Date: Tue, 21 Nov 2017 00:37:41 +0200
From: Jarkko Sakkinen
To: Borislav Petkov
Cc: intel-sgx-kernel-dev@lists.01.org, platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 11/11] intel_sgx: driver documentation
Message-ID: <20171120223741.52dj6gevcwn5jzag@linux.intel.com>
References: <20171113194528.28557-1-jarkko.sakkinen@linux.intel.com> <20171113194528.28557-12-jarkko.sakkinen@linux.intel.com> <20171114083647.uxlaov56s2xw3pua@pd.tnic> <20171114204948.f6g2m62kx5gr5xtw@linux.intel.com> <20171114215327.qiqze33uvhlu555g@pd.tnic>
In-Reply-To: <20171114215327.qiqze33uvhlu555g@pd.tnic>

On Tue, Nov 14, 2017 at 10:53:27PM +0100, Borislav Petkov wrote:
> On Tue, Nov 14, 2017 at 10:49:48PM +0200, Jarkko Sakkinen wrote:
> > Pre-boot firmware could potentially configure the root key hash for the
> > enclave that signs launch tokens for other enclaves i.e. the launch
> > enclave that is built and signed during the kbuild.
>
> So how about firmware doesn't do anything and the machine owner decide
> what enclaves get launched and what key hashes to load for a change?
> I.e., let the owner really own the hardware she paid money for.
>
> Or are we doing encrypted enclaves but then the firmware vendor can look
> inside too?
>
> --
> Regards/Gruss,
> Boris.

Firmware cannot access the memory inside an enclave. The CPU asserts every
memory access coming from outside the enclave.

/Jarkko