policy management later would > require the addition of another ioctl in order to avoid ABI > compatibility issues. And that's a problem because? > The current initialization ioctl is best suited, from an engineering > perspective, to support this type of infrastructure. What's wrong with having IOCTL_INIT_TYPE_A and IOCTL_INIT_TYPE_B? Nothing at all. It's pretty straight forward and in fact a better solution than a duct taped multiplexing all in one IOCTL_INIT_PONIES approach. > In fact, the necessary support was removed from the ioctl for > political reasons rather then for any valid engineering rationale on > flexible launch control platforms, particularly with our patch or an > equivalent approach. You're surely making a convincing technical argument by claiming that this was a political decision. The amount of non-technical, i.e. political arguments in your mail is definitely larger than the technical content. > Hopefully this is a reasoned technical approach to what has been a > long standing issue surrounding this technology. It's an approach which guarantees that the driver will miss the next merge window. If that's your intention, then please let us know. Merging the current set of patches does not prevent anything you want to be added. It's an extension to the base implementation and not a prerequisite. > Best wishes for a productive week. > > Dr. Greg Thanks a lot for the best wishes. Unfortunately reading this email was not necessarily productive for me, but I surely wish that you can make productive use of my reply. Thanks, tglx > ------------------------------------------------------------------------------ > "Opportunity is missed by most people because it is dressed in overalls > and looks like work." > -- Thomas Edison ------------------------------------------------------------------------------ "Failure is simply the opportunity to begin again, this time more intelligently" -- Henry Ford