Received: by 2002:a25:2c96:0:0:0:0:0 with SMTP id s144csp578232ybs; Sun, 24 May 2020 14:31:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw4hOx2ESOJU9yUdrksw0+Elt70LkOwF7r6LVvkqkZdhMIodlRqcjNmsdVbnhECf9VKlXLA X-Received: by 2002:a50:eb0a:: with SMTP id y10mr12458036edp.312.1590355890631; Sun, 24 May 2020 14:31:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590355890; cv=none; d=google.com; s=arc-20160816; b=yd9Yu893H+vsJ76OjWBWKjuiWRJtnGeraxdt6YHARViovKtsHIwOZS1xpBS/0RsSXp wAZoOrKl8R06VdDT6CHfkcaT/4PJZGx8Jf9A94N7tUQcrO64go87OtirA2yAJIeY7Ly1 BaDvTodIp8yIZaoDFCpcKdHdmkB1+kZDkJepf4c3w5W0cCyo92bYFRPEZISXmxqlppCr 6BJFqxzvv7wqG1YrG0hO/dICf7I2YwSqZiBe3/ei38R11JHrYivQIpaPyE1wdZMnrCTO lwgfLHUxCBKhs2EA62vKMKoihwQEFxxW/9Si0a5GhhaxdpYV7zI8K6zikQanf0pRS0PF /OkA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Q/baZgJFjT3uM5ZnpqOzaygs/RSJj693srSnJhpduaE=; b=obR4DJ7Q9bXq3QAcM4QghM5UMtsFh3PE2HO6oPXE73LtEoX+EwNxH4mGafMpvAUs0d eSsRsJJNAo7ry35bM+RXmawdyLE/CXA5OAfATU86li9G4kjfY84w3IZWtJ0Rlvaujb9G n8fon8ilxy9/DZF6m+nzO9DVjaYzDbCBaIRjp3GoSRygj+tFTj05OgRoiSovKjq8sXn+ wEMgzKQ3b9psVnBKfN0CnB3OsKUBClmPHKdAafENBQe9OQZ0i2kAGqsDwt2cbELmbtl8 p71mgajpeqbRVwlCwpxp0hx8IYu5q2tQZsohVhSAHcxkT2Yh7TaxQZYl/fTny/ij87f9 PMUQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a28si8163364edm.309.2020.05.24.14.31.08; Sun, 24 May 2020 14:31:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387914AbgEXV1W (ORCPT + 99 others); Sun, 24 May 2020 17:27:22 -0400 Received: from jabberwock.ucw.cz ([46.255.230.98]:57496 "EHLO jabberwock.ucw.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387830AbgEXV1W (ORCPT ); Sun, 24 May 2020 17:27:22 -0400 Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id CF0E11C02AB; Sun, 24 May 2020 23:27:20 +0200 (CEST) Date: Sun, 24 May 2020 23:27:19 +0200 From: Pavel Machek To: "Dr. Greg" Cc: Sean Christopherson , Thomas Gleixner , Jarkko Sakkinen , torvalds@linux-foundation.org, linux-kernel@vger.kernel.org, x86@kernel.org, linux-sgx@vger.kernel.org, akpm@linux-foundation.org, dave.hansen@intel.com, nhorman@redhat.com, npmccallum@redhat.com, haitao.huang@intel.com, andriy.shevchenko@linux.intel.com, kai.svahn@intel.com, bp@alien8.de, josh@joshtriplett.org, luto@kernel.org, kai.huang@intel.com, rientjes@google.com, cedric.xing@intel.com, puiterwijk@redhat.com Subject: Re: [PATCH v29 00/20] Intel SGX foundations Message-ID: <20200524212719.GA1192@bug> References: <20200421215316.56503-1-jarkko.sakkinen@linux.intel.com> <20200426165753.GA11046@wind.enjellic.com> <87d07gk24l.fsf@nanos.tec.linutronix.de> <20200508190226.GA31465@wind.enjellic.com> <20200508195635.GR27052@linux.intel.com> <20200514091637.GA25156@wind.enjellic.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200514091637.GA25156@wind.enjellic.com> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi! > > > At the very least a modular form of the driver should be > > > considered that would allow alternate implementations. Sean > > > indicated that there was a 'kludgy' approach that would allow an > > > alternate modular implementation alongside the in-kernel driver. > > > I believe that Andy has already indicated that may not be an > > > advisable approach. > > > Modularizing the the driver does nothing for your use case. The > > "driver" is a relatively lightweight wrapper, removing that is akin > > to making /dev/sgx/enclave inaccessible, i.e. it doesn't make the Well... SGX is proprietary feature of Intel. I don't see any effort for standartization so that other architectures could use it. Yet it provides userspace interface... You clearly want distros to enable it, but that will waste memory on non-Intel systems. That is not good. > Here in a nutshell is the paradox the kernel faces: > > No one seems to be disputing the fact that the primary focus of this > driver will be to support the notion of 'runtime encryption' and > Confidential Computing. The whole premise of the concept and economic > predicate of the initiative is that the owner/manager of the platform > has no visibility into what is being done on the platform. Well, in my eyes preventing owner of the machine from accessing all its parts is pretty questionable. Physics says it is impossible, many tried, and many failed. Why it should be different this time? > If the Linux community believes that standard platform security > controls can make qualitatively good judgements on what enclave based > execution is doing, it is effectively making the statement that the > very concept of runtime encryption and by extension Confidential > Computing is invalid. And yes, I believe that concept of Confidential Computing is invalid.. and we should simply not merge this support. It provides false sense of security, and I'm afraid big companies will try to force people to use it. "DRM, now with hardware support". "Finally advertisments you can not skip". "Just run this piece of code on your machine to access your bank account. Trust us!" :-(. Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html