Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp2054390pxu; Tue, 24 Nov 2020 16:02:04 -0800 (PST) X-Google-Smtp-Source: ABdhPJz/pTDlskXy1yg22frKKshZISgZ9rOcM5wMZXbPaw9h2VnSrzzG39dKJDMRK17WPmAw5npM X-Received: by 2002:a17:906:a856:: with SMTP id dx22mr916176ejb.134.1606262524205; Tue, 24 Nov 2020 16:02:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606262524; cv=none; d=google.com; s=arc-20160816; b=0qiYRm57wkVecy/ZWfMd3YfWCjxR5l9u/y0JOvHZKLzhqjeRYiBE2JqCIAmxC47vZb e/R5fUqUhNAGb2E8Huk3Ranjmy9wHx1lWbUXB1WprQQbzIgcDdJ+vKmlSC5Z47n/ck+J oO8iOLrYqAlpxiYnxUoeJi0ZEQ+byCe1Fq9Qd4NEwoAeCdMXr+F4nrYgB8sRv7Fpy6DQ bKdRlV4tzoAC6HyUSRhdUvNYjnEycy6efjYzZwIOqMRvrePZ9uXMPLQ9f73qBSQr3KwD kTIMnKbSgrMeRAicG0chGZHMlwB1WhubdM8kQRQGxMjQhIolehACXAA2K3yI8nfs1fqz mbzA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Bg5JE6fMvFu0cGLckudu2MaZj+aIWP3E4q4ft5LEqGw=; b=KZcwv5Lj2kgJD56Uj88kOBOPvdzYlND1GJdWIuQ8VVAd4icozIwvCqCwcBYSA8zd7a r2y25r+m420BGXZ9Ln/uyTqsZycUL7k9F0Za+iRqmJ7ZwOzpkR4iSD8QGm54lXSazz3U zwTdDHOv6VxAwIrw8fBNDYzs72iPpy8nUnlsY8lzjW8eIuuhv7CLIsIY4KQZ9fJ1fLVv XFHZcRgI5VhTbjY3GYwLNcW7xrsTrRTWzGLx4hYXBn6RGI///7RkjXSBn4NlomwBZpJK LGuuc8o/Qqu6610bffGJ2YoImlNcVN2EY7nZephSdLapgiV2+g4xcQnhKt+WeS/Ii1dc OeSQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=tF7koIwH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j11si175377edy.158.2020.11.24.16.01.41; Tue, 24 Nov 2020 16:02:04 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=tF7koIwH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388066AbgKXV5R (ORCPT + 99 others); Tue, 24 Nov 2020 16:57:17 -0500 Received: from mail.kernel.org ([198.145.29.99]:46288 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731696AbgKXV5R (ORCPT ); Tue, 24 Nov 2020 16:57:17 -0500 Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CBB5820715 for ; Tue, 24 Nov 2020 21:57:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1606255036; bh=NKTa7dLhb4WX8DpX7xxrijkL1HVS8VWwDbB2EYzcFFE=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=tF7koIwHqUeAdU8NWI/Ej9UosKw2qWRr+G7VezLm2Ut1X1AZtEUzEoKlI4TV5PwqH Bw/Tp2DNpIvXuxgWuuypsFuvMLNa0Fa5BE3cwQmoMom9lEscuo35I/08SpNcTxkzrW aaPmSsB4q5Zv5pmYvp/7c1DhpM4X37R4HBId+jmA= Received: by mail-wr1-f50.google.com with SMTP id t4so10918304wrr.12 for ; Tue, 24 Nov 2020 13:57:15 -0800 (PST) X-Gm-Message-State: AOAM532QQh2LNOSwF6AuRpOD+PKxdy9WK6+phrhu7k6SgN1Tfcb9WuQ6 JPBEAexO9msb+fWmxTlByRiXPNK9RIht9fkBaRx7kw== X-Received: by 2002:a5d:4e87:: with SMTP id e7mr634055wru.70.1606255034259; Tue, 24 Nov 2020 13:57:14 -0800 (PST) MIME-Version: 1.0 References: <20201104145430.300542-1-jarkko.sakkinen@linux.intel.com> <20201121151259.GA3948@wind.enjellic.com> <20201124184039.GA22484@wind.enjellic.com> In-Reply-To: <20201124184039.GA22484@wind.enjellic.com> From: Andy Lutomirski Date: Tue, 24 Nov 2020 13:57:00 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v40 00/24] Intel SGX foundations To: "Dr. Greg" Cc: Andy Lutomirski , Jarkko Sakkinen , X86 ML , linux-sgx@vger.kernel.org, LKML , Andrew Morton , Andy Shevchenko , asapek@google.com, Borislav Petkov , "Xing, Cedric" , chenalexchen@google.com, Conrad Parker , cyhanish@google.com, Dave Hansen , "Huang, Haitao" , "Huang, Kai" , "Svahn, Kai" , Keith Moyer , Christian Ludloff , Neil Horman , Nathaniel McCallum , Patrick Uiterwijk , David Rientjes , "Christopherson, Sean J" , Thomas Gleixner , yaozhangx@google.com, Mikko Ylinen Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 24, 2020 at 10:40 AM Dr. Greg wrote: > > On Sat, Nov 21, 2020 at 10:36:58AM -0800, Andy Lutomirski wrote: > > Intel SGX developer licensing requires that you provide application > recipients with a full and complete runtime along with the signed > application. Our developer license allowed us to substitute our > runtime for Intel's. Upstream Linux wants nothing to do with Intel's developer licensing. > > > Given that this driver is no longer locked to the Intel trust root, by > > > virtue of being restricted to run only on platforms which support > > > Flexible Launch Control, there is no longer any legitimate technical > > > reason to not expose all of the functionality of the hardware. > > > I read this three times, and I can't tell what functionality you're > > referring to. > > Yes you do, as I mentioned to Dave in my last e-mail, we have been > disagreeing about this for a year. No, I don't. It's entirely possible that I'm aware of the functionality you're referring to, but that doesn't mean that your description quoted above is sufficient for me to have the slightest idea which functionality you mean right here. > > You were at some kind of seminar where SGX was discussed. Based on > that you developed a 'manifesto' regarding how Linux should implement > the technology. That manifesto indicated there would be no place for > cryptographic policy control on enclaves. That's not what I said. Paraphrasing myself, I said that there is no place for a driver in upstream Linux that allows only Intel-approved code to run. That is not at all the same thing as saying we won't support cryptographic policy in a way that allows the platform owner an appropriate degree of control. Actually supporting launch control (the EINIT-enforced kind) in upstream Linux will be tricky but is surely possible. It would probably help if Intel or firmware vendors had some clear specification of exactly how they intend for platform owners to select an SGXLEPUBKEYHASH value. (A nice spec in which an authenticated UEFI variable contained the desired SGXLEPUBKEYHASH and lock state might be an excellent start.) Supporting this in upstream Linux will also require decoupling the user code that creates an enclave from the user code that invokes the LE. Jarkko already wrote some code for this, and it could be revived. If this ends up being inconsistent with Intel's licensing requirements, then Intel can change their licensing requirements or people can just ignore Intel and use a different signing key. Frankly, using Intel's signing key in SGXLEPUBKEYHASH offers a dubious degree of protection in the first place -- it assumes that Intel will never approve a malware enclave, and it also assumes that the lack of functioning EINITTOKEN revocation won't break the whole scheme. > > A well taken and considered point on a locked launch control platform > but completely irrelevant for this driver, that only operates on > Flexible Launch Control platforms. By demanding compliance with only > that vision you deny platform owners a final measure of defense > against anonymous code execution. I am denying Intel the chance to impose their licensing requirements. The fact that Intel chose to poison the well with their licensing system and that, as a result, Linux won't support the Intel model of launch control to protect platform owners is an unfortunate side effect. > > > > The patch that I am including below implements signature based policy > > > controls for enclave initialization. It does so in a manner that is > > > completely transparent to the default behavior of the driver, which is > > > to initialize any enclave passed to it with the exception of enclaves > > > that set the PROVISION_KEY attribute bit. > > > It's completely unreviewable. It's an ABI patch, and it does not > > document what it does, nor does it document why it does it. It's > > just a bunch of code. NAK. > > You can certainly NAK-away Andy[0]. I've had sufficent private > feedback from reasoned and informed individuals that I've made my > point that this isn't about technical considerations. Depends on what you mean by "technical". In the submitting-patches guide (https://www.kernel.org/doc/html/v5.9/process/submitting-patches.html), you will find instructions to "describe your changes" and "separate your changes". If you can produce a reasonably, reviewable submission of your code, I will review it. But I am not going to dig through your diff to try to find the hidden technical merit. > > Here is the link, again, to the patch in 'git am' compliant format. > > ftp://ftp.enjellic.com/pub/sgx/kernel/SFLC-v41.patch > > I've been watching Linux patches go by for close to 30 years. If this > is completely unreviewable garbage, legitimate concerns can be raised > about what is getting pushed into the kernel. The kernel review process is by no means perfect. That does not mean that you get to apply your unreviewable garbage just because other people have pulled it off in the past. > For the LKML record, absent our patch the driver has an open security > issue with respect to anonymous code execution that should be > addressed, if that issue is indeed of any concern. What do you mean? > The only thing that I can think of is that you disagree with the > optional capability of blocking the enclave from implementing > anonymously executable memory. Absent that ability there is the > security issue that has now been extensively discussed. You keep sending a patch that blocks mmap and mprotect on an initialized enclave. As far as I can tell, you haven't explained how it's any better than the code it replaces. The code it replaces enforces per-page maximum permissions, and all the infrastructure is in place for the platform owner to be able to enforce their rules without breaking ABI. Your proposal appears to accomplish something a little bit like what the code in -tip does, except without as much room for future improvements. Since you haven't tried to explain why you think it's better, I can't really evaluate it.