Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp2152497pxb; Sat, 21 Nov 2020 10:39:32 -0800 (PST) X-Google-Smtp-Source: ABdhPJyLsYmRAbS1IroNvOuUB1gHe7lTSj8orq+fSsL9LKBD1hA4fEamw6CUg9F37crQrnY9XOrZ X-Received: by 2002:a17:906:490:: with SMTP id f16mr679711eja.12.1605983972526; Sat, 21 Nov 2020 10:39:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605983972; cv=none; d=google.com; s=arc-20160816; b=lzk4F+CWMdVna6NxkWTgPu5xox1uTtbLlCfK3/2JKnG0rrEY5A7Sc3muAZ7z1NEafs /VvYTHuRcHxje0EHr83LldSMcixDRMSsdzfqznYoMpA0xMFSUlfclLwLP/Lbt0poxY9D vzTnOOx7zXB/ap4MD4WlIOyEKzjSqs1RYSOmDURmazdc35lZq0IgUn2W4LgqverOwbHp bYAVbzCbeTI/VX3vzWUBkwV7L1/vd3NnbwzdJtS8ZhUTIWoa8unRlBz5UotcZlg1lssw UAyEexmESEpPC8Hn9R2W4YlEpiFqYiPJDqSY/3xYgoJAVj9sxMH19+Al9R2f1mlHfjZW fWLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=GKCE+yfAor3MDd5pmHaT1uX5obsKXGeMZ06ZZCEYejU=; b=Z9cQ8dCY2+fexWHc6dfF//1JN011jN1coyJSJCTTFJgsZLP//4aEsFVr+JN9s8t+AX ZQXF7NkImSs32Eka0gRQVJF8GSHWP1ZM7U69/VIGtGFomNp6/W1o72R8mj4O6q9rIw33 RqhLJmbR22OdMO1wCu6Oo29YG8CDRMibUGV2h/p/3GNT3KMQK6Ax1uFgCjqBBehefWZ7 BqF7uY2w8hdLrpMehpcUNOdf/FBQErCi7NdbBiG8iGociVYx3RvaSroIvLPIa7Bl5HUC RbxXX803D8ZlWbAD5yjNzavHgoP4WIphE48fXwqEYllmFeb0QBfQC698uW3YrpfIgQg2 Iz4Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="Y4NAE/tE"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j13si3742139ejy.399.2020.11.21.10.39.09; Sat, 21 Nov 2020 10:39:32 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="Y4NAE/tE"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728260AbgKUShS (ORCPT + 99 others); Sat, 21 Nov 2020 13:37:18 -0500 Received: from mail.kernel.org ([198.145.29.99]:48232 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727171AbgKUShR (ORCPT ); Sat, 21 Nov 2020 13:37:17 -0500 Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7C9C22224A for ; Sat, 21 Nov 2020 18:37:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1605983836; bh=k4bb1XSryjOjrKpxNZH2F9eH58+fbIVd+aoQp0laXe4=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=Y4NAE/tEqUg/gNMrQ7inrCvPTLXMwTuIj3xOAWqsXeKJ+KzxTBJwDo9ThXWitboWn DcLN36fXAWIljW5O/B76tftncEDlzr9WVJZs5/K56Edt42vSlCydm8qtp7i75IQ4es 9z1GViBGnY+3/drXDznTvhLlCyIiqi59OB1O/rXI= Received: by mail-wm1-f50.google.com with SMTP id p19so10448559wmg.0 for ; Sat, 21 Nov 2020 10:37:16 -0800 (PST) X-Gm-Message-State: AOAM531kbJ98WFYRjhZ8t7Pteoo0sz7zCiAYwSd5JQ89+KC6uH1wLYhi olAbqz5QQx2rygha6HOgrOitOyB3D/120FOtX0yrWw== X-Received: by 2002:a7b:c92a:: with SMTP id h10mr15913375wml.138.1605983835075; Sat, 21 Nov 2020 10:37:15 -0800 (PST) MIME-Version: 1.0 References: <20201104145430.300542-1-jarkko.sakkinen@linux.intel.com> <20201121151259.GA3948@wind.enjellic.com> In-Reply-To: <20201121151259.GA3948@wind.enjellic.com> From: Andy Lutomirski Date: Sat, 21 Nov 2020 10:36:58 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v40 00/24] Intel SGX foundations To: "Dr. Greg" Cc: Jarkko Sakkinen , X86 ML , linux-sgx@vger.kernel.org, LKML , Andrew Morton , Andy Shevchenko , asapek@google.com, Borislav Petkov , "Xing, Cedric" , chenalexchen@google.com, Conrad Parker , cyhanish@google.com, Dave Hansen , "Huang, Haitao" , "Huang, Kai" , "Svahn, Kai" , Keith Moyer , Christian Ludloff , Andrew Lutomirski , Neil Horman , Nathaniel McCallum , Patrick Uiterwijk , David Rientjes , "Christopherson, Sean J" , Thomas Gleixner , yaozhangx@google.com, Mikko Ylinen Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Dr. Greg, I know you like sending these emails, but they're not really helpful for Linux kernel development. Please see below. On Sat, Nov 21, 2020 at 7:13 AM Dr. Greg wrote: > > On Wed, Nov 04, 2020 at 04:54:06PM +0200, Jarkko Sakkinen wrote: > > Good morning, I hope the weekend is going well for everyone. > > > Important Kernel Touch Points > > ============================= > > > > This implementation is picky and will decline to work on hardware which > > is locked to Intel's root of trust. > > Given that this driver is no longer locked to the Intel trust root, by > virtue of being restricted to run only on platforms which support > Flexible Launch Control, there is no longer any legitimate technical > reason to not expose all of the functionality of the hardware. I read this three times, and I can't tell what functionality you're referring to. > > The patch that I am including below implements signature based policy > controls for enclave initialization. It does so in a manner that is > completely transparent to the default behavior of the driver, which is > to initialize any enclave passed to it with the exception of enclaves > that set the PROVISION_KEY attribute bit. It's completely unreviewable. It's an ABI patch, and it does not document what it does, nor does it document why it does it. It's just a bunch of code. NAK. To be crystal clear, I will not review, and I will NAK outright, any patches of this sort, until ALL of the following conditions are met: a) Either a functioning SGX driver lands in a -rc kernel or there is an excellent justification for why a change of this sort is needed prior to a release. Dr. Greg, you seem to be interested in SGX actually landing upstream, but these patches are just causing delays. Please stop. b) The patch needs to explain what problem it solves and why it is a good solution to that problem. c) The patch needs to explain, either in a changelog or in a text file in the patch, *exactly* what it does. Imagine MSDN-like documentation in the good old days. The documentation needs to be sufficiently clear that a userspace programmer could use your mechanism without reference to your implementation and that a kernel programmer could, in principle, re-implement your code from the description. Unless all three of these are met, your patch is going nowhere, and I think no one should waste their time trying to read it. > > Secondary to the discussions that have been ongoing regarding the > restriction of mmap/mprotect, this patch has been extended to > implement signature based controls on dynamic enclaves. The default > behavior of the driver under this patch is to reject mmap/mprotect on > initialized enclaves, unless the platform owner has elected to allow > the enclave signer the option to implement 'dynamic' enclaves, > ie. enclaves that are allowed to modify their page permissions after > initialization. You have sent this change repeatedly, and now for some reason you're sending it mixed in with unrelated changes. Please stop. At no point have you explained why this approach is better than anything else. It has the obnoxious side effect that you can't usefully SCM_RIGHTS an enclave to a different process with your patch applied, which is at least a minor disadvantage. You have not explained any advantage to your patch at all. Dr Greg, before you hit send on further emails about SGX, could you kindly try to imagine you're a kernel maintainer, read your own email, and consider whether how to make it add something useful to the discussion? Thanks, Andy