From: Jarkko Sakkinen <jarkko@kernel.org>
To: Reinette Chatre <reinette.chatre@intel.com>
Cc: linux-sgx@vger.kernel.org,
Nathaniel McCallum <nathaniel@profian.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
"maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
<x86@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
"open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v3] x86/sgx: Do not limit EAUG'd pages by pre-initialization policy
Date: Sat, 5 Mar 2022 03:59:56 +0200 [thread overview]
Message-ID: <YiLEHBlXAz+sUheO@kernel.org> (raw)
In-Reply-To: <684930a2-a247-7d5e-90e8-6e80db618c4c@intel.com>
On Fri, Mar 04, 2022 at 11:09:36AM -0800, Reinette Chatre wrote:
> Hi Jarkko,
>
> On 3/3/2022 7:39 PM, Jarkko Sakkinen wrote:
> > Pre-initialization policy is meant for EADD'd pages because they are
> > part of the enclave identity. It's a good practice to not let touch the
> > permissions after initialization, and does provide guarantees to e.g.
> > LSM's about the enclave.
>
> I disagree. There are scenarios where it is indeed good practice to
> modify the permissions after initialization. For example, pages that
> may be used for relocatable code can start with RWX permissions but once
> the pages have been populated with the code they should be able to restrict
> permissions to RX only. It is not good practice to require RWX permission
> over their entire lifetime. Ideally pages should only have the lowest
> permissions possible.
The only permissions kernel has real control is PTE permissions when
the enclave has been initialized.
You are introducing an artificial limitation with vm_run_prot_bits
that makes e.g. EMODPE more costly for no good reason, and in-kernel
variable has nothing to do with the permissions. They are located
in EPCM.
> Supporting the modification of permissions after initialization enables
> the security conscious enclave owner to support the security
> principle of least privilege.
1. Kernel has the control of PTE permissions.
2. Enclave has the control of EPCM permissions.
vm_run_prot_bits does not help making anything more secure.
BR, Jarkko
prev parent reply other threads:[~2022-03-05 2:00 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-04 3:39 [PATCH v3] x86/sgx: Do not limit EAUG'd pages by pre-initialization policy Jarkko Sakkinen
2022-03-04 19:09 ` Reinette Chatre
2022-03-05 1:59 ` Jarkko Sakkinen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YiLEHBlXAz+sUheO@kernel.org \
--to=jarkko@kernel.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=nathaniel@profian.com \
--cc=reinette.chatre@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.