Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1458688pxk; Fri, 25 Sep 2020 15:47:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw6si8EpM/WSkNILTnkuJiQrboC8E+Yycx//1OXFFdg79YYBMfk4Y6KHAxVGJT85UbQ63iD X-Received: by 2002:a17:907:2139:: with SMTP id qo25mr4872490ejb.547.1601074055146; Fri, 25 Sep 2020 15:47:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601074055; cv=none; d=google.com; s=arc-20160816; b=jjFjVvCREoI7HuZITsGsfeR7O4/o5hXg9AsnVi43nUtSYp41KKqPz28mTedJn+zYy2 qRcbb3xbjZeSHtQ/ZfBCjPqSNhf47e42b03vo8DvVLCOoxbA+GDoIUaECYXqFs9zC1xi T4gxVo5SNquuhFV4ptChs+29sjr3B7AeyCfCOdIL0j1XXsP9Ass17auUMmQxCwKxWfga +LgcneKoBskRviTMsqsnVHSmHhDxTWgxbc75NF6kvBGwEaV7honw5q7ghsRBOIIp+E0F 2GGvBHUxaIsESBdGe/E/EfQ08ITuO9Io2CS/D0ZUarFOLMoaEnYAe/gjWxgOjAxNtuP7 Krcg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :ironport-sdr:ironport-sdr; bh=G7LLtW2BH9qae6Wuenz0yOVF5JvZmpho7NCId/rp/fM=; b=ShTzuRcpU53kWB1fmbOMfQ6ihIaTLBqCoAlZegkJ2cJT/kuQL5zQanfyOalUYmDNhL 9FITGw/L4YJrTBb4G6sB6kLGydLY0WsCBWZFVDHsvVp7ils4B847uNVtATPfFaMKN8Tg R3REQRXSv/A5o6qX4ZEo3x3sxsN8v4lJO9S5l6ehdH2s/Ee7jjdupCXF6J2CgZ1onaJn 9oJI4ypbxWvJ03/8yQilvog8kzO4TB3Wf7TC4bmbHgR19rSzsxv1rAqcw9Eukm88jVvZ 612Ky3hfp6jDi8IyB2V9dbbPFa/KpfIJhRQqozesfw3a/TruZnwgtKKrFRxki5T1IoV/ Joxg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o11si3304160ejx.443.2020.09.25.15.47.12; Fri, 25 Sep 2020 15:47:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729113AbgIYWpH (ORCPT + 99 others); Fri, 25 Sep 2020 18:45:07 -0400 Received: from mga04.intel.com ([192.55.52.120]:53529 "EHLO mga04.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726210AbgIYWpH (ORCPT ); Fri, 25 Sep 2020 18:45:07 -0400 IronPort-SDR: 8oNG5lL73a2zMqeLrCsFY6iKaE/OT1r/tyY4b6g4qcPuTl5MTds+L3QWJpuA4JAJQErvTJ8mSB P+5ukRk6gE0w== X-IronPort-AV: E=McAfee;i="6000,8403,9755"; a="159019383" X-IronPort-AV: E=Sophos;i="5.77,303,1596524400"; d="scan'208";a="159019383" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Sep 2020 12:43:06 -0700 IronPort-SDR: 0cmbbxIOq+DRBwDZXU8oN+OtguZDJAfmZzzlqB5HURVs+a31qryQUHYiY8WcGsB/JaPgA3UctT bNXULHS8KJnA== X-IronPort-AV: E=Sophos;i="5.77,303,1596524400"; d="scan'208";a="291893055" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.160]) by fmsmga007-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Sep 2020 12:43:05 -0700 Date: Fri, 25 Sep 2020 12:43:04 -0700 From: Sean Christopherson To: Dave Hansen Cc: Haitao Huang , Jarkko Sakkinen , Andy Lutomirski , X86 ML , linux-sgx@vger.kernel.org, LKML , Linux-MM , Andrew Morton , Matthew Wilcox , Jethro Beekman , Darren Kenny , Andy Shevchenko , asapek@google.com, Borislav Petkov , "Xing, Cedric" , chenalexchen@google.com, Conrad Parker , cyhanish@google.com, "Huang, Haitao" , Josh Triplett , "Huang, Kai" , "Svahn, Kai" , Keith Moyer , Christian Ludloff , Neil Horman , Nathaniel McCallum , Patrick Uiterwijk , David Rientjes , Thomas Gleixner , yaozhangx@google.com Subject: Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect() Message-ID: <20200925194304.GE31528@linux.intel.com> References: <20200924192853.GA18826@linux.intel.com> <20200924200156.GA19127@linux.intel.com> <20200924202549.GB19127@linux.intel.com> <20200924230501.GA20095@linux.intel.com> <20200925000052.GA20333@linux.intel.com> <32fc9df4-d4aa-6768-aa06-0035427b7535@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <32fc9df4-d4aa-6768-aa06-0035427b7535@intel.com> User-Agent: Mutt/1.5.24 (2015-08-30) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 25, 2020 at 10:18:28AM -0700, Dave Hansen wrote: > Thanks for the walkthrough. The thing that clicked for me seeing those > examples was how the earlier ioctl(ADD_PAGE) is "bound" to later > enforcement actions at enclave PTE creation time. > > On 9/24/20 5:00 PM, Sean Christopherson wrote: > > My concern is that if we merge this > > > > ioctl(sgx_fd, ENCLAVE_ADD_PAGE, SGX_PROT_READ | SGX_PROT_EXEC, ptr, size); > > > > without ->mprotect(), we can't actually enforce the declared protections. And > > if we drop the field altogether: > > > > ioctl(sgx_fd, ENCLAVE_ADD_PAGE, ptr, size); > > > > then we can't implement security_enclave_load(). > > To me, it's perfectly OK to have parts of the ABI which are unused. It > sure makes them harder to test if there are no actual users in the code, > but if it solves a real problem with the ABI, I'm fine with it. > > Let's see if I can put all the pieces together. > > Background: > > 1. SGX enclave pages are populated with data by copying data to them > from normal memory via: ioctl(sgx_fd, ENCLAVE_ADD_PAGE, src_ptr...); > 2. We want to be able to restrict those normal memory data sources. For > instance, before copying data to an executable enclave page, we might > ensure that the source is executable. > 3. Enclave page permissions are dynamic just like normal permissions and > can be adjusted at runtime with mprotect() (along with a > corresponding special instruction inside the enclave) > 4. The original data source may have have long since vanished at the > time when enclave page permission are established (mmap() or > mprotect()) > > Solution: > > The solution is to force enclaves creators to declare their intent up > front to ioctl(ENCLAVE_ADD_PAGE). This intent can me immediately > compared to the source data mapping (and rejected if necessary). It is > also stashed off and then later compared with enclave PTEs to ensure > that any future mmap()/mprotect() operations performed by the enclave > creator or the enclave itself are consistent with the earlier declared > permissions. > > Essentially, this means that whenever the kernel is asked to change an > enclave PTE, it needs to ensure the change is consistent with that > stashed intent. There is an existing vm_ops->mmap() hook which allows > SGX to do that for mmap(). However, there is no ->mprotect() hook. Add > a vm_ops->mprotect() hook so that mprotect() operations which are > inconsistent with any page's stashed intent can be rejected by the driver. Yes to all of the above. > Implications: > > However, there is currently no implementation of the intent checks at > the time of ioctl(ENCLAVE_ADD_PAGE). Correct. > That means that the intent argument (SGX_PROT_*) is currently unused. No, the intent argument is used (eventually) by SGX's ->mprotect() implementation, i.e. sgx_mprotect() enforces that the actual protections are a subset of the declared/intended protections. If ->mprotect() is not merged, then it yes, it will be unused. And therein lies the problem as the kernel can't start using/enforcing the intent without breaking userspace. E.g. an enclave loaded with SGX_PROT_READ but mprotect()'d with PROT_READ | PROT_EXEC would break if sgx_mprotect() came along. One way to avoid introducing ->mprotect() would be to require all enclaves to declare all pages with READ|WRITE|EXEC. Then we could drop sgx_mprotect() since the mprotect() permissions are guaranteed to be a subset of the declared permissions. That would have the added bonus of eliminating the per-page checks in sgx_mmap()/sgx_mprotect(), though I've no idea if that is a meaningful optmization or it's lost in the noise. The big downside of requiring READ|WRITE|EXEC is that it will make life hell for a LSM policy owner if they ever want to apply EXECMEM or EXECMOD style restritions on enclaves, i.e. if SELinux folks want to add security_enclave_load(). I find that I'm more or less ok with that approach, in no small part because introducing security_enclave_load() might be a pretty big "if", e.g. security folks may decide that they'd rather allow/deny enclaves based on the measurement or signer of the enclave and eschew per-page checks entirely. > -- > > Is that all correct? Did I miss anything?