From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.2 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 302FEC31E5B for ; Wed, 19 Jun 2019 15:20:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 1056121897 for ; Wed, 19 Jun 2019 15:20:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726109AbfFSPUT (ORCPT ); Wed, 19 Jun 2019 11:20:19 -0400 Received: from mga01.intel.com ([192.55.52.88]:28992 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725899AbfFSPUT (ORCPT ); Wed, 19 Jun 2019 11:20:19 -0400 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Jun 2019 08:20:18 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.63,392,1557212400"; d="scan'208";a="170591956" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.36]) by orsmga002.jf.intel.com with ESMTP; 19 Jun 2019 08:20:18 -0700 Date: Wed, 19 Jun 2019 08:20:18 -0700 From: Sean Christopherson To: Jarkko Sakkinen Cc: linux-sgx@vger.kernel.org, Dave Hansen , Cedric Xing , Andy Lutomirski , Jethro Beekman , "Dr . Greg Wettstein" , Stephen Smalley Subject: Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits Message-ID: <20190619152018.GC1203@linux.intel.com> References: <20190617222438.2080-1-sean.j.christopherson@intel.com> <20190617222438.2080-5-sean.j.christopherson@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-sgx-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-sgx@vger.kernel.org On Wed, Jun 19, 2019 at 05:43:11PM +0300, Jarkko Sakkinen wrote: > On Mon, 2019-06-17 at 15:24 -0700, Sean Christopherson wrote: > > + __u32 flags; > > This should be changed to secinfo_flags_mask containing a mask of the > allowed bits for the secinfo flags because of two obvious reasons: > > 1. Protection flags are used mainly with syscalls and contain also other > things than just the permissions that do not apply in this context. > 2. Having a mask for all secinfo flags is more future proof. > > With the protection flags you end up reserving bits forever for things > that we will never have any use for (e.g. PROT_SEM). > > Looking the change you convert 'flags' (wondering why it isn't called > 'prot') to VM flags, which means that you essentially gain absolutely > nothing and loose some potential versatility as a side-effect by doing > that. Ah, I see where you're coming from. My intent was that supported flags would be SGX specific, not generic PROT_* flags. I.e. bits 2:0 are used for PROT_{READ,WRITE,EXEC}, bit 7 can be used for SGX_ZERO_PAGE, etc... I have two objections to 'secinfo_flags_mask': - A full SECINFO mask is problematic for literally every other bit/field currently defined in SECINFO.FLAGS, e.g. masking PAGE_TYPE, PENDING and MODIFIED adds no value that I can think of, but would require the kernel do to weird things like reject page types and EMODPR requests (due to their PENDING/MODIFIED interaction). - The kernel doesn't actually restrict SECINFO based on the param, it's restricting VM_MAY* flags in the vmas. 'secinfo_flags_mask' implies the kernel is somehow masking SECINFO. What about something like this? /** * struct sgx_enclave_add_page - parameter structure for the * %SGX_IOC_ENCLAVE_ADD_PAGE ioctl * @addr: address within the ELRANGE * @src: address for the page data * @secinfo: address for the SECINFO data * @mrmask: bitmask for the measured 256 byte chunks * @prot: maximal PROT_{READ,WRITE,EXEC} permissions for the page */ struct sgx_enclave_add_page { __u64 addr; __u64 src; __u64 secinfo; __u16 mrmask; __u8 prot; __u8 pad; __u64[2] reserved; };