From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Haitao Huang <haitao.huang@linux.intel.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Andy Lutomirski <luto@kernel.org>, X86 ML <x86@kernel.org>,
linux-sgx@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
Andrew Morton <akpm@linux-foundation.org>,
Matthew Wilcox <willy@infradead.org>,
Jethro Beekman <jethro@fortanix.com>,
Darren Kenny <darren.kenny@oracle.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
asapek@google.com, Borislav Petkov <bp@alien8.de>,
"Xing, Cedric" <cedric.xing@intel.com>,
chenalexchen@google.com, Conrad Parker <conradparker@google.com>,
cyhanish@google.com, "Huang, Haitao" <haitao.huang@intel.com>,
Josh Triplett <josh@joshtriplett.org>,
"Huang, Kai" <kai.huang@intel.com>,
"Svahn, Kai" <kai.svahn@intel.com>, Keith Moyer <kmoy@google.com>,
Christian Ludloff <ludloff@google.com>,
Neil Horman <nhorman@redhat.com>,
Nathaniel McCallum <npmccallum@redhat.com>,
Patrick Uiterwijk <puiterwijk@redhat.com>,
David Rientjes <rientjes@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
yaozhangx@google.com
Subject: Re: [PATCH v38 10/24] mm: Add vm_ops->mprotect()
Date: Thu, 24 Sep 2020 17:00:52 -0700 [thread overview]
Message-ID: <20200925000052.GA20333@linux.intel.com> (raw)
In-Reply-To: <b737fcab-bfde-90e1-1101-82d646a6f5b7@intel.com>
On Thu, Sep 24, 2020 at 04:09:25PM -0700, Dave Hansen wrote:
> On 9/24/20 4:05 PM, Sean Christopherson wrote:
> > The problem is that enforcing permissions via mprotect() needs to be done
> > unconditionally, otherwise we end up with weird behavior where the existence
> > of an LSM will change what is/isn't allowed, even if the LSM(s) has no SGX
> > policy whatsover.
>
> Could we make this a bit less abstract, please?
>
> Could someone point to code or another examples that demonstrates how
> the mere existence of an LSM will change what is/isn't allowed?
>
> I can't seem to wrap my head around it as-is.
Without pre-declared permissions, loading and running an enclave would be:
ptr = malloc(size);
memcpy(ptr, evil_shenanigans, size);
ioctl(sgx_fd, ENCLAVE_ADD_PAGE, ptr, size);
...
ioctl(sgx_fd, ENCLAVE_INIT);
enclave = mmap(sgx_fd, ... PROT_READ);
mprotect(enclave, ..., PROT_READ | PROT_EXEC);
EENTER;
With the existing security_file_mprotect(), an LSM will see:
vma->vm_file ~= /dev/sgx/enclave
prot = PROT_READ | PROT_EXEC
From a policy perspective, the LSM can't do much because every enclave is
backed by /dev/sgx/enclave, and all enclaves need READ and EXEC perms, i.e.
a policy can only deny all enclaves or allow enclaves.
The solution we came up with is to require userspace to declare the intended
permissions at build time so that an LSM hook can be invoked when the source
VMA is availble, e.g. in this example, the LSM would see that the process is
loading executable code into an enclave from an anonymous VMA:
ptr = malloc(size);
memcpy(ptr, evil_shenanigans, size);
ioctl(sgx_fd, ENCLAVE_ADD_PAGE, SGX_PROT_READ | SGX_PROT_EXEC, ptr, size);
{
ret = security_enclave_load(ptr, prot);
if (ret)
return ret;
enclave_page->declared_prot = prot;
}
...
ioctl(sgx_fd, ENCLAVE_INIT);
and then enforce the declared perms via ->mprotect()
enclave = mmap(sgx_fd, ... PROT_READ);
mprotect(enclave, ..., PROT_READ | PROT_EXEC);
|
-> sgx_mprotect(...)
{
if (~enclave_page->declared_prot & prot)
return -EACCES;
}
EENTER;
So the above would be allowed, but this would fail (irrespective of LSM behavior):
ptr = malloc(size);
memcpy(ptr, evil_shenanigans, size);
ioctl(sgx_fd, ENCLAVE_ADD_PAGE, SGX_PROT_READ, ptr, size);
...
ioctl(sgx_fd, ENCLAVE_INIT);
enclave = mmap(sgx_fd, ... PROT_READ);
mprotect(enclave, ..., PROT_READ | PROT_EXEC);
My concern is that if we merge this
ioctl(sgx_fd, ENCLAVE_ADD_PAGE, SGX_PROT_READ | SGX_PROT_EXEC, ptr, size);
without ->mprotect(), we can't actually enforce the declared protections. And
if we drop the field altogether:
ioctl(sgx_fd, ENCLAVE_ADD_PAGE, ptr, size);
then we can't implement security_enclave_load().
next prev parent reply other threads:[~2020-09-25 0:01 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200915112842.897265-1-jarkko.sakkinen@linux.intel.com>
2020-09-15 11:28 ` [PATCH v38 10/24] mm: Add vm_ops->mprotect() Jarkko Sakkinen
2020-09-18 12:44 ` Borislav Petkov
2020-09-18 15:09 ` Andy Lutomirski
2020-09-18 23:24 ` [PATCH v38 10/24] mm: Add vm_ops->mprotect()' Jarkko Sakkinen
2020-09-18 23:53 ` [PATCH v38 10/24] mm: Add vm_ops->mprotect() Sean Christopherson
2020-09-19 0:15 ` Andy Lutomirski
2020-09-22 12:58 ` Jarkko Sakkinen
2020-09-22 15:11 ` Dave Hansen
2020-09-23 13:30 ` Jarkko Sakkinen
2020-09-23 13:43 ` Jarkko Sakkinen
2020-09-23 14:33 ` Jarkko Sakkinen
2020-09-24 14:50 ` Dave Hansen
2020-09-24 16:27 ` Sean Christopherson
2020-09-24 19:35 ` Jarkko Sakkinen
2020-09-21 12:49 ` Jarkko Sakkinen
2020-09-21 12:51 ` Jarkko Sakkinen
2020-09-21 13:14 ` Jarkko Sakkinen
2020-09-21 16:57 ` Sean Christopherson
2020-09-21 21:07 ` Jarkko Sakkinen
2020-09-21 21:18 ` Sean Christopherson
2020-09-22 5:29 ` Jarkko Sakkinen
2020-09-22 5:35 ` Jarkko Sakkinen
2020-09-22 16:43 ` Sean Christopherson
2020-09-23 13:50 ` Jarkko Sakkinen
2020-09-24 19:11 ` Haitao Huang
2020-09-24 19:28 ` Sean Christopherson
2020-09-24 19:39 ` Dave Hansen
2020-09-24 20:01 ` Sean Christopherson
2020-09-24 20:10 ` Dave Hansen
2020-09-24 20:25 ` Sean Christopherson
2020-09-24 20:54 ` Dave Hansen
2020-09-24 22:10 ` Jarkko Sakkinen
2020-09-24 23:05 ` Sean Christopherson
2020-09-24 23:09 ` Dave Hansen
2020-09-25 0:00 ` Sean Christopherson [this message]
2020-09-25 17:18 ` Dave Hansen
2020-09-25 19:43 ` Sean Christopherson
2020-09-25 19:53 ` Dave Hansen
2020-09-26 4:15 ` Andy Lutomirski
2020-09-28 0:53 ` Jarkko Sakkinen
2020-09-28 14:04 ` Dave Hansen
2020-09-28 16:19 ` Jarkko Sakkinen
2020-09-28 16:48 ` Dave Hansen
2020-09-28 19:32 ` Jarkko Sakkinen
2020-09-28 19:45 ` Dave Hansen
2020-09-28 20:19 ` Jarkko Sakkinen
2020-09-29 1:37 ` Andy Lutomirski
2020-09-29 4:05 ` Jarkko Sakkinen
2020-09-29 14:24 ` Dave Hansen
2020-09-30 0:20 ` Jarkko Sakkinen
2020-09-30 14:35 ` Dave Hansen
2020-09-28 20:18 ` Jarkko Sakkinen
2020-10-18 8:49 ` Dr. Greg
2020-10-19 21:31 ` Sean Christopherson
2020-10-20 10:01 ` Dr. Greg
2020-10-20 16:40 ` Sean Christopherson
2020-10-24 14:37 ` Dr. Greg
2020-10-24 15:33 ` Andy Lutomirski
2020-10-26 10:51 ` Dr. Greg
2020-10-26 22:59 ` Andy Lutomirski
2020-10-27 0:40 ` Sean Christopherson
2020-09-24 22:07 ` Jarkko Sakkinen
2020-09-24 21:58 ` Jarkko Sakkinen
2020-09-24 21:55 ` Jarkko Sakkinen
2020-09-15 11:28 ` [PATCH v38 11/24] x86/sgx: Add SGX enclave driver Jarkko Sakkinen
2020-09-21 9:30 ` Borislav Petkov
2020-09-21 12:09 ` Jarkko Sakkinen
2020-10-01 17:36 ` Sean Christopherson
2020-10-01 18:49 ` Jarkko Sakkinen
2020-09-15 11:28 ` [PATCH v38 16/24] x86/sgx: Add a page reclaimer Jarkko Sakkinen
2020-09-22 10:45 ` Borislav Petkov
2020-09-22 14:03 ` Jarkko Sakkinen
2020-09-22 14:24 ` Borislav Petkov
2020-09-23 14:52 ` Jarkko Sakkinen
2020-09-29 1:14 ` Sean Christopherson
2020-09-29 3:50 ` Jarkko Sakkinen
2020-09-29 8:35 ` Sean Christopherson
2020-09-22 16:24 ` Sean Christopherson
2020-09-22 18:02 ` Borislav Petkov
2020-09-23 15:25 ` Jarkko Sakkinen
[not found] <20200915110522.893152-1-jarkko.sakkinen@linux.intel.com>
2020-09-15 11:05 ` [PATCH v38 10/24] mm: Add vm_ops->mprotect() Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200925000052.GA20333@linux.intel.com \
--to=sean.j.christopherson@intel.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=asapek@google.com \
--cc=bp@alien8.de \
--cc=cedric.xing@intel.com \
--cc=chenalexchen@google.com \
--cc=conradparker@google.com \
--cc=cyhanish@google.com \
--cc=darren.kenny@oracle.com \
--cc=dave.hansen@intel.com \
--cc=haitao.huang@intel.com \
--cc=haitao.huang@linux.intel.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=josh@joshtriplett.org \
--cc=kai.huang@intel.com \
--cc=kai.svahn@intel.com \
--cc=kmoy@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-sgx@vger.kernel.org \
--cc=ludloff@google.com \
--cc=luto@kernel.org \
--cc=nhorman@redhat.com \
--cc=npmccallum@redhat.com \
--cc=puiterwijk@redhat.com \
--cc=rientjes@google.com \
--cc=tglx@linutronix.de \
--cc=willy@infradead.org \
--cc=x86@kernel.org \
--cc=yaozhangx@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).