Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp4592604pxu; Tue, 20 Oct 2020 23:38:12 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwR4vb/UfJA8iyGW5V5eQ6+3quZx4oRuhOsbpuLanIoxaYHyTdnet/yhxrGxRDzp+4gy2+j X-Received: by 2002:a17:906:c315:: with SMTP id s21mr1874320ejz.296.1603262292227; Tue, 20 Oct 2020 23:38:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603262292; cv=none; d=google.com; s=arc-20160816; b=t285MB7Pr/CI46R+V9wBu5i2Fqm5jfOb3lq+6c7XOQh7sretkX2FPFzpBl3GLa+TLo vI6kdHVTBOto13K5IKsU3glcaWU3XqOkrkA3oBcMtgKaHAevY05Z1znJxXI3hByvbcSt XnCIjuDYCrWMeURwK2r+4i8V69XobDHOzHkk0Uo4we/dOp0/7R79Gr/MUQg5yzxDbA37 nLjeKM+OPjCOnY0ji5k91PRksyH4A3my5keqHvH2AhdIZ+bX0yU8JAaZEuTPa9ya7Psy N65FDgFihkL5g/KG5fXRx+J6y3+VpzC90Gfbhsv0Cw9LSJ3p+Lenbj1dyLR6vxiRq3M0 asfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :ironport-sdr:ironport-sdr; bh=a1aMpqeQ0ggHUAKxJr+qc47TN+iVqv1heSRoHz9X+pQ=; b=uJhY456PbLMqIDWkOL1HWhM6Wu0lqlClIIsXdzLpcHlIzovCgP3e92N4M9codIoasH dLVerEjQzcS4usFZTE7VE/QzT0rZt8/pC88/OwSz9rSyPgo+1LGK9JKcZ4YK21v0g+bo aNQ3uPK9h9KhT8kN7OUVhkBvIRyVjj9CKBAOOFFq+9HGfpNLenqIhWJAKemgI81mnP0r YVvjqAYXApnwGjRHjjrZxFDADEI72Eu6NJjtR3rE2CUqjF8LG8GRE1THmGKbddrZp4m3 D2lrI6YbquQT/Ak4jl0GHdsShOZeKuuQlViCZP4yQjzZjWgXjIcT3lWeCLtJiNJEberI s8tQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a20si750211eda.489.2020.10.20.23.37.50; Tue, 20 Oct 2020 23:38:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2394773AbgJTQkJ (ORCPT + 99 others); Tue, 20 Oct 2020 12:40:09 -0400 Received: from mga03.intel.com ([134.134.136.65]:24589 "EHLO mga03.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387765AbgJTQkJ (ORCPT ); Tue, 20 Oct 2020 12:40:09 -0400 IronPort-SDR: Zskibe4fzMQ5nMuv8p/SVRcW8tfYMGz6vw/Xu8VQs8zwEL4jGFb19JCbZwsp/fPH712I69/VuB auq9vQ8twTYw== X-IronPort-AV: E=McAfee;i="6000,8403,9780"; a="167330795" X-IronPort-AV: E=Sophos;i="5.77,397,1596524400"; d="scan'208";a="167330795" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 Oct 2020 09:40:04 -0700 IronPort-SDR: MoYFv3g53SAR0EFIb6i0dukRHdLLl8fsDnFqcj06Q4tcaNv6xZzgBKy/8/bgaBTFdgv7YwWv4O QAE+1UeOOkxg== X-IronPort-AV: E=Sophos;i="5.77,397,1596524400"; d="scan'208";a="522439848" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.160]) by fmsmga006-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 Oct 2020 09:40:02 -0700 Date: Tue, 20 Oct 2020 09:40:00 -0700 From: Sean Christopherson To: "Dr. Greg" Cc: Dave Hansen , Jarkko Sakkinen , Haitao Huang , Andy Lutomirski , X86 ML , linux-sgx@vger.kernel.org, LKML , Linux-MM , Andrew Morton , Matthew Wilcox , Jethro Beekman , Darren Kenny , Andy Shevchenko , asapek@google.com, Borislav Petkov , "Xing, Cedric" , chenalexchen@google.com, Conrad Parker , cyhanish@google.com, "Huang, Haitao" , Josh Triplett , "Huang, Kai" , "Svahn, Kai" , Keith Moyer , Christian Ludloff , Neil Horman , Nathaniel McCallum , Patrick Uiterwijk , David Rientjes , Thomas Gleixner , yaozhangx@google.com Subject: Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect() Message-ID: <20201020163959.GB28909@linux.intel.com> References: <20200925000052.GA20333@linux.intel.com> <32fc9df4-d4aa-6768-aa06-0035427b7535@intel.com> <20200925194304.GE31528@linux.intel.com> <230ce6da-7820-976f-f036-a261841d626f@intel.com> <20200928005347.GB6704@linux.intel.com> <6eca8490-d27d-25b8-da7c-df4f9a802e87@intel.com> <20201018084920.GA19255@wind.enjellic.com> <20201019213105.GE23072@linux.intel.com> <20201020100118.GA6957@wind.enjellic.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20201020100118.GA6957@wind.enjellic.com> User-Agent: Mutt/1.5.24 (2015-08-30) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 20, 2020 at 05:01:18AM -0500, Dr. Greg wrote: > On Mon, Oct 19, 2020 at 02:31:05PM -0700, Sean Christopherson wrote: > > Good morning, I hope the day is starting well for everyone. > > > On Sun, Oct 18, 2020 at 03:49:20AM -0500, Dr. Greg wrote: > > > Is this even a relevant control if we cede the notion of dynamically > > > loadable enclave code, which is the objective of SGX2 hardware, which > > > will in all likelihood be the only relevant hardware implementation in > > > the future? > > > Yes, it's still relevant. Giving the thumbs up to dynamically > > loadable code is not a purely binary decision, e.g. a user/admin can > > allow RW->RX transitions but still disallow full RWX permissions. > > With respect to the security issue at hand, the only relevant issue > would seem to be if a page had write permissions at one time in its > trajectory to having execute permisions, isn't this correct? No. RW->RX has different properties than RWX. E.g. an enclave that dynamically loads code is not the same thing as an enclave that allows simultaneously writing and executing a page. > The next paragraph of my reply wasn't included in your reply, but I > did state that the mprotect hook would be relevant if its purpose was > to disallow this permission trajectory and in the process disable > enclave dynamic code loading and execution. > > So to assist everyone in understanding this issue and the security > implications involved, is the ultimate purpose of the mprotect hook to > disable dynamic code loading? No, it's to provide line of sight to enforcing granular LSM checks on enclave pages. Jumping back to the RWX thing, as a defense in depth measure, a policy owner could set an SELinux policy to never allow RWX, even for enclaves that dynamically load code. Whether or not having per-page granluarity on enclave permission checks is valuable/interesting is debatable, e.g. it's why LSM integration is notably absent from the this series. But, adding the ->mprotect() hook is relatively cheap and can always be removed if it's deemed unnecessary in the long run. The reverse is not true; omitting ->mprotect() commits the kernel to an ABI that is either ugly and potentially painful (require all enclaves to declare full RWX permissions), or flat out prevents adding granular LSM support in the future (do nothing).