RE: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES

[RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Sean Christopherson <hidden> · 2019-05-31
[RFC PATCH 1/9] x86/sgx: Remove unused local variable in sgx_encl_release() · Sean Christopherson <hidden> · 2019-05-31
Re: [RFC PATCH 1/9] x86/sgx: Remove unused local variable in sgx_encl_release() · Jarkko Sakkinen <hidden> · 2019-06-04
[RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Sean Christopherson <hidden> · 2019-05-31
RE: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Sean Christopherson <hidden> · 2019-06-03
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Sean Christopherson <hidden> · 2019-06-03
RE: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Sean Christopherson <hidden> · 2019-06-04
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Andy Lutomirski <luto@kernel.org> · 2019-06-04
RE: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Xing, Cedric <hidden> · 2019-06-04
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Dave Hansen <hidden> · 2019-06-03
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Sean Christopherson <hidden> · 2019-06-03
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Dave Hansen <hidden> · 2019-06-03
RE: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Sean Christopherson <hidden> · 2019-06-04
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Jarkko Sakkinen <hidden> · 2019-06-04
[RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Sean Christopherson <hidden> · 2019-05-31
RE: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Andy Lutomirski <luto@kernel.org> · 2019-06-04
Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Jarkko Sakkinen <hidden> · 2019-06-04
Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Andy Lutomirski <luto@kernel.org> · 2019-06-04
Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Sean Christopherson <hidden> · 2019-06-04
RE: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Xing, Cedric <hidden> · 2019-06-04
Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Jarkko Sakkinen <hidden> · 2019-06-05
Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Sean Christopherson <hidden> · 2019-06-06
[RFC PATCH 9/9] security/selinux: Add enclave_load() implementation · Sean Christopherson <hidden> · 2019-05-31
Re: [RFC PATCH 9/9] security/selinux: Add enclave_load() implementation · Stephen Smalley <hidden> · 2019-06-03
Re: [RFC PATCH 9/9] security/selinux: Add enclave_load() implementation · Sean Christopherson <hidden> · 2019-06-03
[RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Sean Christopherson <hidden> · 2019-05-31
RE: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Stephen Smalley <hidden> · 2019-06-03
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Sean Christopherson <hidden> · 2019-06-03
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Stephen Smalley <hidden> · 2019-06-03
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Dave Hansen <hidden> · 2019-06-03
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Andy Lutomirski <luto@kernel.org> · 2019-06-04
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Sean Christopherson <hidden> · 2019-06-04
RE: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Xing, Cedric <hidden> · 2019-06-04
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Sean Christopherson <hidden> · 2019-06-06
[RFC PATCH 5/9] x86/sgx: Restrict mapping without an enclave page to PROT_NONE · Sean Christopherson <hidden> · 2019-05-31
RE: [RFC PATCH 5/9] x86/sgx: Restrict mapping without an enclave page to PROT_NONE · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 5/9] x86/sgx: Restrict mapping without an enclave page to PROT_NONE · Jarkko Sakkinen <hidden> · 2019-06-04
[RFC PATCH 4/9] mm: Introduce vm_ops->mprotect() · Sean Christopherson <hidden> · 2019-05-31
RE: [RFC PATCH 4/9] mm: Introduce vm_ops->mprotect() · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 4/9] mm: Introduce vm_ops->mprotect() · Jarkko Sakkinen <hidden> · 2019-06-04
Re: [RFC PATCH 4/9] mm: Introduce vm_ops->mprotect() · Andy Lutomirski <luto@kernel.org> · 2019-06-04
[RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Sean Christopherson <hidden> · 2019-05-31
RE: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Jarkko Sakkinen <hidden> · 2019-06-04
Re: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Sean Christopherson <hidden> · 2019-06-04
Re: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Jarkko Sakkinen <hidden> · 2019-06-05
Re: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Andy Lutomirski <luto@kernel.org> · 2019-06-04
RE: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Ayoun, Serge <hidden> · 2019-06-05
Re: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Sean Christopherson <hidden> · 2019-06-05
[RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Sean Christopherson <hidden> · 2019-05-31
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Jarkko Sakkinen <hidden> · 2019-06-04
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Andy Lutomirski <luto@kernel.org> · 2019-06-04
RE: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Xing, Cedric <hidden> · 2019-06-04
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Sean Christopherson <hidden> · 2019-06-05
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Jarkko Sakkinen <hidden> · 2019-06-05
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Andy Lutomirski <luto@amacapital.net> · 2019-06-05
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Jarkko Sakkinen <hidden> · 2019-06-06
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Jarkko Sakkinen <hidden> · 2019-06-13
RE: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Xing, Cedric <hidden> · 2019-06-13
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Sean Christopherson <hidden> · 2019-06-13
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Jarkko Sakkinen <hidden> · 2019-06-14
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Jarkko Sakkinen <hidden> · 2019-06-05
RE: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Xing, Cedric <hidden> · 2019-06-02
Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Sean Christopherson <hidden> · 2019-06-03
RE: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Sean Christopherson <hidden> · 2019-06-04
Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Stephen Smalley <hidden> · 2019-06-04
Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Sean Christopherson <hidden> · 2019-06-04
RE: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Xing, Cedric <hidden> · 2019-06-04
Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Stephen Smalley <hidden> · 2019-06-03
RE: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Jarkko Sakkinen <hidden> · 2019-06-04

From: Xing, Cedric <hidden>
Date: 2019-06-03 06:28:58
Also in: lkml, selinux

From: Christopherson, Sean J
Sent: Friday, May 31, 2019 4:32 PM

...to support (the equivalent) of existing Linux Security Module functionality.

Because SGX manually manages EPC memory, all enclave VMAs are backed by the same vm_file,
i.e. /dev/sgx/enclave, so that SGX can implement the necessary hooks to move pages in/out
of the EPC.  And because EPC pages for any given enclave are fundamentally shared between
processes, i.e.
CoW semantics are not possible with EPC pages, /dev/sgx/enclave must always be MAP_SHARED.
Lastly, all real world enclaves will need read, write and execute permissions to EPC pages.
As a result, SGX does not play nice with existing LSM behavior as it is impossible to
apply policies to enclaves with any reasonable granularity, e.g. an LSM can deny access to
EPC altogether, but can't deny potentially dangerous behavior such as mapping pages RW->RW
or RWX.

To give LSMs enough information to implement their policies without having to resort to
ugly things, e.g. holding a reference to the vm_file of each enclave page, require
userspace to explicitly state the allowed protections for each page (region), i.e. take
ALLOW_{READ,WRITE,EXEC} in the ADD_PAGES ioctl.

The ALLOW_* flags will be passed to LSMs so that they can make informed decisions when the
enclave is being built, i.e. when the source vm_file is available.  For example, SELinux's
EXECMOD permission can be required if an enclave is requesting both ALLOW_WRITE and
ALLOW_EXEC.

Update the mmap()/mprotect() hooks to enforce the ALLOW_* protections, a la the standard
VM_MAY{READ,WRITE,EXEC} flags.

The ALLOW_EXEC flag also has a second (important) use in that it can be used to prevent
loading an enclave from a noexec file system, on
SGX2 hardware (regardless of kernel support for SGX2), userspace could EADD from a noexec
path using read-only permissions and later mprotect() and ENCLU[EMODPE] the page to gain
execute permissions.  By requiring ALLOW_EXEC up front, SGX will be able to enforce noexec
paths when building the enclave.

ALLOW_* flags shall be kept internal to LSM.

This patch is completely unnecessary.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help