From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: linux-sgx@vger.kernel.org, Dave Hansen <dave.hansen@intel.com>,
Cedric Xing <cedric.xing@intel.com>,
Andy Lutomirski <luto@kernel.org>,
Jethro Beekman <jethro@fortanix.com>,
"Dr . Greg Wettstein" <greg@enjellic.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits
Date: Wed, 10 Jul 2019 10:25:54 -0700 [thread overview]
Message-ID: <20190710172553.GE4348@linux.intel.com> (raw)
In-Reply-To: <20190709160634.3yupyabf5svnj4ds@linux.intel.com>
On Tue, Jul 09, 2019 at 07:06:34PM +0300, Jarkko Sakkinen wrote:
> On Mon, Jul 08, 2019 at 09:19:32AM -0700, Sean Christopherson wrote:
> > > 2. Probably some "user story" type of examples would help with the
> > > discussion overall [1] i.e. how one would use this for
> > > her own good.
> >
> > The compelling story is Andy's original concern that userspace could
> > circumvent existing security policies by running code in an enclave.
> >
> > AIUI, closing the LSM loophole is the minimal requirement to get SGX
> > upstreamed. The extensive discussion has largely been focused on
> > ensuring that whatever mechanism is used to close the loophole will
> > play nice with future SGX functionality and/or LSM security policies.
>
> OK, might be getting here where I fall out of the wagon so:
>
> Doesn't Andy's example anyway require a process that has privileges to
> make pages executable i.e. it could run arbitrary code even without an
> enclave?
Ah, no. He did raise that concern, but it'd only be an issue if the
enclave fd were backed by an anon inode, in which case all enclaves would
need EXECMEM in order to gain PROT_EXEC on EPC. Because the fd is backed
/dev/sgx/enclave, userspace just needs FILE__EXECUTE on /dev/sgx/enclave.
next prev parent reply other threads:[~2019-07-10 17:25 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-17 22:24 [RFC PATCH v3 00/12] security: x86/sgx: SGX vs. LSM, round 3 Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 01/12] x86/sgx: Add mm to enclave at mmap() Sean Christopherson
2019-06-17 22:32 ` Dave Hansen
2019-06-17 23:42 ` Andy Lutomirski
2019-06-18 14:11 ` Sean Christopherson
2019-06-18 16:06 ` Sean Christopherson
2019-06-19 12:56 ` Jarkko Sakkinen
2019-06-19 13:00 ` Jarkko Sakkinen
2019-06-20 20:09 ` Jarkko Sakkinen
2019-06-17 22:24 ` [RFC PATCH v3 02/12] x86/sgx: Do not naturally align MAP_FIXED address Sean Christopherson
2019-06-19 13:24 ` Jarkko Sakkinen
2019-06-19 14:08 ` Sean Christopherson
2019-06-20 22:07 ` Jarkko Sakkinen
2019-06-17 22:24 ` [RFC PATCH v3 03/12] selftests: x86/sgx: Mark the enclave loader as not needing an exec stack Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 04/12] x86/sgx: Require userspace to define enclave pages' protection bits Sean Christopherson
2019-06-19 14:43 ` Jarkko Sakkinen
2019-06-19 15:20 ` Sean Christopherson
2019-06-20 22:17 ` Jarkko Sakkinen
2019-07-07 19:08 ` Sean Christopherson
2019-07-08 15:23 ` Jarkko Sakkinen
2019-07-08 16:19 ` Sean Christopherson
2019-07-09 16:06 ` Jarkko Sakkinen
2019-07-10 17:25 ` Sean Christopherson [this message]
2019-07-15 22:29 ` Andy Lutomirski
2019-08-01 16:38 ` Jarkko Sakkinen
2019-08-04 22:20 ` Andy Lutomirski
2019-08-05 20:51 ` Jarkko Sakkinen
2019-08-05 21:30 ` Andy Lutomirski
2019-08-07 18:51 ` Jarkko Sakkinen
2019-06-17 22:24 ` [RFC PATCH v3 05/12] x86/sgx: Enforce noexec filesystem restriction for enclaves Sean Christopherson
2019-06-19 14:46 ` Jarkko Sakkinen
2019-06-17 22:24 ` [RFC PATCH v3 06/12] mm: Introduce vm_ops->may_mprotect() Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 07/12] LSM: x86/sgx: Introduce ->enclave_map() hook for Intel SGX Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 08/12] security/selinux: Require SGX_EXECMEM to map enclave page WX Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 09/12] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX Sean Christopherson
2019-06-19 14:56 ` Jarkko Sakkinen
2019-06-19 21:13 ` James Morris
2019-06-20 9:28 ` Dr. Greg
2019-06-20 22:22 ` Jarkko Sakkinen
2019-06-23 17:16 ` Dr. Greg
2019-06-26 20:39 ` James Morris
2019-06-17 22:24 ` [RFC PATCH v3 10/12] security/selinux: Add enclave_load() implementation Sean Christopherson
2019-06-18 14:49 ` Stephen Smalley
2019-06-19 20:59 ` Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 11/12] security/apparmor: " Sean Christopherson
2019-06-17 22:24 ` [RFC PATCH v3 12/12] LSM: x86/sgx: Show line of sight to LSM support SGX2's EAUG Sean Christopherson
2019-06-18 13:38 ` [RFC PATCH v3 00/12] security: x86/sgx: SGX vs. LSM, round 3 Stephen Smalley
2019-06-18 13:55 ` Sean Christopherson
2019-06-18 15:13 ` Stephen Smalley
2019-06-25 16:29 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190710172553.GE4348@linux.intel.com \
--to=sean.j.christopherson@intel.com \
--cc=cedric.xing@intel.com \
--cc=dave.hansen@intel.com \
--cc=greg@enjellic.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@kernel.org \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.