From: Dave Hansen <dave.hansen@intel.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: linux-kernel@vger.kernel.org, x86@kernel.org,
linux-sgx@vger.kernel.org, akpm@linux-foundation.org,
sean.j.christopherson@intel.com, nhorman@redhat.com,
npmccallum@redhat.com, serge.ayoun@intel.com,
shay.katz-zamir@intel.com, haitao.huang@intel.com,
andriy.shevchenko@linux.intel.com, tglx@linutronix.de,
kai.svahn@intel.com, bp@alien8.de, josh@joshtriplett.org,
luto@kernel.org, kai.huang@intel.com, rientjes@google.com,
cedric.xing@intel.com
Subject: Re: [PATCH v22 00/24] Intel SGX foundations
Date: Sat, 14 Sep 2019 08:32:38 -0700 [thread overview]
Message-ID: <8339d3c0-8e80-9cd5-948e-47733f7c29b7@intel.com> (raw)
In-Reply-To: <20190914134136.GG9560@linux.intel.com>
On 9/14/19 6:41 AM, Jarkko Sakkinen wrote:
>
> The proposed LSM hooks give the granularity to make yes/no decision
> based on the
>
> * The origin of the source of the source for the enclave.
> * The requested permissions for the added or mapped peage.
>
> The hooks to do these checks are provided for mmap() and EADD
> operations.
>
> With just file permissions you can still limit mmap() by having a
> privileged process to build the enclaves and pass the file descriptor
> to the enclave user who can mmap() the enclave within the constraints
> set by the enclave pages (their permissions refine the roof that you
> can mmap() any memory range within an enclave).
The LSM hooks are presumably fixing a problem that these patches
introduce. What's that problem?
next prev parent reply other threads:[~2019-09-14 15:32 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-03 14:26 [PATCH v22 00/24] Intel SGX foundations Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 01/24] x86/cpufeatures: x86/msr: Add Intel SGX hardware bits Jarkko Sakkinen
2019-09-24 15:28 ` Borislav Petkov
2019-09-24 16:11 ` Sean Christopherson
2019-09-24 16:25 ` Borislav Petkov
2019-09-03 14:26 ` [PATCH v22 02/24] x86/cpufeatures: x86/msr: Intel SGX Launch Control " Jarkko Sakkinen
2019-09-24 15:52 ` Borislav Petkov
2019-09-24 20:22 ` Sean Christopherson
2019-09-25 8:51 ` Borislav Petkov
2019-09-25 17:18 ` Sean Christopherson
2019-09-25 18:31 ` Borislav Petkov
2019-09-25 19:08 ` Sean Christopherson
2019-09-27 16:11 ` Jarkko Sakkinen
2019-09-25 14:09 ` Jarkko Sakkinen
2019-09-25 14:10 ` Jarkko Sakkinen
2019-09-25 14:38 ` Jarkko Sakkinen
2019-09-25 15:19 ` Borislav Petkov
2019-09-25 16:49 ` Sean Christopherson
2019-09-25 17:28 ` Borislav Petkov
2019-09-25 18:18 ` Sean Christopherson
2019-09-03 14:26 ` [PATCH v22 03/24] x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX Jarkko Sakkinen
2019-09-24 16:04 ` Borislav Petkov
2019-09-25 14:16 ` Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 04/24] x86/cpu/intel: Detect SGX supprt Jarkko Sakkinen
2019-09-24 16:13 ` Borislav Petkov
2019-09-24 17:43 ` Sean Christopherson
2019-09-24 18:21 ` Borislav Petkov
2019-09-25 14:46 ` Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 05/24] x86/sgx: Add ENCLS architectural error codes Jarkko Sakkinen
2019-09-27 10:20 ` Borislav Petkov
2019-09-27 16:08 ` Jarkko Sakkinen
2019-09-27 17:20 ` Sean Christopherson
2019-10-01 20:23 ` Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 06/24] x86/sgx: Add SGX microarchitectural data structures Jarkko Sakkinen
2019-09-27 16:27 ` Borislav Petkov
2019-10-01 19:10 ` Jarkko Sakkinen
2019-10-01 20:39 ` Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 07/24] x86/sgx: Add wrappers for ENCLS leaf functions Jarkko Sakkinen
2019-10-04 9:45 ` Borislav Petkov
2019-10-04 18:56 ` Jarkko Sakkinen
2019-10-08 4:04 ` Sean Christopherson
2019-10-08 7:18 ` Borislav Petkov
2019-10-08 13:35 ` Sean Christopherson
2019-10-08 14:56 ` Borislav Petkov
2019-09-03 14:26 ` [PATCH v22 08/24] x86/sgx: Enumerate and track EPC sections Jarkko Sakkinen
2019-10-05 9:26 ` Borislav Petkov
2019-10-07 11:58 ` Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 09/24] x86/sgx: Add functions to allocate and free EPC pages Jarkko Sakkinen
2019-10-05 16:44 ` Borislav Petkov
2019-10-07 14:50 ` Sean Christopherson
2019-10-08 9:09 ` Borislav Petkov
2019-10-08 13:31 ` Sean Christopherson
2019-10-07 17:55 ` Jarkko Sakkinen
2019-10-07 18:09 ` Borislav Petkov
2019-09-03 14:26 ` [PATCH v22 10/24] x86/sgx: Add sgx_einit() for wrapping ENCLS[EINIT] Jarkko Sakkinen
2019-10-08 17:30 ` Borislav Petkov
2019-10-08 17:45 ` Sean Christopherson
2019-10-08 17:46 ` Sean Christopherson
2019-10-08 17:53 ` Borislav Petkov
2019-09-03 14:26 ` [PATCH v22 11/24] mm: Introduce vm_ops->may_mprotect() Jarkko Sakkinen
2019-10-08 17:41 ` Borislav Petkov
2019-09-03 14:26 ` [PATCH v22 12/24] x86/sgx: Linux Enclave Driver Jarkko Sakkinen
2019-10-08 17:59 ` Borislav Petkov
2019-10-08 18:17 ` Sean Christopherson
2019-10-08 19:19 ` Borislav Petkov
2019-09-03 14:26 ` [PATCH v22 13/24] x86/sgx: Add provisioning Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 14/24] x86/sgx: Add a page reclaimer Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 15/24] x86/sgx: ptrace() support for the SGX driver Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 16/24] x86/vdso: Add support for exception fixup in vDSO functions Jarkko Sakkinen
2019-10-02 23:18 ` Jarkko Sakkinen
2019-10-02 23:45 ` Jarkko Sakkinen
2019-10-04 0:03 ` Sean Christopherson
2019-10-04 18:49 ` Jarkko Sakkinen
2019-10-04 0:15 ` Sean Christopherson
2019-10-04 18:52 ` Jarkko Sakkinen
2019-10-05 15:54 ` Sean Christopherson
2019-10-07 7:57 ` Jarkko Sakkinen
2019-10-07 8:10 ` Jarkko Sakkinen
2019-10-07 12:04 ` Jarkko Sakkinen
2019-10-08 4:54 ` Sean Christopherson
2019-10-05 18:39 ` Sean Christopherson
2019-10-07 8:01 ` Jarkko Sakkinen
2019-10-06 23:38 ` Jarkko Sakkinen
2019-10-06 23:40 ` Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 17/24] x86/fault: Add helper function to sanitize error code Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 18/24] x86/traps: Attempt to fixup exceptions in vDSO before signaling Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 19/24] x86/vdso: Add __vdso_sgx_enter_enclave() to wrap SGX enclave transitions Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 20/24] selftests/x86: Add a selftest for SGX Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 21/24] selftests/x86: Recurse into subdirectories Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 22/24] x86/sgx: Update MAINTAINERS Jarkko Sakkinen
2019-09-03 14:26 ` [PATCH v22 23/24] docs: x86/sgx: Document microarchitecture Jarkko Sakkinen
2019-09-27 18:15 ` Randy Dunlap
2019-09-03 14:26 ` [PATCH v22 24/24] docs: x86/sgx: Document kernel internals Jarkko Sakkinen
2019-09-27 17:07 ` Randy Dunlap
2019-10-01 19:34 ` Jarkko Sakkinen
2019-09-13 20:38 ` [PATCH v22 00/24] Intel SGX foundations Dave Hansen
2019-09-14 13:41 ` Jarkko Sakkinen
2019-09-14 15:32 ` Dave Hansen [this message]
2019-09-16 5:23 ` Jarkko Sakkinen
2019-09-24 17:20 ` Andy Lutomirski
2019-09-25 14:32 ` Jarkko Sakkinen
2019-10-02 23:42 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8339d3c0-8e80-9cd5-948e-47733f7c29b7@intel.com \
--to=dave.hansen@intel.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=bp@alien8.de \
--cc=cedric.xing@intel.com \
--cc=haitao.huang@intel.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=josh@joshtriplett.org \
--cc=kai.huang@intel.com \
--cc=kai.svahn@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@kernel.org \
--cc=nhorman@redhat.com \
--cc=npmccallum@redhat.com \
--cc=rientjes@google.com \
--cc=sean.j.christopherson@intel.com \
--cc=serge.ayoun@intel.com \
--cc=shay.katz-zamir@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.