From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: linux-sgx@vger.kernel.org, Borislav Petkov <bp@suse.de>
Subject: Re: [PATCH] x86/sgx: Roof the number of pages process in SGX_IOC_ENCLAVE_ADD_PAGES
Date: Mon, 14 Sep 2020 21:09:13 +0300 [thread overview]
Message-ID: <20200914180913.GE9369@linux.intel.com> (raw)
In-Reply-To: <20200911155125.GA4344@sjchrist-ice>
On Fri, Sep 11, 2020 at 08:51:27AM -0700, Sean Christopherson wrote:
> On Fri, Sep 11, 2020 at 02:43:15PM +0300, Jarkko Sakkinen wrote:
> > On Tue, Sep 08, 2020 at 10:30:33PM -0700, Sean Christopherson wrote:
> > > > for (c = 0 ; c < addp.length; c += PAGE_SIZE) {
> > > > - if (signal_pending(current)) {
> > > > - ret = -EINTR;
> > > > + if (c == SGX_MAX_ADD_PAGES_LENGTH || signal_pending(current)) {
> > > > + ret = c;
> > >
> > > I don't have an opinion on returning count vs. EINTR, but I don't see the
> > > point in arbitrarily capping the number of pages that can be added in a
> > > single ioctl(). It doesn't provide any real protection, e.g. userspace
> > > can simply restart the ioctl() with updated offsets and continue spamming
> > > EADDs. We are relying on other limits, e.g. memcg, rlimits, etc... to
> > > reign in malicious/broken userspace.
> > >
> > > There is nothing inherently dangerous about spending time in the kernel so
> > > long as appropriate checks are made, e.g. for a pending signel and resched.
> > > If we're missing checks, adding an arbitrary limit won't fix the underlying
> > > problem, at least not in a deterministic way.
> > >
> > > If we really want a limit of some form, adding a knob to control the max
> > > size of an enclave seems like the way to go. But even that is of dubious
> > > value as I'd rather rely on existing limits for virtual and physical memory,
> > > and add a proper EPC cgroup to account and limit EPC memory.
> >
> > It is better to have a contract in the API that the number of processed
> > pages can be less than given, not unlike in syscalls such as write().
>
> That can be handled by a comment, no? If we want to "enforce" the behavior,
> I'd rather bail out of the loop after a random number of pages than have a
> completely arbitrary limit. The arbitrary limit will create a contract of
> its own and may lead to weird guest implementations.
I don't understand.
It is already a random number given that also signal can cause this.
/Jarkko
next prev parent reply other threads:[~2020-09-14 18:10 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-08 19:00 [PATCH] x86/sgx: Roof the number of pages process in SGX_IOC_ENCLAVE_ADD_PAGES Jarkko Sakkinen
2020-09-09 5:30 ` Sean Christopherson
[not found] ` <20200911114315.GA6760@linux.intel.com>
2020-09-11 15:51 ` Sean Christopherson
2020-09-11 17:38 ` Haitao Huang
2020-09-14 18:07 ` Jarkko Sakkinen
2020-09-14 18:09 ` Jarkko Sakkinen [this message]
2020-09-09 9:55 ` Darren Kenny
2020-09-11 11:50 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200914180913.GE9369@linux.intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=bp@suse.de \
--cc=linux-sgx@vger.kernel.org \
--cc=sean.j.christopherson@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.