linux-sgx.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Ayoun, Serge" <serge.ayoun@intel.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	"linux-sgx@vger.kernel.org" <linux-sgx@vger.kernel.org>
Cc: "Christopherson, Sean J" <sean.j.christopherson@intel.com>
Subject: RE: [PATCH 4/5] x86/sgx: Validate TCS permssions in sgx_validate_secinfo()
Date: Thu, 22 Aug 2019 11:33:35 +0000	[thread overview]
Message-ID: <88B7642769729B409B4A93D7C5E0C5E7C661E7A7@hasmsx108.ger.corp.intel.com> (raw)
In-Reply-To: <20190821184544.ii37h7hhxjiocbb4@linux.intel.com>

> From: linux-sgx-owner@vger.kernel.org <linux-sgx-owner@vger.kernel.org>
> On Behalf Of Jarkko Sakkinen
> Sent: Wednesday, August 21, 2019 21:46
> To: linux-sgx@vger.kernel.org
> Cc: Christopherson, Sean J <sean.j.christopherson@intel.com>
> Subject: Re: [PATCH 4/5] x86/sgx: Validate TCS permssions in
> sgx_validate_secinfo()
> 
> On Mon, Aug 19, 2019 at 06:25:43PM +0300, Jarkko Sakkinen wrote:
> > The validation of TCS permissions was missing from
> > sgx_validate_secinfo(). This patch adds the validation.
> >
> > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> > ---
> >  arch/x86/kernel/cpu/sgx/driver/ioctl.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > index 99b1b9776c3a..2415dcb20a6e 100644
> > --- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > +++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > @@ -423,6 +423,12 @@ static int sgx_validate_secinfo(struct sgx_secinfo
> *secinfo)
> >  	if ((perm & SGX_SECINFO_W) && !(perm & SGX_SECINFO_R))
> >  		return -EINVAL;
> >
> > +	/* CPU will silently overwrite the permissions as zero, which means
> > +	 * that we need to validate it ourselves.
> > +	 */
> > +	if (page_type == SGX_SECINFO_TCS && perm)
> > +		return -EINVAL;
> > +
> >  	if (secinfo->flags & SGX_SECINFO_RESERVED_MASK)
> >  		return -EINVAL;
> >
> > --
> > 2.20.1
> >
> 
> OK, just found out that this patch did not end up to my test image and
> causes a regression.
> 
> I think this should be fixed in sgx_encl_may_map() by having the
> following special case for TCS (in addition to the change in this
> patch of course):
> 
> 1. Check if we encounter a TCS page.
> 2. If yes, we evaluate RW for the VM flags.
> 

Also replying to Sean.
Sean is right that never mind the value in secsinfo->flags, HW will reset RWX
For TCS pages.
So basically you may not enforce and and could not check those but... The signature depends
On those flags, so if you put a non-zero flag value, eadd will pass but if you
compute the signature according to this non zero value then you will have
a delta between ur signature and HW's signature: einit will fail.
So this is tricky and more a usability issue.
I vote for checking the flag is zeroed.
---------------------------------------------------------------------
Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.


  reply	other threads:[~2019-08-22 11:33 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-19 15:25 [PATCH 0/5] x86/sgx: Improve permission handing Jarkko Sakkinen
2019-08-19 15:25 ` [PATCH 1/5] x86/sgx: Document permission handling better Jarkko Sakkinen
2019-08-22  3:43   ` Sean Christopherson
2019-08-22 16:04     ` Jarkko Sakkinen
2019-08-19 15:25 ` [PATCH 2/5] x86/sgx: Use memchr_inv() in sgx_validate_secinfo() Jarkko Sakkinen
2019-08-22  3:47   ` Sean Christopherson
2019-08-22 16:20     ` Jarkko Sakkinen
2019-08-19 15:25 ` [PATCH 3/5] x86/sgx: Make sgx_validate_secinfo() more readable Jarkko Sakkinen
2019-08-22  3:48   ` Sean Christopherson
2019-08-22 16:26     ` Jarkko Sakkinen
2019-08-22 10:39   ` Ayoun, Serge
2019-08-22 16:45     ` Jarkko Sakkinen
2019-08-19 15:25 ` [PATCH 4/5] x86/sgx: Validate TCS permssions in sgx_validate_secinfo() Jarkko Sakkinen
2019-08-21 18:45   ` Jarkko Sakkinen
2019-08-22 11:33     ` Ayoun, Serge [this message]
2019-08-22 14:27       ` Sean Christopherson
2019-08-22 16:46       ` Jarkko Sakkinen
2019-08-22 16:59         ` Jarkko Sakkinen
2019-08-22  3:55   ` Sean Christopherson
2019-08-22 16:31     ` Jarkko Sakkinen
2019-08-22 16:34       ` Sean Christopherson
2019-08-23  0:39         ` Jarkko Sakkinen
2019-08-23  0:57           ` Jarkko Sakkinen
2019-08-23  2:05             ` Sean Christopherson
2019-08-23 13:41               ` Jarkko Sakkinen
2019-08-22 16:38       ` Jarkko Sakkinen
2019-08-19 15:25 ` [PATCH 5/5] x86/sgx: Rename vm_prot_bits as max_vm_flags Jarkko Sakkinen
2019-08-22  4:00   ` Sean Christopherson
2019-08-22 16:43     ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=88B7642769729B409B4A93D7C5E0C5E7C661E7A7@hasmsx108.ger.corp.intel.com \
    --to=serge.ayoun@intel.com \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=linux-sgx@vger.kernel.org \
    --cc=sean.j.christopherson@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).