Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp4081448pxk; Tue, 22 Sep 2020 09:46:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyu9VwEwQxxsdDdgVr3515vljyt0SOCLww/fMXSScfXPpgzHv7TrVo2Ru0bPyVBO5ujiqDE X-Received: by 2002:a05:6402:187:: with SMTP id r7mr4705827edv.360.1600793205076; Tue, 22 Sep 2020 09:46:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600793205; cv=none; d=google.com; s=arc-20160816; b=pyafLgbm0IU87CpFGBOmO2SfQQtMC+XtPFO4H2ikKcvh+YZTlypZLvQ9WxT+0xdejM cUoVT5S19hGpwL6bS25ALTyB+038/p2d09Aqyg8e3T2DeT3RaLdT/LE2LWppBUum2HN7 sgaIRgSwHeAbpomoOWLuN+/D/e8qfcGsnnYwq5xpzicZJFw+DKYhDAf9BuAqWHVas1tT lIQ+T8My30E9aHLt/C2dUx+QgX7hmkkSFVLZVg6u7JqQSUfdJe2NphnydEy86duQwmu7 uASixiAj9F6I3m+uUxNn6DVxSVLvqAujnR+tOKNTzsEuNuUs2dXEiQNO9urIz1kCIQ83 BuoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :ironport-sdr:ironport-sdr; bh=vgG0YFHS+VTSH12tvhhrYdTd1ap+WZZNChMqjRE6BfU=; b=r/rgk7Nnl6fYE7qZ+0OFXKD+kdPm06YI9n5pYDg7XnrCDVFIWxhCgF4eiTC+0XKrXQ WqJl3SXLp+xxp4N9mCLQfgBNzw9APLVP5qolYztxU647EvJ5/CU4+hnUr+np2jyg4ux4 ulMER24PVoIHqJt8LNgSLqrSKpCVFdE0trP2qwJlJHyW+BVS5H09Bx3y16Z4/QQaAMDH 1l9p57vZ5t/Cq9WMdbR6Rl0XzWtOBDADfDutmkk1Gc6ioaOzKmVnULsX7MMK3bxDwTgM qHXPkCrWnSpBw89g72zjPG6Is2yO24JeO8dqWUk38PRt2hr0t9XsUjeMwgJ0BK6+M1I/ qdPw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z9si11314799edp.477.2020.09.22.09.46.19; Tue, 22 Sep 2020 09:46:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726709AbgIVQnF (ORCPT + 99 others); Tue, 22 Sep 2020 12:43:05 -0400 Received: from mga06.intel.com ([134.134.136.31]:25876 "EHLO mga06.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726614AbgIVQnF (ORCPT ); Tue, 22 Sep 2020 12:43:05 -0400 IronPort-SDR: rj0xtPbnqH98QrdCs9e4A3S8Z/anJl/palp08sBuNk5N1eBjTtCOGOZjC0cHBFWiPfUf6FHa7s /Z4FFDn37uJA== X-IronPort-AV: E=McAfee;i="6000,8403,9752"; a="222246218" X-IronPort-AV: E=Sophos;i="5.77,291,1596524400"; d="scan'208";a="222246218" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Sep 2020 09:43:04 -0700 IronPort-SDR: 4oSWxbAXMAdIjFSfeAITRunkFUGcGO10gjSXJM/fC/GptPlBIhLFx0AbArKAFk2jKBb8H5RNPl +Q7JSufRXtkw== X-IronPort-AV: E=Sophos;i="5.77,291,1596524400"; d="scan'208";a="342086235" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.160]) by fmsmga002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Sep 2020 09:43:04 -0700 Date: Tue, 22 Sep 2020 09:43:02 -0700 From: Sean Christopherson To: Jarkko Sakkinen Cc: Andy Lutomirski , X86 ML , linux-sgx@vger.kernel.org, LKML , Linux-MM , Andrew Morton , Matthew Wilcox , Jethro Beekman , Darren Kenny , Andy Shevchenko , asapek@google.com, Borislav Petkov , "Xing, Cedric" , chenalexchen@google.com, Conrad Parker , cyhanish@google.com, Dave Hansen , "Huang, Haitao" , Josh Triplett , "Huang, Kai" , "Svahn, Kai" , Keith Moyer , Christian Ludloff , Neil Horman , Nathaniel McCallum , Patrick Uiterwijk , David Rientjes , Thomas Gleixner , yaozhangx@google.com Subject: Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect() Message-ID: <20200922164301.GB30874@linux.intel.com> References: <20200915112842.897265-1-jarkko.sakkinen@linux.intel.com> <20200915112842.897265-11-jarkko.sakkinen@linux.intel.com> <20200918235337.GA21189@sjchrist-ice> <20200921124946.GF6038@linux.intel.com> <20200921165758.GA24156@linux.intel.com> <20200921210736.GB58176@linux.intel.com> <20200921211849.GA25403@linux.intel.com> <20200922052957.GA97272@linux.intel.com> <20200922053515.GA97687@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200922053515.GA97687@linux.intel.com> User-Agent: Mutt/1.5.24 (2015-08-30) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 22, 2020 at 08:35:15AM +0300, Jarkko Sakkinen wrote: > On Tue, Sep 22, 2020 at 08:30:06AM +0300, Jarkko Sakkinen wrote: > > On Mon, Sep 21, 2020 at 02:18:49PM -0700, Sean Christopherson wrote: > > > Userspace can add the page without EXEC permissions in the EPCM, and thus > > > avoid the noexec/VM_MAYEXEC check. The enclave can then do EMODPE to gain > > > EXEC permissions in the EPMC. Without the ->mprotect() hook, we wouldn't > > > be able to detect/prevent such shenanigans. > > > > Right, the VM_MAYEXEC in the code is nested under VM_EXEC check. > > > > I'm only wondering why not block noexec completely with any permissions, > > i.e. why not just have unconditional VM_MAYEXEC check? > > I.e. why not this: > > static int __sgx_encl_add_page(struct sgx_encl *encl, > struct sgx_encl_page *encl_page, > struct sgx_epc_page *epc_page, > struct sgx_secinfo *secinfo, unsigned long src) > { > struct sgx_pageinfo pginfo; > struct vm_area_struct *vma; > struct page *src_page; > int ret; > > vma = find_vma(current->mm, src); > if (!vma) > return -EFAULT; > > if (!(vma->vm_flags & VM_MAYEXEC)) > return -EACCES; > > I'm not seeing the reason for "partial support" for noexec partitions. > > If there is a good reason, fine, let's just then document it. There are scenarios I can contrive, e.g. loading an enclave from a noexec filesystem without having to copy the entire enclave to anon memory, or loading a data payload from a noexec FS. They're definitely contrived scenarios, but given that we also want the ->mprotect() hook/behavior for potential LSM interaction, supporting said contrived scenarios costs is "free".