From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>, X86 ML <x86@kernel.org>,
linux-sgx@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
Andrew Morton <akpm@linux-foundation.org>,
Matthew Wilcox <willy@infradead.org>,
Jethro Beekman <jethro@fortanix.com>,
Darren Kenny <darren.kenny@oracle.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
asapek@google.com, Borislav Petkov <bp@alien8.de>,
"Xing, Cedric" <cedric.xing@intel.com>,
chenalexchen@google.com, Conrad Parker <conradparker@google.com>,
cyhanish@google.com, Dave Hansen <dave.hansen@intel.com>,
"Huang, Haitao" <haitao.huang@intel.com>,
Josh Triplett <josh@joshtriplett.org>,
"Huang, Kai" <kai.huang@intel.com>,
"Svahn, Kai" <kai.svahn@intel.com>, Keith Moyer <kmoy@google.com>,
Christian Ludloff <ludloff@google.com>,
Neil Horman <nhorman@redhat.com>,
Nathaniel McCallum <npmccallum@redhat.com>,
Patrick Uiterwijk <puiterwijk@redhat.com>,
David Rientjes <rientjes@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
yaozhangx@google.com
Subject: Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()
Date: Mon, 21 Sep 2020 09:57:58 -0700 [thread overview]
Message-ID: <20200921165758.GA24156@linux.intel.com> (raw)
In-Reply-To: <20200921124946.GF6038@linux.intel.com>
On Mon, Sep 21, 2020 at 03:49:46PM +0300, Jarkko Sakkinen wrote:
> On Fri, Sep 18, 2020 at 04:53:37PM -0700, Sean Christopherson wrote:
> > On Fri, Sep 18, 2020 at 08:09:04AM -0700, Andy Lutomirski wrote:
> > > On Tue, Sep 15, 2020 at 4:28 AM Jarkko Sakkinen
> > > <jarkko.sakkinen@linux.intel.com> wrote:
> > > >
> > > > From: Sean Christopherson <sean.j.christopherson@intel.com>
> > > >
> > > > Add vm_ops()->mprotect() for additional constraints for a VMA.
> > > >
> > > > Intel Software Guard eXtensions (SGX) will use this callback to add two
> > > > constraints:
> > > >
> > > > 1. Verify that the address range does not have holes: each page address
> > > > must be filled with an enclave page.
> > > > 2. Verify that VMA permissions won't surpass the permissions of any enclave
> > > > page within the address range. Enclave cryptographically sealed
> > > > permissions for each page address that set the upper limit for possible
> > > > VMA permissions. Not respecting this can cause #GP's to be emitted.
> >
> > Side note, #GP is wrong. EPCM violations are #PFs. Skylake CPUs #GP, but
> > that's technically an errata. But this isn't the real motivation, e.g.
> > userspace can already trigger #GP/#PF by reading/writing a bad address, SGX
> > simply adds another flavor.
> >
> > > It's been awhile since I looked at this. Can you remind us: is this
> > > just preventing userspace from shooting itself in the foot or is this
> > > something more important?
> >
> > Something more important, it's used to prevent userspace from circumventing
> > a noexec filesystem by loading code into an enclave, and to give the kernel the
> > option of adding enclave specific LSM policies in the future.
> >
> > The source file (if one exists) for the enclave is long gone when the enclave
> > is actually mmap()'d and mprotect()'d. To enforce noexec, the requested
> > permissions for a given page are snapshotted when the page is added to the
> > enclave, i.e. when the enclave is built. Enclave pages that will be executable
> > must originate from an a MAYEXEC VMA, e.g. the source page can't come from a
> > noexec file system.
>
> noexec check is done in __sgx_encl_add_page(), not in this callback.
> sgx_vma_mprotect() calls sgx_encl_may_map(), which iterates the
> addresses, checks that permissions are not surpassed and there are
> no holes.
Yes, that's what I said.
> > The ->mprotect() hook allows SGX to reject mprotect() if userspace is declaring
> > permissions beyond what are allowed, e.g. trying to map an enclave page with
> > EXEC permissions when the page was added to the enclave without EXEC.
>
> For my ear this is tautological because if user space would use
> differing permissions, it would exactly soot itself in the foot.
Not on SGX2 hardware. The kernel can't disable ENCLU[MODPE].
> What really should be documented is to answer why we consider an enclave
> mappable, if and only if the conditions are that I described about
> sgx_encl_may_map() functioning.
>
> This is obviously part of the answer [*], i.e. with pharsing LSM hook
> requires an enclave to have a state, which is compatible with the mmap
> permissions and is fully populated.
>
> The 2nd part of the answer is the answer to the question: why we want to
> feed LSM hooks enclaves exactly in this state.
>
> What would you answer to that?
I would copy-paste the part of the response that was snipped...
> [*] https://lore.kernel.org/linux-sgx/20200918232458.GA6175@linux.intel.com/T/#u
>
> /Jarkko
next prev parent reply other threads:[~2020-09-21 16:58 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200915112842.897265-1-jarkko.sakkinen@linux.intel.com>
2020-09-15 11:28 ` [PATCH v38 10/24] mm: Add vm_ops->mprotect() Jarkko Sakkinen
2020-09-18 12:44 ` Borislav Petkov
2020-09-18 15:09 ` Andy Lutomirski
2020-09-18 23:24 ` [PATCH v38 10/24] mm: Add vm_ops->mprotect()' Jarkko Sakkinen
2020-09-18 23:53 ` [PATCH v38 10/24] mm: Add vm_ops->mprotect() Sean Christopherson
2020-09-19 0:15 ` Andy Lutomirski
2020-09-22 12:58 ` Jarkko Sakkinen
2020-09-22 15:11 ` Dave Hansen
2020-09-23 13:30 ` Jarkko Sakkinen
2020-09-23 13:43 ` Jarkko Sakkinen
2020-09-23 14:33 ` Jarkko Sakkinen
2020-09-24 14:50 ` Dave Hansen
2020-09-24 16:27 ` Sean Christopherson
2020-09-24 19:35 ` Jarkko Sakkinen
2020-09-21 12:49 ` Jarkko Sakkinen
2020-09-21 12:51 ` Jarkko Sakkinen
2020-09-21 13:14 ` Jarkko Sakkinen
2020-09-21 16:57 ` Sean Christopherson [this message]
2020-09-21 21:07 ` Jarkko Sakkinen
2020-09-21 21:18 ` Sean Christopherson
2020-09-22 5:29 ` Jarkko Sakkinen
2020-09-22 5:35 ` Jarkko Sakkinen
2020-09-22 16:43 ` Sean Christopherson
2020-09-23 13:50 ` Jarkko Sakkinen
2020-09-24 19:11 ` Haitao Huang
2020-09-24 19:28 ` Sean Christopherson
2020-09-24 19:39 ` Dave Hansen
2020-09-24 20:01 ` Sean Christopherson
2020-09-24 20:10 ` Dave Hansen
2020-09-24 20:25 ` Sean Christopherson
2020-09-24 20:54 ` Dave Hansen
2020-09-24 22:10 ` Jarkko Sakkinen
2020-09-24 23:05 ` Sean Christopherson
2020-09-24 23:09 ` Dave Hansen
2020-09-25 0:00 ` Sean Christopherson
2020-09-25 17:18 ` Dave Hansen
2020-09-25 19:43 ` Sean Christopherson
2020-09-25 19:53 ` Dave Hansen
2020-09-26 4:15 ` Andy Lutomirski
2020-09-28 0:53 ` Jarkko Sakkinen
2020-09-28 14:04 ` Dave Hansen
2020-09-28 16:19 ` Jarkko Sakkinen
2020-09-28 16:48 ` Dave Hansen
2020-09-28 19:32 ` Jarkko Sakkinen
2020-09-28 19:45 ` Dave Hansen
2020-09-28 20:19 ` Jarkko Sakkinen
2020-09-29 1:37 ` Andy Lutomirski
2020-09-29 4:05 ` Jarkko Sakkinen
2020-09-29 14:24 ` Dave Hansen
2020-09-30 0:20 ` Jarkko Sakkinen
2020-09-30 14:35 ` Dave Hansen
2020-09-28 20:18 ` Jarkko Sakkinen
2020-10-18 8:49 ` Dr. Greg
2020-10-19 21:31 ` Sean Christopherson
2020-10-20 10:01 ` Dr. Greg
2020-10-20 16:40 ` Sean Christopherson
2020-10-24 14:37 ` Dr. Greg
2020-10-24 15:33 ` Andy Lutomirski
2020-10-26 10:51 ` Dr. Greg
2020-10-26 22:59 ` Andy Lutomirski
2020-10-27 0:40 ` Sean Christopherson
2020-09-24 22:07 ` Jarkko Sakkinen
2020-09-24 21:58 ` Jarkko Sakkinen
2020-09-24 21:55 ` Jarkko Sakkinen
2020-09-15 11:28 ` [PATCH v38 11/24] x86/sgx: Add SGX enclave driver Jarkko Sakkinen
2020-09-21 9:30 ` Borislav Petkov
2020-09-21 12:09 ` Jarkko Sakkinen
2020-10-01 17:36 ` Sean Christopherson
2020-10-01 18:49 ` Jarkko Sakkinen
2020-09-15 11:28 ` [PATCH v38 16/24] x86/sgx: Add a page reclaimer Jarkko Sakkinen
2020-09-22 10:45 ` Borislav Petkov
2020-09-22 14:03 ` Jarkko Sakkinen
2020-09-22 14:24 ` Borislav Petkov
2020-09-23 14:52 ` Jarkko Sakkinen
2020-09-29 1:14 ` Sean Christopherson
2020-09-29 3:50 ` Jarkko Sakkinen
2020-09-29 8:35 ` Sean Christopherson
2020-09-22 16:24 ` Sean Christopherson
2020-09-22 18:02 ` Borislav Petkov
2020-09-23 15:25 ` Jarkko Sakkinen
[not found] <20200915110522.893152-1-jarkko.sakkinen@linux.intel.com>
2020-09-15 11:05 ` [PATCH v38 10/24] mm: Add vm_ops->mprotect() Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200921165758.GA24156@linux.intel.com \
--to=sean.j.christopherson@intel.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=asapek@google.com \
--cc=bp@alien8.de \
--cc=cedric.xing@intel.com \
--cc=chenalexchen@google.com \
--cc=conradparker@google.com \
--cc=cyhanish@google.com \
--cc=darren.kenny@oracle.com \
--cc=dave.hansen@intel.com \
--cc=haitao.huang@intel.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=josh@joshtriplett.org \
--cc=kai.huang@intel.com \
--cc=kai.svahn@intel.com \
--cc=kmoy@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-sgx@vger.kernel.org \
--cc=ludloff@google.com \
--cc=luto@kernel.org \
--cc=nhorman@redhat.com \
--cc=npmccallum@redhat.com \
--cc=puiterwijk@redhat.com \
--cc=rientjes@google.com \
--cc=tglx@linutronix.de \
--cc=willy@infradead.org \
--cc=x86@kernel.org \
--cc=yaozhangx@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).