From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: linux-sgx@vger.kernel.org, Dave Hansen <dave.hansen@intel.com>,
Cedric Xing <cedric.xing@intel.com>,
Andy Lutomirski <luto@kernel.org>,
Jethro Beekman <jethro@fortanix.com>,
"Dr . Greg Wettstein" <greg@enjellic.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
Date: Wed, 19 Jun 2019 08:20:18 -0700 [thread overview]
Message-ID: <20190619152018.GC1203@linux.intel.com> (raw)
In-Reply-To: <dc3d59c2783ea81d85d4d447bd1a4a2d5fe51421.camel@linux.intel.com>
On Wed, Jun 19, 2019 at 05:43:11PM +0300, Jarkko Sakkinen wrote:
> On Mon, 2019-06-17 at 15:24 -0700, Sean Christopherson wrote:
> > + __u32 flags;
>
> This should be changed to secinfo_flags_mask containing a mask of the
> allowed bits for the secinfo flags because of two obvious reasons:
>
> 1. Protection flags are used mainly with syscalls and contain also other
> things than just the permissions that do not apply in this context.
> 2. Having a mask for all secinfo flags is more future proof.
>
> With the protection flags you end up reserving bits forever for things
> that we will never have any use for (e.g. PROT_SEM).
>
> Looking the change you convert 'flags' (wondering why it isn't called
> 'prot') to VM flags, which means that you essentially gain absolutely
> nothing and loose some potential versatility as a side-effect by doing
> that.
Ah, I see where you're coming from. My intent was that supported flags
would be SGX specific, not generic PROT_* flags. I.e. bits 2:0 are used
for PROT_{READ,WRITE,EXEC}, bit 7 can be used for SGX_ZERO_PAGE, etc...
I have two objections to 'secinfo_flags_mask':
- A full SECINFO mask is problematic for literally every other bit/field
currently defined in SECINFO.FLAGS, e.g. masking PAGE_TYPE, PENDING
and MODIFIED adds no value that I can think of, but would require the
kernel do to weird things like reject page types and EMODPR requests
(due to their PENDING/MODIFIED interaction).
- The kernel doesn't actually restrict SECINFO based on the param, it's
restricting VM_MAY* flags in the vmas. 'secinfo_flags_mask' implies
the kernel is somehow masking SECINFO.
What about something like this?
/**
* struct sgx_enclave_add_page - parameter structure for the
* %SGX_IOC_ENCLAVE_ADD_PAGE ioctl
* @addr: address within the ELRANGE
* @src: address for the page data
* @secinfo: address for the SECINFO data
* @mrmask: bitmask for the measured 256 byte chunks
* @prot: maximal PROT_{READ,WRITE,EXEC} permissions for the page
*/
struct sgx_enclave_add_page {
__u64 addr;
__u64 src;
__u64 secinfo;
__u16 mrmask;
__u8 prot;
__u8 pad;
__u64[2] reserved;
};
next prev parent reply other threads:[~2019-06-19 15:20 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-17 22:24 [RFC PATCH v3 00/12] security: x86/sgx: SGX vs. LSM, round 3 Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 01/12] x86/sgx: Add mm to enclave at mmap() Sean Christopherson
2019-06-17 22:32 ` Dave Hansen
2019-06-17 23:42 ` Andy Lutomirski
2019-06-18 14:11 ` Sean Christopherson
2019-06-18 16:06 ` Sean Christopherson
2019-06-19 12:56 ` Jarkko Sakkinen
2019-06-19 13:00 ` Jarkko Sakkinen
2019-06-20 20:09 ` Jarkko Sakkinen
2019-06-17 22:24 ` [RFC PATCH v3 02/12] x86/sgx: Do not naturally align MAP_FIXED address Sean Christopherson
2019-06-19 13:24 ` Jarkko Sakkinen
2019-06-19 14:08 ` Sean Christopherson
2019-06-20 22:07 ` Jarkko Sakkinen
2019-06-17 22:24 ` [RFC PATCH v3 03/12] selftests: x86/sgx: Mark the enclave loader as not needing an exec stack Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits Sean Christopherson
2019-06-19 14:43 ` Jarkko Sakkinen
2019-06-19 15:20 ` Sean Christopherson [this message]
2019-06-20 22:17 ` Jarkko Sakkinen
2019-07-07 19:08 ` Sean Christopherson
2019-07-08 15:23 ` Jarkko Sakkinen
2019-07-08 16:19 ` Sean Christopherson
2019-07-09 16:06 ` Jarkko Sakkinen
2019-07-10 17:25 ` Sean Christopherson
2019-07-15 22:29 ` Andy Lutomirski
2019-08-01 16:38 ` Jarkko Sakkinen
2019-08-04 22:20 ` Andy Lutomirski
2019-08-05 20:51 ` Jarkko Sakkinen
2019-08-05 21:30 ` Andy Lutomirski
2019-08-07 18:51 ` Jarkko Sakkinen
2019-06-17 22:24 ` [RFC PATCH v3 05/12] x86/sgx: Enforce noexec filesystem restriction for enclaves Sean Christopherson
2019-06-19 14:46 ` Jarkko Sakkinen
2019-06-17 22:24 ` [RFC PATCH v3 06/12] mm: Introduce vm_ops->may_mprotect() Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 07/12] LSM: x86/sgx: Introduce ->enclave_map() hook for Intel SGX Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 08/12] security/selinux: Require SGX_EXECMEM to map enclave page WX Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 09/12] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX Sean Christopherson
2019-06-19 14:56 ` Jarkko Sakkinen
2019-06-19 21:13 ` James Morris
2019-06-20 9:28 ` Dr. Greg
2019-06-20 22:22 ` Jarkko Sakkinen
2019-06-23 17:16 ` Dr. Greg
2019-06-26 20:39 ` James Morris
2019-06-17 22:24 ` [RFC PATCH v3 10/12] security/selinux: Add enclave_load() implementation Sean Christopherson
2019-06-18 14:49 ` Stephen Smalley
2019-06-19 20:59 ` Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 11/12] security/apparmor: " Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 12/12] LSM: x86/sgx: Show line of sight to LSM support SGX2's EAUG Sean Christopherson
2019-06-18 13:38 ` [RFC PATCH v3 00/12] security: x86/sgx: SGX vs. LSM, round 3 Stephen Smalley
2019-06-18 13:55 ` Sean Christopherson
2019-06-18 15:13 ` Stephen Smalley
2019-06-25 16:29 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190619152018.GC1203@linux.intel.com \
--to=sean.j.christopherson@intel.com \
--cc=cedric.xing@intel.com \
--cc=dave.hansen@intel.com \
--cc=greg@enjellic.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@kernel.org \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.