Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp3822436ybt; Tue, 30 Jun 2020 11:53:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy8WfvQu1Dx1vI7tgQrwkhr/++UFC/JPfZKZeNg8juk3HyNglo0Wi9wgKkRl9duxmjAxbnV X-Received: by 2002:a17:906:7686:: with SMTP id o6mr20244151ejm.326.1593542817266; Tue, 30 Jun 2020 11:46:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593542817; cv=none; d=google.com; s=arc-20160816; b=gHeeLaFyGIdmFpCZZIAnyG1irJqHQevewMWzzICxUtkZqzXYNYCgCH9kAYprC+Wi9M BSvVar/3X09SrYF9zmXReXa7JXA3q8ufsphWhPhXF5J8OpDgOQefFOQ2DsWZ//Wo+K96 4Jx39w79sUOQ60fAw1lScV1qtboJBCO5YfkvrGEpIEnUa6uorP3SqFd4Qu53r3KPcR+n GJCok6vcEVM3FhQPe+wuD4wiSYSLmYCRn3ne4IOiYfFIGEUxQXAgoTunoPiMngOTRPTF sPXj7IC3a9I9qg+M6frUfEmWfT1bZ9RGMmCmEzrGOaeW+tiS3og8uo+wEjCc6P+8vTSw 5FVQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Lt6JVw6L/zSguu/k74tDMY6iFZxgzeanIERO4gD46IM=; b=p4swibVpyZmXJTjBK4gKm39l3+ENJikGlCTjdavjerACfddqLDW5aPX8ZTy3kNzJCC issPL6yDvHkaBtR+HQjiujzqaXLstk0WUxukIQSG1n0wep/Q72qZkirwwNQ9tBAAfUBG SkZ+8atoGHEfRU1pyv2DxWxhaJZbeOmj1Gw3RwiFeTJeov8TptY8lVRpUByNY07HNrko yx18uyu0zX8MnsWRV8m+RYwnks99nLVr0u7PcQX6TfsOs3/M+fi84N/p8tK1uHMpwFPR BaeBKTpXaesUUnZJwrtIW7kWKQ7qjPzyOvpnl09Fg8mMjQutty2AMN1CsEl1riCAvdfp /djg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=g0VCHu5y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h27si466329ejd.190.2020.06.30.11.46.33; Tue, 30 Jun 2020 11:46:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=g0VCHu5y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729963AbgF3RNO (ORCPT + 99 others); Tue, 30 Jun 2020 13:13:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:34238 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387878AbgF3RNO (ORCPT ); Tue, 30 Jun 2020 13:13:14 -0400 Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5445920826 for ; Tue, 30 Jun 2020 17:13:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593537193; bh=diSO1CamvrQdtfEI+H7me6fxh/KtADWecbcfO1/wVoo=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=g0VCHu5yhHihJYjJCE25aVIaqOgxXTAQluoAB712i8ttmyZBEH9ahl4xnIRcJWtkS iVwKR3YMRuPh4XPkXtCRNRTnWn9b1ECnWaMeQehaphzIFVerVBpEe7M17DThvkJ1sZ P3nA8JAbWGtM8U7nCzhsIFDigcair9/tQBjbwc0U= Received: by mail-wm1-f46.google.com with SMTP id q15so19534006wmj.2 for ; Tue, 30 Jun 2020 10:13:13 -0700 (PDT) X-Gm-Message-State: AOAM530e/enI6/AE4C7tLif5horTVuyn6KKKlkp7G7P/V0ERZq8FGrkC 9AbjTJaRfyVF0fcLiZgjAcvMk8NgddzOt0qWZxXITg== X-Received: by 2002:a1c:a304:: with SMTP id m4mr23802567wme.49.1593537191719; Tue, 30 Jun 2020 10:13:11 -0700 (PDT) MIME-Version: 1.0 References: <20200617220844.57423-1-jarkko.sakkinen@linux.intel.com> <20200617220844.57423-13-jarkko.sakkinen@linux.intel.com> <20200629160242.GB32176@zn.tnic> <20200629220400.GI12312@linux.intel.com> <20200630084956.GB1093@zn.tnic> <20200630142027.GA7733@linux.intel.com> In-Reply-To: <20200630142027.GA7733@linux.intel.com> From: Andy Lutomirski Date: Tue, 30 Jun 2020 10:13:00 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v33 12/21] x86/sgx: Allow a limited use of ATTRIBUTE.PROVISIONKEY for attestation To: Sean Christopherson Cc: Borislav Petkov , Jarkko Sakkinen , X86 ML , linux-sgx@vger.kernel.org, LKML , LSM List , Jethro Beekman , Andy Lutomirski , Andrew Morton , Andy Shevchenko , asapek@google.com, "Xing, Cedric" , chenalexchen@google.com, conradparker@google.com, cyhanish@google.com, Dave Hansen , "Huang, Haitao" , Josh Triplett , "Huang, Kai" , "Svahn, Kai" , kmoy@google.com, Christian Ludloff , Neil Horman , npmccallum@redhat.com, puiterwijk@redhat.com, David Rientjes , Thomas Gleixner , yaozhangx@google.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 30, 2020 at 7:20 AM Sean Christopherson wrote: > > On Tue, Jun 30, 2020 at 10:49:56AM +0200, Borislav Petkov wrote: > > On Mon, Jun 29, 2020 at 03:04:00PM -0700, Sean Christopherson wrote: > > > /dev/sgx/provision is root-only by default, the expectation is that the admin > > > will configure the system to grant only specific enclaves access to the > > > PROVISION_KEY. > > > > Uuh, I don't like "the expectation is" - the reality happens to turn > > differently, more often than not. > > Would it help if I worded it as "only root should ever be able to run an > enclave with access to PROVISION_KEY"? We obviously can't control what > admins actually do, hence my wording of it as the expected behavior. > > > > In this series, access is fairly binary, i.e. there's no additional kernel > > > infrastructure to help userspace make per-enclave decisions. There have been > > > more than a few proposals on how to extend the kernel to help provide better > > > granularity, e.g. LSM hooks, but it was generally agreed to punt that stuff > > > to post-upstreaming to keep things "simple" once we went far enough down > > > various paths to ensure we weren't painting ourselves into a corner. > > > > So this all sounds to me like we should not upstream /dev/sgx/provision > > now but delay it until the infrastructure for that has been made more > > concrete. We can always add it then. Changing it after the fact - > > if we have to and for whatever reason - would be a lot harder for a > > user-visible interface which someone has started using already. > > The userspace and attestation infrastructure is very concrete, i.e. the > need for userspace to be able to access PROVISION_KEY is there, as is the > desire to be able to restrict access to PROVISION_KEY, e.g. I believe Andy > Lutomirski originally requested the ability to restrict access. > > The additional infrastructure for per-enclave decisions is somewhat > orthogonal to the PROVISION_KEY, e.g. they won't necessarily be employed > by everyone running enclaves, and environments that do have per-enclave > policies would still likely want the extra layer of restriction for > PROVISION_KEY. I only brought the additional policy crud to call out that > we've done enough path-finding on additional restrictions to have strong > confidence that adding /dev/sgx/provision won't prevent us from adding more > fine grained control in the future. I agree. I anticipate that most of the nasty fine-grained stuff will end up in userspace down the road. Systems can be configured such that provisioning is done as root, or systems can end up with fancy SELinux rules or daemons that pass around fds or whatever, but all of this can be done with the kernel code in this patchset.