Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX

[RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Sean Christopherson <hidden> · 2019-05-31
[RFC PATCH 1/9] x86/sgx: Remove unused local variable in sgx_encl_release() · Sean Christopherson <hidden> · 2019-05-31
Re: [RFC PATCH 1/9] x86/sgx: Remove unused local variable in sgx_encl_release() · Jarkko Sakkinen <hidden> · 2019-06-04
[RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Sean Christopherson <hidden> · 2019-05-31
RE: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Sean Christopherson <hidden> · 2019-06-03
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Sean Christopherson <hidden> · 2019-06-03
RE: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Sean Christopherson <hidden> · 2019-06-04
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Andy Lutomirski <luto@kernel.org> · 2019-06-04
RE: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Xing, Cedric <hidden> · 2019-06-04
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Dave Hansen <hidden> · 2019-06-03
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Sean Christopherson <hidden> · 2019-06-03
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Dave Hansen <hidden> · 2019-06-03
RE: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Sean Christopherson <hidden> · 2019-06-04
Re: [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() · Jarkko Sakkinen <hidden> · 2019-06-04
[RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Sean Christopherson <hidden> · 2019-05-31
RE: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Andy Lutomirski <luto@kernel.org> · 2019-06-04
Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Jarkko Sakkinen <hidden> · 2019-06-04
Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Andy Lutomirski <luto@kernel.org> · 2019-06-04
Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Sean Christopherson <hidden> · 2019-06-04
RE: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Xing, Cedric <hidden> · 2019-06-04
Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Jarkko Sakkinen <hidden> · 2019-06-05
Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves · Sean Christopherson <hidden> · 2019-06-06
[RFC PATCH 9/9] security/selinux: Add enclave_load() implementation · Sean Christopherson <hidden> · 2019-05-31
Re: [RFC PATCH 9/9] security/selinux: Add enclave_load() implementation · Stephen Smalley <hidden> · 2019-06-03
Re: [RFC PATCH 9/9] security/selinux: Add enclave_load() implementation · Sean Christopherson <hidden> · 2019-06-03
[RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Sean Christopherson <hidden> · 2019-05-31
RE: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Stephen Smalley <hidden> · 2019-06-03
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Sean Christopherson <hidden> · 2019-06-03
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Stephen Smalley <hidden> · 2019-06-03
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Dave Hansen <hidden> · 2019-06-03
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Andy Lutomirski <luto@kernel.org> · 2019-06-04
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Sean Christopherson <hidden> · 2019-06-04
RE: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Xing, Cedric <hidden> · 2019-06-04
Re: [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Sean Christopherson <hidden> · 2019-06-06
[RFC PATCH 5/9] x86/sgx: Restrict mapping without an enclave page to PROT_NONE · Sean Christopherson <hidden> · 2019-05-31
RE: [RFC PATCH 5/9] x86/sgx: Restrict mapping without an enclave page to PROT_NONE · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 5/9] x86/sgx: Restrict mapping without an enclave page to PROT_NONE · Jarkko Sakkinen <hidden> · 2019-06-04
[RFC PATCH 4/9] mm: Introduce vm_ops->mprotect() · Sean Christopherson <hidden> · 2019-05-31
RE: [RFC PATCH 4/9] mm: Introduce vm_ops->mprotect() · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 4/9] mm: Introduce vm_ops->mprotect() · Jarkko Sakkinen <hidden> · 2019-06-04
Re: [RFC PATCH 4/9] mm: Introduce vm_ops->mprotect() · Andy Lutomirski <luto@kernel.org> · 2019-06-04
[RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Sean Christopherson <hidden> · 2019-05-31
RE: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Jarkko Sakkinen <hidden> · 2019-06-04
Re: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Sean Christopherson <hidden> · 2019-06-04
Re: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Jarkko Sakkinen <hidden> · 2019-06-05
Re: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Andy Lutomirski <luto@kernel.org> · 2019-06-04
RE: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Ayoun, Serge <hidden> · 2019-06-05
Re: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES · Sean Christopherson <hidden> · 2019-06-05
[RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Sean Christopherson <hidden> · 2019-05-31
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Jarkko Sakkinen <hidden> · 2019-06-04
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Andy Lutomirski <luto@kernel.org> · 2019-06-04
RE: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Xing, Cedric <hidden> · 2019-06-04
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Sean Christopherson <hidden> · 2019-06-05
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Jarkko Sakkinen <hidden> · 2019-06-05
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Andy Lutomirski <luto@amacapital.net> · 2019-06-05
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Jarkko Sakkinen <hidden> · 2019-06-06
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Jarkko Sakkinen <hidden> · 2019-06-13
RE: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Xing, Cedric <hidden> · 2019-06-13
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Sean Christopherson <hidden> · 2019-06-13
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Jarkko Sakkinen <hidden> · 2019-06-14
Re: [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address · Jarkko Sakkinen <hidden> · 2019-06-05
RE: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Xing, Cedric <hidden> · 2019-06-02
Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Sean Christopherson <hidden> · 2019-06-03
RE: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Sean Christopherson <hidden> · 2019-06-04
Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Stephen Smalley <hidden> · 2019-06-04
Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Sean Christopherson <hidden> · 2019-06-04
RE: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Xing, Cedric <hidden> · 2019-06-04
Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Stephen Smalley <hidden> · 2019-06-03
RE: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Xing, Cedric <hidden> · 2019-06-03
Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM · Jarkko Sakkinen <hidden> · 2019-06-04

From: Sean Christopherson <hidden>
Date: 2019-06-04 20:36:51
Also in: lkml, selinux

On Tue, Jun 04, 2019 at 01:29:10PM -0700, Andy Lutomirski wrote:

On Fri, May 31, 2019 at 4:32 PM Sean Christopherson
[off-list ref] wrote:

quoted

 static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long addr,

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 47f58cfb6a19..0562775424a0 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h

@@ -1446,6 +1446,14 @@
  * @bpf_prog_free_security:
  *     Clean up the security information stored inside bpf prog.
  *
+ * Security hooks for Intel SGX enclaves.
+ *
+ * @enclave_load:
+ *     On success, returns 0 and optionally adjusts @allowed_prot
+ *     @vma: the source memory region of the enclave page being loaded.
+ *     @prot: the initial protection of the enclave page.

What do you mean "initial"?  The page is always mapped PROT_NONE when
this is called, right?  I feel like I must be missing something here.

Initial protection in the EPCM.  Yet another reason to ignore SECINFO.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help