Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3385255pxb; Mon, 17 Jan 2022 19:15:59 -0800 (PST) X-Google-Smtp-Source: ABdhPJxyiOt5qeC9axFKGmkObP0ojL9/sa17fJ8r5YTR9riTEo8PxkUyUaJlFl/46Tc7RQ14aUA4 X-Received: by 2002:a17:903:2342:b0:14a:6059:5d94 with SMTP id c2-20020a170903234200b0014a60595d94mr26250183plh.45.1642475759237; Mon, 17 Jan 2022 19:15:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642475759; cv=none; d=google.com; s=arc-20160816; b=kbtRrrdWVua/liiQRFqjQYkEeW3Ra8Vi5eUdsnWYnehFlB3sOeHIa+v6PQPeEqU45u 0e3NECyk1P6vhv5ZSlXFbL7aYJ2E/A/pksaXiffyEh5JCu1moOiILM5iripI8dkc6T7j gPXsFvTzVLSofcH568+ZcRzO2EZYlL6CqJ+9dHWy3ag3iikUYCMTbbP8w1JjD94OrQ7K rAPNn1LsERzapGFNGPzBSO8RQRlQxAYSr1d7BFULwou5mgFEciQ41wwY39nKFfwidOTg f1AybO5dWWutKQik8LTyAvmW7wFiBHKu2aO3A9KCmNb6YIWrZVaZo1WXRvjhhBLlyv2g fA5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=OAs4sIiulBY07y+BOax8h0nCrvifGnrsFTSK/pHtYYY=; b=i4fC9kENEx/EdOnTZCk5hjGRPJWcjTuR6gD7Tt9RUHF79pA6+7hScbBYihvu9neZFK KhJ0hxJZVFmS7d/MbcqgH/hYX0UBKMXHbgGAHZGMoL8VZNQz3AiHnTYxR0fvT61t08pu Em6YFLfjsmUWnXurlo3j0VtphimphElypaF0Du7Os/oLX0v/VNxbaj1LPEUeaFP64l/l nuBjHsCBuZOwHJ9JBY3Fs7CKdiQOYrY3azu20558F6odf658FRn6pmLfOidW8zozQrLD Lo3jMl0C+zvuxcEp8l7rB0jZqJOunUfK4usKdKxA0CnP+9BVTkZNA5bIv8Ndkc8wtiGp DXkQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=mc4XhQx8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q13si18657560plh.467.2022.01.17.19.15.48; Mon, 17 Jan 2022 19:15:59 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=mc4XhQx8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245012AbiARCYU (ORCPT + 99 others); Mon, 17 Jan 2022 21:24:20 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57336 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245122AbiARCXD (ORCPT ); Mon, 17 Jan 2022 21:23:03 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4A748C0613E3; Mon, 17 Jan 2022 18:23:02 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 059DCB8122C; Tue, 18 Jan 2022 02:23:01 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 55AD1C36AEB; Tue, 18 Jan 2022 02:22:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1642472579; bh=uwSXBDaHlurEkOctOLsRQNIiAyTTLUDQ1Gyqx78oCZw=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=mc4XhQx8joJC04FZuQUX4YUb62f7WhZ3ed1d0wa+zch3BI3a1MA5RgijGzbcSZ2aH 1hifwTgdf9Q7VNxD9j1tTtT5YZO08XHlSjqkQNvmvcC1FWy+15wdj8ZTTS+uOQlg66 +fwEyeKuHuWtkn21QAULqk067kEn8wQXmuU4hbX+RmWhZ15swlLef6l0pihTEWgqnu 6lVw1/gxpHwNqIN/n7I3biONwxm2Kyq/BxCv1/9YBMC3rcWZLd8m+ahpTPKOlQ4ih5 d3WpT+GqC26i1UeRsfyXWjogGLVjwdzfbp5kNvV+D6E85XbJqVUZfHDFK00EAc3tqH KUeyaJWkam0+A== Date: Tue, 18 Jan 2022 04:22:45 +0200 From: Jarkko Sakkinen To: Nathaniel McCallum Cc: Reinette Chatre , Haitao Huang , Andy Lutomirski , dave.hansen@linux.intel.com, tglx@linutronix.de, bp@alien8.de, mingo@redhat.com, linux-sgx@vger.kernel.org, x86@kernel.org, seanjc@google.com, kai.huang@intel.com, cathy.zhang@intel.com, cedric.xing@intel.com, haitao.huang@intel.com, mark.shanahan@intel.com, hpa@zytor.com, linux-kernel@vger.kernel.org Subject: Re: [PATCH 05/25] x86/sgx: Introduce runtime protection bits Message-ID: References: <6e1cb295-b86e-ae09-2cf0-cfefd1a10e65@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 18, 2022 at 03:59:29AM +0200, Jarkko Sakkinen wrote: > On Mon, Jan 17, 2022 at 08:13:32AM -0500, Nathaniel McCallum wrote: > > On Sat, Jan 15, 2022 at 6:57 AM Jarkko Sakkinen wrote: > > > > > > On Sat, Jan 15, 2022 at 03:18:04AM +0200, Jarkko Sakkinen wrote: > > > > On Fri, Jan 14, 2022 at 04:41:59PM -0800, Reinette Chatre wrote: > > > > > Hi Jarkko, > > > > > > > > > > On 1/14/2022 4:27 PM, Jarkko Sakkinen wrote: > > > > > > On Fri, Jan 14, 2022 at 04:01:33PM -0800, Reinette Chatre wrote: > > > > > >> Hi Jarkko, > > > > > >> > > > > > >> On 1/14/2022 3:15 PM, Jarkko Sakkinen wrote: > > > > > >>> On Fri, Jan 14, 2022 at 03:05:21PM -0800, Reinette Chatre wrote: > > > > > >>>> Hi Jarkko, > > > > > >>> > > > > > >>> How enclave can check a page range that EPCM has the expected permissions? > > > > > >> > > > > > >> Only way to change EPCM permissions from outside enclave is to run ENCLS[EMODPR] > > > > > >> that needs to be accepted from within the enclave via ENCLU[EACCEPT]. At that > > > > > >> time the enclave provides the expected permissions and that will fail > > > > > >> if there is a mismatch with the EPCM permissions (SGX_PAGE_ATTRIBUTES_MISMATCH). > > > > > > > > > > > > This is a very valid point but that does make the introspection possible > > > > > > only at the time of EACCEPT. > > > > > > > > > > > > It does not give tools for enclave to make sure that EMODPR-ETRACK dance > > > > > > was ever exercised. > > > > > > > > > > Could you please elaborate? EACCEPT is available to the enclave as a tool > > > > > and it would fail if ETRACK was not completed (error SGX_NOT_TRACKED). > > > > > > > > > > Here is the relevant snippet from the SDM from the section where it > > > > > describes EACCEPT: > > > > > > > > > > IF (Tracking not correct) > > > > > THEN > > > > > RFLAGS.ZF := 1; > > > > > RAX := SGX_NOT_TRACKED; > > > > > GOTO DONE; > > > > > FI; > > > > > > > > > > Reinette > > > > > > > > Yes, if enclave calls EACCEPT it does the necessary introspection and makes > > > > sure that ETRACK is completed. I have trouble understanding how enclave > > > > makes sure that EACCEPT was called. > > > > > > I'm not concerned of anything going wrong once EMODPR has been started. > > > > > > The problem nails down to that the whole EMODPR process is spawned by > > > the entity that is not trusted so maybe that should further broke down > > > to three roles: > > > > > > 1. Build process B > > > 2. Runner process R. > > > 3. Enclave E. > > > > > > And to the costraint that we trust B *more* than R. Once B has done all the > > > needed EMODPR calls it would send the file descriptor to R. Even if R would > > > have full access to /dev/sgx_enclave, it would not matter, since B has done > > > EMODPR-EACCEPT dance with E. > > > > > > So what you can achieve with EMODPR is not protection against mistrusted > > > *OS*. There's absolutely no chance you could use it for that purpose > > > because mistrusted OS controls the whole process. > > > > > > EMODPR is to help to protect enclave against mistrusted *process*, i.e. > > > in the above scenario R. > > > > There are two general cases that I can see. Both are valid. > > > > 1. The OS moves from a trusted to an untrusted state. This could be > > the multi-process system you've described. But it could also be that > > the kernel becomes compromised after the enclave is fully initialized. > > > > 2. The OS is untrustworthy from the start. > > > > The second case is the stronger one and if you can solve it, the first > > one is solved implicitly. And our end goal is that if the OS does > > anything malicious we will crash in a controlled way. > > > > A defensive enclave will always want to have the least number of > > privileges for the maximum protection. Therefore, the enclave will > > want the OS to call EMODPR. If that were it, the host could just lie. > > But the enclave also verifies that the EMODPR operation was, in fact, > > executed by doing EACCEPT. When the enclave calls EACCEPT, if the > > kernel hasn't restricted permissions then we get a controlled crash. > > Therefore, we have solved the second case. > > So you're referring to this part of the SDM pseude code in the SDM: > > (* Check the destination EPC page for concurrency *) > IF ( EPC page in use ) > THEN #GP(0); FI; > > I wonder does "EPC page in use" unconditionally trigger when EACCEPT > is invoked for a page for which all of these conditions hold: > > - .PR := 0 (no EMODPR in progress) > - .MODIFIED := 0 (no EMODT in progress) > - .PENDING := 0 (no EMODPR in progress) > > I don't know the exact scope and scale of "EPC page in use". > > Then, yes, EACCEPT could be at least used to validate that one of the > three operations above was requested. However, enclave thread cannot say > which one was it, so it is guesswork. OK, I got it, and this last paragraph is not true. SECINFO given EACCEPT will lock in rest of the details and make the operation deterministic. The only question mark then is the condition when no requests are active. /Jarkko